gSgottaSay
Legal

Privacy Policy

Last updated: 26 May 2026

This Privacy Policy explains how gottaSay ("we", "us", or the "Service") collects, uses, and protects personal data when you use the Service available at gottasay.app.

The Service is operated from the Republic of Serbia. This policy is written to comply with the Serbian Law on Personal Data Protection(Zakon o zaštiti podataka o ličnosti, "ZZPL") and, where applicable, the EU General Data Protection Regulation ("GDPR").

1. Who we are

The Service is operated by the gottaSay team, based in the Republic of Serbia. Company and contact details will be added here before public launch.

2. Information we collect

When you create an account (box owner): your Google account email, display name, and unique Google identifier, provided to us by Google when you sign in. We also store any preferences you set within the Service.

When you create a suggestion box: the questions, prompts, response options, and settings you configure.

When someone responds to a box: the content of the response (free-form text or a selected option). Responses are submitted without sign-in and we do not collect identifying information from responders.

Automatically: server logs containing IP address, browser user agent, request timestamps, and pages requested. We use essential session cookies to keep you signed in. We do not use advertising or third-party tracking cookies.

3. Why we process this data

  • Contract performance — to create your account, store your suggestion boxes, and deliver responses to you.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve the product.
  • Consent — where required by law (for example, if optional analytics are added in the future).
  • Legal obligation — where we are required to retain or disclose information under applicable law.

4. Who we share data with

  • Google — used for sign-in. When you sign in with Google, Google receives information about your interaction with the Service in accordance with its own privacy policy.
  • Infrastructure providers — we use third-party services to host the application and store data. These providers act as processors on our behalf under appropriate contractual safeguards.
  • Law enforcement and authorities — only where required by valid legal process.

We do not sell personal data.

5. International transfers

Personal data may be transferred to and stored in countries outside the Republic of Serbia, including in the European Economic Area and the United States, by our infrastructure providers. Where we transfer personal data abroad, we apply appropriate safeguards as required under ZZPL and, where applicable, GDPR.

6. How long we keep data

  • Account information: while your account is active, deleted within a reasonable period after account closure.
  • Suggestion boxes and responses: kept until you delete them or close your account.
  • Server logs: typically retained for up to 90 days for security and abuse-prevention purposes.
  • Backups: residual copies may persist in encrypted backups for a limited additional period before being overwritten.

7. Your rights

Where your personal data is processed by us, you have the right to:

  • access the data we hold about you;
  • request correction of inaccurate data;
  • request deletion (the "right to be forgotten");
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with the Serbian Commissioner for Information of Public Importance and Personal Data Protection (Poverenik), or, if you are in the EU/UK, with your local data protection authority.

To exercise these rights, use the contact details that will be provided in section 1.

8. Children

The Service is not intended for children under the age of 15. We do not knowingly collect personal data from children under 15. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. No system is perfectly secure, and we cannot guarantee absolute security.

10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Material changes will be communicated through the Service.