Privacy Policy
Effective date: 3 June 2026 · Last updated: 3 June 2026
1. Who we are
Renly is a digital loyalty card service for cafes. The joint data controllers responsible for your personal data are:
Jovan Zdravković and Aleksandar Lalić, doing business as Renly
Serbia
Contact: support@apprenly.com
“Renly”, “we”, “us”, and “our” refer to the controllers above throughout this policy.
2. Data we collect and why
We collect only what is necessary to operate the service. The table below lists every category of personal data we process, together with the purpose and legal basis under the EU General Data Protection Regulation (GDPR) and the Serbian Law on Personal Data Protection (ZZPL).
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account data | Email address, account role (customer or café owner), language preference | Create and manage your account; send password-reset and magic-link emails | Performance of contract (Art. 6(1)(b) GDPR / Art. 12(1)(b) ZZPL) |
| Café profile data (owners only) | Café name, logo image, street address, phone number, opening hours, GPS coordinates (latitude/longitude) | Display your café to customers; enable location-based discovery | Performance of contract (Art. 6(1)(b)); legitimate interests — helping customers find nearby participating cafés (Art. 6(1)(f) GDPR / Art. 12(1)(f) ZZPL) |
| Loyalty activity data | Stamps collected, points balance, visit-streak count and timestamp, scan timestamps and associated café ID | Track and display your loyalty progress; award stamps, points, and streak bonuses | Performance of contract (Art. 6(1)(b)) |
| Redemption records | Redemption codes, reward title, points spent, redemption timestamp, confirming staff member | Process and validate reward claims; prevent fraud | Performance of contract (Art. 6(1)(b)); legitimate interests — fraud prevention (Art. 6(1)(f)) |
| Task-completion data | Which tasks you completed, completion timestamps, points awarded, confirming staff member | Award bonus points for completing café challenges | Performance of contract (Art. 6(1)(b)) |
| Referral data | Your unique referral code; the user ID of anyone who referred you; relationship metadata | Credit referral bonuses to both sides of a referral | Performance of contract (Art. 6(1)(b)) |
| In-app notifications | Announcement and weather-deal content sent by café owners to enrolled customers; comeback-offer codes | Deliver relevant promotions from cafés you have joined | Legitimate interests — enabling café owners to communicate with opted-in customers (Art. 6(1)(f)) |
| Technical/log data | IP address, browser type, and timestamp collected by Supabase Auth during sign-in | Security; detecting suspicious login attempts | Legitimate interests — service security (Art. 6(1)(f)) |
3. Data we do not collect
- Payment card numbers or any financial account details (café subscription billing is handled externally by Polar.sh — see Section 5).
- Precise real-time device location. The GPS coordinates stored are those entered by the café owner for their business premises, not derived from your device.
- Special categories of data such as health, religion, or biometric data.
- Any data from third-party advertising networks, tracking pixels, or social-media SDKs. Renly contains no analytics or advertising trackers.
4. How long we keep your data
| Data | Retention period |
|---|---|
| Account and profile data | Kept until you delete your account. |
| Loyalty activity (scans, streaks, points, stamps) | Kept for the life of your account, then deleted within 30 days of account deletion. |
| Redemption and task-completion records | Kept for 2 years after the event for fraud prevention, then deleted. |
| Referral records | Kept until your account is deleted. |
| Authentication/security logs | Up to 90 days, then automatically purged by Supabase. |
When you delete your account, all data in the rows above is deleted or anonymised within 30 days unless a longer retention period is legally required.
5. Who we share data with
We do not sell, rent, or trade your personal data. We share it only with the following sub-processors under written data-processing agreements:
Supabase Inc. (United States)
Hosts our database, authentication service, and file storage.
Transfer safeguard: EU Standard Contractual Clauses (SCCs) — European Commission Decision 2021/914.
Polar.sh Inc. (United States)
Processes café-owner subscription payments. Polar receives only what is needed to fulfil billing; it is an independent controller for payment data.
Transfer safeguard: Polar's own Privacy Policy and EU SCCs. Renly never receives or stores payment-card numbers.
We may also disclose personal data if required by applicable law, court order, or to protect the rights and safety of our users.
6. International data transfers
Renly is operated from Serbia. Both Supabase and Polar.sh are based in the United States. Transfers to these providers are protected by EU Standard Contractual Clauses, which provide an adequate level of protection equivalent to that guaranteed within the EEA/Serbia.
7. Cookies and similar technologies
Renly uses only a single session cookie set by Supabase Authentication to keep you logged in. This cookie is strictly necessary for the service to function and does not require your consent under the ePrivacy Directive. We do not use any advertising cookies, analytics cookies, or third-party tracking technologies.
8. Your rights
Under the GDPR and the ZZPL you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your data (“right to be forgotten”), subject to legal retention requirements.
- Restriction — ask us to pause processing of your data in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at support@apprenly.com. We will respond within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with:
- Serbia: Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs)
- EU/EEA: The supervisory authority in your country of residence.
9. Children
Renly is not intended for anyone under the age of 16. We do not knowingly collect personal data from persons under 16. If you believe a child under 16 has provided us with personal data, please contact us at support@apprenly.com and we will delete it promptly.
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Row-level security on all database tables — each user can only access their own records.
- HMAC-signed QR tokens — café QR codes cannot be forged or replayed.
- TLS encryption for all data in transit.
- Supabase infrastructure encryption at rest.
No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please disclose it responsibly to support@apprenly.com.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by law, notify you by email or in-app message. Continued use of Renly after the effective date constitutes acceptance of the revised policy.
12. Contact
For any questions, requests, or complaints about this policy:
Jovan Zdravković and Aleksandar Lalić, doing business as Renly
Serbia
support@apprenly.com