Skip to main content
NYTHY.
Nythy PRO

GDPR Compliant

Information on the processing of your personal data

Privacy
Policy

Information document compliant with Regulation (EU) 2016/679 (GDPR)

GDPRDSAePrivacyEncryptedAuditable

Sommaire

Document outline

Section · Chapter 1

Introduction

This privacy policy describes the conditions under which Nythy SASU collects and processes your personal data when you use the Nythy mobile application and associated website.

Scope

This policy applies to all Nythy services: mobile application (iOS and Android), showcase website, and merchant interfaces.

1.1 Regulatory framework

This policy is established in accordance with the following texts:

Regulation (EU) 2016/679 of April 27, 2016 (GDPR)
French Data Protection Act No. 78-17 of January 6, 1978 as amended
Regulation (EU) 2022/2065 (Digital Services Act)
Directive 2002/58/EC (ePrivacy)

1.2 Data controller

Data controller

Nythy SASU

221 b route de Schirmeck, 67200 Strasbourg, France
privacy@nythy.com
SIRET : [To be completed before publication]
RCS Strasbourg [To be completed before publication]

Registration information will be provided before official publication of this document.

1.3 Data Protection Officer

Pursuant to Article 37 of GDPR, Nythy is not required to designate a DPO given the nature and volume of processing activities. For any questions regarding your personal data:

privacy@nythy.com
— End of section 01 —Contents

Section · Chapter 2

Data collected and legal bases

In accordance with Article 13 of GDPR, we inform you of the categories of data collected, their purposes, and the legal basis applicable to each processing activity.

2.1 Registration and profile information

  • First and last name
  • Email address
  • Profile photo (optional)
  • Profile background image (optional)
  • Biography (optional)

2.1 bis Newsletter

  • Email address
  • Communication preferences
  • Newsletter signup date
  • Signup source (website, blog, form)

2.1 ter Waitlist

  • When you sign up for the waitlist, we record your approximate country, region and town or city (IP geolocation from our Hostinger VPS server in the European Union; the IP address is not stored in our databases).
  • This information is used to measure geographic coverage of our service and plan future roll-outs.
  • No IP address is stored in our databases for this form.
  • This is separate from technical or security logs that may record an IP address: see Technical information and the clarification displayed just below the category grid.

2.6 Favorites

  • Merchants and offers: IDs and names, linked category and image, date added, optional personal notes
  • Favorite user gifts: gift ID (reference to published content) and date added

2.2 Social data

  • List of users you follow
  • List of users who follow you
  • Profile privacy settings

2.3 Location data

  • Real-time geographic position
  • Location search history
  • Saved favorite addresses

2.4 Maps data

  • Current position (if allowed) to center the map
  • Addresses entered for geocoding
  • Displayed points/markers (IDs, coordinates, title)
  • Route requests (origin, destination, waypoints)

2.5 Usage data

  • Interface preferences and feed filters (theme, language, distance, categories, price, active tab) — local SharedPreferences storage
  • Last seen date for offers/gifts tabs — local storage
  • Recent merchant searches (last 10 max.) — local storage
  • Payment-related events (status, order IDs) — Firebase/Firestore
  • Crash diagnostics: current route and recent navigation (in memory, max. 20 screens) sent to Firebase Crashlytics if crash reporting is not disabled

2.8 Security data

  • Login history (date, time, device, approximate location)
  • List of trusted devices
  • Active sessions
  • Authentication preferences

2.9 Technical information

  • Device type and operating system
  • Unique device identifier
  • IP address that may appear in server and application logs, security systems and abuse prevention (separate from data stored for the showcase website waitlist — see Waitlist card)
  • Error logs and crashes
  • Application version

2.11 Messaging data

  • Sent text messages
  • Images shared in conversations
  • Shared audio files
  • Conversation metadata (date, participants)

2.7 Community data

  • Posts (text, images) and associated metadata
  • Comments, reactions, shares and bookmarks
  • Polls, options and votes
  • Reports and report reasons
  • User mentions
  • Location attached to posts (city, postal code, approximate coordinates if provided)

2.10 Transaction data

  • Reservation history
  • Visited merchants
  • Transaction amounts (future)
  • Pickup status

2.12 Merchant account data

  • Business name and legal name
  • SIRET number (tax identifier)
  • Point of sale address
  • Professional email and phone
  • Business type and description
  • Logo and banner
Clarification — IP addresses and the waitlist: For showcase website waitlist sign-up, we do not store IP addresses in our databases; only approximate country, region and town or city are retained (Waitlist card). The “IP address” item in this subsection refers to other processing (infrastructure, mobile application, logs, security) carried out in accordance with applicable law and the retention periods stated later in this policy.
Biometric authentication : If you enable biometric authentication (fingerprint or facial recognition), this data is stored only on your device via the operating system's secure mechanisms (iOS Keychain / Android Keystore). Nythy never has access to your biometric data.
2.5 Usage data : Firebase Analytics is disabled in the mobile app: we do not keep browsing history on our servers for statistics. Reservations are covered in section 2.10; favorites in section 2.6. Local preferences are detailed in section 8.
2.6 Favorites : Merchants and offers: primary local storage on the device (SharedPreferences), with synchronization to Firebase/Firestore when you are signed in and online. User gifts: stored on Firebase/Firestore only. Offline, merchant/offer favorites remain available on the device. When you reconnect, they sync with your account. For a favorite merchant, its ID is also kept on your user profile to track gamification progress.
Messagerie : Messaging is intended for exchanges between users and associations only. Messages are not subject to automated AI moderation on send; only reported content may be reviewed by the moderation team (DSA). Messages are retained for the duration of registration.

2.13 Payments and financial data (Stripe)

Sensitive financial data is entirely managed by our payment provider Stripe. Nythy does NOT collect and does NOT have access to the following data:

  • Bank details (IBAN, account numbers)
  • Credit card information (number, CVC, expiration date)
  • Merchant or legal representative ID
  • Personal proof of address
  • Bank statement
  • Company documents (articles of incorporation, registration)
Transactions : Payment data (credit card) is not stored by Nythy. Payment is made online via Stripe or directly to the merchant depending on configuration. Banking data is managed exclusively by Stripe.
— End of section 02 —Contents

Section · Chapter 3

Processing purposes

Your personal data is processed for the following purposes:

Create and manage your account
Display nearby offers
Personalize your experience
Process your reservations
Manage your favorites
Send important notifications
Improve our application
Ensure security and prevent fraud
Respond to your support requests
Comply with our legal obligations

Legal basis for processing (Article 6 GDPR)

1.Contract performance: account management, reservations, support
2.Consent: geolocation, marketing notifications
3.Legitimate interest: service improvement, security, fraud prevention
4.Legal obligation: tax retention, logs, judicial requests

3.1 Display personalization

Nythy does not analyze your browsing history and does not generate automatic recommendations. The feed display may only be adapted as follows:

  • Sorting offers and gifts by proximity, if you have authorized geolocation
  • Applying filters you choose manually (distance, categories, price), stored locally on your device

There is no behavioral profiling, no recommendations based on your favorite categories, and no sorting based on browsing history.

Important clarifications

This personalization does NOT fall within the scope of Article 22 of GDPR because:

  • It does not produce legal effects concerning you
  • It does not significantly affect your situation
  • No decision is made in an entirely automated manner
  • You can reset your filters or withdraw your geolocation consent at any time

In accordance with Article 21.1 of GDPR, you may object to this processing by writing to privacy@nythy.com

3.2 No automated decision-making

Nythy does not make any entirely automated decisions within the meaning of Article 22 of GDPR that would produce legal effects or significantly affect you. Any account suspension is subject to human review.

— End of section 03 —Contents

Section · Chapter 4

Sharing your data

Nythy does not sell or trade your personal data.

Your data may be disclosed to the following categories of recipients:

Partner merchants

Data strictly necessary for your reservation: first name and pickup time. For associations, the association name and pickup time slot are shared with the donor merchant.

Partner associations

When an association reserves a donation, the merchant name, pickup address and donation details are shared with the association.

Technical subprocessors

Hosting, email sending, analytics (see list below)

Public authorities

Upon judicial requisition or request from a competent authority

Potential acquirer

In case of restructuring, merger or business transfer (after prior notice)

Subprocessor list

In accordance with Article 28 of GDPR, Nythy has concluded data processing agreements with the following subprocessors:

Google Cloud / Firebase

Hosting, authentication, databaseEuropean Union (Cloud Functions europe-west1, Belgium) / United States depending on Google services (DPF certified)

Google Maps Platform

Map display, geocoding, directionsEuropean Union / United States (DPF certified)

Stripe

Payments, merchant payouts, identity verification (KYC)European Union / United States (DPF certified)

Redis (self-hosted)

Abuse protection (rate limiting), request throttlingEuropean Union (Nythy VPS server)

SMTP / Nodemailer

Transactional email delivery (verification, notifications, support)European Union

Google Gemini AI (via Cloud Functions)

AI conversational assistant for user support (gemini-2.5-flash model)European Union (Cloud Functions europe-west1) / United States (DPF certified)

Firebase Crashlytics

Collection of anonymized crash reports (stack trace, app version, device model)European Union / United States (DPF certified)

Google Sign-In (OAuth)

Optional authentication via Google accountEuropean Union / United States (DPF certified)

Apple Sign-In (Sign in with Apple)

Optional authentication via Apple ID (iOS and web)European Union / United States (DPF certified)

Vettly

Automated AI moderation of public community content (text and image URLs in posts and comments)European Union / United States (depending on Vettly infrastructure)

Google reCAPTCHA Enterprise

Abuse protection and Firebase App Check verificationEuropean Union / United States (DPF certified)

Hostinger (VPS)

Hosting of the nythy.com showcase website and Next.js APIs on a virtual private server (VPS)European Union

— End of section 04 —Contents

Section · Chapter 5

International transfers

Your data is primarily hosted in the European Union. Some subprocessors may process data in third countries:

Safeguards for transfers

Adequacy decision (Art. 45 GDPR)For countries recognized as providing an adequate level of protection by the European Commission
Data Privacy Framework — DPF (Art. 45 GDPR)For transfers to the United States to certified companies (adequacy decision of July 10, 2023)
Standard Contractual Clauses — SCCs (Art. 46.2.c GDPR)Clauses adopted by the European Commission (Decision 2021/914)

Transfers to third countries

Nythy does not currently maintain a formal, documented Transfer Impact Assessment (TIA) for each sub-processor, as recommended by the EDPB. Transfers to third countries (including the United States) rely on the mechanisms described above: adequacy decisions (Data Privacy Framework), Standard Contractual Clauses (SCCs), and sub-processor agreements compliant with Article 28 GDPR.

You can obtain a copy of the applicable safeguards by writing to privacy@nythy.com

— End of section 05 —Contents

Section · Chapter 6

Data security

In accordance with Article 32 of GDPR, Nythy implements appropriate technical and organizational measures:

Encryption and integrity

  • Encrypted communications (HTTPS/TLS)
  • Password hashing for professional web accounts (merchant, association) via Firebase Authentication (scrypt)
  • Device identifier derived and hashed locally (SHA-256)

Authentication and access control

  • Consumer authentication via Firebase Auth (OAuth 2.0 — Google Sign-In, Sign in with Apple); email/password reserved for professional web spaces
  • Optional biometric authentication stored locally on the device
  • Two-factor authentication (2FA) available for professional accounts (merchant, association, admin)
  • Session and trusted device management
  • Role-based access control and Firestore security rules

Protection and infrastructure

  • Anti-abuse measures on the website and app (rate limiting, security checks)
  • Disposable email domain blocking on web signup (merchants, associations)
  • Application data hosted on Firebase / Google Cloud (Cloud Functions in europe-west1, Belgium)
  • Showcase website hosted on Hostinger VPS (European Union)

Breach notification

In case of a personal data breach, Nythy:

  • Notifies the CNIL within 72 hours (Art. 33 GDPR) if the breach poses a risk to your rights
  • Informs you directly if the breach poses a high risk (Art. 34 GDPR)
  • Documents the incident in an internal register
— End of section 06 —Contents

Section · Chapter 7

Your rights

In accordance with GDPR, you have the following rights over your personal data:

Right of access

Article 15 GDPR

Obtain confirmation that your data is being processed and receive a copy

Right to rectification

Article 16 GDPR

Have inaccurate data corrected or incomplete data completed

Right to erasure

Article 17 GDPR

Obtain the deletion of your data in the cases provided by the regulation

Right to restriction

Article 18 GDPR

Request restriction of processing in the cases provided by the regulation (via privacy@nythy.com or mail)

Right to portability

Article 20 GDPR

Receive your data in a structured, commonly used, machine-readable format (ZIP/JSON export in the app)

Right to object

Article 21 GDPR

Object to certain processing based on legitimate interest (Nythy does not perform behavioral profiling)

Withdrawal of consent

Article 7.3 GDPR

Withdraw your consent at any time (marketing notifications, crash reports, geolocation via device settings), without affecting the lawfulness of prior processing

Post-mortem directives

Article 85 French Data Protection Act

Define directives regarding the fate of your data after your death (you or your heirs, via privacy@nythy.com or mail)

Exercising your rights

  • Access and portability: Profile > Settings > Security > Data and privacy (export your data)
  • Erasure: Profile > Delete my account (effective deletion after 30 days, cancellable during this period)
  • Rectification: personal information and profile settings in the app
  • Withdrawal of consent: notifications (marketing emails), crash reports (Settings > Security > Data and privacy), geolocation (device settings)
  • Restriction, objection and post-mortem directives: privacy@nythy.com
  • By mail: Nythy SASU, 221 b route de Schirmeck, 67200 Strasbourg, France

We process your request within one month maximum (Art. 12.3 GDPR). This period may be extended by two months in case of complexity or high number of requests.

For security reasons, certain requests (including exporting your data) may be subject to enhanced verification including recent authentication and, where applicable, a local biometric check on your device.

Exercising these rights is free. Reasonable fees may be charged for manifestly unfounded or excessive requests.

Complaint to supervisory authority

If you believe that the processing of your data does not comply with applicable regulations, you can file a complaint with:

Commission Nationale de l'Informatique et des Libertés (CNIL)

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

www.cnil.fr

+33 1 53 73 22 22

— End of section 07 —Contents

Section · Chapter 8

Local storage on your device

The Nythy application uses your device's local storage for the following data:

Interface preferences

  • Theme (light/dark/system)
  • Selected language
  • Navigation bar style (Nythy/standard)
  • Navigation bar auto-hide on scroll
  • Floating action buttons display (community feed, donations)
  • Haptic feedback (vibrations) enabled/disabled
  • Audio equalizer settings (preset, custom gains)
  • Social feed filters (distance, categories, price) and last tab displayed (gifts/offers)
  • Messaging background customization
  • Profile shortcuts
  • Onboarding screen status (seen)
  • Crash report submission preference (Crashlytics)

Authentication and security

  • Firebase Auth session (encrypted persistence managed by the SDK on the device)
  • Derived and hashed device identifier (SHA-256, secure storage)
  • Local cryptographic salt (Device ID generation)
  • Device first-use date
  • Anti-spam data: attempt counters and timestamps (local rate limiting)

Application cache

  • Offer images (temporary cache)
  • Last known GPS location (latitude, longitude, timestamp, limited duration ~2 h)
  • Offline posts and comments pending sync
  • Offline messaging pending sync (secure storage)
  • Anonymized technical error queue pending sync (20 maximum)

Functional data

  • Merchant/offer favorites (local copy — see section 2.6 for cloud sync)
  • Recent search history (10 maximum)
  • AI assistant conversations (stored locally, 50 maximum)

The local data listed above is deleted when you uninstall the app. On logout, some application caches (images, in-memory caches) are cleared automatically without erasing your preferences or local favorites copy. Saved post drafts are stored on Firebase (cloud), not only on the device. The cloud copy of favorites is kept for the duration of your registration and deleted with your account (section 9.2). See section 2.6 for details.

Cookies (website)

The nythy.com website uses cookies. For detailed information on cookies placed, their purposes, retention periods, and how to manage them, please see our Cookie Policy accessible from the consent banner or the site footer.

— End of section 08 —Contents

Section · Chapter 9

Retention periods

In accordance with the storage limitation principle (Art. 5.1.e GDPR), your data is retained for a period not exceeding what is necessary for the purposes for which it is processed.

9.1 Active account

  • Profile data (personal info, photos, bio) : Duration of registration
  • Social relationships (followers/following) : Duration of registration
  • Reservation history : 5 years after last transaction
  • Messages and media : Duration of registration
  • Login history and sessions : 1 year
  • Connection logs : 1 year
  • Merchant account (profile, products) : Duration of registration + 3 years
  • Merchant transaction history (amounts only) : 5 years
  • Association account (profile, logistics capabilities) : Duration of registration + 3 years
  • Association donation and reservation history : 5 years
  • Events and volunteer registrations : Duration of registration
  • Association impact statistics (kg saved, meals, CO₂) : Duration of registration
  • AI assistant conversations (local storage) : Until manual deletion or app uninstall
  • Merchant/offer favorites (Firebase/Firestore cloud copy) : Duration of registration
  • User gift favorites (Firebase/Firestore) : Duration of registration

9.2 After account deletion

  • Personal data (profile, photos, bio) : Deletion within 30 days
  • Social relationships (followers/following) : Immediate deletion
  • Messages and media : Deletion within 30 days
  • Public contributions (reviews) : Immediate anonymization
  • Merchant profile and products : Deletion within 30 days
  • Merchant financial data : Managed by Stripe
  • Association profile and logistics capabilities : Deletion within 30 days
  • Collected donation history : Retained 5 years (accounting obligation)
  • Events and volunteer data : Deletion within 30 days
  • Favorites (merchants, offers and user gifts — cloud copy) : Deletion within 30 days

9.3 Legal retention obligations

  • Billing data : 10 years (Article L123-22 of French Commercial Code)
  • Connection logs : 1 year (Article 6 II of LCEN)
  • Moderation data (DSA) : 6 years (Civil limitation period (Art. 2224 French Civil Code) to respond to potential appeals)
  • Fraud data : 5 years after case closure (CNIL recommendation on unpaid debts and fraud management)
— End of section 09 —Contents

Section · Chapter 10

Protection of minors

Nythy pays particular attention to the protection of minors' data.

Minimum age

The use of Nythy is strictly reserved for persons aged at least 16 years.

Currently, Nythy does not collect or verify user age during registration. By using the application, users confirm that they are at least 16 years old.

The minimum age to use Nythy is 16 years
Nythy does not knowingly collect data from minors under 16 years of age
If an account of a minor under 16 is identified, it will be deleted
Parents or guardians may report a minor account to request its deletion

Report a minor's account: privacy@nythy.com

— End of section 10 —Contents

Section · Chapter 11

Changes to this policy

This policy may be modified to reflect legal, regulatory, or practice changes.

Notification of substantial changes

Publication on nythy.com with the updated effective date
In-app information if necessary (re-acceptance may be required at login)
Email to affected users, where appropriate, depending on the significance of the changes

Previous versions are retained internally and may be provided upon request at privacy@nythy.com.

Depending on the significance of the changes, continued use of the service may be subject to prior notice or explicit re-acceptance.

— End of section 11 —Contents

Section · Chapter 12

Data controller identification

The controller of your personal data is:

Company name

Nythy SASU

Legal form

Simplified Joint Stock Company

Registered office

221 b route de Schirmeck, 67200 Strasbourg, France

Hosting provider

App and data: Google Cloud Platform / Firebase (EU). Showcase website nythy.com: Hostinger VPS (EU).

— End of section 12 —Contents

Got a question?

Write to our data protection team

For any request regarding your personal data, your GDPR rights or a report, contact us directly.

This policy aims to provide you with complete and transparent information about the processing of your personal data by Nythy.