Legal

Privacy policy

What data we collect, why we collect it, and what you can do about it.

Effective date: July 1, 2026 · Data controller: Ocupi d.o.o., Novi Sad, Serbia · Contact: privacy@ocupi.rs

1. What data we collect

Account data - name, username, email address, and password hash (stored by Supabase Auth). You may optionally add a profile photo and bio.

Activity data - activities you create, activities you join, your attendance history, and your reliability score.

Usage data - standard server logs including IP address, browser type, pages visited, and timestamps. These are used for security and debugging only.

Location - if you use the Near Me map feature, your browser will request your approximate location. This is processed locally in your browser and is not stored on our servers.

2. Why we collect it

  • To operate the platform - account management, displaying activities, tracking joins and the reliability score
  • To communicate with you - activity notifications, important platform updates
  • To keep the platform safe - detecting abuse, enforcing community guidelines, server security
  • Legal obligations - retaining certain records as required by Serbian law

We do not use your data for advertising. We do not sell your data to third parties.

3. Who we share data with

Supabase - our database and authentication provider. Data is stored on Supabase-managed infrastructure in the EU. Supabase processes data under their own GDPR-compliant privacy policy.

We do not share personal data with any other third parties unless required by law or court order.

4. How long we keep your data

Your data is kept for as long as your account is active. If you delete your account:

  • Your profile, name, and email are deleted within 30 days
  • Activity history (anonymised) may be retained for up to 12 months to preserve aggregate event records
  • Server logs are retained for 90 days for security purposes

5. Your rights (GDPR / Serbian ZZPL)

Under Serbian data protection law (aligned with GDPR), you have the right to:

  • Access - request a copy of the data we hold about you
  • Rectification - correct inaccurate data (most of this you can do directly in Settings)
  • Erasure - request deletion of your account and personal data
  • Portability - receive your data in a machine-readable format
  • Object - object to processing in certain circumstances

To exercise any of these rights, email privacy@ocupi.rs. We will respond within 30 days.

6. Cookies

Ocupi uses only strictly necessary cookies - specifically the Supabase authentication session cookie that keeps you logged in. We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required because we only use essential cookies.

7. Security

We use HTTPS for all data in transit. Passwords are never stored in plaintext - authentication is handled by Supabase Auth which uses bcrypt hashing. Database access is protected by Row-Level Security policies that ensure users can only access their own data.

8. Children

Ocupi is not intended for users under 16. We do not knowingly collect data from children. If you believe a minor has created an account, contact us at privacy@ocupi.rs and we will delete it.

9. Changes to this policy

If we make material changes to this policy, we will notify you by email or in-app notice at least 14 days before the changes take effect.

10. Contact and complaints

Data protection enquiries: privacy@ocupi.rs

If you are not satisfied with our response, you have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (poverenik.rs).