BottleUp BottleUp
RO Join

Privacy Policy

Last updated: June 3, 2026

This policy explains what personal data BottleUp processes, for what purposes and what rights you have. We comply with Regulation (EU) 2016/679 (GDPR) and applicable Romanian law.

1. The data controller

BITCRAFTERS SRL, CUI RO49900684, Trade Register No. J2024007383407, registered office at Str. Frații Golescu 4, Bucharest, Sector 1, acts as the data controller. Data protection contact: dpo@bottleup.ro, tel. +40 756 888 282. Response time: up to 30 days.

2. Definitions

Personal data = any information about an identified or identifiable person. Controller = who determines the purposes and means of processing. Processor = who processes data on behalf of the controller. Data subject = the user. Processing = any operation on the data. Consent = a freely given, specific and unambiguous agreement.

3. What data we collect

  • Account and authentication: email address, name/nickname, avatar (optional), the authentication provider (Magic Link, Google, Apple). We do not store passwords.
  • Contact: email and, optionally, phone number (for code verification).
  • Location: only with your permission, to show you nearby offers. You can refuse it; we then use a generic location (city).
  • User-generated content: listings, chat messages, ratings.
  • Technical data: IP address, push notification token, device type and operating system, app version, date and time of access.
  • Paid services: the App Store / Google Play purchase identifier, subscription status. We do not collect or store card data — payments are processed by Apple, Google or Stripe.

4. Purposes and legal basis

  • Providing the service (account, listings, chat, map) — performance of the contract, Art. 6(1)(b).
  • Push and service notifications — performance of the contract / consent.
  • Paid services and invoicing — performance of the contract and legal obligation (Fiscal Code), Art. 6(1)(b) and (c).
  • Security, abuse and fraud prevention — legitimate interest, Art. 6(1)(f).
  • Service improvement and statistics — legitimate interest.
  • Precise location, marketing, non-essential cookies — consent, Art. 6(1)(a), withdrawable at any time.

5. Who we disclose data to

We do not sell your data. We share it only with providers that help us operate the platform, under data processing agreements (DPA):

  • Google / Firebase — authentication, push notifications.
  • Apple, Google — authentication and payments for paid services (IAP).
  • Mailchimp / Mandrill — service and marketing emails.
  • Oblio — issuing invoices for paid services.
  • Stripe — payments for partners/web (where applicable).
  • The hosting provider — server infrastructure.

We may also disclose data to authorities (ANAF, ANSPDCP, courts) where the law requires it. Other users only see the public information on your profile (nickname, avatar, rating) and your listings.

6. International data transfers

Some processors (e.g. Google, Mailchimp, Stripe) may process data outside the EU/EEA, including in the US. In these cases the transfer is protected by Standard Contractual Clauses (SCC) approved by the European Commission and additional measures (encryption in transit, restricted access).

7. How long we keep data

  • Account and listings: for the lifetime of the account; on deletion, identifying data is anonymized and listings are taken out of circulation.
  • Chat messages: we keep them for moderation, fraud prevention and dispute resolution (legitimate interest, Art. 6(1)(f)). When an account is deleted, the messages are not deleted, but the sender is anonymized (“Deleted account”). We remove/anonymize them completely after a reasonable period of inactivity (indicatively 12 months from the end of the relationship).
  • Invoices and tax documents (paid services): 5 years — legal obligation.
  • Marketing email: until consent is withdrawn.
  • Technical data (IP, logs): generally 12 months.
  • Push notification token: for the lifetime of the account.

We may disclose messages to authorities only on the basis of a valid legal request (e.g. an order/request from competent bodies).

8. Your rights

Under the GDPR, you have the right to:

  • Access (Art. 15) — confirmation and a copy of your data.
  • Rectification (Art. 16) — correction of inaccurate data.
  • Erasure — the “right to be forgotten” (Art. 17), except for data we are required by law to keep.
  • Restriction of processing (Art. 18).
  • Portability (Art. 20) — receiving your data in a structured format.
  • Objection (Art. 21), including to marketing.
  • Not being subject to automated decisions with legal effects (Art. 22).
  • Withdrawal of consent at any time, without affecting prior processing.
  • Complaint to ANSPDCP (Art. 77).

You can delete your account directly in the app or by following the steps on the Delete account page.

9. How to exercise your rights

Send a request to dpo@bottleup.ro (or contact@bottleup.ro), stating the right you wish to exercise. We may ask for identity verification. We respond within 30 days at most (extendable by 2 months for complex requests). The first request each year is free.

10. Security

We apply technical and organizational measures to protect data:

  • encryption in transit (HTTPS / TLS) and storing tokens in Keychain (iOS) / Keystore (Android);
  • authentication with rotating JWT tokens and secure sessions;
  • rate limiting, injection protection and security headers;
  • no storage of card data (processed by Apple / Google / Stripe);
  • restricted internal access and data processing agreements with providers.

In the event of a breach with high risk to your rights, we notify ANSPDCP within 72 hours and inform you as required by law. No system is 100% secure, but we treat security with the utmost seriousness.

11. Cookies

The mobile app does not use cookies; tokens are stored securely on the device.

The website uses essential cookies (to function) and, only with your consent, analytics and marketing cookies. On your first visit we show a banner where you can accept, reject or customize your choice; you can change it at any time from “Cookie settings”. The sign-up form is protected by reCAPTCHA (Google), which may set its own cookies.

12. Minors

The service is not intended for people under 18. We do not knowingly collect data about minors. If you find that a minor has provided us with data, write to us at dpo@bottleup.ro and we will remove it.

13. Changes

We may update this policy. We mark the date of the last change above and, for significant changes, we notify you in the app or on the website.

14. Contact

BITCRAFTERS SRL
Str. Frății Golescu 4, Bucharest, Sector 1
GDPR: dpo@bottleup.ro · Contact: contact@bottleup.ro
Phone: +40 756 888 282

15. Supervisory authority (ANSPDCP)

The National Supervisory Authority for Personal Data Processing
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, 010336
Phone: +40 318 059 211 · Email: anspdcp@dataprotection.ro · dataprotection.ro

This is a convenience translation; the Romanian version prevails.