PRIVACY
POLICY

Last updated: 10 May 2025  ·  Effective date: 10 May 2025

This Privacy Policy describes how Summoner ("we", "our", or "us") collects, uses, and protects your personal data when you use the Summoner mobile application and the website summoner-app.com (collectively, the "Service"). We are committed to processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Bulgarian data protection law.

1. DATA WE COLLECT

1.1 Account Data

When you register, we collect:

• Email address — used for authentication and account recovery.
• Phone number — collected after OTP verification. Stored in hashed form (using a one-way hash of your normalised number) in a server-side lookup table. The plaintext number is stored only in your private account record, accessible solely by you.
• Username — the display name you choose.
• Profile avatar — an image you upload voluntarily.

1.2 Content You Create

• Circle messages and photos — stored on our cloud infrastructure.
• Private messages — stored as end-to-end encrypted ciphertext. We cannot read the content of private messages. Your encryption keys are generated on your device and never transmitted to our servers.
• Summons — including activity description, duration, and the geographic coordinates you choose to share.

1.3 Technical & Usage Data

• Push notification token — a device token used to deliver push notifications. Stored privately and never exposed to other users.
• Last activity timestamps — used to sort circles and determine notification eligibility.
• Standard server logs generated by our cloud infrastructure (IP address, device type, request timestamps). These are processed by our infrastructure provider under their own terms.

1.4 Contacts (Optional)

If you grant the READ_CONTACTS permission, your device contacts' phone numbers are normalised to E.164 format and hashed client-side. Only the hashes are transmitted to our servers to identify mutual connections. Raw phone numbers from your contacts are never sent to or stored by us.

2. LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal bases under Article 6 GDPR:

• Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you signed up for (account creation, messaging, Summons).
• Consent (Art. 6(1)(a)) — for optional features such as contact matching and push notifications. You may withdraw consent at any time in the app settings.
• Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, and service improvement, where our interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c)) — where required by applicable law.

3. HOW WE USE YOUR DATA

• To create and maintain your account.
• To enable real-time messaging, Summons, and social features within the app.
• To deliver push notifications for messages, Summons, and friend requests.
• To allow optional contact-based friend discovery.
• To enforce our Terms of Service and prevent abuse.
• To operate and maintain the technical infrastructure of the Service.

We do not sell your personal data. We do not use your data for advertising profiling.

4. DATA SHARING & THIRD PARTIES

We use the following third-party processors, each bound by data processing agreements:

• Cloud infrastructure provider — authentication, database, file storage, push notifications, and hosting. Data may be stored on servers within the EU or the United States under Standard Contractual Clauses approved by the European Commission.
• Google Maps Platform — used to display location maps on the public Summon share page. Only the coordinates you explicitly attach to a Summon are passed to Google Maps.

We do not share your data with any other third parties except where required by law or a court order, in which case we will notify you to the extent permitted by law.

5. DATA RETENTION

• Account data — retained for as long as your account is active.
• Messages — retained until you or the other participant deletes the conversation.
• Summons — auto-expired and deleted within 5 minutes of expiry by our Cloud Function.
• Account deletion — when you delete your account, your authentication entry, profile, circle memberships, and social connections are removed via an automated cascade. Encrypted private message history may be retained in read-only form for the other participant with a clear "account deleted" indicator.
• Backups — residual data may remain in infrastructure backups for up to 30 days after deletion.

6. YOUR RIGHTS UNDER GDPR

As a data subject in the EU, you have the following rights:

• Right of access (Art. 15) — request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — request correction of inaccurate data.
• Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten"). You may delete your account directly from the app, which triggers an automated erasure cascade.
• Right to restriction (Art. 18) — request that we restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20) — request your data in a structured, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interests.
• Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@vaultpointlabs.com. We will respond within 30 days. You also have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) at www.cpdp.bg.

7. SECURITY

We implement industry-standard technical and organisational measures to protect your data:

• Private messages are end-to-end encrypted. Keys are generated and stored on your device, protected by biometric authentication. Our servers receive only encrypted data and have no means to decrypt it.
• All data in transit is encrypted via TLS.
• Access controls restrict each user's data strictly to their authenticated identity.
• Push notification tokens and phone numbers are stored in private records inaccessible to other users.

No system is 100% secure. In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.

8. CHILDREN'S PRIVACY

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us immediately at support@vaultpointlabs.com and we will delete it promptly.

9. INTERNATIONAL TRANSFERS

Your data may be processed by Google LLC on servers located outside the European Economic Area (EEA), including in the United States. Such transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, as part of Google's Data Processing Addendum. You may request a copy of the applicable transfer mechanisms by contacting us.

10. COOKIES & TRACKING

The Summoner mobile application does not use cookies. The website summoner-app.com does not use analytics or advertising cookies. The only external resources loaded by the website are Google Fonts (for typography) and Google Maps (only on active Summon share pages), which may set cookies governed by Google's own Privacy Policy.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where required, notify you via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated Policy.

12. CONTACT & DATA CONTROLLER

For any privacy-related questions, requests, or complaints: