Privacy Policy
This Privacy Policy describes how personal data of users of the Meritup mobile application ("the App") is processed, in compliance with Regulation (EU) 2016/679 ("GDPR"), the Italian Data Protection Code, the Apple App Store Review Guidelines, and the Google Play policies.
1. Data Controller
Controller: Nicholas Urru
Privacy contact: privacy@meritup.app
2. Categories of data collected
| Category | Examples | Source |
|---|---|---|
| Identifiers | Name, surname, date of birth | User |
| Contact data | Email, phone number | User |
| Credentials | Hashed password, Apple/Google Sign-In tokens | User / provider |
| Professional data | CV, profile photo, intro video, skills | User |
| Usage data | User ID, registration date, technical logs | App |
| Approximate location | GPS coordinates (when authorised) | Device |
| Payment data | Subscription history, transaction IDs; never raw card data | Apple/Google/Stripe |
| User content | Posts, messages, reviews | User |
3. Purposes and legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Account creation and management | Art. 6(1)(b) |
| Job-search and matching services | Art. 6(1)(b) |
| Premium subscription processing | Art. 6(1)(b) |
| Tip processing via Stripe | Art. 6(1)(b) |
| Security, fraud prevention, legal compliance | Art. 6(1)(c) and (f) |
| Service communications | Art. 6(1)(b) |
| Marketing communications (optional) | Art. 6(1)(a) — consent |
| Aggregated analytics | Art. 6(1)(f) — legitimate interest |
4. Mandatory vs optional data
Name, email and credentials are required. All other data (photo, CV, video, location, contacts) is optional.
5. How data is processed
Data is hosted on Google Firebase (europe-west1, Belgium), with TLS 1.2+ encryption, at-rest encryption, MFA on admin access, logging and access control.
6. Recipients and sub-processors
| Vendor | Service | Location |
|---|---|---|
| Google Ireland Ltd. | Firebase Auth, Firestore, Cloud Functions, FCM | EU |
| Apple Inc. | Sign in with Apple, IAP, ASSN | USA (SCCs) |
| Google LLC | Play Billing, Google Sign-In, Google Maps | USA (SCCs) |
| Stripe Payments Europe Ltd. | Tip and legacy subscription payments | Ireland |
7. International data transfers
Transfers to the US rely on the Standard Contractual Clauses (EU Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.
8. Retention periods
| Category | Duration |
|---|---|
| Active account | Duration of membership |
| Deleted account | 30 days, then permanent deletion |
| Financial records | 10 years (Italian Civil Code art. 2220) |
| Security logs | 12 months |
9. Rights of the data subject
Under GDPR Art. 15-22 users may:
- Access their data
- Request rectification, erasure, restriction
- Port data
- Object to processing based on legitimate interest
- Withdraw consent
- Lodge a complaint with the Italian DPA (garanteprivacy.it)
Requests: privacy@meritup.app — answered within 30 days.
9.1 In-app account deletion
Profile → Settings → Delete account.
10. Minors
The App is intended for users aged 16 or over.
11. Changes
Material changes are notified in-app at least 15 days in advance.