Privacy Policy

Last updated: April 2, 2026

1. Introduction

Welcome to Paido ("we", "us", or "our"). Paido is a local event discovery platform based in Croatia. We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Croatian and EU data protection laws.

This Privacy Policy explains what data we collect, how we use it, and what rights you have regarding your personal information when you use our platform at paido.ai.

2. What Data We Collect

We collect the following categories of personal data:

  • Account information: When you sign in via Google OAuth, we receive your name, email address, and profile image from Google. Organizer accounts are created by our administrators upon invitation.
  • Location data (optional): If you grant permission, we access your device's location to show you nearby events and offers. This data is processed in your browser and sent to our server only as coordinates for event queries. You can revoke location access at any time through your browser settings.
  • Analytics data: We collect anonymous usage data such as page views, clicks, and navigation patterns using our self-hosted analytics system (ClickHouse). This data is not linked to your personal identity unless you are logged in.
  • Uploaded content: If you are an organizer, images you upload for events or venues are stored on our self-hosted storage system.
  • Cookies: We use a JWT authentication cookie to keep you signed in. See section 7 for details.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • To display events, offers, and venues near your location
  • To authenticate your identity and maintain your session
  • To enable organizers to create and manage events and promotions
  • To understand how our platform is used and improve our service
  • To ensure platform security and prevent abuse

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Data Storage & Security

Your data is stored on servers located in the European Union. We use industry-standard security measures to protect your data, including encrypted connections (HTTPS/TLS), secure authentication tokens, and restricted server access. Images and uploaded content are stored on our self-hosted MinIO storage system.

While we take reasonable precautions to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.

5. Third-Party Services

We use the following third-party services:

  • Google OAuth: For user authentication. When you sign in with Google, Google's privacy policy applies to the data they process. We only receive your name, email, and profile image.
  • Google Maps: To display interactive maps showing event and venue locations. Google's privacy policy applies to map data processing.
  • Cloudflare: For content delivery (CDN) and security. Cloudflare may process connection metadata (IP addresses, request headers) as part of their service.

We do not use Google Analytics or any other third-party analytics service. Our analytics are entirely self-hosted.

6. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can request correction of inaccurate personal data.
  • Right to erasure: You can request deletion of your personal data ("right to be forgotten").
  • Right to data portability: You can request your data in a structured, commonly used format.
  • Right to restrict processing: You can request that we limit how we use your data.
  • Right to object: You can object to the processing of your personal data.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or another EU supervisory authority.

7. Cookies

We use a single essential cookie to maintain your authentication session (JWT token). This cookie is strictly necessary for the platform to function when you are signed in and does not require consent under GDPR. We do not use advertising cookies, tracking cookies, or any non-essential cookies.

8. Data Retention

We retain your account data for as long as your account is active. Analytics data is retained in aggregated, anonymized form. If you request account deletion, we will remove your personal data within 30 days, except where we are legally required to retain it. Event data created by organizers may be retained after account deletion for historical and archival purposes, with personally identifiable information removed.

9. Children's Privacy

Paido is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us at [email protected] and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of Paido after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: