Privacy Policy
This Privacy Policy explains what personal data Suviy collects when you use our news-aggregation mobile app and related services, why we collect it, who we share it with, how long we keep it, and what rights you have over it.
We have written this in plain English. If anything is unclear, write to privacy@suviy.app and we'll explain.
1. Who we are (data controller)
Suviy is operated by an independent developer based in Ukraine, acting as the data controller. For all privacy matters the controller's contact address is privacy@suviy.app. Full identification of the controller (legal name and postal address) is provided on a documented request from a supervisory authority, a court, or a data subject exercising their rights under applicable law.
Suviy is not currently established in the European Union and has not designated an Article 27 representative. EU residents may still exercise all rights below by contacting us at privacy@suviy.app; we respond to GDPR requests within 30 days.
2. What we collect and why
2.1 When you create a registered account
- Email address — to identify your account and send transactional messages (verification codes, password resets, account-deletion confirmations).
- Password (hashed) — to authenticate you. We store only a one-way bcrypt hash; we never see the plaintext.
- Optional profile — display name, avatar URL, if you provide them.
Legal basis: performance of the contract you enter into when you sign up (Art. 6(1)(b) GDPR).
2.2 When you use the app anonymously
- Device-generated identifier (
device_id) — a random UUID created on your device the first time you open the app. Lets the server distinguish your device from others. No personally identifying information.
Legal basis: legitimate interest in providing a working app to anonymous users (Art. 6(1)(f)).
2.3 Content and activity
- Reading history — which articles you opened, time spent, scroll depth, where you arrived from (feed, search, related).
- Favorites, comments, reactions — content you explicitly create or save in the app.
- Source subscriptions and preferences — followed topics, source language overrides, focus country, theme, app language.
- AI usage logs — which AI features (summarize, translate) you used, on which article, when. Used for quota enforcement and abuse prevention.
Legal basis: performance of the contract (Art. 6(1)(b)) and our legitimate interest in personalizing the feed and preventing AI-quota abuse (Art. 6(1)(f)).
2.4 Technical data
- IP address and request metadata — captured by web servers and our error-tracking service, used for security, abuse prevention, and debugging.
- Authentication tokens — short-lived JWT access tokens and refresh tokens, plus one-time codes (OTP) for email verification and password reset.
Legal basis: legitimate interest in operating a secure service (Art. 6(1)(f)).
3. Who else processes your data (sub-processors)
We use the following third-party services to run Suviy. Each one is bound by a Data Processing Agreement (DPA) and processes only the data we strictly need to send them.
| Provider | Role | Region | DPA |
|---|---|---|---|
| Hetzner Online GmbH | Hosting (servers + databases) | Germany (EU) | link |
| Resend | Transactional email delivery | US / EU | link |
| Cloudflare, Inc. | DNS, CDN, inbound email routing | Global | link |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | US | link |
| OpenAI, L.L.C. | AI summarization and translation of articles you explicitly request | US / EU | link |
We have configured Sentry to not auto-attach your email address, request cookies, or authentication headers to error reports. OpenAI is contacted only when you tap "Summarize" or "Translate" inside the app, and only the article content needed for that single request is sent. We do not train AI models with your data.
4. International data transfers
The primary database is hosted in Germany. Some sub-processors above are based in the United States; for those, transfers are protected by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses signed in the DPAs linked above.
5. How long we keep your data
| Category | Retention |
|---|---|
| Account data (email, password, profile) | Until you delete the account, then 14 days grace period, then permanent deletion. |
| Reading history, favorites, reactions, comments, preferences | Until account deletion (same 14-day grace). |
| AI usage logs | Until account deletion. |
| Authentication tokens (JWT, refresh, OTP) | Up to the token's natural expiry; refresh tokens revoked on logout, password change, or deletion request. |
| Outgoing email log (audit of transactional emails sent) | Up to 1 year for fraud-prevention; deleted with the account if shorter. |
Anonymous-account data (device_id + activity) |
Automatically deleted after 90 days of inactivity. You can also request deletion manually — see § 7.4. |
| Account deletion audit log (UUID, request method, timestamps; no personal data) | 1 year, for fraud audit. |
| Database backups | Up to 30 days, encrypted. Deleted user data is removed from backups as they roll over. |
| Sentry error reports | Sentry default 90 days, after which Sentry deletes them automatically. |
6. Your rights
If you are in the EU, UK, Ukraine, or another jurisdiction with comparable rights, you can:
- Access the personal data we hold about you.
- Correct any data that is wrong or out of date — most fields you can edit yourself in the app.
- Delete your account and all associated data (see § 7).
- Restrict or object to processing for legitimate-interest purposes.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time where processing is based on consent (e.g. marketing communications, if we ever introduce them).
- Lodge a complaint with your national data-protection authority. EU users can find theirs at edpb.europa.eu. Ukrainian users can complain to the Ukrainian Parliament Commissioner for Human Rights (Ombudsman).
We never charge for these requests and we respond within 30 days. Where strictly necessary we may extend this by up to 60 days for complex requests and will let you know if so.
7. How to delete your account
7.1 If you can sign in to the app
Open the app, go to Settings → Account → Delete account, re-enter your password, and confirm.
7.2 If you cannot sign in
Use our public deletion form at https://api.suviy.app/account/delete-request. Enter the email address attached to your account; we'll send a confirmation link to that address. Click the link within 60 minutes. This is the same flow Apple and Google require for app stores.
7.3 What happens after a deletion request
Your account is locked immediately (active sessions are invalidated and you cannot sign in). For the next 14 days you can cancel the
deletion using the link in the confirmation email. After 14 days, all data tied to your user is permanently removed:
account row, reading history, favorites, reactions, comments, preferences, source subscriptions, AI usage logs, refresh tokens, OTP codes, and
outgoing-email audit rows. The only thing kept is an anonymous record (uuid, requested_via, timestamps — no personal data) for 1 year for fraud auditing.
You will receive one final email confirming the deletion. After that we will not contact you again at that address.
7.4 Anonymous accounts
Anonymous accounts have no email or password — they are tied only to the random device_id generated on your device. To request deletion of an
anonymous account's data, contact privacy@suviy.app with the device_id shown in
Settings → About. We process anonymous-account requests manually within 30 days. Uninstalling the app or clearing the app's local
data does not delete server-side rows on its own — the manual request is the way to be sure.
8. Security
Passwords are stored as bcrypt hashes. Database connections use TLS. Web traffic is served over HTTPS with HSTS. Authentication tokens are short-lived and can be revoked centrally if we detect compromise. Backups are encrypted at rest.
No system is unbreakable. If we ever discover a personal-data breach that is likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours and contact affected users without undue delay.
9. Children
Suviy is not directed to children under 16. By using the service, you confirm you are at least 16 years old. If we learn we have collected personal data from a child under that age, we will delete it. Parents and guardians who believe their child has registered can write to privacy@suviy.app.
10. Where this service is offered
Suviy is offered globally with one exception: the service is not directed to users in the Russian Federation, and we do not actively market the app in that jurisdiction.
11. Changes to this policy
If we change this policy in a way that materially affects you (for example, adding a new sub-processor or changing retention periods), we will update the "Last updated" date above and, where required, notify you in the app or by email at least 30 days before the change takes effect. The latest version is always available at this page.
12. Contact
Privacy and DSAR requests: privacy@suviy.app
Legal and IP / takedown: legal@suviy.app
Anything else: support@suviy.app