Privacy Policy
Last Updated: February 2025
This Privacy Policy explains how Globbi LTD. ("Globbi," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use the Globbi mobile application and website (collectively, the "Service"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Georgian data protection legislation, and other applicable privacy laws.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a lawful basis for processing, we will obtain your explicit consent separately.
1. Data Controller
The data controller responsible for your personal data is:
- Company: Globbi LTD.
- Registered Address: Tbilisi, Georgia
- Email: contact@globbi.org
- Phone: +995 599-33-66-50
- Data Protection Officer (DPO): dpo@globbi.org
For any questions or concerns regarding your personal data or this Privacy Policy, you may contact our Data Protection Officer at dpo@globbi.org.
2. Definitions
Unless the context clearly indicates otherwise, the terms used in this Privacy Policy shall have the following meanings:
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, recording, storage, use, disclosure, or deletion.
- Data Subject: The individual whose personal data is being processed (referred to as "you" or "User").
- Data Controller: The entity that determines the purposes and means of processing personal data (Globbi LTD.).
- Data Processor: A third party that processes personal data on behalf of the Data Controller.
- Consent: Any freely given, specific, informed, and unambiguous indication of your wishes by which you agree to the processing of your personal data.
In the event of a conflict between this Privacy Policy and our Terms and Conditions, the provisions of this Privacy Policy shall prevail regarding data protection matters.
3. Personal Data We Collect
To provide and improve our Service, we collect the following categories of personal data:
3.1. Data You Provide Directly
- Account Data: Name, email address, password (hashed).
- Profile Data: Date of birth (optional), gender (optional), profession (optional), languages spoken (optional), profile picture, "about" section, interest categories.
- Social Login Data: If you sign in via Google or Apple, we receive your name, email address, and profile identifier from the respective provider. We do not receive or store your social media passwords.
- Payment Data: If you purchase a Premium subscription or other paid services, payment is processed through Google Play, Apple App Store, or RevenueCat. We do not directly store your credit card or bank details.
- Communication Data: Chat messages you send through the platform, questions and answers you post, and any content you create within groups.
- Event Data: Events you create, attend, or express interest in, including event details and your participation history.
- Support Data: Any information you provide when contacting us for support, including feedback and correspondence.
3.2. Data We Collect Automatically
- Location Data: Your geographic location (with your permission), used for user matching, nearby event discovery, and location-based features.
- Device Data: Device type, unique device identifiers, mobile operating system and version, browser type and version.
- Usage Data: Pages and features accessed, session duration, app interaction patterns, date and time of access.
- Network Data: IP address, referrer URL, internet service provider information.
- Push Notification Tokens: Firebase Cloud Messaging (FCM) tokens used to deliver push notifications to your device.
3.3. Data Generated Through Your Use of the Service
- User-to-User Interaction Data: Records of your interactions with other users, including matching preferences and connection history.
- Group Membership Data: Groups you create, join, or participate in.
- AI Interaction Data: Inputs and outputs from AI-powered features within the Service, such as AI-assisted event suggestions or content recommendations.
4. Purposes and Lawful Bases for Processing
We process your personal data only when we have a valid lawful basis under Article 6 of the GDPR. The subsections below describe each processing purpose and its corresponding lawful basis:
4.1. Contract Performance (Article 6(1)(b) GDPR)
We process data as necessary to perform our contract with you, including:
- Creating and managing your user account.
- Providing core platform features: user matching, event discovery, messaging, questions and answers, and group functionality.
- Processing Premium subscription and paid service transactions (via third-party payment processors).
- Delivering push notifications related to your account activity (new messages, event updates, matches).
- Providing customer support and responding to your inquiries.
4.2. Consent (Article 6(1)(a) GDPR)
Where required, we obtain your explicit consent before processing, including for:
- Accessing your precise geolocation for location-based features.
- Sending direct marketing communications (promotional emails, in-app offers).
- Processing data through optional AI-powered features.
- Placing non-essential cookies and similar tracking technologies.
You may withdraw your consent at any time by adjusting your device settings, contacting us at dpo@globbi.org, or using the in-app privacy settings. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.
4.3. Legitimate Interests (Article 6(1)(f) GDPR)
We process data based on our legitimate interests, balanced against your rights and freedoms, for the following purposes:
- Improving and optimizing the Service, including app performance, user experience, and feature development.
- Detecting, preventing, and investigating fraud, security incidents, and violations of our Terms and Conditions.
- Compiling aggregated and anonymized statistics for business analytics.
- Ensuring platform safety and enforcing community standards.
4.4. Legal Obligation (Article 6(1)(c) GDPR)
We process data as necessary to comply with legal obligations, including:
- Responding to lawful requests from law enforcement and regulatory authorities.
- Maintaining records as required by Georgian law and applicable EU regulations.
- Fulfilling tax and accounting obligations related to paid services.
5. Automated Decision-Making and Profiling
We use automated processing in the following ways:
5.1. User Matching Algorithm
Our Service uses an automated matching algorithm that considers factors such as your geographic location, shared interests, language preferences, and activity patterns to suggest other users you may want to connect with. This matching is based on your profile data and does not produce legal effects or similarly significant effects on you. You can influence the matching results by updating your profile, interests, and location preferences at any time.
5.2. AI-Powered Features
Certain features of the Service use artificial intelligence (powered by OpenAI) to provide content suggestions, event recommendations, or other AI-assisted functionality. When you interact with these features, your inputs are processed to generate responses. We do not use AI outputs to make decisions that produce legal or similarly significant effects on you.
You have the right to request human review of any automated decision, express your point of view, and contest the decision by contacting us at dpo@globbi.org.
6. Data Sharing and Third Parties
6.1. Categories of Recipients
We may share your personal data with the following categories of recipients, solely for the purposes described in this Policy:
- Other Users: Your public profile information (name, profile picture, interests, "about" section) is visible to other users of the Service. Messages are shared with their intended recipients.
- Cloud Infrastructure: We use Amazon Web Services (AWS) for hosting, data storage (including S3 for media files), and computing services.
- Push Notification Services: Firebase Cloud Messaging (FCM) by Google to deliver push notifications.
- Authentication Providers: Google and Apple for social login functionality.
- Payment Processors: RevenueCat, Google Play, and Apple App Store for subscription and payment processing.
- AI Service Providers: OpenAI for AI-powered features within the Service.
- Analytics Providers: To understand usage patterns and improve the Service.
- Legal and Regulatory Authorities: When required by law, court order, or governmental request.
6.2. Data Processor Agreements
All third-party service providers acting as data processors are bound by Data Processing Agreements (DPAs) that require them to process your data only on our instructions and in accordance with applicable data protection laws.
6.3. Data Minimization
When sharing data with third parties, we transfer only the minimum information necessary to achieve the specific purpose. We do not sell your personal data to any third party.
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside of the European Economic Area (EEA), including the United States (for cloud infrastructure and third-party services) and Georgia (where Globbi LTD. is registered).
When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers to ensure your data receives an adequate level of protection.
- Adequacy Decisions: Where applicable, we transfer data to countries that the European Commission has determined provide an adequate level of data protection.
- Additional Safeguards: We implement supplementary technical and organizational measures, such as encryption in transit and at rest, to protect data during international transfers.
You may request a copy of the safeguards we use for international data transfers by contacting us at dpo@globbi.org.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The specific retention periods are:
- Account Data: Retained for the duration of your account and up to 2 years after account deletion to comply with legal requirements and resolve disputes.
- Chat Messages: Retained for 1 year after the last activity in the conversation, after which they are automatically deleted.
- Event Data: Retained for the duration of the event and up to 1 year after the event concludes.
- Location Data: Current location is updated in real time and not stored historically. Last known location is retained with your account data.
- Usage and Analytics Data: Retained in aggregated or anonymized form for up to 2 years.
- Payment Records: Retained as required by applicable tax and accounting legislation (typically up to 7 years).
- Consent Records: Retained for the duration of the processing activity and 3 years after consent withdrawal, as evidence of lawful processing.
- Support Correspondence: Retained for up to 2 years after the resolution of your inquiry.
When personal data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you.
9. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data. You may exercise any of these rights by contacting our Data Protection Officer at dpo@globbi.org or by using the relevant functionality within the app.
- Right of Access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed, and if so, to access that data along with information about the purposes, categories, recipients, retention periods, and your rights. You may request a copy of your personal data in a commonly used electronic format.
- Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most of your data directly through your profile settings in the app.
- Right to Erasure (Article 17): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, when you object to processing and there are no overriding legitimate grounds, or when the data has been unlawfully processed.
- Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data when you contest its accuracy, when the processing is unlawful but you prefer restriction over erasure, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller without hindrance.
- Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing your data for that purpose immediately.
- Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning you.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
How to Exercise Your Rights
To exercise any of the above rights, you may:
- Email our Data Protection Officer at dpo@globbi.org.
- Use the data subject rights features available within the app (where applicable).
- Write to us at: Globbi LTD., Tbilisi, Georgia.
We will respond to your request within one month of receipt. If your request is complex or we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it within the initial one-month period.
We may ask you to verify your identity before fulfilling your request to ensure the security of your personal data.
Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR or applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. You may do so in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement. In Georgia, you may contact the Personal Data Protection Service (State Inspector's Service).
10. Cookies and Tracking Technologies
Our website and Service use cookies and similar tracking technologies to provide, secure, and improve the Service.
10.1. Types of Cookies We Use
- Essential Cookies: Required for the basic functionality of the website and Service, such as authentication, security, and session management. These cannot be disabled.
- Analytics Cookies: Help us understand how visitors interact with our website by collecting information about pages visited, time spent, and navigation patterns. This data is aggregated and anonymized.
- Preference Cookies: Remember your settings and preferences (such as language) to provide a more personalized experience.
10.2. Managing Cookies
When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your cookie preferences at any time through your browser settings. Please note that disabling certain cookies may affect the functionality of the Service.
11. Security Measures
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: Data is encrypted both in transit (TLS/SSL) and at rest. Chat messages are encrypted using application-level encryption.
- Access Controls: Role-based access control (RBAC) ensures that only authorized personnel can access personal data, and only to the extent necessary for their role.
- Secure Authentication: We use JWT-based authentication with secure token management, and support multi-provider authentication (email/password, Google, Apple).
- Audit Logging: All access to and operations on personal data are logged for accountability and breach detection.
- Breach Detection: Automated monitoring systems detect potential data breaches. In the event of a breach, we will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Regular Reviews: We conduct periodic security assessments and data protection impact assessments (DPIAs) for high-risk processing activities.
12. Children's Privacy
The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete that data as promptly as possible. If you believe that a person under 18 has provided us with personal data, please contact us at dpo@globbi.org.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:
- Posting the updated Privacy Policy on our website and within the app.
- Sending a notification via email or push notification for significant changes.
- Updating the "Last Updated" date at the top of this page.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acknowledgment of the updated Privacy Policy. Where changes require your consent under applicable law, we will obtain your consent before the changes take effect.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
- General Inquiries: contact@globbi.org
- Data Protection Officer: dpo@globbi.org
- Phone: +995 599-33-66-50
- Address: Globbi LTD., Tbilisi, Georgia
We are committed to resolving any concerns you may have about our collection or use of your personal data. We welcome your feedback and will work to address any issues promptly and transparently.