Privacy Notice
Last updated: 03/06/2026
1. Who is the data controller
The data controller for personal data processed through the Getit service is Goncalo Vardasca Fonseca, an independent sole proprietor based in Portugal ("Getit", "we", "our"). For any privacy enquiry contact info@getitapp.online.
2. Personal data we collect
- Account data: name, email address, password hash, language and theme preferences.
- Profile & lifestyle preferences: destinations, dietary needs, brands, dates, and other concierge briefs you provide.
- Conversation history: messages, attachments, and proposals exchanged with concierges.
- Transaction metadata: subscription plan, status, billing period, and customer/transaction identifiers returned by Stripe. Card details are processed directly by Stripe and are never stored by us.
- Technical & usage data: IP address, device/browser type, log timestamps, error reports, and basic usage telemetry to keep the service secure and reliable.
- Cookies: essential cookies for authentication and preference storage. No advertising or third-party tracking cookies.
3. Purposes & legal bases (GDPR)
- Provide the service (account creation, concierge interactions, proposals) — performance of the contract (Art. 6(1)(b) GDPR).
- Process payments and manage subscriptions via Stripe — performance of the contract and legal obligation (Art. 6(1)(b) and (c)).
- Security, fraud prevention & service integrity — legitimate interests (Art. 6(1)(f)).
- Service improvement and analytics using aggregated, non-identifying data — legitimate interests (Art. 6(1)(f)).
- Customer support — performance of the contract and legitimate interests.
- Legal & accounting compliance (tax, invoicing, dispute records) — legal obligation (Art. 6(1)(c)).
- Marketing emails, where applicable — your consent (Art. 6(1)(a)), withdrawable at any time.
4. Who we share data with
We share personal data only with the following categories of recipients:
- Stripe Payments Europe, Ltd. — processes payments, calculates and collects applicable taxes, handles invoicing and subscription billing, and provides fraud protection.
- Supabase / Lovable Cloud — EU-based hosting, database, authentication, and file storage provider.
- Cloudflare — content delivery and DDoS protection at the network edge.
- Email delivery providers for transactional emails (e.g. account verification, receipts).
- Concierges assigned to your account — they access only the information needed to fulfil your requests.
- Professional advisers (legal, accounting) under confidentiality.
- Public authorities where required by law or to defend legal claims.
We never sell your personal data and we do not share it for third-party advertising.
5. International transfers
Personal data is primarily stored on EU-based infrastructure. Where a service provider processes data outside the EEA/UK (for example Stripe group entities or Cloudflare edge nodes), we rely on adequacy decisions or the European Commission's Standard Contractual Clauses (SCCs) together with appropriate technical safeguards.
6. Retention
- Account, profile, and conversation data: kept while your account is active.
- After account deletion: deleted or anonymised within 30 days, except where longer retention is required by law.
- Billing and tax records: retained for up to 10 years as required by Portuguese tax law.
- Security and audit logs: retained for up to 12 months.
7. Your rights
Under the GDPR you have the right to:
- access your personal data and receive a copy;
- have inaccurate data rectified;
- request erasure ("right to be forgotten");
- restrict or object to processing;
- receive your data in a structured, machine-readable format (data portability);
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with your supervisory authority (in Portugal: CNPD — Comissão Nacional de Proteção de Dados).
To exercise any of these rights, email info@getitapp.online. We respond within 30 days.
8. Security measures
We apply appropriate technical and organisational measures to protect your data, including: TLS encryption in transit, encryption of database backups at rest, row-level security policies, role-based access controls, hashed credentials, audit logging, the principle of least privilege for staff, and regular review of third-party subprocessors. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
9. Cookies
We use only essential cookies necessary for authentication and to remember your preferences (theme, language). We do not use advertising cookies or third-party tracking. You can clear cookies in your browser at any time; doing so will sign you out.
10. Children
Getit is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this notice
We may update this notice from time to time. Material changes will be communicated by email or in-app notice. The "last updated" date at the top reflects the latest version.
12. Contact
Goncalo Vardasca Fonseca · info@getitapp.online