This Privacy Policy explains how Samla ("we", "us", "our") collects, uses, and protects your personal data when you use the Samla mobile application (the "App"). We are based in Norway and we comply with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).
1. Who we are
Samla is operated by Jarosław Urbański, an individual based in Akershus, Norway. You can contact us at any time at hi@samla.studio.
For the purposes of GDPR, we are the data controller for the personal data processed through the App.
2. What data we collect
We only collect data that is necessary to make the App work. We do not use any analytics SDKs, advertising SDKs, or crash-reporting services that share data with third parties. We do not access your phone contacts.
Account data
- Email address
- Display name
- Password (stored only as a salted hash by our authentication provider; we never see your password in plain text)
- Preferred language and region
Profile data
- Optional profile picture (avatar) you choose to upload
- Birthday, if you choose to add it
Content you create in the App
- Events you create or are invited to: title, date, time, description, location, cover image
- Invitations and RSVPs (Going / Interested / Pending / Declined), including the optional "companions" field
- Lists tied to events (wishlists, supplies, packing lists) and items inside them
- Crew entries: names, optional contact details, and optional birthdays of people you add to your "My Crew" list. Birthdays are used to power upcoming-birthday reminders inside the App. These entries are typed in by you manually — we do not read your phone contacts.
Technical data
- App version, operating system version, device language (used to render the App correctly)
- Timestamps of account creation and last activity
- IP address at the moment your device contacts our backend (kept transiently for security purposes only — see Section 10)
Communications
- Transactional emails we send you (account confirmations, invitations, password resets) and the metadata around them (delivery status, bounce status)
We do not collect: your phone contacts, your location in the background, your camera roll, your microphone input, advertising identifiers, or behavioral analytics.
3. How we use your data and the legal basis for it
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and operating your account | Performance of a contract — Art. 6(1)(b) |
| Sending invitations and RSVPs to your guests | Performance of a contract — Art. 6(1)(b) |
| Sending transactional emails (confirmations, password resets) | Performance of a contract — Art. 6(1)(b) |
| Showing maps for event locations | Performance of a contract — Art. 6(1)(b) |
| Keeping the service secure (rate limiting, abuse detection) | Legitimate interest — Art. 6(1)(f) |
| Complying with our legal obligations | Legal obligation — Art. 6(1)(c) |
| Sending optional product updates, if you opt in | Consent — Art. 6(1)(a) |
We do not use your data for advertising, profiling, or training AI models.
4. Who we share data with (sub-processors)
We use a small number of trusted infrastructure providers to run the App. They process your data only on our instructions and only to the extent necessary to provide their service.
| Provider | Role | Location of processing |
|---|---|---|
| Supabase, Inc. | Authentication and database | EU (Frankfurt, Germany) |
| Railway Corp. | Backend hosting | EU (Amsterdam, Netherlands) |
| Resend, Inc. | Sending transactional emails | EU sending region (Ireland); account data stored in the United States |
| OpenStreetMap Foundation | Map tiles for event locations | United Kingdom / EU |
| Google LLC (Google Play) | App distribution and required platform APIs | Global |
We do not sell your personal data to anyone, ever.
5. International data transfers
Your account data and the content you create in the App are stored in the European Union (Supabase Frankfurt region). Backend services run in the EU (Railway Amsterdam). Transactional emails are dispatched from the EU (Resend Ireland region).
However, some of our sub-processors are corporate entities based in the United States:
- Resend, Inc. (United States) — although emails are dispatched from the EU (Ireland), Resend stores account data, email metadata, and delivery logs on US infrastructure.
- Supabase, Inc. — the data itself is stored in the EU, but Supabase as a corporate entity is based in the United States.
Where personal data is transferred to or accessible from outside the EEA, we rely on the Standard Contractual Clauses (SCC) approved by the European Commission to ensure your data continues to receive an adequate level of protection.
6. How long we keep your data
- While your account is active: we keep your data for as long as you use the App.
- After you delete your account: your personal data is removed from our active systems within 30 days and from our backups within an additional 30 days (so a maximum of 60 days end-to-end).
- Security and legal logs (e.g. records of failed login attempts, abuse signals): kept for up to 12 months for security and legal-defense purposes.
- Email delivery logs at Resend: kept according to Resend's retention policy (currently up to 30 days for the email body, longer for delivery metadata).
If we are required by law to keep certain data longer (for example, to respond to a legal request), we will keep only the minimum necessary and only for as long as the law requires.
7. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access — get a copy of the data we hold about you.
- Right to rectification — correct data that is inaccurate or incomplete.
- Right to erasure ("right to be forgotten") — ask us to delete your data.
- Right to restrict processing — ask us to pause processing in certain situations.
- Right to data portability — get your data in a machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent.
- Right to lodge a complaint with a supervisory authority (see Section 12).
You can exercise most of these rights directly inside the App.
8. How to delete your account and export your data
We have built both of these into the App so you don't have to ask us:
- Delete your account: Profile → Delete account. This permanently removes your account and personal data from our active systems within 30 days.
- Export your data: Profile → Export my data. This generates a machine-readable file containing your account and content data, which we send to your registered email address.
If you cannot access the App for any reason, you can also email us at hi@samla.studio and we will do this for you.
9. Children
The App is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. In jurisdictions where the digital age of consent is higher than 13 (such as Poland, where it is 16), users below the local age of consent should have a parent or legal guardian's permission to use the App.
If you believe a child under 13 has created an account, please contact us at hi@samla.studio and we will remove the account.
10. How we keep your data safe
- All data in transit between the App and our servers is encrypted with TLS 1.2 or higher.
- All data at rest in our database is encrypted by Supabase using AES-256.
- Passwords are stored only as salted hashes — we never store or see your password in plain text.
- Access to production systems is restricted to the operator and protected by two-factor authentication.
- We do not embed third-party SDKs that send data outside the providers listed in Section 4.
- IP addresses observed at the backend are used only transiently for rate limiting and abuse prevention and are not associated long-term with your account.
No system is perfectly secure, but we take reasonable steps to protect your data and we will inform you and the relevant supervisory authority without undue delay if a breach affecting your personal data occurs.
11. Changes to this policy
If we make material changes to this Privacy Policy, we will notify you in-App and update the "Last updated" date at the top. Continued use of the App after a change means you accept the updated policy. Older versions remain available on request.
12. Contact and supervisory authority
For any privacy-related question or to exercise your rights, contact us at:
Email: hi@samla.studio
Operator: Jarosław Urbański
Address: Akershus, Norway
You also have the right to lodge a complaint with your local data protection authority. The most relevant authorities for our users are:
- Norway — Datatilsynet (datatilsynet.no)
- Poland — Urząd Ochrony Danych Osobowych / UODO (uodo.gov.pl)
- Other EU/EEA countries — your national data protection authority
This document was prepared for Samla, operated by Jarosław Urbański. It is a binding agreement between you and the operator with respect to the processing of your personal data through the Samla App.
Questions? Email us at hi@samla.studio.