PRIVACY POLICY

§1. Personal data administrator

1. The administrator of the personal data of the Users of the Application is GIRL Spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw at Hoża 86/410, 00-682 Warsaw, entered into the register of entrepreneurs kept by the District Court for the m.st of Warsaw in Warsaw, XII Commercial Division of the National Court Register under the number KRS 0001194379, NIP 7011278458, REGON 542783554 (hereinafter: "Administrator").

2. E-mail address of the Administrator to contact you in matters of personal data: kontakt@girl-app.com.

3. Correspondence address of the Administrator in matters of personal data: GIRL Spółka z ograniczoną odpowiedzialnością, Hoża 86/410, 00-682 Warsaw.

4. We have appointed a Data Protection Officer (DPO), who can be contacted: for the protection of personal data, i.e. a personal data protection officer (DPO), who can be contacted:

1. to the e-mail address: kontakt@girl-app.com;

2. in writing, to the address: GIRL Spółka z ograniczoną odpowiedzialnością, Hoża 86/410, 00-682 Warsaw.

§2. Purposes and bases for data processing

Your personal data may be processed for the following purposes:

Purpose of processing: Legal basis

Creating and maintaining a User Account: Article 6(1)(b) of the GDPR – performance of the contract

Organization and participation in Events: Article 6(1)(b) of the GDPR – performance of the contract

Content Moderation, User Protection and Abuse Prevention: Article 6(1)(f) of the GDPR – legitimate interest of the Administrator

Handling requests and contacting the User: Article 6(1)(f) of the GDPR

Fulfilment of legal obligations (e.g. tax): Article 6(1)(f) of the GDPR

Analysis of the use of the Application and keeping internal statistics: Article 6(1)(f) of the GDPR – legitimate interest (product and UX optimization)

Improving the usability, stability and security of the Application: Article 6(1)(f) of the GDPR – legitimate interest (ensuring the continuity and quality of the Services)

Development and implementation of new functionalities: Article 6(1)(f) of the GDPR – legitimate interest (innovation and development of GIRL Sp. z o.o.)

Sending the newsletter: Article 6(1)(f) of the GDPR – agreement

Marketing and statistical purposes: Article 6(1)(f) of the GDPR – agreement

§3. Scope of processed data

The following data may be processed in the application:

1. Identification and contact data: name (nickname), e-mail address, and Account ID.

2. Demographics: date of birth and age (verification of the requirement to be at least 18 years old).

3. Profile Data: profile picture, interests, profile description (bio) and contact network information (list of verified friends in the Application is).

4. Location data: Location (e.g., city or approximate GPS coordinates) necessary to find local groups and Events.

5. Data on the activity and functions of the Application: information on participation in Events (registration, status of the organizer/participant) and browsing thematic groups,

1. the time of the start and end of the use of individual screens of the application (the so-called screen time, in the form of time stamps),

2. the number and type of the User's interaction with the elements of the Application's interface, including button clicks and transitions between screens.

6. Technical and statistical data: technical data of the device (e.g. IP address, operating system, device model, unique identifiers),

1. statistical data linked to the User's or Account's identifier, used to analyse how the Application is used.

7. Communication data: data related to the newsletter (e-mail, time of recording and withdrawal of consent) and content sent in the communication channels of the Events.

§4. Data recipients

Personal data may be transferred:

1. technical service providers (e.g. hosting, Firebase, analysis of statistics),

2. payment processors (e.g. in the case of paid Events),

3. entities authorized under the law (e.g. law enforcement authorities, courts),

4. marketing and newsletter service providers.

Personal data may be transferred outside the European Economic Area (EEA), in particular to the United States, in connection with the use of the services of providers such as Google (Firebase, Analytics, AdMob). The transfer is based on standard contractual clauses approved by the European Commission or other relevant protection mechanisms in accordance with the GDPR. To the extent that data is collected by external tools (Firebase, Google Analytics, AdMob), the terms and conditions of these providers apply.

§5. Data retention period

The data will be stored:

1. for the period of holding the Account in the Application or until an effective objection to the processing is filed, but no longer than the period necessary to pursue, establish claims, or defend against claims, i.e. 3 or 6 years,

2. for the period required by law (e.g. tax),

3. in the case of data processed on the basis of consent – to withdraw it.

§6. User rights

You have the right to:

1. access to your data,

2. rectification of data,

3. erasure of data ("right to be forgotten"),

4. delete the Account without the need to provide a reason,

5. restriction of processing,

6. data portability,

7. object to processing,

8. withdraw consent (at any time, without affecting compliance with previous processing),

9. file a complaint with the President of the Office for Personal Data Protection (2 Stawki Street, 00-193 Warsaw, www.uodo.gov.pl).

In order to exercise your rights, please contact the Administrator: kontakt@girl-app.com.

§7. Photos from the Events and image

1. Within the Application, you may add photos from Events, which may include an image of yourself or others. The image is treated as personal data within the meaning of the GDPR.

2. Publishing a photo in the Application means that it is visible to other participants of the same Event.

3. The use of photos containing the User's image for promotional or marketing purposes of the Application outside its scope (e.g. in social media, advertising materials) is carried out only on the basis of a separate, explicit consent of the User (Article 6(1)(a) of the GDPR), which the User may withdraw at any time by contacting the Administrator.

4. The User may withdraw the consent to the use of a particular photo at any time by contacting the Administrator.

§8. Data security

We have implemented appropriate technical and organizational measures to protect your data from unauthorized access, disclosure, loss or destruction. Data is transmitted using encryption (SSL/HTTPS) and is only accessible to authorized persons.

§9. Cookies and Tracking Technologies

The Application may use Cookies and similar technologies to:

1. maintaining sessions and ensuring the operation of the Application,

2. analyze the use of the Application,

3. personalization of content (if you agree).

Detailed information can be found in a separate Cookies and Tracking Technology Policy, available in the Application. To the extent that data is collected by external tools (Firebase, Google Analytics, AdMob), the terms and conditions of these providers apply.

§10. Newsletter

1. You have the option of subscribing to the newsletter of the GIRL Application

2. As part of the newsletter, you can receive information about events, news and promotional materials.

3. The basis for the processing of data (e-mail address) is the User's voluntary consent (Article 6(1)(a) of the GDPR).

4. You can withdraw your consent at any time by clicking on the unsubscribe link in the footer of the message or by contacting the Administrator.

5. The withdrawal of consent does not affect the lawfulness of the processing before its withdrawal.

§11. Changes to the Privacy Policy

We reserve the right to change this Policy. We will notify Users of any material changes via the Application or by e-mail, in good time.

§12. Cookies and Tracking Technology Policy

Effective Date: 01.04.2026

1. What are cookies and tracking technologies?

The GIRL Application may use cookies and similar tracking technologies (e.g., mobile device identifiers, local storage, SDKs) to ensure the proper functioning of the Application, analyze how the Application is used, improve our Services, customize content and functionality, and conduct marketing activities.

2. What technologies can be used?

1. In the Application, we use in particular:

1. technical cookies and identifiers – necessary for the proper operation of the Application, maintaining the session, ensuring security and remembering the User's basic settings, including:

1. session cookies, which remain stored until you log out of the Application or close it,

2. persistent cookies, which remain on the device for the time specified in their parameters or until deleted by the User,

2. analytical tracking technologies (e.g. Firebase Analytics, Sentry) – used to analyze the way the Application is used, detect errors and optimize the User's experience,

3. Marketing tracking technologies (e.g., Google AdMob) – to display tailored promotional content.

3. What are server logs and how are they used?

1. During the use of the Application, the so-called server logs may be automatically collected. This data includes, in particular: the URL of the resources called, the date and time of receipt of the query and the sending of the response, information about errors that occurred during the execution of the query, the IP address of the device and information about the operating system or model of the device used.

2. We use the data from the logs only for the purpose of administering the Application and the server, ensuring the security and stability of the systems and keeping aggregate statistics on the use of the Application.

3. Log data is not used to identify individual Users, unless it is necessary to prevent abuse, clarify security incidents or pursue claims.

4. Can you give or withdraw your consent?

1. In the case of technologies that are not necessary for the operation of the Application (analytical and marketing), the User will be asked for consent when the Application is first launched or in the appropriate privacy settings.

2. The use of these technologies is based on the User's consent within the meaning of Article 6(1)(a) of the GDPR. Consent may be withdrawn at any time in the privacy settings of the Application, without affecting the lawfulness of the processing before its withdrawal.

3. You can also restrict or block advertising identifiers in your device's system settings (Android/iOS), which may affect the scope of personalization of advertising content.

5. How long is the data stored?

The length of time you store your data depends on the specific technology and the purpose for which it is used. Some data is stored only during the session, others may be stored for a longer period of time – generally from 6 to 24 months in the case of statistical and marketing data, unless you delete it first in the settings of your device or Application.

6. Who has access to the data?

Data collected through cookies and tracking technologies may be available to:

1. the operator of the Application (GIRL Sp. z o.o.),

2. providers of analytical tools (e.g. Google, Firebase),

3. advertising operators, if consent is given for marketing purposes,

4. providers of technical services supporting the functioning of the Application.

All these entities are obliged to apply appropriate personal data protection measures in accordance with the GDPR.

7. Changes to the Cookies Policy

We reserve the right to make changes to this Policy. We will inform Users of material changes in the Application or by e-mail, in particular if the changes require re-obtaining consent to the use of certain technologies.