
Privacy Policy — Tprice

Last updated: 2026-06-15
Effective date: 2026-06-15

This Privacy Policy explains how Tprice ("Tprice", "we", "us", "our") collects, uses, stores, and protects personal data of users ("you", "user") of the Tprice mobile application for iOS and Android. It is written to satisfy the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Serbian Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti, the controller's home-jurisdiction law), and the Apple App Store and Google Play store-listing requirements (App Privacy form / Data Safety form).

The English text of this policy is the authoritative version. Translations into Russian, Croatian, and Serbian are provided for convenience.


1. Identity of the controller

The data controller is NIKITA IARUNIN PR BEOGRAD, a sole proprietor (preduzetnik) registered in the Republic of Serbia (Belgrade), company registration number (matični broj) 67768850, tax identification number (PIB) 114678100, registered office Jurija Gagarina 231, 11073 Belgrade, Serbia, trading as Tprice.

  • Privacy and data-protection contact: [email protected]
  • General support: [email protected]
  • Governing law: the law of the Republic of Serbia, without prejudice to mandatory consumer-protection provisions of the country of residence of the user.

1a. Data Protection Officer (GDPR Art. 13(1)(b))

Tprice has not appointed a Data Protection Officer because it does not meet any of the three criteria under GDPR Art. 37(1):

  • Tprice is not a public authority or body (Art. 37(1)(a));
  • Tprice's core activities do not consist of processing operations that, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37(1)(b));
  • Tprice's core activities do not consist of processing on a large scale of special categories of personal data under Art. 9 or personal data relating to criminal convictions and offences under Art. 10 (Art. 37(1)(c)).

Privacy questions are handled by the developer directly via [email protected].

1b. Territorial scope

Tprice is offered to users in the European Economic Area, the United Kingdom, Switzerland, the United States, Croatia, Serbia, and other markets where the app is listed on the Apple App Store and Google Play. Tprice is not offered in the Russian Federation. Personal data of Russian-resident users is not knowingly collected; if such a user is identified, the account will be deleted and the user notified at the email on file.

1c. Application of the GDPR and the UK GDPR (Art. 3(2))

Because the controller is established in the Republic of Serbia and offers the application to data subjects in the European Economic Area and the United Kingdom, the GDPR and the UK GDPR apply to the relevant processing by virtue of their Art. 3(2). You may exercise the rights described in §9, and lodge a complaint with a supervisory authority as described in §17. For any matter relating to the processing of your personal data you may contact us at [email protected].

2. What we collect

The table below is the single source of truth for what personal data Tprice collects. Every item is mapped both to Apple's App Store privacy taxonomy (declared in the App Privacy form) and to Google's Play Store Data Safety taxonomy (declared in the Data Safety form). The two forms differ slightly in how they classify the same underlying data; differences are explained in §4.

| Item we collect | Apple App Store taxonomy | Google Play taxonomy |
| --- | --- | --- |
| Email address from Google or Apple SSO sign-in, and from the in-app "Report a product error" / "Contact us" forms. When you use Sign in with Apple with the "Hide My Email" option, the value we store is Apple's private-relay address ([email protected]); we do not receive your real Apple ID email. | Contact Info → Email Address | Personal info → Email address |
| Free-text content of messages you submit via the in-app "Report a product error" / "Contact us" forms. These messages are routed exclusively to Tprice support staff and are not used for any other purpose. They fall under Google's support-communications exception and are therefore not declared as a Messages item on Play. | User Content → Customer Support | (not declared — covered by Google's support-communications exception) |
| Your list of favorite products and your price alerts. Stored on our backend as account data; on Play they are part of the Email + User IDs declaration rather than a separate App-interactions item. | User Content → Other User Content | (covered by Email + User IDs Required items; not separately declared) |
| Firebase Authentication user identifier (Firebase UID) — primary key linking your account on our backend. | Identifiers → User ID | Personal info → User IDs |
| Firebase App Instance ID — pseudonymous, app-installation-scoped identifier generated by the Firebase SDK. | Identifiers → Device ID | Device or other IDs |
| Firebase Cloud Messaging (FCM) registration token — a device-installation-scoped push identifier generated by the Firebase SDK after you submit a request through the in-app "Contact us" form and grant the operating-system notification permission. It is transmitted to our backend together with your selected app language so that we can notify you when we have replied to your support request, as described in §5 and §9c. It is never used for marketing or advertising. | Identifiers → Device ID | Device or other IDs |
| In-app product search queries (the text you type into the search box). | Search History | App activity → In-app search history |
| In-app interaction events: screen views, login, sign-up, barcode scans, product views, adding to favorites, sharing, price-alert creation, language change. | Usage Data → Product Interaction | App activity → App interactions |
| Auto-collected diagnostic events generated by the Firebase SDK: app_exception, first_open, session_start, app_clear_data, os_update, app_remove. No stack traces are collected (Firebase Crashlytics and Sentry are not integrated). | Diagnostics → Performance Data | App info and performance → Crash logs |

The asymmetric handling of IP-derived approximate location (declared on Apple, not on Google) is explained in §4. Separately, your IP address is processed server-side at our service edge for security and abuse prevention; this is not a store-declared collection item (it is not collected from your device for this purpose) and is described in §4, §5a, and §8.

3. What we DO NOT collect

To prevent ambiguity, the following data are explicitly not collected by Tprice:

  • Display name. Tprice does not extract or store the displayName field returned by Google or Apple sign-in.
  • Precise (GPS) location. The application contains no GPS code, does not request location permissions, and does not depend on expo-location or any equivalent library.
  • The Apple Advertising Identifier (IDFA). Tprice does not display the App Tracking Transparency prompt and does not call requestTrackingAuthorization.
  • The Android Advertising ID (AD_ID). The permission com.google.android.gms.permission.AD_ID is explicitly blocked in the application manifest.
  • Camera frames. The camera is accessed only while the in-app barcode scanner is open. Video frames are decoded on-device by the barcode library and are never stored, uploaded, or transmitted off the device. Only the decoded numeric barcode string is sent to our backend to look up the product.
  • Photographs, videos, audio recordings, or files from your device storage.
  • Contact list, calendar, call log, SMS, or browser history.
  • Health, fitness, or biometric data.
  • Crash stack traces. Firebase Crashlytics, Sentry, and any equivalent crash-reporting library are not integrated.
  • Telephone number, postal address, full date of birth, or social-security / national-ID numbers.
  • Credit-card numbers, bank account numbers, or any payment-card data. The application is provided free of charge and offers no in-app purchases or paid subscriptions; Tprice does not collect or process any payment, financial, or purchase data.

4. City and country selection — taxonomic disclaimer

When you choose a country and a city from the in-app list, Tprice stores this choice as a preference and uses it solely to filter the product catalog and price data. This preference is not derived from GPS, Wi-Fi, Bluetooth, or any device sensor, and it is not treated as physical location data under either the Apple or the Google store taxonomies. The Android application does not request any location permission.

Separately, Firebase Analytics, when receiving an analytics event from your device, performs a server-side coarse geo-enrichment of the event based on the source IP address (country and city level only). For this analytics enrichment Tprice does not receive your raw IP address from the device; the enrichment is performed by Google entirely server-side, and Tprice's analytics console sees only the resulting country and city dimensions of the event. This processing is identical on iOS and Android. Separately from analytics, the Tprice service edge does process your IP address when you make requests to our backend, for the purpose of security and abuse prevention; that processing, its legal basis, and its retention are described in §5, §5a, and §8.

We declare this IP-based enrichment as "Coarse Location" in the Apple App Privacy form because Apple's taxonomy treats it as a Location item. We do not declare it as a separate Location item in the Play Data Safety form because the Android application does not hold or request any location permission and Google's taxonomy treats this kind of inherent SDK-side IP enrichment as part of the Analytics SDK's processing. The declarations are intentionally cautious on Apple's side; the underlying data flow is the same on both platforms.

The separate processing of your IP address at the Tprice service edge for security and abuse prevention (described in §5, §5a, and §8) is not a store-declared collection item on either platform: the IP address is observed at the network edge incident to each request rather than collected from your device by the application, it is used solely for security and abuse prevention, and it is retained only in access logs for the limited period stated in §8. It is therefore not an Apple "Location" item — the only Apple Location declaration is the Firebase analytics enrichment described above — and it is not a declared data type on the Google Play Data Safety form.

5. Purposes of processing

Tprice processes personal data only for the purposes listed below. The application is provided free of charge and offers no in-app purchases or paid subscriptions. We do not display advertising in the application, do not send marketing emails, do not send promotional or marketing push notifications, do not sell, share, or rent personal data to data brokers, and do not profile users for advertising or for the benefit of third parties. We operate a remote push-notification channel limited to a single transactional notification: a confirmation that we have replied to a support request you submitted through the in-app "Contact us" form. We send no other push notifications, and we never use this channel for marketing. This channel is described in the "Service notifications" purpose below, in §5a, and in §9c.

  • Account management. Creating your account, signing you in, linking your favorites and price alerts to your account, and processing your account-deletion request. Tprice does not offer a guest mode. Signing in with Google or Apple — which provides your email and creates a Firebase UID — is required in order to use the application. This is why Email and User IDs are declared as "Required" in the Play Data Safety form.
  • App functionality. Providing the core features of the application: product catalog, price history, search, favorites, price alerts, in-app customer support, barcode scanning.
  • Service notifications. When you submit a request through the in-app "Contact us" form, we send you a transactional push notification to let you know that we have replied to you (typically by email). This uses the FCM registration token described in §2; the notification text is localised on our server to your selected app language. This is the only push notification we send, and we do not use the push channel for marketing or any other purpose.
  • Analytics. Measuring feature usage, search performance, screen flow, and conversion funnels in an aggregated and pseudonymous form via Firebase Analytics (Google Analytics 4), including the IP-derived coarse (country / city) location enrichment described in §4. Analytics processing is governed by the in-app analytics toggle described in §9c and by the in-app consent dialog described in §5a.
  • Security of the service. Detecting and preventing automated scraping, brute-force attacks, and other abuse of the service through per-IP rate-limiting applied at the gateway in front of our backend (keyed on your IP address) and through inspection of access logs.

5a. Legal basis under GDPR Art. 6

| Processing activity | Categories of data | Legal basis (GDPR Art. 6) |
| --- | --- | --- |
| Creating and maintaining your account; linking your favorites and price alerts to your account | Email, Firebase UID | Art. 6(1)(b) — performance of a contract to which you are a party |
| Storing your favorites, price alerts, search queries, and your selected country / city / language preference | Favorites, price alerts, search history, preferences | Art. 6(1)(b) — performance of contract |
| Handling messages you submit through the in-app customer-support forms | Email, free-text message | Art. 6(1)(b) — performance of contract |
| Firebase Analytics events, including the IP-based coarse geo enrichment, and on-device storage of Firebase SDK identifiers ("similar technologies" under the ePrivacy Directive Art. 5(3)) | In-app interactions, search queries, screen flow, diagnostics, App Instance ID, coarse location | Art. 6(1)(a) — your explicit, opt-in consent. Consent is requested via a dedicated in-app dialog that defaults to "no analytics" and is shown once the application has had enough engagement signal to make an informed prompt meaningful (whichever first: two completed sessions, three product views, or seven days since first launch). Until you tap "Allow analytics" on that dialog, the Firebase Analytics SDK is not initialised on your device, no App Instance ID is written to on-device storage, and no analytics events are delivered to Google. You may withdraw consent at any time via the in-app analytics toggle (§9c). |
| Notifying you that we have replied to a support request you submitted through the in-app "Contact us" form, and storing the FCM registration token and your app-language preference for that purpose | FCM registration token, app language | Art. 6(1)(b) — performance of a contract: this notification forms part of the in-app support service you requested. Holding the device-scoped token so we can deliver that notification additionally relies on Art. 6(1)(f) — our legitimate interest in being able to reach you about your own support request, for which we have carried out a balancing assessment. The token is generated and transmitted only after you submit a "Contact us" request and grant the operating-system notification permission, is never used for marketing or analytics, is transmitted only with your app-language preference for localisation, and is cleared on uninstall or account deletion. The operating-system notification permission is your control and you may revoke it at any time (§9c). Marketing would require your separate opt-in consent under Art. 6(1)(a) |
| Detection of abuse and security incidents; per-IP rate-limiting of requests at the gateway in front of our backend; inspection of access logs | Client IP address (used as the rate-limiting key at the gateway, and recorded in access logs), request path, timestamp, and the Firebase UID where the request is authenticated (recorded in logs only, not used as a rate-limiting key) | Art. 6(1)(f) — legitimate interest in the security and availability of the service. We have carried out a legitimate-interests balancing assessment and limit this processing to the IP address and request metadata strictly necessary for security |

You may withdraw your consent for analytics processing at any time without affecting the lawfulness of processing carried out before the withdrawal. See §9c.

6. Third-party processors

Tprice uses the following third-party processors. Each processes personal data on our behalf under a written data processing agreement (Art. 28 GDPR) and only on documented instructions. Each processor is contractually required to provide a level of protection of personal data at least equivalent to the level described in this policy.

| Processor | Function | Data processed | Privacy policy |
| --- | --- | --- | --- |
| Google LLC and Google Ireland Ltd. | Firebase Authentication (sign-in with Google), Firebase Analytics (Google Analytics 4), Firebase Cloud Messaging (transport for the transactional support-reply notification) | Email, Firebase UID, Firebase App Instance ID, analytics events, FCM registration token, IP address (for coarse geo enrichment, server-side) | https://policies.google.com/privacy |
| Apple Inc. | Sign in with Apple, Apple Push Notification service (APNs — relays the transactional support-reply notification to iOS devices via Firebase Cloud Messaging). When you choose "Hide My Email", Apple operates a private-relay forwarding address; Tprice stores and uses only the relay address. | Apple ID-derived email (real or private-relay), APNs device token | https://www.apple.com/legal/privacy/ |
| Cloudflare, Inc. | Edge reverse proxy in front of the Tprice backend for the hosts api-hr.tprice.app and users.tprice.app (TLS termination, CDN, and DDoS protection). Every request to the backend transits Cloudflare's edge. | Client IP address, request metadata (path, headers, timestamps), and request payloads in transit — including the Authorization header bearing the Firebase ID token (with its sub and email claims), which is decrypted at Cloudflare's TLS-termination edge | https://www.cloudflare.com/privacypolicy/ |
| Hetzner Online GmbH | Hosting of the Tprice backend server (data centres in Germany) | Data stored in the backend database: Firebase UID, email, favorites, price alerts, FCM push token; server access logs | https://www.hetzner.com/legal/privacy-policy/ |
| Expo, Inc. | Build and over-the-air update infrastructure (EAS). Does not process personal user data of the application's end users; processes only build artifacts and OTA bundles. | None (no end-user data) | https://expo.dev/privacy |

6a. Transfers outside the European Economic Area

  • Google and Apple process personal data in the United States and in other countries where they operate. Transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, by the EU-US Data Privacy Framework (Google LLC and Apple Inc. are certified participants).
  • Hetzner processes the backend database within Germany (EEA), so no third-country transfer takes place for backend storage.
  • Cloudflare operates a global edge network and is established in the United States. All traffic to api-hr.tprice.app and users.tprice.app transits Cloudflare's edge (where TLS is terminated) before reaching the backend in Germany. Transfers are governed by the Standard Contractual Clauses and, where applicable, by the EU-US Data Privacy Framework (Cloudflare, Inc. is a certified participant).
  • Expo / EAS processes build artifacts in the United States under Standard Contractual Clauses; no end-user personal data is transferred.
  • The controller is established in the Republic of Serbia, which is outside the EEA and is not the subject of a European Commission adequacy decision. Access by the controller from Serbia to personal data stored in the EEA (Hetzner, Germany) is a transfer for which we maintain appropriate safeguards under Chapter V of the GDPR (Standard Contractual Clauses). This processing is additionally subject to the cross-border-transfer provisions of the Serbian Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti).

We do not transfer personal data outside the EEA without an adequate-protection mechanism under Chapter V of the GDPR.

7. Data sharing

Tprice does not sell personal data and does not share personal data with third parties for their own purposes. Personal data is processed only by Tprice and by the processors listed in §6, acting on Tprice's documented instructions under a written data processing agreement. For the purposes of the Google Play Data Safety form, these processors are service providers and these transfers do not constitute "sharing".

Tprice does not participate in any advertising network, does not integrate any third-party analytics service other than Firebase Analytics, and does not integrate any social-media tracking pixel.

8. Retention

| Category | Retention period |
| --- | --- |
| Account data (email, Firebase UID, favorites, price alerts, preferences, FCM push token) | For as long as your account remains active. Deleted immediately when you delete your account in-app, or within 14 business days of an email deletion request. The FCM push token is additionally cleared as soon as the push service reports that the token is no longer valid (for example after you uninstall the application). |
| Firebase Analytics events | Fourteen months from the date of the event (the standard Google Analytics 4 retention window). |
| Backend server access logs | Up to 30 days, for security and abuse prevention. |
| Customer-support correspondence | Up to 12 months from the last message, to allow follow-up and to detect recurring abuse. |

9. Your rights under the GDPR

If you are located in the European Economic Area or in the United Kingdom, you have the following rights with respect to personal data that Tprice processes about you:

  • Right of access (Art. 15) — to obtain confirmation of whether we process your data and, if so, a copy of that data.
  • Right to rectification (Art. 16) — to have inaccurate data corrected.
  • Right to erasure (Art. 17) — to have your data deleted; see §9b for mechanics and statutory carve-outs.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — to object to processing based on legitimate interest (Art. 6(1)(f)). For processing carried out for the security and rate-limiting of the service, we may continue the processing where we can demonstrate compelling legitimate grounds (Art. 21(1)). You can revoke the operating-system notification permission at any time, after which the stored push token is no longer used and is cleared (see §9c and §8).
  • Right to withdraw consent (Art. 7(3)) — see §9c.
  • Right to lodge a complaint with a supervisory authority — see §17.

To exercise any of these rights, write to [email protected] from the email address tied to your account. We respond within one month, extendable by a further two months for complex requests with prior notice, in accordance with Art. 12(3) GDPR. We do not charge a fee unless the request is manifestly unfounded or excessive.

9a. California (CCPA / CPRA)

If you are a California resident, you have additional rights under the CCPA as amended by the CPRA:

  • Right to know what categories of personal information we have collected, the sources, the purposes, and the categories of recipients.
  • Right to delete personal information we have collected from you, subject to statutory exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of personal information.
  • Right to limit use and disclosure of sensitive personal information.
  • Right to non-discrimination for exercising any of the above.

Tprice does not sell and does not share personal information as those terms are defined under the CCPA / CPRA, and has not done so during the preceding twelve months. Tprice does not engage in cross-context behavioural advertising.

Categories of personal information collected in the preceding twelve months (Cal. Civ. Code §1798.140(v))

| Category | Sources | Business / commercial purpose |
| --- | --- | --- |
| Identifiers — Firebase UID, email, FCM device push token | Firebase UID and email directly from you via Google or Apple SSO at sign-in; the FCM push token generated on your device after you grant the notification permission | Account creation and management; authentication; security; analytics (under consent); notifying you that we have replied to a support request you submitted |
| Internet or other electronic network activity information — in-app interactions, search queries, screen flow; your IP address processed at our service edge | Firebase Analytics SDK on your device (only if consent has been given); requests to our backend (IP address) | Product analytics and improvement; security and rate-limiting |
| Geolocation data — coarse (country / city) only, derived server-side from your IP address by Firebase Analytics | Google Analytics 4 infrastructure (server-side) | Aggregate market analytics |
| Customer records — email and free-text message content | Directly from you when you submit a "Report a product error" or "Contact us" form | Handling your support request |

Retention periods for each category are set out in §8.

Sensitive personal information

Tprice does not collect "sensitive personal information" within the meaning of Cal. Civ. Code §1798.140(ae), other than account-authentication credentials (the Firebase Authentication ID token) processed solely to provide the service you have requested under the §1798.121(a) carve-out. Accordingly, the right to limit the use and disclosure of sensitive personal information does not give rise to additional controls beyond the account-deletion mechanism in §9b.

Exercising CCPA rights

Write to [email protected] from the email address tied to your account. We verify identity by matching the requester's email to the email on file. Authorised agents must provide (i) written permission signed by you authorising the agent to make the request, (ii) proof of identity verified directly with us by the consumer, and (iii) confirmation from the consumer that the agent is authorised to act on the consumer's behalf (Cal. Code Regs. tit. 11 §7063).

9b. How account deletion works

You can delete your account in two ways:

  1. In-app — open the app, go to Profile → Account settings → Delete account, and confirm. Your account is deleted immediately.
  2. By email — write to [email protected] from the email address tied to your account, with the subject line "Account deletion request". We complete the deletion and send a confirmation within 14 business days. This SLA is shorter than the one-month maximum permitted by GDPR Art. 12(3) and is our binding commitment.

When we delete your account, we permanently remove:

  • Your email address and Firebase UID.
  • Your favorites and price alerts.
  • Your selected country, city, and language preferences linked to the account.
  • Your FCM push notification token.
  • Any free-text customer-support messages tied to your account, unless we are required to retain them under a legal obligation.

Some records are retained after account deletion, as described in §8:

  • Aggregated Firebase Analytics data that is no longer linked to a deleted account and is purged automatically after fourteen months.
  • Server access logs, up to 30 days, which do not identify a deleted user.

This account-deletion process is also described on a standalone publicly accessible page at https://www.tprice.app/en/account-deletion.

9c. Right to withdraw consent in practice

  • Analytics. The analytics toggle in Profile → Account settings → Usage analytics is the in-app point of control for analytics consent: it defaults to OFF and is the only way to enable analytics before the engagement-threshold dialog (§5a) is shown. After consent has been given — whether at the dialog or via the toggle — switching the toggle off withdraws consent. Firebase Analytics is then disabled at the SDK level (setAnalyticsCollectionEnabled(false)), and resetAnalyticsData() is called to wipe the App Instance ID on your device; no analytics events — including auto-collected events such as screen_view, session_start, app_exception, and no setUserId association — are collected from your device until you turn the toggle back on. Withdrawing analytics consent stops collection of all items declared as "Optional" in the Play Data Safety form (App interactions, In-app search history, Crash logs, and the analytics part of Device IDs — the Firebase App Instance ID). The "Device or other IDs" item also covers the FCM push token; collection of that token is not governed by this analytics toggle but by the operating-system notification permission described below. Items declared as "Required" (Email, User IDs) are unaffected by this toggle because they are necessary for the account to function; to stop their collection, delete your account (§9b).
  • Notifications. The application requests the operating-system notification permission only when you submit a request through the in-app "Contact us" form, so that we can notify you of our reply:
    • Support-reply notification (remote push). When you submit a "Contact us" request and grant the permission, the Firebase SDK generates a push (FCM) registration token, which the application transmits to our backend together with your selected app language. We use this token only to notify you that we have replied to your support request; the message is localised on our server to your app language, and on iOS is delivered through Apple's Push Notification service (APNs), which relays it to your device (see §6). This is the only push notification we send. Its legal basis is Art. 6(1)(b) — the notification forms part of the support service you requested — and, for holding the token, Art. 6(1)(f); not consent. Accordingly the operating-system permission is your point of control — you may deny or revoke it at any time in your operating-system settings, after which we stop sending you push notifications (and the token is cleared as described in §8). We do not send promotional or marketing push notifications. If we introduce a marketing push channel in a future release it will be strictly opt-in, off by default, and we will obtain your separate consent under Art. 6(1)(a) before any marketing message is sent.
  • Your account as a whole. See §9b.

10. Children

Tprice is intended for users 18 years of age and older. The application is not directed to children, does not contain features designed for children, and does not knowingly collect personal data from children under 18. The 18-year threshold is set uniformly across all markets, which is higher than the minimum digital-consent age required by GDPR Art. 8 in any EEA member state and higher than COPPA's threshold of 13 in the United States.

If we learn that we have collected personal data from a user under the age of 18, we delete the account and the associated data as soon as practicable. If you believe that a child under 18 has provided personal data to Tprice, please contact [email protected].

The application is not enrolled in the Google Play Families Policy because it is not directed to children.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of the document is always current. For material changes — changes that affect the categories of data collected, the purposes of processing, the legal bases, or the categories of recipients — we will notify users in advance via an in-app banner. We will also keep the previous version of this policy accessible on request through [email protected].

Continued use of the application after a non-material change to this policy constitutes acknowledgement of the updated text. For changes that require renewed consent under GDPR Art. 7, we will request fresh consent in-app.

12. Contact

  • Privacy and data-protection: [email protected]
  • General support: [email protected]
  • Postal: Jurija Gagarina 231, 11073 Belgrade, Serbia

13. Automated decision-making (GDPR Art. 22)

Tprice does not engage in automated decision-making, including profiling, that produces legal effects concerning you or that similarly significantly affects you.

14. Special categories of personal data (GDPR Art. 9)

Tprice does not collect or process special categories of personal data, namely data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

15. Personal data breach notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, Tprice will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with GDPR Art. 33. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, Tprice will also communicate the breach to the affected users without undue delay, in accordance with GDPR Art. 34.

16. Cookies and similar technologies

Tprice is a native mobile application and does not use HTTP cookies. The application stores the following locally on your device:

  • Application settings (selected country, city, language, the analytics opt-in preference) in the operating-system-provided local key-value store (AsyncStorage on React Native), which is private to the application.
  • Identifiers used by the Firebase SDKs (notably the Firebase App Instance ID and the Firebase Authentication ID token), treated as "similar technologies" under Art. 5(3) of the ePrivacy Directive. The Firebase Authentication ID token is necessary to provide the account service you have requested. The Firebase App Instance ID is generated and stored only after you have granted affirmative consent via the in-app analytics dialog described in §5a (shown once the engagement-threshold conditions are met) or by enabling the analytics toggle in Profile → Account settings → Usage analytics (§9c). Prior to consent, no analytics identifier exists on your device; the Firebase Analytics SDK is configured with auto-collection disabled at build time. Local session-counter values used to decide when to show the consent dialog (session count, product-view count, install date) are stored under the strictly-necessary exception of ePrivacy Directive Art. 5(3) — they never leave the device and are not associated with any identifier.
  • The Firebase Cloud Messaging (FCM) registration token, generated and stored on your device only after you submit a "Contact us" request and grant the operating-system notification permission. Because it is generated solely as a result of your explicit request to receive notifications, storing it falls under the ePrivacy Directive Art. 5(3) exemption for storage that is necessary to provide a service explicitly requested by the user. It is used only to deliver the support-reply notification described in §5a and §9c, and is not used for analytics or advertising. If you do not grant the notification permission, no FCM token is generated.

The Tprice website at www.tprice.app uses only strictly necessary cookies (or no cookies) and does not load third-party tracking pixels.

17. Supervisory authorities

If you believe that our processing of your personal data infringes data-protection law, you have the right to lodge a complaint with a supervisory authority. The controller is established in the Republic of Serbia, where the competent national authority is the Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti. Because the controller has no establishment in the European Union, the GDPR "one-stop-shop" mechanism does not apply: if you are in the EEA you may lodge your complaint with the supervisory authority of your Member State of residence, place of work, or place of the alleged infringement. The supervisory authorities in our principal markets are:

  • Croatia — Agencija za zaštitu osobnih podataka (AZOP) — https://azop.hr
  • Serbia — Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (Poverenik) — https://www.poverenik.rs
  • European Union (other member states) — the supervisory authority of the member state of your habitual residence, place of work, or place of the alleged infringement. The full list is maintained by the European Data Protection Board at https://edpb.europa.eu/about-edpb/about-edpb/members_en
  • United Kingdom — the Information Commissioner's Office (ICO) — https://ico.org.uk

You may also contact [email protected] before lodging a formal complaint; we will do our best to address your concern.


End of policy.
