Privacy Policy

This policy explains how the iShopSync platform processes personal data in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”) and, where the service is operated from Romania, with Romanian Law no. 190/2018 implementing the GDPR.

The data controller is the entity operating the iShopSync service at the public website you use. Full identification and contact details are provided on our contact page and, where applicable, elsewhere on the site.

1. What iShopSync is

iShopSync is a web application (including a mobile-friendly experience you can install to your home screen from the browser) for collaborative group shopping: groups, members, sessions, item lists, budgets and goals, splits and settlements, receipt uploads and OCR (on-device or cloud, depending on configuration), in-session messaging, share links protected by tokens, exports, and related features.

2. Categories of data we process

  • Account & security: name, email, password hash, optional Google OAuth identifiers, 2FA settings, UI preferences (language, dark mode), active group.
  • Group data: group name, description, members, roles, invitations (codes/links).
  • Session & finance data: items, prices, splits, budgets, goals, messages, activity needed to run the product.
  • Receipts/files: images or documents you upload; OCR output (e.g. local Tesseract and/or Google Gemini when enabled).
  • Public share links: technical tokens associated with read-only links you create.
  • Contact form: name, email, subject, message body.
  • Newsletter: email and optional name; unsubscribe handled via a dedicated link.
  • Contests: data required by each campaign.
  • Technical & security logs: IP addresses, session identifiers, server logs, abuse prevention signals.
  • Cookies: as described in the Cookie Policy.

Please do not submit special-category data in free-text fields unless strictly necessary and lawful.

3. Purposes and legal bases

  • Art. 6(1)(b) GDPR – performance of the service you request (account, groups, sessions, receipts, messaging, exports).
  • Art. 6(1)(c) GDPR – legal obligations, where applicable.
  • Art. 6(1)(f) GDPR – legitimate interests (security, fraud prevention, reliability, defence of legal claims).
  • Art. 6(1)(a) GDPR – consent for newsletter, optional cookie categories, and other marketing only where separately obtained.

4. Recipients and processors

We use infrastructure, email delivery, and (if configured) Google (OAuth / Gemini OCR), Pusher or similar for realtime features, and other subprocessors under appropriate agreements. We do not sell your personal data. We disclose information to public authorities when required by law.

5. International transfers

Where processors are outside the EEA, we rely on GDPR transfer tools (e.g. Standard Contractual Clauses) or other lawful mechanisms.

6. Retention

We keep data as long as needed for the purposes above, including configured retention/archiving rules and legal retention duties, then delete or anonymise where feasible.

7. Security

We apply reasonable technical and organisational measures (HTTPS, access controls, optional 2FA, logging). No system is perfectly secure.

8. Your rights

Subject to GDPR, you may have rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. You may lodge a complaint with your local supervisory authority. In Romania, this is the National Supervisory Authority for Personal Data Processing (ANSPDCP)www.dataprotection.ro.

Requests: use in-app tools where available and/or our contact form. We may verify identity before responding.

9. Children

If consent is the legal basis and the service is addressed to minors, parental authority rules under applicable national law apply.

10. Changes

We may update this policy; material changes will be communicated by reasonable means where appropriate.

Last updated: April 2026. A custom version published from the admin panel may override this default text.