Login
 

Privacy policy

GROUPANDA

Effective Date: March 22, 2026

 

1. Introduction

This Privacy Policy explains how GP Software Mateusz Klemczak (“Groupanda,” “we,” “us,” or “our”), a sole proprietorship registered in Poland at ul. Święty Marcin 29/8, 61-806 Poznań, VAT-EU: PL7773235105, collects, uses, stores, and protects your personal data when you use the Groupanda platform (“Platform”). Groupanda is a workspace platform for creating and operating closed online communities, providing real-time messaging, channel-based collaboration, and membership management tools.

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Polish Act on the Protection of Personal Data, and other applicable data protection laws.

By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

 

2. Data Controller

The data controller responsible for processing your personal data is:

GP Software Mateusz Klemczak

  1. Święty Marcin 29/8

61-806 Poznań, Poland

VAT-EU: PL7773235105

Email: hello@groupanda.com

 

3. What Data We Collect

3.1 Data You Provide Directly

Account Registration (required):

  • Email address
  • Password (stored as a cryptographic hash by our authentication provider; we never store plaintext passwords)
  • Nickname (minimum 3 characters)

 

Profile Information (optional):

  • First name and last name
  • Phone number (in E.164 international format, along with country code and dial code)
  • Country of residence
  • Profile description (bio)
  • Avatar image and profile header image
  • Social media links

 

Billing Information (for Group Owners receiving payouts):

  • Account type (individual or company)
  • Full name or company name
  • Billing address (street, city, postal code, country)
  • Tax identification number (NIP/VAT ID)

 

User Content:

  • Text messages sent in Group Channels and direct messages
  • Images uploaded in conversations (JPEG, up to 5 MB per image)
  • Documents uploaded in conversations (PDF, DOCX, XLSX, and other supported formats, up to 10 MB per file)
  • Voice messages recorded in conversations

 

3.2 Data Collected Automatically

Usage and Analytics Data: We may collect information about how you interact with the Platform, including pages and features accessed, actions taken, frequency and duration of use, device type, operating system, browser type, screen resolution, language preferences, and general geographic region (derived from IP address at a city or country level, not precise location). This data helps us understand how the Platform is used, measure performance, identify issues, and improve the user experience.

Device Tokens: If you enable push notifications, we collect your device token (a unique identifier assigned by Firebase Cloud Messaging) to deliver notifications to your device. We also store the platform type (iOS or web) and the date the token was last active.

Theme Preferences: We store your display preference (light mode, dark mode, or system default).

Authentication Logs: Our authentication infrastructure provider (Supabase) automatically logs authentication events (sign-in, sign-up, password reset) and maintains session records. These logs may include your IP address and are managed by Supabase in accordance with their privacy practices.

 

4. How We Use Your Data

We process your personal data for the following purposes and legal bases:

Purpose

Data Used

Legal Basis (GDPR)

Providing and operating the Platform

Account data, profile data, User Content

Art. 6(1)(b) — Performance of contract

Account creation and authentication

Email, password hash, nickname

Art. 6(1)(b) — Performance of contract

Displaying your profile to other Group Members

Nickname, display name, avatar, bio, social links

Art. 6(1)(b) — Performance of contract

Processing payments (via Stripe)

Email, user ID, group ID, payment amounts

Art. 6(1)(b) — Performance of contract

Issuing VAT invoices to Group Owners

Billing information (name, address, tax ID)

Art. 6(1)(c) — Legal obligation

Sending transactional notifications

Email, device tokens, notification preferences

Art. 6(1)(b) — Performance of contract

Delivering push notifications

Device tokens, platform type

Art. 6(1)(a) — Consent

Analytics, product improvement, and performance monitoring

Usage data, device info, general location

Art. 6(1)(f) — Legitimate interest

Generating link previews in chat

URLs shared by Users (fetched server-side)

Art. 6(1)(f) — Legitimate interest

Processing images (creating thumbnails and variants)

Uploaded images

Art. 6(1)(b) — Performance of contract

Enforcing Terms of Service and moderation

Account data, User Content, usage patterns

Art. 6(1)(f) — Legitimate interest

Rate limiting and abuse prevention

User ID, action timestamps

Art. 6(1)(f) — Legitimate interest

Maintaining transaction records

Transaction data, payment amounts, dates

Art. 6(1)(c) — Legal obligation

Responding to legal requests

Any data as required by law

Art. 6(1)(c) — Legal obligation

 

5. Data Sharing and Third-Party Services

We do not sell your personal data. We share data only with the following categories of service providers, strictly as necessary to operate and improve the Platform. We have entered into Data Processing Agreements (DPAs) with our service providers where required by applicable data protection law, to ensure appropriate safeguards for your personal data.

5.1 Stripe, Inc.

Purpose: Payment processing, subscription management, payouts to Group Owners.

Data shared: Email address, user ID, group ID, payment amounts, currency, payment type (subscription or one-time), and metadata necessary for transaction processing. For Group Owners using Stripe Connect Express: identity verification data is collected directly by Stripe during onboarding.

Note: Stripe independently collects and processes payment card details. Groupanda never receives or stores card numbers, CVVs, or expiration dates. When you make a payment or when a Group Owner completes Stripe onboarding, Stripe may independently collect additional data directly from you, including payment card details, device information, browser fingerprint, and IP address, in accordance with Stripe’s own Privacy Policy. Groupanda does not control or have access to this data.

Stripe’s privacy policy: https://stripe.com/privacy

5.2 Supabase, Inc.

Purpose: Cloud infrastructure, including authentication, database hosting, file storage, real-time messaging, and serverless functions.

Data shared: All Platform data is hosted on Supabase infrastructure, including user accounts, messages, media files, and transaction records.

Supabase’s privacy policy: https://supabase.com/privacy

5.3 Resend, Inc.

Purpose: Sending transactional emails.

Data shared: Recipient email address and email content (e.g., grace period notifications, price change notices, payment activation confirmations).

Resend’s privacy policy: https://resend.com/legal/privacy-policy

5.4 Google LLC (Firebase Cloud Messaging)

Purpose: Delivering push notifications to mobile devices.

Data shared: Device tokens (anonymous identifiers assigned by the operating system), notification type, title, and body text.

Google’s privacy policy: https://policies.google.com/privacy

5.5 Analytics Providers

We may use third-party analytics services to help us understand how Users interact with the Platform, measure feature adoption, monitor performance, and improve the user experience. These providers may collect usage data, device information, and general geographic information (at a city or country level) through cookies, similar technologies, or SDKs integrated into the Platform. We select analytics providers that offer adequate data protection safeguards and process data in accordance with applicable privacy laws. The specific analytics services in use at any given time may be updated; a current list is available upon request at hello@groupanda.com.

5.6 Legal Disclosures

We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Groupanda, its Users, or the public.

 

6. Data Storage and Security

6.1 Where Your Data Is Stored

Your data is stored on Supabase’s cloud infrastructure. Supabase uses data centers provided by Amazon Web Services (AWS). The primary data region may include the European Union and/or the United States. Where data is transferred outside the European Economic Area (EEA), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

6.2 Security Measures

We implement the following technical and organizational measures to protect your data:

  • All data in transit is encrypted using TLS (HTTPS).
  • Passwords are stored as cryptographic hashes (never in plaintext).
  • Database access is controlled through Row-Level Security (RLS) policies that ensure Users can only access data they are authorized to see.
  • API endpoints are protected by rate limiting to prevent abuse.
  • Edge Functions (serverless backend) use dual authentication (JWT tokens for client requests, service-role keys for internal operations).
  • File storage uses separate public and private buckets with appropriate access controls. Private documents require signed URLs for access.
  • Webhook payloads from Stripe are verified using cryptographic signatures before processing.
  • SSRF protection is implemented on server-side URL fetching to prevent access to internal network resources.

6.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by GDPR Article 34.

 

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

Data Category

Retention Period

Account data (email, nickname, profile)

Until you delete your account

User Content (messages, images, documents, voice)

Until the message is deleted by the author or moderator, or the Group is deleted

Anonymized messages (after account deletion)

Until the Group is deleted

Media files in storage (images, documents, voice)

Until the associated message or Group is deleted, or upon specific request by the User

Transaction records

7 years from the date of the transaction (Polish tax law requirement)

Stripe webhook event logs

Retained for operational integrity and dispute resolution; periodically reviewed for deletion

Billing information

7 years from the last invoice (Polish tax law requirement)

Authentication audit logs

Managed by Supabase according to their retention policies

Device tokens (push notifications)

Until the token is revoked or the account is deleted

Rate limiting records

Automatically deleted after 1 hour

Analytics and usage data

Retained in accordance with the applicable analytics provider’s retention policies, or as configured by Groupanda (typically no longer than 26 months)

 

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at hello@groupanda.com. We will respond within 30 days of receiving your request.

8.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

8.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data. You can update most of your profile information directly through the Platform settings.

8.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data. You can delete your account through the Platform settings at any time. When you delete your account:

  • Your profile data (email, name, nickname, avatar, profile description, social links, phone number, billing information) is permanently deleted.
  • Your messages in Group conversations are anonymized — they remain visible as part of the conversation history but are attributed to “Deleted User” with no link to your identity.
  • Active subscriptions are canceled.
  • Transaction records are retained for the legally required period (7 years for tax purposes).
  • Device tokens associated with your account are deleted.
  • Media files you uploaded in Group conversations may be retained as part of Group conversations until the respective Group is deleted, unless you specifically request their removal.

Please note that we may retain certain data where we have a legal obligation to do so (e.g., transaction records for tax purposes) or where retention is necessary for the establishment, exercise, or defense of legal claims.

8.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. To request a data export, contact us at hello@groupanda.com.

8.6 Right to Object (Article 21)

You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis. This includes processing for analytics, rate limiting, abuse prevention, and link preview generation. Where you object to processing for analytics purposes, we will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.

8.7 Right to Withdraw Consent (Article 7)

Where we process your data based on consent (e.g., push notifications), you have the right to withdraw consent at any time. You can disable push notifications through the Platform settings or your device settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

8.8 Right to Lodge a Complaint

If you believe that we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. The competent authority in Poland is:

Prezes Urzędu Ochrony Danych Osobowych (UODO)
Stawki 2, 00-193 Warszawa, Poland

https://uodo.gov.pl

 

9. Cookies and Tracking Technologies

9.1 Essential Cookies and Local Storage

The Platform uses the following strictly necessary cookies and local storage mechanisms:

  • Authentication tokens (JWT) — required to keep you signed in.
  • Theme preference (light/dark/system) — stored locally on your device.
  • Sidebar width preference — stored locally on your device.
  • Notification channel settings — stored locally for per-channel notification preferences.

9.2 Analytics and Performance Cookies

We may use cookies or similar technologies provided by third-party analytics services to collect usage data as described in Section 3.2. These cookies help us understand how the Platform is used and identify areas for improvement. You can manage your cookie preferences through your browser settings or through the cookie consent mechanism provided on the Platform where required by law.

9.3 Your Choices

Most web browsers allow you to control cookies through their settings. You may choose to block or delete cookies; however, disabling essential cookies may prevent the Platform from functioning properly. Where we use non-essential cookies (such as analytics cookies), we will obtain your consent before placing them, in accordance with applicable law.

 

10. Children’s Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe a child under 18 has created an account on the Platform, please contact us at hello@groupanda.com.

 

11. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, through our third-party service providers (Stripe, Supabase/AWS, Google FCM, Resend, and analytics providers). When such transfers occur, we ensure that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions by the European Commission where applicable (e.g., the EU-U.S. Data Privacy Framework).
  • Supplementary measures as necessary to ensure an adequate level of protection.

 

12. Group Owners as Joint Controllers

When a Group Owner operates a paid Group, they may have access to certain information about their Members (such as nicknames, display names, avatars, and subscription status). In this context, the Group Owner may act as an independent data controller or joint controller for the personal data they access or collect through the Platform.

Group Owners are responsible for:

  • Complying with applicable data protection laws in their jurisdiction when processing Member data.
  • Not using Member data for purposes beyond operating and managing their Group.
  • Not exporting, selling, or sharing Member data with third parties.

Groupanda provides the technical infrastructure but does not control how Group Owners use the data they access. If you have concerns about how a Group Owner handles your data, you should contact the Group Owner directly. You may also contact Groupanda at hello@groupanda.com.

 

13. Link Previews

When a User shares a URL in a message, the Platform may automatically fetch metadata (title, description, preview image, and site name) from the linked website to generate a link preview. This fetch is performed server-side and does not transmit any User personal data to the linked website. Link preview metadata is cached in our database to avoid repeated fetches. Private IP ranges are blocked to prevent server-side request forgery (SSRF).

 

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Provide at least 14 days’ advance notice through the Platform (via in-app notification and/or email).
  • Post the updated Privacy Policy with a new effective date.

Your continued use of the Platform after the effective date of the updated Privacy Policy constitutes acceptance of the changes. We encourage you to review this Privacy Policy periodically.

 

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint regarding the processing of your personal data, please contact us at:

GP Software Mateusz Klemczak

Święty Marcin 29/8

61-806 Poznań, Poland

VAT-EU: PL7773235105

Email: hello@groupanda.com

 

We aim to respond to all data protection requests within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.