Nearo logoNearo
BenefitsHow it worksExamplesDownload
Download the appPL

Nearo Privacy Policy

Version: 2.0 • Effective date: 2026-04-17

1. Controller and contact

The controller of personal data processed in connection with the Nearo App is Piotr Lechnio (Warsaw, Poland). Contact: contact@nearo.pl.

No Data Protection Officer (DPO) has been appointed. For data protection inquiries, please use the email address above.

2. Categories of data

The controller processes the following categories of personal data:

  • Account data: phone number in E.164 format, account identifier (UUID), session identifiers (JWT tokens).
  • Profile data: display name, street, building number, geographic coordinates (latitude and longitude) — collected once during registration.
  • Settlement membership data: settlement identifier, join code hash, join date.
  • User content: listings (title, description, category, status, optional address, optional photo, optional parking data), chat messages, abuse reports (reason, details), support messages (category, title, content).
  • Photos: optionally uploaded to listings (maximum 5 MB per photo), stored in Supabase Storage infrastructure.
  • Push notification data: push token (Expo Push Token), device identifier (UUID), platform (iOS/Android), app version, notification settings (enable/disable by type: messages, listings, system messages, selected listing categories).
  • Technical data: error and security event logs, IP addresses processed as part of network communication.

3. Data stored locally on device

The App stores the following data on the User’s device:

  • Secure storage (encrypted at OS level): session tokens (accessToken, refreshToken), push device identifier.
  • Cache (unencrypted): feed listings, chat data and messages, notifications, parking data, settlement data, and onboarding data.
  • All local data is cleared on logout.

4. Purposes and legal bases

  • Service delivery (GDPR Art. 6(1)(b)): account creation and management, resident verification (SMS OTP, settlement code), listing publication, chat, push notifications, settlement membership verification.
  • Legitimate interests of the controller (GDPR Art. 6(1)(f)): service security, abuse prevention, violation report handling, account blocking, content moderation, legal claims defense.
  • Consent (GDPR Art. 6(1)(a)): device GPS location access one-time during registration, push notifications, camera and photo library access.
  • Legal obligations (GDPR Art. 6(1)(c)): where required by law (e.g., archival obligations, law enforcement requests).

5. Recipients and processors

Personal data may be shared with the following categories of recipients (processors and sub-processors):

  • Supabase Inc. (database, authentication, file storage) — EU region (Frankfurt, aws-eu-central-1) or another EU region configured for the project. DPA in effect.
  • Vercel Inc. (application hosting, edge network, Vercel Analytics on the website nearo.pl) — global edge network with EU-based origin. DPA in effect.
  • Expo / 650 Industries Inc. (push notification delivery via Expo Push Service) — USA. Standard Contractual Clauses (SCC) apply.
  • Google LLC / Firebase Cloud Messaging (push notification routing on Android) — USA. Standard Contractual Clauses (SCC) apply. The controller does NOT use Firebase Analytics nor Firebase Crashlytics.
  • SMS provider integrated with Supabase (e.g. Twilio Inc.) (OTP code delivery) — data center in EU or USA depending on provider configuration.
  • Upstash Inc. (Redis — OTP rate limiting) — EU region.

6. International transfers

Data may be transferred outside the EEA by processors listed in Section 5. Where this occurs, appropriate safeguards are ensured, in particular Standard Contractual Clauses (SCC) pursuant to European Commission decisions, or adequacy decisions.

7. Retention

  • Account and profile data: retained until account deletion by the User.
  • Listings: active for up to 14 days (configurable per category); automatically closed thereafter. Data deleted no later than 30 days after listing creation.
  • Chat messages: retained until account deletion. After account deletion, the display name is replaced with “Deleted user” and the phone number is anonymized.
  • Abuse reports and support messages: retained for up to 30 days, or longer only if required by applicable law or necessary for the defense of legal claims.
  • Technical and security logs: up to 30 days.
  • Push notification tokens: deactivated and anonymized upon account deletion or token refresh.

8. Account deletion

Users can delete their account directly in the App (Profile → Delete account). The deletion process is irreversible.

After deletion: a) the account status is changed to deleted; b) the phone number is anonymized; c) all active push tokens are deactivated; d) all active listings are closed; e) the display name in chat conversations is replaced with “Deleted user”.

The User may also request account deletion by emailing contact@nearo.pl.

9. App permissions

The App may request the following device permissions:

  • Camera and photo library: for adding photos to listings. Access is granted only after explicit user consent and only while the App is in use.
  • Push notifications: for receiving information about new messages, listing updates, and system messages.
  • Location (GPS): one-time access during onboarding to verify that the User is within the declared settlement area. The App does NOT track location in the background.
  • The App does NOT request access to the microphone, contacts, calendar, or other sensors.

10. Analytics and cookies

The Nearo mobile App does NOT use advertising SDKs, analytics SDKs, or crash reporting tools.

The Nearo website (nearo.pl) uses Vercel Analytics — an aggregated, privacy-friendly analytics service that does not use cookies and does not track individual users across sites.

The website does not use advertising cookies or third-party tracking scripts.

11. Security measures

The controller applies technical and organizational measures to protect data, including:

  • Row Level Security (RLS) policies enforced at the database level — each User can access only their own data and data of settlements they belong to.
  • Authentication via SMS OTP with rate limiting (maximum 3 attempts per 15 minutes per phone number).
  • HTTPS/TLS encryption for all network communication.
  • Encrypted local storage (SecureStore) for session tokens on the device.
  • Automated session expiry and token refresh mechanisms.

12. Age requirement

The App is intended for users aged 18 or older. The controller does not knowingly collect data from minors. If the controller becomes aware that data of a person under 18 has been collected, it will be deleted promptly.

13. Changes to this Policy

The controller reserves the right to amend this Privacy Policy. The current version is always available in the App (Profile → Legal) and on the website nearo.pl/en/legal/privacy.

In the event of material changes, users will be notified via push notification or a message within the App.

Nearo · A private app for verified neighborhood residents

About NearoSupportPrivacyTermsDelete account