Privacy Policy

Last updated: April 2026

Who runs Šmudla

Šmudla is operated by Ádám Nagy, IČ 08436665, registered at Zvěřinova 160/3, 618 00 Brno-Černovice, Czech Republic. I am the data controller for personal data processed by the Šmudla app.

Questions, requests, complaints: hello@smudla.app.

What I collect

Only what the service needs to work:

• Account data — your name, and either an email address or a phone number, used to sign you in.
• Household content — the rooms, tasks, shopping items, and notes you create inside the app.
• Activity records — who completed which task and when, so members can see progress.
• Device tokens — the push notification identifier assigned to your device, so we can notify you about new tasks or reminders.
• Country signal — when you sign up, we look up your approximate country from your IP address to pre-fill the phone number flag. The IP address is temporarily stored (up to 24 hours) to enforce rate limits on sensitive actions (sign-up, password reset, feedback), then automatically deleted.
• Support messages — anything you write and any screenshots you attach when using in-app feedback.
• Technical logs — server-side request logs (error codes, timestamps) used to operate the service. These contain user identifiers for a short retention window, then are rotated out.

Legal basis (GDPR Art. 6)

• Performance of a contract — processing your account, household content, and activity records is required to provide the service you signed up for.
• Legitimate interest — fraud prevention, abuse protection, rate-limiting, and technical logs, balanced against your privacy.
• Consent — push notifications. You can revoke this any time in your device settings or inside the app.

How I use it

Your data is used solely to run Šmudla — storing your household, syncing between members, sending notifications, and protecting the service from abuse. I do not sell, rent, or share your personal data with anyone for marketing.

Who processes it (subprocessors)

Šmudla uses the following third parties to operate:

• Google Firebase (Google Cloud EMEA Limited, Ireland) — authentication, Firestore database, Cloud Functions, Cloud Messaging, App Check. Data is stored in EU region europe-west3 (Frankfurt).
• Google Play Integrity — verifies that requests come from a genuine Šmudla app install (Android).
• Resend (Resend, Inc., USA) — transactional email (verification links, password resets, feedback). Email address and message content pass through Resend.
• ipapi.com (apilayer sp. z o.o., Poland) — one-off country lookup from your IP during sign-up. No persistent profile is created.

Some of these may transfer data outside the EEA. Transfers rely on EU Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.

How long I keep it

• Account + household data — as long as your account exists. Delete your account to erase it (see below).
• Former-member records — when you leave or delete your account, a minimal record remains in households you were part of: your display name and one-way cryptographic hashes (SHA-256) of your email and phone number. These let other members see past activity attribution and prevent duplicate re-joins. Hashes cannot be reversed to your original contact info and are deleted when the household itself is deleted.
• Server logs — rotated out after 30 days.
• Support messages — retained until the issue is resolved, then deleted within 90 days.

Your rights

Under GDPR you have the right to:

• Access the personal data I hold about you
• Correct inaccurate data
• Delete your data (see delete-data)
• Restrict or object to processing
• Receive a copy of your data in a portable format
• Withdraw consent for push notifications at any time
• File a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů, uoou.cz)

To exercise any of these, write to hello@smudla.app. I respond within 30 days.

Children

Šmudla is intended for users aged 13 and over. If you are under 13, do not create an account. If I learn that a child under 13 signed up, I will delete the account.

Security

Data is encrypted in transit (HTTPS/TLS) and at rest (Google Cloud default encryption). Access to production data is restricted to the data controller.

Changes

If this policy changes materially, I will notify active users in the app and/or by email and ask for re-acceptance before the next sensitive action. The "last updated" date above always reflects the current version.

Contact

For questions about this policy or to exercise your rights: hello@smudla.app.