Privacy Policy
Effective Date: 1 May 2026 • Version 1.0
Plain-Language Summary
- Data Controller: Alone&Alright, headquartered in the Netherlands, is responsible for all personal data processing.
- Biometric & Gender Data: Biometric templates are deleted immediately after verification. Only an encrypted "Verified Female" token is retained.
- Location Tracking: Real-time location data is collected only with your explicit consent, which you can withdraw at any time.
- Your Rights: You have the right to access, correct, or delete your data. We respond within 30 days.
- Complaints: You may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
1. Identity and Contact Details of the Data Controller
Alone&Alright operates as the data controller, determining the fundamental purposes and technical means of the processing of personal data under this Privacy Policy, in strict accordance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).
Data Controller: Alone&Alright
Jurisdiction: The Netherlands
Contact Email: aloneandalright0@gmail.com
The corporate leadership and data governance team consists of: Elsie Corroyez (CEO), Dalma Vivien Györe (CFO), Sfiriac Andrei Sebastian (COO), Esra Rietbergen (HR Lead), Sirbov Adrian Ioan (Product Lead), Eunjin Lee (Marketing & Sales Lead), Rita Laura Nagy (Marketing & Sales Support), and Hyukjune Han (Partnership Lead).
2. Principles of Data Processing
All processing operations undertaken by Alone&Alright are governed by the core principles of Article 5 of the GDPR. Personal data is processed lawfully, fairly, and transparently. The platform enforces strict purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality across all data categories.
3. Categories of Personal Data Collected, Purposes, and Legal Bases
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Identity Verification Data (government ID, biometric facial scan, gender markers) | Verify the user is female; ensure community integrity | Art. 9(2)(a) — Explicit Consent |
| Location Data (real-time GPS, historical pathways, IP address) | Deliver safety scores, offline maps, and smart routing | Art. 6(1)(a) — Consent |
| User-Generated Content (reviews, tips, ratings, images) | Populate the community safety platform | Art. 6(1)(b) — Performance of a Contract |
| Payment Information (billing address, payment method, transaction history) | Process the €7.99 one-time payment and comply with financial auditing regulations | Art. 6(1)(b) & Art. 6(1)(c) |
| Device & Usage Analytics (device ID, OS, app logs, crash reports) | Ensure security, debug errors, and improve functionality | Art. 6(1)(f) — Legitimate Interest |
4. Processing of Special Categories of Personal Data (Article 9 GDPR)
The platform requires biometric identity verification to maintain its female-only community. This processing of biometric data is permissible under Article 9(2)(a) GDPR (explicit consent) in accordance with guidance from the Autoriteit Persoonsgegevens.
- Users are given a granular explanation of the biometric verification process before consenting.
- Biometric templates and ID images are permanently deleted immediately after successful verification.
- Only an encrypted, non-reversible "Verified Female" token is retained, fully decoupled from raw biometric input.
5. Collection, Storage, and Usage of Location Data
Location data forms the backbone of the app's safety features. The application requests explicit device-level GPS permission, which the user can revoke at any time in their device settings.
Raw, identifiable location data transmitted to Alone&Alright servers is held securely for a maximum of 30 days, after which it is fully anonymised and aggregated into macro-level safety analytics. Withdrawing location consent will disable proximity-based features, but the community platform remains accessible.
6. Data Retention Periods
| Data Type | Retention Period | Justification |
|---|---|---|
| Identity Verification Scans | Deleted immediately upon verification | Strict data minimization |
| Account Details & User Content | Duration of active account | Necessary to provide the service |
| Payment & Billing Records | 7 years | Dutch Belastingdienst tax law |
| Raw Location Data | Maximum 30 days, then anonymised | Routing queries and incident resolution |
| Usage Analytics & Logs | Maximum 90 days | Security monitoring and troubleshooting |
7. Third-Party Processors and Cross-Border Data Transfers
Alone&Alright engages pre-vetted third-party processors for payment gateways, cloud hosting, identity verification, and analytics. All processors are bound by Data Processing Agreements (DPAs) compliant with Article 28 GDPR.
Where data is transferred outside the EEA, safeguards are in place via Adequacy Decisions (e.g., EU-U.S. Data Privacy Framework) or Standard Contractual Clauses (SCCs) with supplementary encryption measures.
8. Your Rights under the GDPR
- Right of Access (Art. 15): Request confirmation of, and access to, your personal data.
- Right to Rectification (Art. 16): Demand correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of personal data, subject to legal retention mandates (e.g., 7-year financial records).
- Right to Restriction (Art. 18): Request a temporary halt to processing under specific conditions.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent for biometric verification or location tracking at any time.
To exercise any of these rights, submit a request to aloneandalright0@gmail.com. We will respond within 30 days as required by the GDPR.
9. Right to Lodge a Complaint
If you believe your data is being processed in violation of the GDPR, you may lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
Postbus 93374, 2509 AJ Den Haag, The Netherlands
Hoge Nieuwstraat 8, 2514 EL Den Haag
Tel: +31 70 888 8500
10. Cookie and Tracking Policy
In compliance with the ePrivacy Directive and Article 11.7a of the Dutch Telecommunications Act (Telecommunicatiewet):
- Strictly Necessary: Core authentication and security cookies are deployed automatically without requiring consent.
- Analytics/Tracking: Deployed only upon affirmative opt-in consent. No pre-ticked boxes. Revocable at any time in the app's privacy settings.
11. Data Breach Notification
In the event of a personal data breach posing a risk to users, Alone&Alright will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of it, per Article 33 GDPR. Where a high risk to users exists, affected users will also be notified directly without undue delay.
12. Protection of Minors
The platform is strictly for adults aged 18 and older. If a minor is detected via the verification process, the account will be immediately suspended and all associated data permanently deleted.
13. Updates to This Policy
Substantive changes will be communicated via in-app notification or email no less than 14 days before taking effect. Continued use of the application after the effective date constitutes acknowledgment of the revised policy.