Privacy Policy - Alladro

Last Updated: October 21, 2025 | Version 2.0

1. Introduction and Controller Information

1.1 Who We Are

Alladro ("we", "us", "our") is a community-based crime reporting mobile application. We are the data controller responsible for your personal information.

Contact Information:

• Service Name: Alladro
• Email: alladro@appjuice.it

1.2 Scope of This Policy

This Privacy Policy applies to all personal information collected through:

• The Alladro mobile application (iOS)
• Our website: https://alladro.appjuice.it
• Any related services, features, or communications

1.3 Legal Basis

We process your personal data in compliance with:

• EU General Data Protection Regulation (GDPR) - Regulation 2016/679
• Italian Privacy Code (Legislative Decree 196/2003 as amended)
• EU ePrivacy Directive (Directive 2002/58/EC)
• Other applicable data protection laws

2. Personal Information We Collect

2.1 Information You Provide Directly

Data Category	Specific Data	When Collected
Account Information	• Email address • Username • Full name (optional) • Password (hashed)	Account registration
Profile Information	• Avatar/profile picture (optional) • User preferences • Theme settings	Profile setup/updates
Crime Report Content	• Report title • Report description • Crime type/category • Event date and time • Images/photos (up to 1) • User-provided location notes	When creating crime reports
User Interactions	• Upvotes on events • Contact requests • Direct messages • Report submissions (flagging content) • Bug reports and suggestions	When using platform features

2.2 Information Collected Automatically

Data Category	Specific Data	Purpose
Geolocation Data	• Precise GPS coordinates (latitude/longitude) • Reverse-geocoded addresses • Distance calculations • Location radius filters (3-20km)	• Display crime events on map • Filter events by proximity • Associate reports with locations
Device Information	• Device type (iOS version) • Operating system version • App version • Device identifiers (IDFA if consented) • Screen resolution	• Technical support • App optimization • Crash reporting
Usage Data	• Login timestamps • Last active time • Features used • Reports created/viewed • Messages sent/received • Search queries	• Service improvement • Analytics • Security monitoring
Network Information	• IP address • Connection type (WiFi/Cellular) • Network provider	• Security • Fraud prevention • Service delivery

2.3 Information from Third-Party Services

We integrate with the following third-party services that may collect data:

• Supabase (Database & Authentication)
  • Email authentication data
  • Session tokens
  • All user-generated content
  • Database queries and logs
• Google Maps API
  • Map tile requests
  • Geocoding requests (coordinates to addresses)
  • Location data for map display
• Google AdMob (Advertising)
  • Ad impressions and clicks
  • Device advertising ID
  • Ad performance metrics

3. How We Use Your Personal Information

3.1 Legal Bases for Processing

Purpose	Legal Basis (GDPR)
Account creation and authentication	Contract performance (Art. 6(1)(b))
Displaying crime reports on map	Contract performance + Legitimate interests
Geolocation processing	Consent (Art. 6(1)(a)) via iOS location permission
Direct messaging between users	Contract performance
Content moderation	Legitimate interests (safety, legal compliance)
Security and fraud prevention	Legitimate interests
Analytics and service improvement	Legitimate interests
Marketing communications (if any)	Consent (Art. 6(1)(a))
Legal obligations and law enforcement	Legal obligation (Art. 6(1)(c))

3.2 Specific Use Cases

We use your personal information to:

• Provide the Service:
  • Create and manage your account
  • Authenticate your identity
  • Display crime events on interactive map
  • Filter events based on your location and preferences
  • Enable voting, messaging, and social features
  • Process contact requests between users
• Content Moderation:
  • Review user-generated content for policy violations
  • Process user reports of inappropriate content
  • Use automated AI moderation tools (Claude/ChatGPT)
  • Remove violating content and suspend accounts
• Security & Safety:
  • Prevent fraud, spam, and abuse
  • Detect and prevent security threats
  • Enforce our Terms of Service
  • Monitor for illegal activity
• Communications:
  • Send account-related notifications
  • Respond to support inquiries
  • Send service updates and announcements
  • Facilitate messaging between users
• Analytics & Improvement:
  • Analyze usage patterns and trends
  • Improve app performance and features
  • Conduct research and development
  • Generate aggregate statistics (anonymized)
• Legal Compliance:
  • Comply with legal obligations
  • Respond to law enforcement requests
  • Protect our legal rights
  • Investigate potential violations
• Advertising:
  • Display personalized advertisements (via Google AdMob)
  • Measure ad performance
  • Generate revenue to support the Service

4. How We Share Your Personal Information

4.1 Public Disclosure

The following information is PUBLIC by default:

• Crime report titles and descriptions
• Precise GPS coordinates (latitude/longitude) of reported events
• Geocoded addresses of events
• Images/photos attached to reports
• Your username associated with reports
• Event date and time
• Crime category/type
• Number of upvotes on events

This public information may be:

• Viewed by any app user or visitor
• Indexed by search engines
• Archived by third parties
• Republished or redistributed
• Persistent even after deletion (in caches/backups)

4.2 Sharing with Third-Party Service Providers

Service Provider	Data Shared	Purpose	Location
Supabase (Database & Auth)	All user data, content, messages, location data	Backend infrastructure, database storage, authentication	Various (check Supabase DPA)
Google Maps	Location coordinates, geocoding requests	Map display, address conversion	United States, Global
Google AdMob	Device ID, ad interactions, app usage	Advertising and monetization	United States, Global
AI Moderation Services (Claude/OpenAI)	Crime report content, images (for moderation only)	Automated content moderation	United States

4.3 Sharing with Other Users

• Crime Reports: Visible to all users (public)
• Username: Visible on all your public content
• Direct Messages: Shared only with the specific recipient
• Contact Requests: Shared with the event creator you're requesting to contact
• Upvotes: Vote counts are public; individual voter identity may be visible

4.4 Legal and Safety Disclosures

We may disclose your information without consent when required or permitted by law:

• Law Enforcement Requests: In response to valid legal process (subpoena, court order, search warrant)
• Legal Compliance: To comply with applicable laws and regulations
• Safety Emergencies: To prevent death or serious bodily harm
• Rights Protection: To protect our rights, property, or safety
• Fraud Prevention: To investigate and prevent fraud or illegal activity
• Terms Enforcement: To enforce our Terms of Service

4.5 Business Transfers

If Alladro is involved in a merger, acquisition, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice in the app before your data is transferred.

4.6 Aggregate/Anonymized Data

We may share aggregate, anonymized, or de-identified information that cannot reasonably be used to identify you, including:

• Crime statistics by neighborhood or city
• Aggregate usage metrics
• Trend analysis and research

5. Data Retention

5.1 Retention Periods

Data Type	Retention Period	Reason
Account Information	Until account deletion + 30 days	Account management, legal obligations
Crime Reports (Published)	Indefinitely (public record)	Public safety information, platform purpose
Crime Reports (Rejected/Unverified)	90 days after rejection	Appeal process, moderation review
Direct Messages	Until deletion by user or account closure	User communication history
Contact Requests	7 days after expiration or until accepted/rejected	Operational necessity
Usage Logs	90 days	Security, analytics
IP Address Logs	30 days	Security, fraud prevention
Moderation Records	2 years	Legal defense, pattern detection
Backup Data	90 days (rolling backups)	Disaster recovery

5.2 Account Deletion

When you delete your account:

• Your account credentials and profile are deleted within 30 days
• Your private messages are deleted
• Your public crime reports MAY REMAIN VISIBLE as they constitute public safety information
• Your username may be anonymized on existing reports (e.g., "Deleted User")
• Backups may retain data for up to 90 days
• Legal holds or law enforcement requests may prevent deletion

6. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), UK, or Switzerland, you have the following rights:

6.1 Right of Access (Art. 15 GDPR)

• Request a copy of all personal data we hold about you
• Receive information about how we process your data
• How to exercise: Email [YOUR_EMAIL] with subject "Data Access Request"

6.2 Right to Rectification (Art. 16 GDPR)

• Correct inaccurate or incomplete personal data
• Update your profile information directly in the app
• How to exercise: Edit your profile or contact [YOUR_EMAIL]

6.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

• Request deletion of your personal data
• Limitations: We may retain data if required by law or for legitimate interests (e.g., public crime reports)
• How to exercise: Delete account in-app or email [YOUR_EMAIL]

6.4 Right to Restriction of Processing (Art. 18 GDPR)

• Request temporary suspension of data processing
• How to exercise: Email [YOUR_EMAIL]

6.5 Right to Data Portability (Art. 20 GDPR)

• Receive your data in machine-readable format (JSON)
• Transfer your data to another service
• How to exercise: Email [YOUR_EMAIL] with subject "Data Portability Request"

6.6 Right to Object (Art. 21 GDPR)

• Object to processing based on legitimate interests
• Object to direct marketing
• How to exercise: Email [YOUR_EMAIL]

6.7 Right to Withdraw Consent (Art. 7(3) GDPR)

• Withdraw consent for location tracking (disable in iOS Settings)
• Withdraw marketing consent
• Note: Withdrawal does not affect lawfulness of processing before withdrawal

6.8 Right to Lodge a Complaint

• File a complaint with your local data protection authority
• Italy (Garante): https://www.garanteprivacy.it
• EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en

6.9 Exercising Your Rights

To exercise any of these rights:

1. Email us at: [YOUR_EMAIL]
2. Include subject line: "GDPR Rights Request"
3. Specify which right(s) you wish to exercise
4. Provide identity verification (to prevent fraud)

Response Time: We will respond within 30 days (may be extended to 60 days for complex requests).

Cost: Free of charge, unless requests are manifestly unfounded or excessive.

7. International Data Transfers

7.1 Transfer Mechanisms

When we transfer data outside the EEA, we use the following safeguards:

• Standard Contractual Clauses (SCCs): EU-approved contracts with third-party processors (Supabase, Google)
• Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission (if applicable)
• Privacy Shield successor frameworks: If applicable for US transfers
• Binding Corporate Rules: For transfers within multinational corporate groups (if applicable)

7.2 Third-Party Data Locations

• Supabase: Data may be stored in various regions (check Supabase's data processing agreement)
• Google Services (Maps, AdMob): United States and global data centers
• AI Moderation (Claude/OpenAI): United States

For more information about international transfers, contact [YOUR_EMAIL].

8. Security Measures

8.1 Technical and Organizational Measures

We implement appropriate security measures to protect your data:

• Encryption:
  • HTTPS/TLS encryption for data in transit
  • Password hashing (not stored in plain text)
  • Encrypted database connections
• Access Controls:
  • Role-based access to backend systems
  • Authentication required for all actions
  • Limited employee access to personal data
• Monitoring & Logging:
  • Security event logging
  • Intrusion detection systems
  • Regular security audits
• Data Minimization:
  • Collect only necessary data
  • Delete data when no longer needed
  • Anonymize data where possible

8.2 Limitations

8.3 Data Breach Notification

In the event of a data breach affecting your personal information:

• We will notify affected users within 72 hours (as required by GDPR Art. 33-34)
• We will notify relevant supervisory authorities
• Notification will include nature of breach, affected data, and remedial actions

9. Children's Privacy

9.1 Age Restrictions

• Minimum Age: 13 years old
• Under 18: Parental or guardian consent required
• We do NOT knowingly collect data from children under 13

9.2 Parental Rights

Parents/guardians have the right to:

• Review their child's personal information
• Request deletion of their child's data
• Refuse further collection of their child's data

If you believe we have inadvertently collected data from a child under 13, contact us immediately at [YOUR_EMAIL].

10. Cookies and Tracking Technologies

10.1 Types of Technologies Used

• Essential Cookies: Authentication tokens, session management
• Analytics: App usage tracking, performance metrics
• Advertising: Google AdMob tracking (device advertising ID)
• Preferences: Theme settings, language preferences

10.2 Third-Party Tracking

• Google AdMob: Uses device advertising ID for personalized ads
• Google Maps: May use cookies for map functionality

10.3 Your Choices

• Limit Ad Tracking (iOS): Settings > Privacy > Tracking > Disable "Allow Apps to Request to Track"
• Reset Advertising ID (iOS): Settings > Privacy > Apple Advertising > Reset Advertising Identifier
• Opt-out of personalized ads: https://www.google.com/settings/ads

11. Location Data

11.1 Types of Location Data

• Precise Location (GPS): Latitude and longitude coordinates accurate to within meters
• Approximate Location: City or neighborhood level (not currently implemented)
• Geocoded Address: Human-readable street address derived from GPS coordinates

11.2 How We Use Location Data

• Display crime events on the map
• Filter events within specified radius (3-20km)
• Calculate distance from your location to events
• Associate crime reports with specific locations
• Generate location-based statistics

11.3 Location Permissions

• iOS Permission: "When in Use" - we only access location while app is active
• Required: Location access is essential for core app functionality
• Revocation: You can revoke location permission in iOS Settings, but this will severely limit app functionality

11.4 Location Privacy Risks

• Precise coordinates can reveal your home, workplace, or routine patterns
• Crime reports linked to your location may enable stalking or harassment
• Location history can be reconstructed from multiple reports
• Third parties may scrape and aggregate your location data

Recommendation: Only post crime reports if you are comfortable with your precise location being public.

12. AI and Automated Decision-Making

12.1 AI Moderation System

We use artificial intelligence (Claude/ChatGPT) to moderate user-generated content:

• What is processed: Crime report text, descriptions, and images
• Purpose: Detect spam, offensive content, policy violations
• Human review: Automated decisions may be reviewed by human moderators
• Impact: May result in content rejection or account suspension

12.2 Your Right to Human Review (GDPR Art. 22)

• You have the right not to be subject to solely automated decisions with significant effects
• If your content is rejected by AI, you may request human review by contacting [YOUR_EMAIL]
• You may contest automated moderation decisions

13. Changes to This Privacy Policy

• Right to Modify: We may update this Privacy Policy at any time
• Notice: Material changes will be notified via email or in-app notification
• Effective Date: Changes take effect immediately upon posting unless otherwise specified
• Review Obligation: You should review this Policy periodically
• Continued Use: Continued use after changes constitutes acceptance

Version History:

• Version 2.0 - October 21, 2025 - Comprehensive GDPR-compliant rewrite
• Version 1.0 - [Original Date] - Initial version

14. Contact Us

For privacy-related questions, concerns, or requests:

• Email: [YOUR_EMAIL]
• Subject Line for GDPR Requests: "GDPR Rights Request"
• Data Protection Officer: [DPO_EMAIL] (if applicable)
• Postal Address: [YOUR_ADDRESS]

Response Time: We aim to respond to all inquiries within 30 days.

15. Additional Rights for California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

15.1 Right to Know

• Categories of personal information collected
• Sources of personal information
• Business purpose for collecting data
• Categories of third parties with whom we share data

15.2 Right to Delete

• Request deletion of personal information (subject to exceptions)

15.3 Right to Opt-Out of Sale

• We do NOT sell your personal information as defined by CCPA

15.4 Right to Non-Discrimination

• We will not discriminate against you for exercising your CCPA rights

To exercise CCPA rights, email [YOUR_EMAIL] with subject "CCPA Request".

16. Data Processing Records (GDPR Art. 30)

Summary of our data processing activities:

Processing Activity	Legal Basis	Data Categories	Recipients
User Account Management	Contract	Email, username, password	Supabase
Crime Report Publishing	Contract + Consent	Location, report content, images	Public, Supabase
Geolocation Processing	Consent	GPS coordinates	Google Maps, Supabase
Content Moderation	Legitimate Interest	Report content, images	AI services (Claude/OpenAI)
Advertising	Legitimate Interest	Device ID, usage data	Google AdMob