Privacy Policy

Last updated: 5 April 2026

This Privacy Policy describes how MINOMO collects, uses and protects the personal data of consumer App users.

Data Deletion Instructions

You can delete your MINOMO account and all associated personal data at any time, directly from the app:

Open the MINOMO app on your device (or visit app.minomo.io)
Go to Settings (gear icon)
Scroll to the bottom and find the Account section
Tap Delete my account, then type DELETE to confirm
Your account is immediately marked for deletion: personal data is anonymised, active sessions are revoked and followed merchants / loyalty data unlinked

If you can no longer sign in, email [email protected] from the address registered on the account and we will process the deletion for you.

1. Data Controller

AVi Kairos Srl

Strada Lungă 188, Corp C2, Ap. 2, Brașov 500051, Romania

CUI: 52477194 | J08/68/2025 | EUID: ROONRC.J2025068492002

Privacy email: [email protected]

Data Protection Officer (DPO): [email protected]

2. Scope

This Privacy Policy applies to:

Registered App users (consumers)
Visitors to merchant pages via the App
Holders of digital loyalty cards

For merchants, City Agents and Country Managers, please refer to the Privacy Policy on minomo.io.

3. Personal data collected

3.1 Voluntarily provided data

Data	When collected
Email address	Account registration
Preferred language	Profile settings
Selected city/location	App settings (Discovery and localised notifications)
Interest categories	App settings (e.g. Food & Drink, Shopping, Beauty)
Push notification preferences	Push enable/disable, merchant mute
Followed merchants	Follow action in the App

3.2 Automatically collected data

Data	Purpose
Device identifier (device_id)	Unique device identification
Device name, OS, browser	User experience optimisation
Push endpoint and encryption keys	Push notification delivery (WebPush protocol)
Native push token (iOS/Android)	Push notifications via native app
Last access date and time	Active device management
Push delivery statistics	Service quality monitoring

3.3 Loyalty programme data

Data	Purpose
Loyalty card QR code	Card identification at the merchant
Points balance and transaction history	Loyalty points management
Visits and spending amounts	Points calculation per merchant rules
Generated and redeemed vouchers	Benefit tracking

3.4 MINA virtual guide data

Data	Purpose
MINA feature usage history	Virtual guide service delivery
Generated content (tours, suggestions)	Experience personalisation

3.5 Browsing and analytics data

Data	Purpose
Pages visited and links clicked	Internal analytics, service improvement
IP address (anonymised)	Approximate geolocation, security
Browser user-agent	Technical statistics, compatibility
HTTP referrer	Traffic source analysis
Country, city, time zone	Localised content

3.6 Data NOT collected

The App does not collect:

Real-time GPS geolocation data
Access to contacts, camera, microphone or device files
Biometric data
Data relating to minors under 16 (knowingly)

4. Purposes and legal basis for processing

Purpose	Legal basis (GDPR)
Account creation and management	Performance of contract (Art. 6.1.b)
Push notifications from followed merchants	Performance of contract (Art. 6.1.b)
Broadcast push notifications (MINOMO network)	Consent (Art. 6.1.a)
Loyalty programme (points, vouchers)	Performance of contract (Art. 6.1.b)
MINA virtual guide (AI)	Performance of contract (Art. 6.1.b)
Content personalisation	Legitimate interest (Art. 6.1.f)
Analytics and service improvement	Legitimate interest (Art. 6.1.f)
Security, fraud prevention	Legitimate interest (Art. 6.1.f)
Legal obligations	Legal obligation (Art. 6.1.c)
Service communications	Legitimate interest (Art. 6.1.f)

Where processing is based on consent, the user may withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.

5. Data sharing with third parties

5.1 Service providers

Provider	Service	Location
Amazon Web Services	Cloud storage, CDN (CloudFront)	EU (Germany)
Hetzner	Infrastructure hosting	Germany
Cloudflare	CDN and security	USA (with EU safeguards)
Paddle	Payment processing (MoR)	United Kingdom

5.2 Merchants

When a user follows a merchant or participates in a Loyalty programme, the merchant has access to:

The user's presence as a follower (aggregated and anonymous data)
Loyalty card data (QR code, points balance, visit history) — only for their own programme

The merchant does not have access to: user email, device identifier, or other personal data.

5.3 No data selling

MINOMO does not sell users' personal data to third parties.

6. Data transfers outside the EU

Primary storage is in the European Union (Germany). Some providers may process data outside the EEA, with safeguards:

Standard Contractual Clauses (SCC) approved by the European Commission
Adequacy decisions, where applicable
Additional technical and organisational security measures

7. Data retention

Data type	Retention period
Account data	Account duration + 5 years after deletion
Device and push data	Account duration or until device removal
Loyalty data	Account duration + 5 years
Server logs	12 months
Analytics data	26 months (then anonymised)
Consent records	3 years from last interaction or until withdrawal

8. Cookies and tracking technologies

8.1 Cookies used

Cookie	Type	Purpose	Duration
Session	Necessary	Authentication	Session
CSRF token	Necessary	Security	Session
Cookie consent	Necessary	Preferences	182 days

8.2 LocalStorage

Key	Purpose
minomo_device_id	Device identification
theme	Light/dark theme preference
minomo_lang	Preferred language

8.3 Service Worker

The App uses a Service Worker for PWA functionality: caching static resources for offline use and receiving push notifications in the background.

9. User rights

In accordance with the GDPR (EU Regulation 2016/679):

Right	Description
Access (Art. 15)	Obtain a copy of your personal data
Rectification (Art. 16)	Correct inaccurate or incomplete data
Erasure (Art. 17)	Request erasure of data ("right to be forgotten")
Restriction (Art. 18)	Restrict processing in certain circumstances
Portability (Art. 20)	Receive data in a structured, machine-readable format
Objection (Art. 21)	Object to processing based on legitimate interest
Withdraw consent (Art. 7.3)	Withdraw consent at any time

To exercise your rights:

Account deletion feature in App settings
Data Request Form on minomo.io
Email to [email protected] or [email protected]

Response within 30 days, extendable by 60 days in complex cases.

9.1 Complaint to supervisory authority

Romania — ANSPDCP

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București

Tel: +40.318.059.211 · Email: [email protected]

Italy — Italian Data Protection Authority (Garante)

Piazza Venezia 11, 00187 Roma

Tel: +39 06 696771 · Email: [email protected]

For other EU countries: list of authorities.

10. Data security

TLS/HTTPS encryption for all communications
End-to-end encryption for push notifications (WebPush with VAPID keys)
Bcrypt hashing for passwords
IP address anonymisation for analytics
Role-based access control (least privilege)
Encrypted backups on a regular basis
Continuous monitoring for unauthorised access

11. Processing of minors' data

The App is not intended for minors under 16. MINOMO does not knowingly collect personal data of minors under 16. For users aged 16 to 18, data processing is lawful insofar as consent is given or authorised by the holder of parental responsibility, in accordance with Art. 8 of the GDPR. Contact [email protected] to report concerns.

12. Changes to this Policy

MINOMO may update this Privacy Policy to reflect regulatory or operational changes. Material changes will be communicated via an in-app notification or email.

13. Contact

AVi Kairos Srl

Strada Lungă 188, Corp C2, Ap. 2, Brașov 500051, Romania

Privacy: [email protected]

DPO: [email protected]

Data Request Form: minomo.io