Privacy Policy

Last updated: March 2026

1. Data Controller

Movida (movida-app.com) is the data controller responsible for processing your personal data as described in this policy. If you have questions about how your data is handled, contact us at [email protected].

2. Data We Collect

We collect only the data necessary to provide Movida's services. Here is what we collect and why.

Account data

When you create an account, we collect your name and email address. You can register using email and password or through social login (Google or Facebook). Authentication is handled by Ory Kratos, a self-hosted identity service — your credentials are never shared with third parties.

Location data

If you grant browser permission, we use your approximate location to show events near you on the map. Location access is entirely optional. You can revoke it at any time through your browser settings, and Movida will still work — you just will not see distance-based results.

Booking data

When you book an event, we store a record of the booking including the event details and payment status. This allows you to view your bookings and allows organisers to manage attendance.

Review data

If you leave a review after attending an event, we store the review text and rating you submit. Reviews are publicly visible and associated with your display name.

3. Cookies and Sessions

Movida uses a single essential cookie for authentication:

  • ory_kratos_session — keeps you signed in. This cookie is required for authenticated features (booking, reviewing, managing events). Session lifespan: 12 hours.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies.

4. Payment Data

Payments are processed entirely by Stripe, a PCI DSS-compliant payment processor. When you pay for an event, you are redirected to Stripe Checkout. Movida never sees, stores, or processes your credit card number or payment card details. We only receive confirmation of whether a payment succeeded or failed.

5. Anonymous Presence on the Map

Movida has a feature that shows approximate user presence on the map (sometimes called "ghosts"). This feature stores only anonymous coordinate data in a temporary cache (Redis). No personally identifiable information is attached to this data. The coordinates expire automatically after a short period (typically minutes) and are never written to permanent storage.

6. Third-Party Services

We use the following third-party services to operate Movida:

  • Stripe — payment processing. Stripe Privacy Policy
  • Ory Kratos — authentication. Self-hosted on our infrastructure. No data is shared with Ory the company.
  • SMTP2GO — transactional email delivery (booking confirmations, account notifications). SMTP2GO Privacy Policy
  • Cloudflare — content delivery network, DNS, and secure tunnelling. Cloudflare Privacy Policy
  • Protomaps / OpenStreetMap — map tiles. Open data, no user tracking.

7. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

  • Access (Art. 15) — request a copy of the personal data we hold about you.
  • Rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Erasure (Art. 17) — ask us to delete your personal data ("right to be forgotten").
  • Restriction (Art. 18) — ask us to temporarily stop processing your data.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — object to processing of your data for specific purposes.

You also have the right to lodge a complaint with a supervisory authority if you believe your data is being processed unlawfully.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

8. Data Retention

  • Account data — retained while your account is active. Deleted upon your request to delete your account.
  • Booking records — retained for a minimum of 5 years after the transaction date to comply with legal and tax obligations under Polish law.
  • Reviews — retained while the associated event exists on the platform. If you delete your account, your reviews are anonymised (your name is removed) rather than deleted, to preserve the integrity of event ratings.
  • Location and presence data — geolocation coordinates used for the map are not persisted. Anonymous presence data (ghosts) expires automatically from the cache within minutes.

9. Data Security

We take the following measures to protect your data:

  • All connections to Movida are encrypted using TLS (HTTPS).
  • Passwords are hashed using bcrypt via Ory Kratos. We never store passwords in plain text.
  • Payment card data never touches Movida's servers — it is handled entirely by Stripe.
  • Access to production infrastructure is restricted and monitored.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. If we make material changes that affect how your personal data is processed, we will notify you through the platform or by email before the changes take effect.

11. Contact

If you have any questions about this Privacy Policy or how Movida handles your data, contact us at [email protected].

← Back to map