oAlert.pl
PL EN
Back to homepage

Data protection

Privacy Policy

We stay transparent — here is everything about how the oAlert.pl app processes your data.

Version 2026-03-19, effective from 2026-03-19.

Data Safety Summary (Google Play & App Store)

This summary provides key information required by Google Play Store and Apple App Store about how oAlert collects, uses, and protects your data.

  • DATA COLLECTED: Device identifiers (Android ID, identifierForVendor), a locally generated UUID used for device identification, device info (model, OS version, app version), IP address, push notification tokens (FCM/APNS), optional bug report data (description, email, photos), barcode scans (EAN codes sent to backend), ad tracking events (impression, click, completion), community report data (product details, problem description, photos), premium subscription status.
  • DATA SHARED: Push tokens shared with Firebase Cloud Messaging and Apple Push Notification service for notification delivery. Device headers shared with oAlert backend for compatibility checks. Advertising ID may be shared with Google Mobile Ads SDK for ad delivery. Analytics data shared with Firebase Analytics (iOS and Android).
  • DATA USAGE: Delivering product safety alerts, sending push notifications, displaying advertisements, improving app stability, troubleshooting crashes, barcode scanning for alert lookup, processing community reports, managing premium subscriptions.
  • SECURITY PRACTICES: All data transmitted via encrypted HTTPS/TLS connections. API responses additionally encrypted with AES-256-CBC. No personal data stored on servers except push tokens and optional bug reports. Local data encrypted on device. Server access restricted.
  • DATA RETENTION: Local cache deleted on app uninstall. Push tokens removed after 18 months of inactivity. Server logs kept for approximately one year. Bug reports kept for 12 months after resolution.
  • USER RIGHTS: You can request access, deletion, or correction of your data by contacting [email protected]. You can delete local data via in-app reset. You can disable push notifications at any time.
  • THIRD-PARTY ACCESS: Firebase (Google), Google Mobile Ads SDK, ML Kit (Google). These parties operate under their own privacy policies.
  • NO SELLING OF DATA: We do not sell, rent, or trade your personal data to third parties for marketing purposes.

1. Data controller

The oAlert mobile application (available at oAlert.pl) is operated by ADAKS MEDIA DANIEL DOBROWOLSKI, NIP: PL6152062671, with registered address at 59-800 Lubań, Mściszów 112B, Poland, who acts as the controller of personal data processed within the Application.

For privacy requests or questions please write to [email protected].

2. Data stored directly on your device

We design features so that the most sensitive information stays on your device. The following items are written to local storage (UserDefaults/cache on iOS, Room Database/DataStore on Android) and never leave the device unless you explicitly include them in a support message:

  • Alerts (product names, categories, shops, alert types, risk levels) downloaded from our backend are cached only to show lists, statistics and filters. They are deleted when you use the in-app "Reset/clear" option or uninstall the Application.
  • User notes – free text attached to a specific alert. Notes remain in local storage (UserDefaults on iOS, Room/DataStore on Android) and are not uploaded anywhere. You may export notes to PDF or share them, but this happens locally on your device.
  • Favourite alerts and "read" statuses – identifiers kept locally so the "Important" list and the red highlighting of new alerts work. The identifiers never leave the device.
  • Filters, onboarding progress, consent prompts (ATT/push on iOS, notification permission on Android) and decisions about badges or tips – stored locally to remember your choices.
  • Statistics and filtering results – the Application computes them locally on the cached alerts (e.g. monthly counts or top categories). No aggregated metrics are transmitted.
  • Debug logs (AppLogger on iOS) generated in development or beta builds stay on the device and are cleared with the Application.
  • Premium subscription status (active/inactive, plan type) stored locally to customise the interface (hide ads, unlock Premium features).
  • Community report drafts in progress stored locally until submitted to the server.

3. Device information sent to our backend

Every network call to refresh alerts, register a token or send feedback includes limited diagnostics so we can ensure compatibility and detect abuse. The data is delivered only to the oAlert backend via encrypted HTTPS connections.

  • HTTP headers: X-App-Version, X-App-Build, X-OS-Version (X-iOS-Version on iOS, Android version on Android), X-Device-Model, X-Device-ID (identifierForVendor on iOS, Android ID on Android) and X-Platform. They help us troubleshoot crashes and verify that your device can handle the newest features.
  • User-Agent header containing application name and version information.
  • IP address and request metadata stored in access logs. These logs are automatically deleted after 90 days. Logs may be kept longer if required for security incidents or legal reasons.
  • Device ID (UUID) – the Application generates a unique identifier (UUID) stored locally in UserDefaults/Keychain (iOS) or SharedPreferences (Android). This identifier is used for device identification in the advertising system (passed in requests to advertisement management endpoints such as /ads/should-show and /ads/track) and for push notification registration. The identifier persists for the lifetime of the app installation and is deleted when you uninstall the Application or use the in-app reset feature.

4. Features that require additional data

Certain functions send extra fields so they can work as intended:

  • Push notifications – we register the push notification token (APNS on iOS, FCM on Android) together with platform, locale, device model and device identifier (identifierForVendor on iOS, Android ID on Android). Tokens are used solely to deliver alerts and are removed once you disable notifications or after long-term inactivity. Push payloads may contain alert identifiers or small snippets to refresh the local cache; optional attachments are downloaded temporarily and discarded immediately after the notification is shown. On Android, WorkManager may trigger background fetch after receiving a push notification.
  • Bug report – if you send a report we receive the description (max. 2,000 characters), an optional e-mail address, the Firebase device token and optional photo attachments. The data is not shared outside oAlert and is kept only for handling the ticket.
  • Barcode scanner / camera – requires camera permission. On iOS the camera uses AVFoundation, on Android it uses CameraX and ML Kit Barcode Scanning. The camera works only while you keep the scanner screen open. Frames are not recorded, images are processed locally, and the decoded barcode (EAN) is treated like a local search phrase and may be sent to the backend to find matching alerts.
  • Statistics and filtering – all calculations happen on-device. We do not upload summary data or personal insights.
  • Advertisement tracking – when ads are displayed, the Application sends tracking events (impression, click, completion) to the oAlert backend including device identifier (device_id), advertisement identifier (ad_id), display location, ad type, and event timestamps. This data is used to manage ad frequency and measure ad effectiveness. On Android, this may indirectly use the Google Advertising ID through Google Mobile Ads SDK.
  • Advertisement configuration – the Application fetches advertising configuration from the server and caches it locally for 24 hours. This configuration determines which ad formats are displayed, their frequency, and placement. The request includes only device headers described in Section 3.
  • Install date tracking – the Application stores the date of first installation locally on your device. During the first 24 hours after installation, advertisements are not displayed. This grace period mechanism operates entirely on-device and does not send any data to our servers.
  • Application version checking – the Application periodically checks the current version against the minimum required version from the oAlert backend. This check sends only the current app version and platform. Depending on the result, the Application may display a mandatory update prompt (blocking further use until updated) or an optional update suggestion that can be dismissed. No personal data is collected during this process.

5. Community reports

The Application allows users to submit reports about potentially dangerous products (Community Reports). The following data is collected when you create a report:

  • Product information: product name, batch number, storage conditions, expiry date, purchase date, store name. Optionally: EAN code, manufacturer, country of origin.
  • Problem description: free text between 120 and 5,000 characters describing the issue with the product.
  • Photos: up to 5 product photos and 1 receipt photo (JPEG format). EXIF metadata (including GPS location data, camera information and timestamps) is automatically stripped from all uploaded photos before storage on the server.
  • In-report messaging: text messages exchanged between you and the oAlert administrator within the context of your report.
  • You can confirm (upvote) or flag other users' community alerts for moderation review.
  • All data is transmitted via an encrypted connection to the oAlert server and stored there.
  • Legal basis: Article 6(1)(b) GDPR (performance of the service you requested) and Article 6(1)(a) GDPR (consent for voluntary photo upload).
  • Retention: reports, photos and messages are stored for a minimum of 12 months.
  • Deletion: you can request deletion of your community reports and associated data by contacting [email protected].

6. Premium subscriptions

The Application offers paid subscription plans that unlock additional features:

  • Available plans: Premium Individual (Apple App Store and Google Play Store, monthly subscription) and Premium Family (Apple App Store only, monthly subscription).
  • oAlert does NOT process or store payment data — all payment processing is handled entirely by Apple (App Store) or Google (Google Play Store).
  • Your premium subscription status (active/inactive) is transmitted to the oAlert server to customise the service: disabling advertisements and enabling priority push notifications.
  • Legal basis: Article 6(1)(b) GDPR (performance of the contract for the subscribed service).

7. Legal bases and purposes

Providing access to alerts, favourites, filters, scanner and local history – Article 6(1)(b) GDPR (performance of a service requested by the user).

Diagnostics, security monitoring and log retention – Article 6(1)(f) GDPR (legitimate interest of keeping the Application reliable).

Push notifications, optional reminders and marketing communication – Article 6(1)(a) GDPR when you grant consent and Article 6(1)(f) GDPR for operational notifications.

Displaying ads and funding the Application through partner SDKs – Article 6(1)(a) GDPR (ATT consent on iOS, notification consent on Android) and Article 6(1)(f) GDPR (legitimate interest of financing development).

Analytics and usage tracking – Article 6(1)(f) GDPR for Firebase Analytics to improve application stability and user experience.

8. Sharing and third-party SDKs

We share data only when it is necessary to deliver the service:

  • oAlert backend – receives alert queries, filters, headers and bug reports. We do not send this data to other partners. On Android, communication uses Retrofit/OkHttp libraries; responses may be encrypted and decrypted locally using APIEncryptionHelper.
  • Apple Push Notification service (APNS) and Firebase Cloud Messaging (FCM) – process device tokens and payloads exclusively to deliver notifications.
  • Firebase (FirebaseCore, FirebaseMessaging, FirebaseAnalytics) – manages push registration and token refresh. Firebase Analytics collects standard app usage events on both iOS and Android, including alert detail views, following Google privacy documentation.
  • Google Mobile Ads SDK – renders banners, rewarded, App Open, interstitial and native/video ads. On iOS requires ATT consent before accessing advertising identifiers. On Android may access Google Advertising ID. Follows Google privacy documentation.
  • App Tracking Transparency (ATT) prompt (iOS only) – iOS displays this dialogue to request your consent before the Application or ad SDKs can access your advertising identifier (IDFA). If you allow tracking, your IDFA may be shared with Google Mobile Ads SDK for personalised advertising. If you deny tracking, only non-personalised advertisements will be shown. The following tracking-related domains may be contacted by the ad SDK: googleads.g.doubleclick.net, pagead2.googlesyndication.com, securepubads.g.doubleclick.net. Your ATT decision is stored locally and can be changed at any time in iOS Settings > Privacy & Security > Tracking.
  • ML Kit Barcode Scanning (Android only) – processes camera frames locally on device to decode EAN barcodes. No images leave your device.
  • Additional Android libraries – Coil (image loading), Vico (statistics charts), ExoPlayer (video playback in ads), Accompanist (permissions UI, swipe-to-refresh), WorkManager (background tasks), Room Database and DataStore (local storage). These libraries operate entirely on-device.
  • Text-to-Speech and media playback – on iOS the Application uses AVFoundation/Speech for audio/video playback and optional text-to-speech (e.g. reading alert details aloud). On Android the Application uses the system TextToSpeech engine for the same purpose. All speech synthesis is performed locally on the device; no audio data or voice recordings are transmitted to our servers or third parties.
  • Network communication – on iOS the Application uses URLSession, on Android it uses Retrofit/OkHttp. All connections are to the oAlert backend only; we do not call external analytic services beyond Firebase Analytics.

9. Retention and deletion

Local caches, favourites, notes, filters and permissions disappear automatically when you uninstall the Application or use the in-app reset feature.

Push tokens are purged when Apple or Google mark them as invalid or after 18 months of inactivity. You can also delete them by disabling notifications.

Bug reports and attachments are kept for up to 12 months after the ticket is resolved so we can analyse recurring defects.

Server logs (API requests and search events) containing diagnostic headers are automatically deleted after 90 days. Logs may be stored longer if required for security incidents or legal compliance.

Community reports, attached photos and messages within reports are stored on the server for a minimum of 12 months.

10. Your rights and security

You have the right to access, rectify, erase, restrict or object to the processing of your data, and to receive a copy of the data provided to us.

All connections use HTTPS/TLS, access to infrastructure is limited, and we monitor anomalies to keep diagnostic data free of personal content.

To exercise your rights contact us via [email protected]. You can also lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, Poland (https://uodo.gov.pl).

We do not use automated individual decision-making or profiling within the meaning of Article 22 GDPR.

11. How to delete your data

To delete your data from our servers, contact us at [email protected] with your request. We will delete: (1) your push notification token (FCM/APNS) – this will stop you from receiving push notifications; (2) server logs containing your device identifier; (3) any bug reports you submitted (if you provide the email address used in the report); (4) your community reports along with attached photos and messages.

Note: Most data (alerts, notes, favourites, statistics, filters) is stored only on your device and is automatically deleted when you uninstall the Application or use the in-app "Reset/clear" feature. We cannot delete data that exists only on your device – you must do this yourself.

12. Children's privacy

The Application is rated 4+ on the Apple App Store and "Everyone" on Google Play Store, meaning it is suitable for all age groups.

Despite this rating, we do not knowingly collect, use, or disclose personal data from children under 16 years of age (in accordance with Article 8 of the GDPR). The Application does not require account creation or submission of any personal information to function.

Advertisements displayed in the Application are served by Google Mobile Ads SDK with child-directed treatment settings enabled where required. We do not target advertisements at children (COPPA compliance).

If a parent or guardian becomes aware that their child has provided personal data (e.g. via a bug report), please contact us at [email protected] and we will promptly delete such information.

13. International data transfers

The oAlert backend servers are located within the European Economic Area (EEA).

However, certain third-party services process data outside the EEA:

  • Google LLC (Firebase Cloud Messaging, Firebase Analytics, Google Mobile Ads SDK) – may process data on servers in the United States. Google relies on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as transfer mechanisms, as described in their privacy documentation.
  • Apple Inc. (Apple Push Notification service) – processes push tokens on servers that may be located outside the EEA. Apple relies on Standard Contractual Clauses and the EU-US Data Privacy Framework.
  • By using the Application, you acknowledge that your data may be transferred to and processed in countries outside the EEA where data protection laws may differ from those in your country of residence.

14. Website cookies and analytics

The oAlert.pl website uses cookies and third-party services to analyze traffic and measure advertising effectiveness. This section applies only to website visitors, not mobile app users.

  • Google Ads (gtag.js) – We use Google Ads conversion tracking (ID: AW-17864085751) to measure the effectiveness of advertising campaigns. This service sets cookies on your device and may collect information such as: IP address, browser type, device information, pages visited, and time spent on the site.
  • Cookie consent banner – When you first visit the website, you will see a cookie consent banner. You can choose to accept all cookies, only necessary cookies, or manage your preferences. Your choice is stored in your browser localStorage.
  • Cookie categories: (1) Necessary cookies – required for basic website functionality, always enabled; (2) Analytics cookies – Google Analytics cookies (_ga, _gid) used to understand how visitors use the website, retained for up to 2 years; (3) Marketing cookies – Google Ads cookies (_gcl_*) used for conversion tracking and remarketing, retained for up to 90 days.
  • Google Consent Mode v2 – We implement Google Consent Mode to respect your privacy choices. If you reject analytics or marketing cookies, Google tags will operate in limited mode without collecting personal data.
  • Legal basis – Article 6(1)(a) GDPR (consent) for analytics and marketing cookies. Necessary cookies are based on Article 6(1)(f) GDPR (legitimate interest in website operation).
  • Third-party data processing – Google LLC processes data as a processor under their Privacy Policy (https://policies.google.com/privacy). Data may be transferred to the United States under EU-US Data Privacy Framework.
  • Your rights – You can withdraw consent at any time by clicking "Manage preferences" in the cookie banner, or by clearing your browser cookies. You can also opt out of personalized advertising at https://www.google.com/settings/ads.

15. Updates to this document

We may update the Privacy Policy when we add features, integrate new SDKs or when legal requirements change. The latest version is always available inside the Application and on oAlert.pl.

Contact

ADAKS MEDIA DANIEL DOBROWOLSKI
59-800 Lubań, Mściszów 112B, Poland
[email protected]

Back to homepage Terms of service Privacy policy