Effective date: [EFFECTIVE DATE — to be completed]

1. Who we are
Controller: LT Studio s.r.o.
Company ID (IČO): 56 839 910
Registered seat: Uralská 1405/9, Košice – mestská časť Nad jazerom, 040 12, Slovak Republic
Data protection contact: info@grannysquaredesigner.com
Support contact: support@grannysquaredesigner.com

2. Scope of this notice
This Privacy Policy explains what personal data we process when you use the Granny Square Designer mobile application and related websites, for which purposes, on what legal bases, for how long, to whom we disclose data, and what rights you have.
We do not collect emails for marketing and we do not send newsletters. We only send essential service or safety notices where strictly necessary.

3. What data we process

• Account and identifiers
• Authentication/identity provided by the platform (e.g., Apple, Google) or our internal user ID.
• Subscription/purchase identifiers from Apple App Store or Google Play to activate features.
• App usage data
• Saved designs, settings and preferences (e.g., colors), and in-app actions necessary to provide the service.
• Technical data
• IP address, device and OS information, timestamps, diagnostics and security logs (anti-abuse, reliability).
• Subscription and in-app purchase data
• Purchase/renewal date and time, product/plan type, subscription status, country/currency, transaction identifier/token, refund or cancellation status.
• We do not receive card numbers or CVC from Apple or Google.
• Web payment gateway data (if applicable)
• Name, billing details (address, country, VAT ID where applicable), email, account identifier, transaction/payment identifier, amount, currency, status, date/time, payment method, and technical anti-fraud data (IP, browser fingerprint/UA).
• Full card details (PAN/CVC) are not processed or stored by us; they are processed by the payment provider.
• Web payment provider: (EU‑based) [to be confirmed]. The provider processes card data; we do not process or store full card numbers/CVC. We receive only transaction metadata needed to activate access, issue receipts and comply with tax/accounting obligations.
• Support communications
• Emails, attachments and metadata you send to our support, handled only to resolve your request.
• Sources of data
• We obtain data primarily from you during use of the app.
• Technical data are generated automatically.
• Purchase/verification information may be received from Apple, Google and/or the web payment provider.

4. Purposes and legal bases

• Providing the service and app features, user account and content (performance of a contract — GDPR Art. 6(1)(b)).
• Managing subscriptions, purchases and unlocking paid features (performance of a contract — GDPR Art. 6(1)(b)).
• Accounting and tax compliance, including VAT/DPH records (legal obligation — GDPR Art. 6(1)(c)).
• Security, fraud prevention, diagnostics and service quality (legitimate interests — GDPR Art. 6(1)(f)).
• Support communications (performance of a contract/legitimate interests, depending on the request).
• Marketing emails/newsletters: not used and not sent.

5. How long we keep data (retention)

• Account/service data: for the duration of your account and a reasonable period thereafter (typically up to 24 months after last activity) to protect our rights and ensure diagnostics.
• Technical/security logs: typically 90–180 days unless longer is required due to an incident or legal obligation.
• Support communications: up to 24 months after the case is closed.
• Transactions and subscription/accounting records: for the period required by accounting and tax laws (generally up to 10 years in Slovakia).

6. Who we share data with (recipients)

• Hosting and infrastructure providers (processors) — only what is necessary to run and secure the service. JPsoftware, Slovak Republic (EU). Primary data hosting in Slovakia; backups are stored within the EU.
• Apple App Store and Google Play — independent controllers for processing of payments; they share only purchase metadata/tokens with us, never full card details.
• Web payment provider: GP webpay (EU‑based) [to be confirmed] — processes card data for payments and may act as our processor for transaction metadata. We do not receive full card details. Retention: accounting records kept as required by law (typically up to 10 years).
• Accounting/tax advisor: Ekonom Košice s. r. o., Slovak Republic — acting as an independent controller for statutory bookkeeping and tax compliance. We share accounting records (revenues from Apple, Google, and—if used—web payment gateway) only to the extent necessary. Retention: as required by law (typically up to 10 years).
• Support is handled directly via email (support@grannysquaredesigner.com); we do not use third‑party helpdesk or CRM tools.
• Public authorities — only where required by law.

7, International transfers
We do not transfer personal data outside the EU/EEA/UK. Our hosting and processors are located in the EU/EEA.
Primary hosting is provided by JPsoftware in the Slovak Republic (EU). Backups are stored within the EU.

8. Security
We apply appropriate technical and organisational measures, including encryption in transit, access controls, audit logs and backups. No system is 100% secure, but we minimise data and continuously improve protection. We do not store full card details.

9. Your rights
You have the right to access, rectification, erasure, restriction, portability and to object to processing (especially processing based on legitimate interests). Where we rely on consent, you can withdraw it at any time (we currently do not rely on consent for marketing).
We respond without undue delay and within one month (extendable by two months where necessary; we will inform you). Requests can be sent to info@grannysquaredesigner.com or support@grannysquaredesigner.com.

Supervisory authority
Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov SR)
Hraničná 12, 820 07 Bratislava 27, Slovak Republic — https://www.dataprotection.gov.sk

10. Children and minimum age
The app is intended for users aged 13+ and is not directed to children. If you believe a child provided us with data contrary to this policy, contact us at info@grannysquaredesigner.com and we will take appropriate steps, including deletion.

11. Cookies and similar technologies
On our website we use only essential technical cookies and, where necessary on the checkout page, cookies/SDK required by the payment provider (e.g., 3-D Secure and anti-fraud). Marketing email tracking is not used because we do not send newsletters.
Analytics: We currently do not use any analytics tools on the website. If we introduce privacy-friendly analytics in the future, we will update this notice and, where required, obtain consent first.

12. Subscriptions, payments and refunds
Mobile subscriptions and purchases are processed via Apple App Store or Google Play. Billing, cancellations and refunds follow the respective store rules. We do not handle or store full card details.
Web payment provider: GP webpay (EU‑based) [to be confirmed]. The provider processes card data; we do not process or store full card numbers/CVC. We receive only transaction metadata needed to activate access, issue receipts and comply with tax/accounting obligations.

13. Mandatory vs. voluntary data
Technical identifiers and data necessary to operate the app are required to provide the service; without them some features will not work. Any additional information you provide to support is voluntary.

14. Automated decision-making
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you.

15. Changes to this policy
We may update this policy from time to time (e.g., when features or laws change). We will publish the new version with an updated effective date and, where appropriate, notify you in the app or on the website.

16. Contact
Data protection contact: info@grannysquaredesigner.com
Support: support@grannysquaredesigner.com