Legal
Privacy Policy
Application
Free to call
Privacy Policy
Application: Free to Call (the “App”) Data Controller: Invicta Solutions, s.r.o. Pod Jiráskovou čtvrtí 752/14, 147 00 Praha 4 – Braník, Czech Republic Company ID (IČO): 21341303 VAT ID (DIČ): CZ21341303 Registered in the Commercial Register maintained by the Municipal Court in Prague Contact e-mail: info@invictas.cz Contact phone: +420 730 842 100
Effective date: 11 April 2026 Version: 1.0
This Privacy Policy (“Policy”) explains how Invicta Solutions, s.r.o. (“we”, “us”, “our”, the “Controller”) collects, uses, shares, retains, and protects your personal data when you use the “Free to Call” mobile application. It is intended to be read alongside our Terms of Service. Please read both documents carefully.
1. Scope and applicability
- This Policy applies to all natural persons who install, register on, or otherwise use the App (“Users” or “you”).
- It does not govern third-party websites, applications, or services that may be linked to or integrated with the App. Each such third party is independently responsible for its own data-processing practices.
- This Policy is drafted in English. An unofficial Czech translation may be provided for convenience; in case of conflict the English version prevails, without prejudice to mandatory consumer-information rights under Czech law.
2. Regulatory framework
We process your personal data in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”);
- Act No. 110/2019 Coll., on Personal Data Processing (the Czech GDPR adaptation act);
- Act No. 480/2004 Coll., on Certain Information Society Services (ePrivacy transposition);
- Act No. 127/2005 Coll., on Electronic Communications (where applicable);
- Regulation (EU) 2022/2065 (Digital Services Act), where applicable to content moderation and transparency obligations;
- any other applicable data-protection, consumer-protection, or electronic-communications legislation.
3. Data Protection Officer
Given the nature and scale of data processing, the Controller is not legally required to designate a Data Protection Officer under Article 37 GDPR at this time. If this changes, the DPO’s contact details will be published here and communicated to the competent supervisory authority. In the meantime, all data-protection inquiries should be directed to info@invictas.cz.
4. Categories of personal data we process
The table below describes the categories of personal data the App processes, together with their source and purpose. All fields marked “mandatory” are required for the App to function; fields marked “optional” can be omitted or withdrawn.
| # | Category | Data elements | Source | Mandatory / Optional |
|---|---|---|---|---|
| 1 | Account & authentication | Phone number (the primary account identifier), internal user ID (UUID), OTP session metadata, authentication timestamps | You (via onboarding) / Supabase Auth | Mandatory |
| 2 | Profile | First name, last name, username, supported languages (en, cs), onboarding-completion flag | You (via onboarding and settings) | Mandatory |
| 3 | Profile photo | Avatar image (JPEG), stored in Supabase Storage (bucket: avatars) | You (device camera or gallery) | Optional |
| 4 | Availability | Availability status (available / not available), free-text context tag (max 50 characters), expiry timestamp | You (via the floating action button) | Optional |
| 5 | Social graph | Friendship records: requester ID, addressee ID, status (pending / accepted / rejected), creation and update timestamps | You / system-generated | Generated from your actions |
| 6 | Device contacts (contacts-matching feature) | Phone numbers and contact names read locally on your device; only normalised digit strings of phone numbers are transmitted to our servers for matching queries | Your device address book | Optional (requires explicit OS permission) |
| 7 | Push-notification tokens | Expo Push token, platform identifier (iOS / Android) | Device / Expo SDK | Optional (requires explicit OS permission) |
| 8 | Notification preferences | Master notification toggle (on/off), per-type toggles: friend requests (on/off), friend availability (on/off) | You (via settings) | Generated from your preferences |
| 9 | Anti-abuse / rate-limiting metadata | Timestamp of last availability-notification sent (lastNotifiedAt) | System-generated | Automatic |
| 10 | Technical & diagnostic data | IP address, device type, operating system and version, app version, build identifier, crash reports, error logs, performance traces | Automatic (Sentry, device) | Automatic |
| 11 | Product analytics | Anonymised or pseudonymised interaction events (e.g., onboarding-step completion), session data | Automatic (PostHog, production only) | Automatic (see Section 6.5) |
Special-category data. We do not intend to collect or process special categories of personal data within the meaning of Article 9 GDPR (e.g., health data, biometric data used for identification, data concerning sex life or sexual orientation, political opinions, religious beliefs, trade-union membership, racial or ethnic origin). Do not include such data in your profile, availability tags, or any other free-text field. If you do, you do so entirely at your own risk and on your own legal basis; we bear no liability for the consequences.
5. Purposes and legal bases for processing
| # | Purpose | Legal basis (GDPR Art. 6(1)) | Balancing-test / notes |
|---|---|---|---|
| 1 | Providing the core service — account creation, authentication, profile hosting, availability broadcast, friendship management, call deep-link generation, User directory and search | (b) Performance of a contract — processing is necessary to perform the Terms of Service you accepted when creating your Account | — |
| 2 | SMS OTP delivery — sending the one-time password to your phone number via Twilio | (b) Contract and (f) Legitimate interest in securing accounts against unauthorised access | Interest: platform integrity and account security. Balance: minimal data (phone number + OTP code), limited retention, no alternative with equal security. |
| 3 | Contacts matching — reading device contacts, normalising phone numbers, querying the backend for registered Users | (a) Consent — you explicitly grant the OS-level “contacts” permission and initiate the feature | You may withdraw consent at any time by revoking the permission in device settings. See Section 4 row 6 and Terms of Service Section 7. |
| 4 | Push notifications — delivering friendship-request and availability notifications | (a) Consent — you explicitly grant the OS-level push-notification permission; and/or (b) Contract to the extent notifications are integral to the service you requested | You may withdraw consent at any time: master toggle in App settings, per-type toggles, or OS-level revocation. |
| 5 | Error monitoring and crash reporting (Sentry) | (f) Legitimate interest in maintaining service stability, diagnosing bugs, and ensuring security | Interest: software quality and user safety. Balance: data is pseudonymised at ingestion (user IDs, not names); no profiling; retention limited (see Section 8). |
| 6 | Product analytics (PostHog, production builds only) | (f) Legitimate interest in understanding aggregated product-usage patterns to improve the App | Interest: product development. Balance: analytics are pseudonymised; no advertising; no cross-site tracking; you may object (see Section 10). |
| 7 | Anti-abuse rate limiting — enforcing notification-frequency caps | (f) Legitimate interest in preventing notification spam and protecting all Users | Interest: platform health. Balance: minimal data (single timestamp per profile); no individual profiling. |
| 8 | Compliance with legal obligations — responding to lawful data-subject requests, court orders, and regulatory requirements | (c) Legal obligation | — |
| 9 | Establishment, exercise, or defence of legal claims | (f) Legitimate interest | — |
6. How we collect your data
- Directly from you — when you enter your phone number, profile data, availability tag, and preferences.
- From your device — when you grant OS permissions (contacts, push notifications, camera/photo gallery).
- Automatically — when the App transmits technical data (IP address, device metadata, crash reports) during normal operation.
- From Supabase Auth — authentication session metadata is generated when you sign in.
- PostHog analytics — events are captured only in production builds, only for the purposes stated in Section 5 row 6, and only where the analytics SDK is initialised (which is conditional on the
APP_ENV=productionenvironment variable). No analytics are collected in development or preview builds.
7. Recipients, processors, and international transfers
7.1 Categories of recipients
| Recipient | Role | Data shared | Purpose |
|---|---|---|---|
| Supabase, Inc. (USA; data hosted on Supabase’s managed infrastructure) | Processor | All Account, profile, social-graph, availability, push-token, notification-preference, and rate-limiting data (see Section 4 rows 1–5, 7–9) | Backend hosting, database, authentication, storage, realtime |
| Twilio, Inc. (USA) | Sub-processor (via Supabase Auth) | Phone number, OTP code | SMS delivery for authentication |
| Expo, Inc. / 650 Industries, Inc. (USA) | Processor | Expo Push token, platform identifier, notification payload (name, availability tag, expiry) | Push-notification delivery, over-the-air updates, build infrastructure |
| Apple, Inc. (USA) | Independent controller / processor | Expo Push token, APNS device token, notification content (as delivered by APNs) | Push delivery to iOS devices |
| Google LLC (USA) | Independent controller / processor | FCM registration token, notification content (as delivered by FCM) | Push delivery to Android devices |
| Functional Software, Inc. d/b/a Sentry (USA) | Processor | Error logs, stack traces, device metadata, pseudonymised user identifiers | Error monitoring and crash reporting |
| PostHog, Inc. (USA) | Processor | Pseudonymised event data, session identifiers, device metadata | Product analytics (production only) |
7.2 International data transfers
Several of the processors and sub-processors listed above are established in the United States of America. Where personal data is transferred outside the European Economic Area (“EEA”), the transfer is safeguarded by one or more of the following mechanisms, in order of preference:
- an adequacy decision of the European Commission under Article 45 GDPR (including, where applicable, the EU–US Data Privacy Framework);
- Standard Contractual Clauses (“SCCs”) adopted by the European Commission under Article 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914), supplemented by a transfer-impact assessment where required;
- a derogation under Article 49 GDPR (e.g., explicit consent, or necessity for the performance of the contract) — relied upon only where no adequacy decision and no SCCs are in place and only for occasional, non-repetitive transfers.
You may request a copy of the applicable SCCs or a summary of the transfer-impact assessment by e-mailing info@invictas.cz.
7.3 No sale or sharing for advertising
We do not sell your personal data. We do not share your personal data with third parties for their own advertising or marketing purposes. We do not serve advertisements in the App.
8. Retention periods
| Data category | Retention rule |
|---|---|
| Account & profile data (rows 1–3) | Retained for the lifetime of your Account. Deleted when you delete your Account (see Section 9) or when the Provider terminates it for inactivity (24 months of inactivity, as stated in the Terms of Service). |
| Availability data (row 4) | Current availability is cleared automatically on expiry or manual toggle-off. Historical availability states are not retained; only the current state is stored in the database. |
| Friendship records (row 5) | Retained for the lifetime of both Users’ Accounts. Cascade-deleted when either Account is deleted. |
| Device-contact data (row 6) | Contact names are never transmitted to our servers. Normalised phone-digit strings are used in transient query execution and are not persisted on the server. Query logs that may incidentally contain such data are purged within 30 days. |
| Push tokens (row 7) | Retained until you log out, revoke push permission, or delete your Account. Cascade-deleted on Account deletion. |
| Notification preferences (row 8) | Retained for the lifetime of your Account. Cascade-deleted on Account deletion. |
| Rate-limiting metadata (row 9) | Single timestamp per profile; overwritten on each notification event. Cascade-deleted on Account deletion. |
| Error logs / crash reports (Sentry) (row 10) | Retained for 90 days from ingestion, unless a longer retention is required for an active incident investigation. |
| Product analytics (PostHog) (row 11) | Retained for 12 months from the date of capture, then deleted or fully anonymised. |
| Server infrastructure logs (Supabase) | Retained for up to 30 days by the infrastructure provider, then automatically purged. |
| Backup copies | Supabase maintains automated database backups in accordance with its infrastructure policies. Backup copies containing personal data are overwritten on a rolling basis and are not retained for more than 30 days after the data is deleted from the live database. Backup copies are encrypted at rest. |
9. Account deletion and data erasure
- Self-service deletion. You may delete your Account at any time from within the App (Settings → Account → Delete account). Deletion requires you to type “delete” as confirmation.
- What happens when you delete your Account:
- The deletion request is sent to a Supabase Edge Function that authenticates your identity via your current session token.
- Your avatar image is removed from Supabase Storage (
avatarsbucket). - Your Supabase Auth user record is deleted using the Supabase Admin API, which triggers cascading deletion of all associated rows in the following database tables:
profiles,friendships,push_tokens,notification_preferences. - Any Expo Push token previously associated with your Account becomes orphaned and will no longer receive notifications.
- Residual data. Despite the above:
- Backup copies may contain your data for up to 30 days after deletion (see Section 8).
- Aggregated or fully anonymised data that can no longer be attributed to you may be retained indefinitely.
- Third-party systems (Sentry, PostHog) may retain pseudonymised event data until their respective retention windows expire (see Section 8).
- Other Users’ devices — if another User has saved your phone number, name, or other information locally (e.g., in their device address book or by taking a screenshot), that data is outside our control.
- Requesting deletion by e-mail. If you are unable to use the in-app deletion flow for any reason, you may request Account deletion by writing to info@invictas.cz from a communication channel that allows us to verify your identity. We will act within 30 days.
10. Your rights under the GDPR and Czech law
Subject to the conditions and limitations of the GDPR and of Act No. 110/2019 Coll., you have the following rights in relation to your personal data:
| Right | Description | How to exercise |
|---|---|---|
| Access (Art. 15 GDPR) | Obtain confirmation as to whether we process your personal data, and if so, a copy of the data and supplementary information. | E-mail info@invictas.cz |
| Rectification (Art. 16 GDPR) | Have inaccurate data corrected and incomplete data completed. | Edit your profile in the App, or e-mail us. |
| Erasure (“right to be forgotten”) (Art. 17 GDPR) | Request deletion of your personal data where the grounds for processing no longer apply. | Delete your Account in the App (see Section 9), or e-mail us. |
| Restriction of processing (Art. 18 GDPR) | Request that we restrict processing of your data while a dispute is being resolved. | E-mail info@invictas.cz |
| Data portability (Art. 20 GDPR) | Receive a copy of the data you provided to us in a structured, commonly used, machine-readable format (JSON), and request transmission to another controller where technically feasible. | E-mail info@invictas.cz |
| Objection (Art. 21 GDPR) | Object to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests or the processing is necessary for the establishment, exercise, or defence of legal claims. | E-mail info@invictas.cz |
| Withdrawal of consent (Art. 7(3) GDPR) | Where processing is based on consent (contacts matching, push notifications), withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. | Revoke OS-level permissions (contacts, notifications) in your device settings, or adjust in-app notification toggles, or e-mail us. |
| Complaint to a supervisory authority (Art. 77 GDPR) | Lodge a complaint with the competent data-protection authority. | Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 727/27, 170 00 Praha 7, Czech Republic, www.uoou.cz, e-mail: posta@uoou.cz. If your habitual residence is in another EEA Member State, you may lodge a complaint with the supervisory authority of that state. |
Response time. We will respond to your request without undue delay and in any event within one month of receipt. If your request is complex or if we receive a large number of requests, we may extend the deadline by a further two months, in which case we will inform you within the first month. No fee is charged for exercising your rights unless requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act, with reasons).
11. Children
- The App is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16.
- The minimum age of 16 for creating an Account is set in accordance with Article 8 GDPR and in a manner that exceeds the Czech national threshold of 15 years (§ 7 of Act No. 110/2019 Coll.) to provide a conservative, EU-wide safe harbour.
- If you are a parent or legal guardian and you believe your child under 16 has created an Account or that we hold their personal data, please contact us at info@invictas.cz. We will verify the claim and, if confirmed, delete the Account and associated data without undue delay.
12. Security measures
- We implement technical and organisational measures appropriate to the risk, including without limitation:
- Encryption in transit (TLS 1.2+) for all communications between the App and the backend, and between backend services.
- Encryption at rest for database storage and backups (managed by Supabase).
- Row-Level Security (RLS) policies on all Supabase database tables to ensure that each User can access only data they are authorised to see.
- Phone-number OTP authentication — no long-lived passwords stored.
- Rate limiting on API endpoints to mitigate abuse and brute-force attempts.
- Principle of least privilege for all backend-service access.
- Automated backup with encryption at rest.
- Dependency scanning and updates through standard tooling.
- No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
- If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (ÚOOÚ) within 72 hours and, where required, notify you without undue delay, in accordance with Articles 33 and 34 GDPR.
13. Automated decision-making and profiling
We do not use automated decision-making, including profiling, that produces legal effects or similarly significant effects on you within the meaning of Article 22 GDPR. The App does not employ machine-learning models, algorithmic scoring, or AI-based ranking to make decisions about your access to features or about your Account status.
14. Cookies and similar technologies
The App is a native mobile application and does not use browser cookies. However, the App and its third-party SDKs may use the following local-storage and identifier technologies:
| Technology | Purpose |
|---|---|
| Supabase Auth session token (stored in Expo SecureStore) | Maintaining your authenticated session |
| Expo Push token | Identifying your device for push-notification delivery |
| Sentry device context | Identifying the device environment in crash reports |
| PostHog anonymous ID | Pseudonymous session identifier for analytics (production only) |
None of these technologies are used for advertising, cross-app tracking, or behavioural profiling.
15. California and other US state privacy rights
Although the App is primarily operated from the Czech Republic and directed at Users in the European Economic Area, if you are a resident of a US state that grants specific consumer-privacy rights (e.g., California Consumer Privacy Act as amended by CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, or equivalent):
- We do not sell your personal information as defined under any of these statutes.
- We do not share your personal information for cross-context behavioural advertising.
- We do not use sensitive personal information for purposes beyond what is necessary to provide the App.
- You may exercise rights to know, access, correct, delete, and (where applicable) opt out of sale or sharing by e-mailing info@invictas.cz. We will verify your identity before fulfilling a request.
- We will not discriminate against you for exercising your privacy rights.
16. Changes to this Privacy Policy
- We may update this Policy from time to time to reflect changes in our processing activities, legal requirements, or the App’s functionality.
- Material changes will be communicated at least 15 days before the new effective date through an in-app notice. Where required by law, we will seek renewed consent.
- The “Effective date” and “Version” at the top of this document will be updated with each revision.
- We encourage you to review this Policy periodically.
17. Contact us
For any questions, complaints, or requests regarding this Privacy Policy or the processing of your personal data, please contact:
Invicta Solutions, s.r.o. Pod Jiráskovou čtvrtí 752/14 147 00 Praha 4 – Braník Czech Republic
E-mail: info@invictas.cz Phone: +420 730 842 100
We will acknowledge your communication within 5 business days and provide a substantive response within 30 calendar days (extendable by a further 60 days for complex requests, with prior notice).
By creating or continuing to use an Account, you acknowledge that you have read and understood this Privacy Policy.
Last updated: 11 April 2026