Privacy Policy
1. Who is responsible
The data controller for districtzero.app is the entity identified in the Impressum ("we"). For any privacy matter, contact us at privacy@districtzero.app.
2. What we collect, why, and on what legal basis
a) Alert subscriptions (Scanner, product watches).
- Data: e-mail address, selected region, alert-type preferences, optional product interests and target prices, consent timestamp, IP address at the moment of consent, confirmation status, unsubscribe token.
- Purpose: sending the price/restock alerts and digests you requested, and proving your consent (GDPR accountability).
- Legal basis: your consent — Art. 6(1)(a) GDPR — given via double opt-in (you confirm by e-mail before we ever send alerts). You can withdraw it any time with one click.
- Retention: until you unsubscribe. After unsubscription we keep a minimal suppression record (e-mail hash, consent/unsubscribe timestamps) to honour your opt-out and document past consent, then delete remaining data within 3 years.
b) Server logs. Our hosting providers process IP addresses and request metadata in short-lived technical logs for security and operation (legitimate interest, Art. 6(1)(f) GDPR).
c) Cookies and tracking. The public site currently sets no advertising or analytics cookies and uses no third-party trackers. Should we introduce analytics, this policy and the site will be updated first, with consent collected where required.
3. Who processes data for us
- Google Cloud / Firebase Firestore (database) — data stored in the EU multi-region eur3; processor under Google Cloud's EU data-processing terms.
- Vercel (website hosting) and Railway (background processing) — infrastructure providers acting as processors.
- Resend (e-mail delivery, USA) — receives your e-mail address to deliver the messages you requested. Transfers outside the EEA rely on the EU Standard Contractual Clauses / EU–US Data Privacy Framework, as applicable.
We never sell personal data, and we never share it with shops or advertisers.
4. Your rights
Under the GDPR you can, at any time:
- withdraw consent — the unsubscribe link in every e-mail does this with one click;
- request access to the data we hold about you, and a portable copy;
- request rectification or erasure;
- object to, or request restriction of, processing;
- lodge a complaint with a supervisory authority — in the Czech Republic the Úřad pro ochranu osobních údajů (uoou.gov.cz), or the authority of your own EU country.
Requests go to the contact in section 1; we respond within one month.
5. What we don't do
- No profiling with legal effects, no automated decision-making about you.
- No data sales, no ad networks, no cross-site tracking.
- No processing of children's data knowingly — the alert service is intended for users 16 and over.
6. Security
Data is stored in access-controlled EU-region infrastructure with encrypted transport, secrets management and the principle of least access. E-mail addresses are additionally referenced internally by cryptographic hash where feasible.
7. Changes
We will post any updates to this policy on this page with a new effective date. Substantial changes affecting alert subscribers will be announced by e-mail.