Privacy Policy
This Privacy Policy (the "Policy") describes how WERUGO LIMITED ("Werugo", "we", "our" or "us"), a company incorporated in Malta, collects, uses and protects the personal data of users of the Werugo mobile application (the "App"), in compliance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and with Maltese and European data protection laws.
1. Data Controller
The data controller for the personal data collected through the App is:
- WERUGO LIMITED
- St. Julian's Business Centre, Elia Zammit Street, Level 5, STJ 3153 St. Julian's, Malta
- VAT: MT32608924
- E-mail: contact@werugo.app
Data Protection Officer (DPO): no DPO has been formally appointed at this time. Any data protection request may be sent to contact@werugo.app.
2. Data Collected
We only collect data that is necessary to provide our services:
| Category | Data concerned | Source |
|---|---|---|
| Identity and account | Last name, first name, display name, date of birth, profile picture (optional) | Provided by the user |
| Contact details | E-mail address, mobile phone number | Provided by the user |
| Authentication | Hashed password, SMS verification code | Generated at account creation |
| Transaction data | Reservation, pool and participation history, amounts, statuses | Generated by the use of the service |
| Payment data | Bank card information processed exclusively by Stripe; Werugo only stores a transaction identifier and the last 4 digits of the card | Entered through Stripe's interface |
| Location | Approximate or precise location (with your explicit consent) | Device GPS |
| User content | Photographs, reviews, ratings, comments, reports | Posted by the user |
| Technical data | Device type, OS, App version, push notification identifier (FCM token), logs | Collected automatically |
| Preferences | Language, notifications, favourites, search filters | Provided by the user |
3. Purposes and Legal Bases
| Purpose | Legal basis (Art. 6 GDPR) | Retention period |
|---|---|---|
| Creation and management of the user account | Performance of a contract (Art. 6.1.b) | Duration of the account + deletion within 30 days after closure |
| Processing and follow-up of reservations / group pools | Performance of a contract (Art. 6.1.b) | 5 years after the last transaction (commercial limitation) |
| Payment and fraud prevention | Performance of a contract and legitimate interest (Art. 6.1.b and 6.1.f) | 13 months for fraud-related data |
| Accounting and tax obligations | Legal obligation (Art. 6.1.c) | 10 years (Maltese Companies Act and EU accounting obligations) |
| Transactional push notifications | Performance of a contract (Art. 6.1.b) | Duration of the account |
| Marketing push notifications | Consent (Art. 6.1.a) | Until consent is withdrawn |
| Location data to suggest nearby offers | Consent (Art. 6.1.a) | Not retained after the session, unless saved as a preference |
| Content moderation and handling of reports | Legitimate interest and legal obligation (Art. 6.1.f and 6.1.c) | 1 year after the report |
| Responding to support requests | Legitimate interest (Art. 6.1.f) | 3 years after the last contact |
4. System Permissions Requested
The App may request the following permissions from the iOS or Android system. You may decline or revoke them at any time from your device settings — bearing in mind that declining certain permissions may limit available features.
- Location — to display nearby offers and directions.
- Notifications — to alert you about the status of your reservations and group pools.
- Photos / Photo library — to let you add a profile picture or illustrate your reviews.
- Camera — to scan QR codes where needed.
5. Recipients and Processors
We do not sell or rent your data. Data is only accessible to authorised Werugo staff and to the technical providers strictly necessary to operate the App. These processors are bound by a data processing agreement that complies with Article 28 of the GDPR.
| Processor | Role | Location |
|---|---|---|
| Google Ireland Limited (Firebase / Google Cloud) | Hosting, database, authentication, file storage, push notifications, Cloud Functions | European Union (europe-west region) |
| Stripe Payments Europe, Limited | Payment processing, Apple Pay, Google Pay, 3D Secure | Ireland / European Union |
| Resend, Inc. | Transactional e-mails (confirmations, password resets) | United States (with EU Standard Contractual Clauses) |
| Google LLC (Google Maps Platform) | Map display, geocoding | United States (with EU Standard Contractual Clauses) |
| Apple Inc. (APNs) | Delivery of iOS push notifications | United States (with EU Standard Contractual Clauses) |
Data may also be disclosed, upon a reasoned request, to competent administrative or judicial authorities in the context of a legal obligation.
6. Transfers Outside the European Union
Some processors (Resend, Google LLC, Apple Inc.) may process data outside the European Union, in particular in the United States. These transfers are governed by:
- the EU-US Data Privacy Framework where the recipients are certified under it;
- Standard Contractual Clauses adopted by the European Commission;
- additional measures recommended by the EDPB (encryption, minimisation).
7. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure or destruction:
- encryption in transit (TLS 1.2+) and at rest;
- Firestore security rules restricting access to data on a per-user basis;
- strong authentication and password hashing;
- regular security reviews and least-privilege policies;
- backups and logging of sensitive access.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where applicable, the data subjects, in accordance with Articles 33 and 34 of the GDPR.
8. Your Rights
Under the GDPR, you have the following rights:
- Right of access to your personal data (Art. 15);
- Right of rectification of inaccurate or incomplete data (Art. 16);
- Right to erasure ("right to be forgotten") (Art. 17);
- Right to restriction of processing (Art. 18);
- Right to portability in a structured format (Art. 20);
- Right to object to processing based on legitimate interest (Art. 21);
- Right to withdraw your consent at any time where the processing is based on consent, without affecting the lawfulness of processing carried out prior to the withdrawal;
- Right to lodge a complaint with the Office of the Information and Data Protection Commissioner in Malta (idpc.org.mt) or with the supervisory authority of your country of residence.
To exercise these rights, send a request to contact@werugo.app stating your identity and, where applicable, attaching a copy of an identity document. We undertake to reply within one (1) month of receipt of your request.
9. Account Deletion
You can delete your account at any time from the App (Settings → Account → Delete my account) or by following the procedure detailed on the Account Deletion page. This procedure is also accessible without having to reinstall the App, in accordance with Google Play's requirements.
10. Minors
The App is reserved for individuals aged at least 13 years. Minors below the age of 15 must obtain prior authorisation from their legal representatives, in accordance with Article 8 of the GDPR.
Certain offers (bars, nightclubs, events serving alcohol) are restricted to adults and may be subject to additional verification by the Professional. If we become aware that a child under the age of 13 has registered, we will delete their account and the associated data without delay.
11. Trackers and Identifiers
The App does not use web cookies but may rely on technical identifiers (Firebase tokens, FCM tokens) that are strictly necessary for its operation. It does not engage in cross-app advertising tracking. For more details, see our Trackers Policy.
On iOS, in line with the App Tracking Transparency framework, Werugo does not request tracking permission for advertising purposes, as no data is shared with third parties for targeting.
12. App Store and Google Play Privacy Labels
12.1. Apple App Store — Privacy "Nutrition Labels"
The data we collect and how we use it, as declared on the App Store:
- Contact info (name, e-mail, phone) — linked to the user — for app functionality.
- User content (photos, reviews) — linked to the user — for app functionality.
- Identifiers (user ID, device ID limited to notifications) — linked to the user — for app functionality.
- Purchases (reservation history) — linked to the user — for app functionality.
- Location (approximate or precise, with consent) — linked to the user — for app functionality.
- Financial info (processed by Stripe) — linked to the user — for payment processing.
No data is used for cross-app tracking.
12.2. Google Play — Data Safety
The information declared in the Play Store's "Data safety" section is consistent with this Policy. All data is:
- encrypted in transit;
- deletable upon user request;
- collected solely to operate the service and comply with legal obligations;
- never sold to third parties.
13. Policy Updates
This Policy may be updated at any time, in particular to reflect regulatory or technical developments. The date of the latest update is shown at the top of the document. In the event of a material change, you will be notified by in-app notification or by e-mail.
14. Contact
For any question relating to the protection of your data:
E-mail: contact@werugo.app
Postal address: WERUGO LIMITED — Privacy, St. Julian's Business Centre, Elia Zammit Street, Level 5, STJ 3153 St. Julian's, Malta