Data protection
Privacy Policy
We stay transparent — here is everything about how the oAlert.pl app processes your data.
Version 2026-06-10, effective from 2026-06-10.
Data Safety Summary (Google Play & App Store)
This summary provides key information required by Google Play Store and Apple App Store about how oAlert collects, uses, and protects your data.
- DATA COLLECTED: Device identifiers (Android ID on Android; on iOS the advertising identifier (IDFA) if you allow tracking via the ATT dialogue, otherwise a locally generated random UUID), device info (model, OS version, app version), IP address, push notification tokens (FCM/APNS), optional bug report data (description, email, photos), barcode scans (EAN codes sent to backend), ad tracking events (impression, click, completion), community report data (product details, problem description, photos), premium subscription status.
- DATA SHARED: Push tokens shared with Firebase Cloud Messaging and Apple Push Notification service for notification delivery. Device headers shared with oAlert backend for compatibility checks. Advertising ID may be shared with Google Mobile Ads SDK for ad delivery. Analytics data shared with Firebase Analytics (iOS and Android); with your consent, crash and performance data shared with Firebase Crashlytics and Firebase Performance Monitoring. Device identifiers and ad-interaction data may also be shared with the AppLovin MAX SDK (iOS and Android) and the ad networks mediated by Google AdMob and AppLovin MAX (including Meta Audience Network and Unity Ads) for ad delivery and measurement.
- DATA USAGE: Delivering product safety alerts, sending push notifications, displaying advertisements, improving app stability, troubleshooting crashes, barcode scanning for alert lookup, processing community reports, managing premium subscriptions.
- SECURITY PRACTICES: All data transmitted via encrypted HTTPS/TLS connections. API responses additionally encrypted with AES-256-CBC. On our servers we store only data linked to an anonymous device identifier (push tokens with notification preferences, diagnostic and advertising telemetry, poll votes, announcement read statuses) and voluntarily submitted reports. We do not store names, accounts or contact details unless you voluntarily provide them in a report. Local data encrypted on device. Server access restricted.
- DATA RETENTION: Local cache deleted on app uninstall. Push tokens removed after 90 days of inactivity. Server logs kept for approximately 90 days. Bug reports kept for a maximum of 12 months from creation.
- USER RIGHTS: You can request access, deletion, or correction of your data by contacting [email protected]. You can delete local data via in-app reset. You can disable push notifications at any time.
- THIRD-PARTY ACCESS: Firebase (Google, including Crashlytics and Performance Monitoring), Google Mobile Ads SDK, AppLovin MAX (AppLovin Corporation), Meta Audience Network (Meta Platforms, Inc.), Unity Ads (Unity Technologies), ML Kit (Google), Cloudflare, Inc. (network infrastructure). These parties operate under their own privacy policies.
- DATA SALE / SHARING (U.S. STATE LAWS): We do not sell your personal data for money. When interest-based advertising is enabled, we may disclose or make available device and advertising identifiers, IP address, consent/opt-out status and ad-interaction data to advertising SDKs (Google Mobile Ads, AppLovin MAX) and their advertising, measurement and fraud-prevention partners. This may be considered a sale, sharing or targeted advertising under certain U.S. state privacy laws such as the California CCPA/CPRA. You can opt out — see the Your U.S. State Privacy Rights section below.
1. Data controller
The oAlert mobile application (available at oAlert.pl) is operated by ADAKS MEDIA DANIEL DOBROWOLSKI, NIP: PL6152062671, with registered address at 59-800 Lubań, Mściszów 112B, Poland, who acts as the controller of personal data processed within the Application.
For privacy requests or questions please write to [email protected].
2. Data stored directly on your device
We design features so that the most sensitive information stays on your device. The following items are written to local storage (UserDefaults/cache on iOS, Room Database/DataStore on Android) and never leave the device unless you explicitly include them in a support message:
- Alerts (product names, categories, shops, alert types, risk levels) downloaded from our backend are cached only to show lists, statistics and filters. They are deleted when you use the in-app "Reset/clear" option or uninstall the Application.
- User notes – free text attached to a specific alert. Notes remain in local storage (UserDefaults on iOS, Room/DataStore on Android) and are not uploaded anywhere. You may export notes to PDF or share them, but this happens locally on your device.
- Favourite alerts and "read" statuses – identifiers kept locally so the "Important" list and the red highlighting of new alerts work. The identifiers never leave the device.
- Filters, onboarding progress, consent prompts (ATT/push on iOS, notification permission on Android) and decisions about badges or tips – stored locally to remember your choices.
- Statistics and filtering results – the Application computes them locally on the cached alerts (e.g. monthly counts or top categories). No aggregated metrics are transmitted.
- Debug logs (AppLogger on iOS) generated in development or beta builds stay on the device and are cleared with the Application.
- Premium subscription status (active/inactive, plan type) stored locally to customise the interface (hide ads, unlock Premium features).
- Community report drafts in progress stored locally until submitted to the server.
3. Device information sent to our backend
Every network call to refresh alerts, register a token or send feedback includes limited diagnostics so we can ensure compatibility and detect abuse. The data is delivered only to the oAlert backend via encrypted HTTPS connections.
- HTTP headers: X-App-Version, X-App-Build, X-OS-Version (X-iOS-Version on iOS, Android version on Android), X-Device-Model, X-Device-ID (see the device identifier description below), X-Platform, X-Ad-Consent (advertising consent status), X-Push-Token (notification token attached to API requests) and Accept-Language. They help us troubleshoot crashes and verify that your device can handle the newest features.
- User-Agent header containing application name and version information.
- IP address and request metadata stored in access logs. These logs are automatically deleted after 90 days. Logs may be kept longer if required for security incidents or legal reasons.
- Device ID – sent in the X-Device-ID header with every API request. On Android it is the Android ID or a locally generated UUID stored in SharedPreferences. On iOS, if you allow tracking in the system App Tracking Transparency (ATT) dialogue, the advertising identifier (IDFA) is also used as the device identifier towards our server; if you do not allow tracking, the Application generates a random UUID instead. The value is stored in the Application storage (UserDefaults on iOS) and is used for device identification in the advertising system (passed in requests to advertisement management endpoints such as /ads/should-show and /ads/track) and for push notification registration. It persists for the lifetime of the app installation and is deleted when you uninstall the Application or use the in-app reset feature.
4. Features that require additional data
Certain functions send extra fields so they can work as intended:
- Push notifications – we register the push notification token (APNS on iOS, FCM on Android) together with platform, locale, device model and the device identifier described in Section 3. Alongside the token we store your notification preferences on the server: premium status, advertising consent status, silent notification mode, disabled alert categories and alert types, and language. Tokens are used solely to deliver alerts and are removed once you disable notifications or after long-term inactivity. Push payloads may contain alert identifiers or small snippets to refresh the local cache; optional attachments are downloaded temporarily and discarded immediately after the notification is shown. On Android, WorkManager may trigger background fetch after receiving a push notification.
- Bug report – if you send a report we receive the description (max. 2,000 characters), an optional e-mail address, the Firebase device token and optional photo attachments. The data is not shared outside oAlert and is kept only for handling the ticket.
- Barcode scanner / camera – requires camera permission. On iOS the camera uses AVFoundation, on Android it uses CameraX and ML Kit Barcode Scanning. The camera works only while you keep the scanner screen open. Frames are not recorded, images are processed locally, and the decoded barcode (EAN) is treated like a local search phrase and may be sent to the backend to find matching alerts.
- Statistics and filtering – all calculations happen on-device. We do not upload summary data or personal insights.
- Advertisement tracking – when ads are displayed, the Application sends tracking events (impression, click, completion) to the oAlert backend including device identifier (device_id), advertisement identifier (ad_id), display location, ad type, and event timestamps. This data is used to manage ad frequency and measure ad effectiveness. On Android, this may indirectly use the Google Advertising ID through Google Mobile Ads SDK. Depending on configuration, advertisements may be served through the Google Mobile Ads SDK or the AppLovin MAX mediation SDK, which may additionally process device and advertising identifiers as described in the Third-party SDKs section.
- Advertisement configuration – the Application fetches advertising configuration from the server and caches it locally for 24 hours. This configuration determines which ad formats are displayed, their frequency, and placement. The request includes only device headers described in Section 3.
- Install date tracking – the Application stores the date of first installation locally on your device. During the first 24 hours after installation, advertisements are not displayed. This grace period mechanism operates entirely on-device and does not send any data to our servers.
- Application version checking – the Application periodically checks the current version against the minimum required version from the oAlert backend. This check sends only the current app version and platform. Depending on the result, the Application may display a mandatory update prompt (blocking further use until updated) or an optional update suggestion that can be dismissed. No personal data is collected during this process.
- In-app polls and announcements – when you vote in an in-app poll, we store your selected answer together with the device identifier (to prevent multiple voting) and your platform and app version. For in-app announcements we record which announcements have been read on your device. Legal basis: Article 6(1)(f) GDPR (proper operation of these features). Retention periods are listed in Section 9.
5. Community reports
The Application allows users to submit reports about potentially dangerous products (Community Reports). The following data is collected when you create a report:
- Product information: product name, batch number, storage conditions, expiry date, purchase date, store name. Optionally: EAN code, manufacturer, country of origin.
- Problem description: free text between 120 and 5,000 characters describing the issue with the product.
- Photos: up to 5 product photos and 1 receipt photo (JPEG format). EXIF metadata (including GPS location data, camera information and timestamps) is automatically stripped from all uploaded photos before storage on the server.
- In-report messaging: text messages exchanged between you and the oAlert administrator within the context of your report.
- You can confirm (upvote) or flag other users' community alerts for moderation review.
- All data is transmitted via an encrypted connection to the oAlert server and stored there.
- Legal basis: Article 6(1)(b) GDPR (performance of the service you requested) and Article 6(1)(a) GDPR (consent for voluntary photo upload).
- Retention: reports, photos and messages are stored for the period of publication, no longer than 24 months from creation; rejected reports are deleted after 3 months.
- Deletion: you can request deletion of your community reports and associated data by contacting [email protected].
6. Premium subscriptions
The Application offers paid subscription plans that unlock additional features:
- Available plans: Premium Individual (Apple App Store and Google Play Store, monthly subscription) and Premium Family (Apple App Store only, monthly subscription).
- oAlert does NOT process or store payment data — all payment processing is handled entirely by Apple (App Store) or Google (Google Play Store).
- Your premium subscription status (active/inactive) is transmitted to the oAlert server to customise the service: disabling advertisements and enabling priority push notifications.
- Legal basis: Article 6(1)(b) GDPR (performance of the contract for the subscribed service).
7. Legal bases and purposes
Providing access to alerts, favourites, filters, scanner and local history – Article 6(1)(b) GDPR (performance of a service requested by the user).
Diagnostics, security monitoring and log retention – Article 6(1)(f) GDPR (legitimate interest of keeping the Application reliable).
Push notifications, optional reminders and marketing communication – Article 6(1)(a) GDPR when you grant consent and Article 6(1)(f) GDPR for operational notifications.
Displaying advertisements through partner SDKs – Article 6(1)(a) GDPR (your consent) where consent is required for interest-based advertising or for accessing advertising identifiers. In the EEA, the United Kingdom, Switzerland and other regions where required, we request consent through a consent management platform or an equivalent consent mechanism before enabling interest-based advertising, and we pass the resulting consent and opt-out signals to Google Mobile Ads, AppLovin MAX and supported mediated networks. If you do not consent, or later withdraw consent, we do not use interest-based advertising; depending on availability you may see contextual, non-personalised or limited ads, or no ads. The legitimate interest of funding the Application (Article 6(1)(f) GDPR) covers only non-personalised advertising and aggregate ad measurement.
Firebase Analytics, Firebase Crashlytics, Firebase Performance Monitoring and usage analytics – Article 6(1)(a) GDPR (your consent) where analytics or app-instance identifiers or similar on-device technologies are used and consent is required; we apply Google consent settings (Consent Mode v2, used both in the Application and on the oalert.pl website) so analytics storage is denied until consent where required. Strictly necessary diagnostics and security logs that do not use analytics identifiers may rely on Article 6(1)(f) GDPR.
8. Sharing and third-party SDKs
We share data only when it is necessary to deliver the service:
- oAlert backend – receives alert queries, filters, headers and bug reports. We do not send your alert queries, filters or bug reports to advertising partners. On Android, communication uses Retrofit/OkHttp libraries; responses may be encrypted and decrypted locally using APIEncryptionHelper.
- Apple Push Notification service (APNS) and Firebase Cloud Messaging (FCM) – process device tokens and payloads exclusively to deliver notifications.
- Firebase (FirebaseCore, FirebaseMessaging, FirebaseAnalytics) – manages push registration and token refresh. With your analytics consent, Firebase Analytics (Google Analytics 4) collects usage events on both iOS and Android in the following categories: (1) identifiers of viewed content (which alerts, polls and announcements you open; for polls — the fact that you voted, without the content of your answer); (2) engagement measures (reading time, scroll depth, notification reaction time); (3) Premium subscription purchase events (plan, currency, price, trial period, subscription length on cancellation); (4) preferences (language, theme, notification categories, permission status); (5) ad diagnostics, including detection of system clock manipulation and ad blockers (legal basis: legitimate interest — protection against abuse); together with device properties (manufacturer, model, OS and app version, premium status, installation age bracket). Analytics data is exported to Google BigQuery (Google Cloud, covered by the same transfer mechanisms); raw events in BigQuery are retained for no longer than 14 months. Consent signals are applied via Google Consent Mode v2, which we use both in the Application and on the oalert.pl website.
- Firebase Crashlytics (Google) – with your analytics consent, collects crash reports: a pseudonymous random report identifier (a UUID generated in the Application and deleted when you withdraw consent), device diagnostics (model, OS and app version, language, premium status, notification status) and a log of events preceding the crash (including identifiers of recently opened alerts and polls, push and ad events) — these diagnostic logs may therefore contain identifiers of content you viewed. Legal basis: Article 6(1)(a) GDPR (consent). Google retains crash reports for 90 days.
- Firebase Performance Monitoring (Google) – with your analytics consent, collects performance traces: app start-up times, network request timings (including request URLs) and screen rendering metrics.
- Firebase App Check – verifies the authenticity of the Application using Apple mechanisms (App Attest/DeviceCheck).
- Google Mobile Ads SDK – renders banner, rewarded, App Open, interstitial and native/video ads. On iOS it requires ATT consent before accessing advertising identifiers. On Android it may access the Google Advertising ID. It follows Google's privacy documentation.
- Meta Audience Network (Meta Platforms, Inc.) and Unity Ads (Unity Technologies) – ad networks available in Google AdMob mediation. They may receive device information, IP address, the advertising identifier (IDFA/AAID — only with your consent) and ad events; consent signals are passed to them automatically in line with your choice. They operate under their own privacy policies.
- Google Ads on-device conversion measurement – measurement of ad campaign conversions performed on your device; the data does not leave the device in a form that allows identification.
- AppLovin MAX SDK (AppLovin Corporation) – an advertising mediation and ad-delivery SDK used to display banner, interstitial, rewarded, native and App Open ads and to mediate demand from other ad networks. For these purposes AppLovin and the networks it mediates may collect and process device, app and network information, IP address, advertising and vendor identifiers, consent/opt-out status and ad-event data to deliver ads, serve interest-based advertising where permitted, measure performance and prevent fraud. AppLovin MAX is integrated in both the iOS and Android applications. On iOS, access to the advertising identifier (IDFA) requires your ATT permission; on Android, AppLovin may access the Google Advertising ID (a resettable advertising identifier), subject to your consent where required. In the EEA, the United Kingdom, Switzerland and other regions where required, interest-based advertising is shown only after you grant consent. AppLovin and oAlert act as independent controllers for the personal data made available to AppLovin, which operates under its own privacy policy: https://legal.applovin.com/privacy/
- No sensitive data to ad networks – we do not send alert content, product or category names, barcode (EAN) searches, your notes, or community-report content to Google Mobile Ads, AppLovin MAX or any ad network, and we do not use these SDKs to process special categories of data (such as health) or precise geolocation.
- App Tracking Transparency (ATT) prompt (iOS only) – iOS displays this dialogue to request your permission before the Application or third-party ad SDKs access your advertising identifier (IDFA) or track you across other companies' apps and websites. If you allow tracking, your IDFA and related ad-event data may be made available to Google Mobile Ads, AppLovin MAX and supported mediated networks for personalised advertising and measurement, subject to any other required consent. If you deny tracking, those SDKs are not permitted to access the IDFA for these purposes and ads may be contextual, non-personalised or limited. The following ad-related domains may be contacted: googleads.g.doubleclick.net, pagead2.googlesyndication.com, securepubads.g.doubleclick.net. Your ATT decision is stored locally and can be changed at any time in iOS Settings > Privacy & Security > Tracking.
- ML Kit Barcode Scanning (Android only) – processes camera frames locally on device to decode EAN barcodes. No images leave your device.
- Additional Android libraries – Coil (image loading), Vico (statistics charts), ExoPlayer (video playback in ads), Accompanist (permissions UI, swipe-to-refresh), WorkManager (background tasks), Room Database and DataStore (local storage). These libraries operate entirely on-device.
- Text-to-Speech and media playback – on iOS the Application uses AVFoundation/Speech for audio/video playback and optional text-to-speech (e.g. reading alert details aloud). On Android the Application uses the system TextToSpeech engine for the same purpose. All speech synthesis is performed locally on the device; no audio data or voice recordings are transmitted to our servers or third parties.
- Network communication – the Application's own backend calls use URLSession (iOS) or Retrofit/OkHttp (Android) and go only to the oAlert backend. Embedded third-party SDKs (Firebase, Google Mobile Ads, AppLovin MAX and the ad networks it mediates) connect to their own endpoints to provide their functionality, as described in this section.
- "Our other apps" list – the Application downloads the list of our other applications from the external domain dobrysoftware.com. That server sees your IP address but receives no device or advertising identifiers.
- Cloudflare, Inc. (USA) – a network services provider (reverse proxy, attack protection, CDN). Cloudflare processes the IP addresses and request metadata of all connections to oalert.pl (both the website and the Application API) as our data processor.
- Server infrastructure provider – the company hosting our backend servers within the EEA acts as our data processor for the data stored on those servers.
9. Retention and deletion
Local caches, favourites, notes, filters and permissions disappear automatically when you uninstall the Application or use the in-app reset feature.
Push tokens are purged when Apple or Google mark them as invalid or after 90 days of inactivity. You can also delete them by disabling notifications.
Bug reports and attachments are kept for a maximum of 12 months from the creation of the report so we can analyse recurring defects.
Server logs (API requests and search events) containing diagnostic headers are automatically deleted after 90 days. Logs may be stored longer if required for security incidents or legal compliance.
Community reports, attached photos and messages within reports are stored on the server for the period of publication, no longer than 24 months from creation. Rejected reports (including photos) are deleted after 3 months.
Advertising events recorded on our server (impressions, clicks, diagnostics) are kept for a maximum of 12 months.
App-open events and activity signals (heartbeats) are kept for 90 days.
Poll votes are permanently anonymised after 12 months — they are detached from the device identifier and only aggregate results are retained.
Announcement read statuses are kept for 12 months.
Retention at third parties: Firebase Analytics (Google Analytics 4) retains user-linked data according to our GA4 settings, no longer than 14 months; raw analytics events exported to Google BigQuery are retained for no longer than 14 months; Firebase Crashlytics crash reports are retained by Google for 90 days; Firebase Performance Monitoring traces are retained in accordance with Google's retention periods for that service.
10. Your rights and security
You have the right to access, rectify, erase, restrict or object to the processing of your data, and to receive a copy of the data provided to us.
Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.
Providing data is voluntary; not providing optional data (such as an e-mail address or photos in a report) only limits your ability to use the given feature.
All connections use HTTPS/TLS, access to infrastructure is limited, and we monitor anomalies to keep diagnostic data free of personal content.
To exercise your rights contact us via [email protected]. You can also lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, Poland (https://uodo.gov.pl).
We do not use automated individual decision-making or profiling within the meaning of Article 22 GDPR.
11. Exercising your rights (GDPR)
You have the right to access your data (Art. 15 GDPR), rectify it (Art. 16), erase it (Art. 17) and restrict its processing (Art. 18), as well as the right to data portability (Art. 20).
The easiest and recommended way to submit a request is the in-app Report Center: open the Report Center, create a new ticket and describe your request in the message body — for example "Please erase all my data associated with this device (Art. 17 GDPR)". Using this channel you do not need to provide any identifier — the ticket is automatically and securely linked to your device, which allows us to locate your data without collecting any additional information (Art. 11 and Recital 57 GDPR). You may optionally include an e-mail address for a reply.
You may also submit a request by e-mail to [email protected]. Because we do not maintain user accounts and associate your data solely with an anonymous device identifier, a request submitted by e-mail can be fulfilled only if we are able to unambiguously link it to your device; otherwise we will ask you to resubmit via the Report Center, which provides automatic identification. We will not refuse a properly identified request regardless of the channel.
We will respond without undue delay and at the latest within one month of receiving the request (Art. 12(3) GDPR). In particularly complex cases we may extend this period by up to two further months; we will notify you with reasons within the first month. Confirmation of receipt and the response will be sent in the Report Center conversation thread and, if you provided an e-mail address, also to that address.
On erasure we remove: (1) your push notification token (FCM/APNS); (2) server logs containing your device identifier; (3) any bug reports you submitted along with their attachments and messages in the thread; (4) your community reports together with photos and replies; (5) any telemetry rows referencing your Device ID (heartbeats, app-open events, ad events, poll votes, etc.). After the erasure request is fulfilled the Report Center thread also becomes inaccessible.
In addition to the data stored on our servers, upon an erasure request we also initiate deletion of analytics data linked to your pseudonymous identifier in Google services (the Google Analytics user-deletion mechanism). The crash report identifier is additionally reset every time you withdraw analytics consent in the Application.
To demonstrate compliance with your request (accountability principle — Art. 5(2) GDPR) we retain a minimal record containing only: the date the request was received, the type of request, a hashed (SHA-256) device identifier, and the date and scope of fulfilment. This record does not contain the content of your ticket or any deleted data (legal basis: Art. 6(1)(c) and (f) GDPR) and is retained for no longer than 6 years (the limitation period for potential claims).
Any e-mail address or other data voluntarily provided in a ticket is retained only for the duration of handling the request and then deleted (except for the compliance record described above).
Note: most data (alerts, notes, favourites, statistics, filters) lives only on your device and is automatically deleted when you uninstall the Application or use the in-app "Reset" feature.
You also have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, Poland (https://uodo.gov.pl).
12. Children's privacy
The Application is rated 4+ on the Apple App Store and "Everyone" on Google Play Store, meaning it is suitable for all age groups.
Despite this rating, we do not knowingly collect, use, or disclose personal data from children under 16 years of age (in accordance with Article 8 of the GDPR). The Application does not require account creation or submission of any personal information to function.
The Application is not directed to children and we do not knowingly collect personal data from children. If we determine that a user is a child under applicable law (including COPPA or applicable EU/UK age-of-consent rules), we do not initialise AppLovin MAX or request ads through AppLovin for that user. For Google Mobile Ads we apply child-directed or under-age-of-consent treatment where required. Where ads cannot lawfully be served, ads may be disabled.
If a parent or guardian becomes aware that their child has provided personal data (e.g. via a bug report), please contact us at [email protected] and we will promptly delete such information.
13. International data transfers
The oAlert backend servers are located within the European Economic Area (EEA).
However, certain third-party services process data outside the EEA:
- Google LLC (Firebase Cloud Messaging, Firebase Analytics, Google Mobile Ads SDK) – may process data on servers in the United States. Google relies on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as transfer mechanisms, as described in their privacy documentation.
- AppLovin Corporation (AppLovin MAX) – may process data on servers in the United States. AppLovin states that it participates in the EU-US Data Privacy Framework, the UK Extension and the Swiss-US Data Privacy Framework; where the Framework is not relied on, transfers are protected by Standard Contractual Clauses, including controller-to-controller SCCs where applicable.
- Meta Platforms, Inc. (Meta Audience Network) and Unity Technologies (Unity Ads) – may process data on servers in the United States. Both participate in the EU-US Data Privacy Framework; where the Framework does not apply, transfers are protected by Standard Contractual Clauses (SCCs).
- Apple Inc. (Apple Push Notification service) – processes push tokens on servers that may be located outside the EEA. Apple relies on Standard Contractual Clauses and the EU-US Data Privacy Framework.
- Cloudflare, Inc. – may process IP addresses and request metadata on servers in the United States. Cloudflare participates in the EU-US Data Privacy Framework and additionally relies on Standard Contractual Clauses (SCCs).
14. Your U.S. State Privacy Rights (California and other states)
- If you are a resident of California (CCPA/CPRA) or certain other U.S. states (for example Virginia, Colorado, Connecticut or Utah), you have rights to know and access the personal information we process, to request its deletion or correction, and to opt out of the sale or sharing of personal information and of targeted advertising.
- Categories shared for advertising: device identifiers and advertising identifiers, IP address, and app-interaction (impression, click, completion) data, shared with advertising SDKs (Google Mobile Ads, AppLovin MAX) and the networks they mediate.
- Do Not Sell or Share My Personal Information / Opt out of targeted advertising: you can opt out by using the privacy choices control in the Application where available, by using device-level privacy choices (such as denying the App Tracking Transparency prompt on iOS, or resetting or limiting your advertising identifier on Android), or by contacting us at [email protected]. After you opt out, we disable interest-based advertising and pass applicable opt-out signals to supported SDKs and partners; you may still see contextual, non-personalised or limited ads, or no ads.
- We honour recognised opt-out preference signals where we can detect them and where required by law; in the mobile Application, please use the device and in-app privacy choices above. We do not knowingly sell or share the personal information of consumers under 16 years of age.
15. Website cookies and analytics
The oAlert.pl website uses cookies and third-party services to analyze traffic and measure advertising effectiveness. This section applies only to website visitors, not mobile app users.
- Google Ads (gtag.js) – We use Google Ads conversion tracking (ID: AW-17864085751) to measure the effectiveness of advertising campaigns. This service sets cookies on your device and may collect information such as: IP address, browser type, device information, pages visited, and time spent on the site.
- Cookie consent banner – When you first visit the website, you will see a cookie consent banner. You can choose to accept all cookies, only necessary cookies, or manage your preferences. Your choice is stored in your browser's localStorage.
- Cookie categories: (1) Necessary cookies – required for basic website functionality, always enabled; (2) Analytics cookies – Google Analytics cookies (_ga, _gid) used to understand how visitors use the website, retained for up to 2 years; (3) Marketing cookies – Google Ads cookies (_gcl_*) used for conversion tracking and remarketing, retained for up to 90 days.
- Google Consent Mode v2 – We implement Google Consent Mode to respect your privacy choices. If you reject analytics or marketing cookies, Google tags will operate in limited mode without collecting personal data.
- Legal basis – Article 6(1)(a) GDPR (consent) for analytics and marketing cookies. Necessary cookies are based on Article 6(1)(f) GDPR (legitimate interest in website operation).
- Third-party data processing – Google LLC processes data as a processor under their Privacy Policy (https://policies.google.com/privacy). Data may be transferred to the United States under the EU-US Data Privacy Framework.
- Your rights – You can withdraw consent at any time by clicking "Manage preferences" in the cookie banner, or by clearing your browser cookies. You can also opt out of personalized advertising at https://www.google.com/settings/ads.
16. Updates to this document
We may update the Privacy Policy when we add features, integrate new SDKs or when legal requirements change. The latest version is always available inside the Application and on oAlert.pl.
Contact
ADAKS MEDIA DANIEL DOBROWOLSKI
59-800 Lubań, Mściszów 112B, Poland
[email protected]