Privacy Policy

Last Updated: November 12, 2025


1. Who We Are

Gruplato ("we", "us", or "our") is a travel planning and group coordination platform. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR).

Data Controller: Gruplato

Niklas Winter
Vor den Balken 6d
38120 Braunschweig
Germany

Support: support@gruplato.com, +49 170 4451782

2. Information We Collect

2.1 Information You Provide

Account Information:

  • Name and email address
  • Password (encrypted)
  • Optional profile photo and preferences

Payment Information:

  • Billing details (processed by Stripe)
  • Transaction history
  • VAT identification number (if applicable)

Group and Trip Data:

  • Group names and descriptions
  • Trip destinations, dates, and itineraries
  • Your availability and budget preferences
  • Comments, messages, and shared content
  • Photos and documents you upload

2.2 Information Collected Automatically

Usage Data:

  • Pages visited and features used
  • Time spent on the platform
  • Device type, browser, and operating system
  • IP address (for security and approximate location)

Cookies: We use cookies for:

  • Essential functionality (required for the service to work)
  • Analytics (with your consent)
  • Performance improvements

You can control cookies through your browser settings or our cookie consent tool.

3. How We Use Your Information

We process your personal data based on the following legal grounds:

3.1 Contract Performance (GDPR Art. 6(1)(b))

To provide our service:

  • Create and manage your account
  • Process payments
  • Enable group travel planning
  • Provide customer support
  • Send essential service notifications

3.2 Legitimate Interests (GDPR Art. 6(1)(f))

For business operations:

  • Improve and optimize the platform
  • Analyze usage patterns
  • Prevent fraud and ensure security
  • Fix technical issues

3.3 Legal Obligation (GDPR Art. 6(1)(c))

To comply with laws:

  • Maintain transaction records for tax purposes
  • Respond to legal requests
  • Meet accounting and regulatory requirements

3.4 Consent (GDPR Art. 6(1)(a))

With your permission:

  • Send marketing communications
  • Use analytics cookies
  • Track marketing effectiveness

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4. How We Share Your Information

We do not sell your personal data.

We share information only in these circumstances:

Within Groups: Group members can see information you share within that group (name, availability, budget preferences, contributions).

Service Providers:

  • Stripe (Payment processing) - EU-U.S. Data Privacy Framework certified
  • Hosting providers - EU-based servers
  • Email services - For transactional emails

All service providers are contractually required to comply with GDPR and process data only as instructed.

Legal Requirements: When required by law or to protect rights and safety.

Business Transfers: In case of merger or acquisition (with notice to you).

5. International Data Transfers

Your data is stored in the European Union. When we transfer data outside the EU, we use:

  • Standard Contractual Clauses approved by the European Commission (2021/914)
  • Additional security measures including encryption and access controls
  • EU-U.S. Data Privacy Framework for certified organizations (like Stripe)

You can request information about data transfers and safeguards by contacting support@gruplato.com.

6. Data Security

We protect your data using:

  • Encryption in transit (TLS/SSL) and at rest (AES-256)
  • Secure password hashing
  • Access controls and monitoring
  • Regular security audits

You are responsible for keeping your password confidential and using a strong password.

7. Data Retention

Active Accounts: We retain your data while your account is active.

After Account Deletion:

  • Most data is deleted within 30 days
  • Transaction records are kept for 7 years (legal requirement)
  • Security logs are kept for 90 days
  • Backups may persist for up to 90 days before permanent deletion

8. Your Rights Under GDPR

You have the following rights:

Right to Access (Art. 15): Request a copy of your personal data

Right to Rectification (Art. 16): Correct inaccurate or incomplete data

Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")

Right to Restriction (Art. 18): Limit how we process your data in certain circumstances

Right to Data Portability (Art. 20): Receive your data in a machine-readable format

Right to Object (Art. 21): Object to processing based on legitimate interests or for marketing

Right to Withdraw Consent (Art. 7(3)): Withdraw consent for marketing and optional features

Right to Lodge a Complaint (Art. 77): File a complaint with your national data protection authority

How to Exercise Your Rights

Email: support@gruplato.com
Response Time: Within 30 days (may extend to 60 days for complex requests)

We will verify your identity before processing requests to protect your data.

Find Your Data Protection Authority: https://edpb.europa.eu/about-edpb/board/members_en

9. Cookies and Tracking

We use three types of cookies:

Essential Cookies (Required)

  • Session management
  • Authentication
  • Security features

Analytics Cookies (Optional)

  • Usage statistics
  • Feature adoption
  • Performance monitoring

Marketing Cookies (Optional)

  • Campaign effectiveness
  • User acquisition tracking

You can accept or reject optional cookies through our cookie banner. Essential cookies cannot be disabled as they're necessary for the service to function.

10. Children's Privacy

Gruplato is not intended for anyone under 16 years of age (GDPR Art. 8 requirement for EU member states).

If we discover that we've collected data from someone under 16, we will delete it within 24-48 hours.

Parents/Guardians: If you believe your child has provided personal information to us, contact us immediately at support@gruplato.com.

11. Data Protection Officer

For questions about data protection, contact our DPO:

Email: support@gruplato.com

Responsibilities:

  • Monitoring GDPR compliance
  • Handling data subject requests
  • Cooperating with supervisory authorities
  • Advising on data protection matters

12. Data Breach Notification

If a personal data breach occurs that poses a risk to your rights:

  • We will notify the relevant supervisory authority within 72 hours
  • We will notify affected users without undue delay if the breach poses high risk
  • We will provide information about the breach and remedial actions taken

13. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements.

When we make significant changes:

  • We'll update the "Last Updated" date
  • We'll notify you via email
  • We'll provide 30 days' notice for material changes

Your continued use after changes take effect means you accept the updated policy.

14. Legal Basis Summary

| Processing Activity         | Legal Basis          |
|-----------------------------|----------------------|
| Account management          | Contract performance |
| Payment processing          | Contract performance |
| Service delivery            | Contract performance |
| Customer support            | Contract performance |
| Security & fraud prevention | Legitimate interests |
| Analytics & improvements    | Legitimate interests |
| Marketing emails            | Consent              |
| Tax compliance              | Legal obligation     |

15. Contact Us

General Support: support@gruplato.com

Response Times:

  • Privacy inquiries: 5 business days for acknowledgment
  • GDPR requests: 30 days maximum
  • Urgent security matters: 24-48 hours

Your Data, Your Rights

This policy is designed to be transparent about how we handle your personal data. If you have concerns or questions about our practices, please don't hesitate to contact us.

You have the final say over your personal data.

Document Version: 2.0
Effective Date: November 12, 2025
Next Review: May 12, 2026