Privacy Policy

Effective Date: February 13, 2026

1. Data Controller

The data controller responsible for processing your personal data is:

JJEEM Labs AB (Org. No. 559574-2684) Sweden

Email: support@tervika.app

If you have any questions about how your personal data is processed, you can contact us at the email address above.

2. What Data We Collect

2.1 Data You Provide

• Account information: Email address and password when you create an account via Supabase Auth.
• Sign data: Locations, destinations, coordinates, design settings, dimensions, and other data you enter while creating and editing signs.
• Subscription and payment data: When you subscribe to a paid plan, your payment is processed by Stripe. We receive confirmation of your subscription status but do not store your full credit card number or payment details — Stripe handles this as an independent data controller.
• Feedback and bug reports: Information you voluntarily provide when contacting us.

2.2 Data Collected Automatically

• Usage data: Statistics about how you interact with the Service, including features used and actions taken.
• Device information: Browser type, operating system, screen resolution, and language preferences.
• Log data: IP addresses, access times, and referring URLs collected by our servers.
• Cookies and similar technologies: See Section 8 below.

2.3 Data from Third Parties

• Google AdSense: When ads are active, Google may collect device identifiers, IP addresses, and browsing behavior to serve and measure advertisements. See Section 7.

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

| Purpose | Legal Basis | |---------|-------------| | Providing the Service and managing your account | Performance of contract (Art. 6(1)(b)) | | Syncing your data across devices | Performance of contract (Art. 6(1)(b)) | | Processing payments and subscriptions | Performance of contract (Art. 6(1)(b)) | | Displaying personalized advertisements | Consent (Art. 6(1)(a)) | | Placing non-essential cookies | Consent (Art. 6(1)(a)) | | Improving the Service and developing features | Legitimate interest (Art. 6(1)(f)) | | Monitoring performance and diagnosing issues | Legitimate interest (Art. 6(1)(f)) | | Preventing fraud and enforcing Terms of Use | Legitimate interest (Art. 6(1)(f)) | | Responding to legal obligations | Legal obligation (Art. 6(1)(c)) |

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

4. How We Use Your Data

We use the data we collect to:

• Provide, operate, and maintain the Service.
• Manage your account and authenticate your identity.
• Process subscriptions and payments.
• Sync your sign data across devices when you opt into cloud storage.
• Improve the Service and develop new features.
• Monitor performance and diagnose technical issues.
• Display advertisements (with your consent).
• Communicate with you about updates or changes to the Service.
• Enforce our Terms of Use and protect against misuse.
• Comply with legal obligations.

5. Local and Cloud Storage

Your sign data is stored locally on your device using local storage (Hive). If you create an account, your data may also be synced to the cloud using Supabase, allowing access across multiple devices. Cloud data is stored on servers located within the European Union (EU).

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

• Account data: Retained for as long as your account is active. If you delete your account, your data will be deleted within 30 days, except where retention is required by law.
• Sign data (cloud): Retained for as long as your account is active. Deleted when you delete individual signs or your account.
• Sign data (local): Stored on your device and under your control. Not affected by account deletion.
• Log data: Retained for up to 12 months for security and diagnostic purposes.
• Payment records: Retained as required by applicable tax and accounting laws (typically 7 years under Swedish law).

7. Third-Party Services

We use the following third-party services that may process your personal data:

7.1 Supabase (Authentication and Cloud Storage)

Supabase provides authentication and database services. Your account data and cloud-synced sign data are stored on Supabase servers within the EU. Supabase acts as a data processor on our behalf under a Data Processing Agreement (DPA).

• Privacy policy: https://supabase.com/privacy

7.2 Google AdSense (Advertising)

We may use Google AdSense to display advertisements inside the Service. Google may collect and process device identifiers, IP addresses, and usage data to serve personalized or non-personalized ads. Personalized ads require your consent where required by law.

Google is an independent data controller for the data it collects through its advertising services. Data may be transferred to the United States — see Section 9.

• Privacy policy: https://policies.google.com/privacy
• Ad settings: https://adssettings.google.com

7.3 Stripe (Payment Processing)

Stripe processes subscription payments on our behalf. When you subscribe, Stripe collects your payment information directly. Stripe acts as an independent data controller for payment data.

• Privacy policy: https://stripe.com/privacy

7.4 Nominatim / OpenStreetMap (Geocoding)

The Service uses Nominatim (OpenStreetMap) to search for locations. Search queries (place names) are sent to Nominatim servers. No account data or personal identifiers are included in these requests.

• Privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy

8. Cookies and Tracking Technologies

The Service may use the following types of cookies and similar technologies:

• Essential cookies: Required for the Service to function (e.g., session management, consent preferences). These do not require consent.
• Analytics cookies: Used to understand how the Service is used and to improve it. Set only with your consent.
• Advertising cookies: Used by Google AdSense to serve and measure ads when ads are active. Personalized advertising cookies are set only with your consent where required by law.

You can manage advertising preferences in the app's Settings when ad serving is active. You can also configure your browser to block or delete cookies, though this may affect functionality.

9. International Data Transfers

Our primary data storage (Supabase) is hosted within the European Union. However, some third-party services may transfer data outside the EU/EEA:

• Google (advertising): May transfer data to the United States. Google relies on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) as transfer mechanisms.
• Stripe (payments): May transfer data to the United States. Stripe relies on the EU-U.S. Data Privacy Framework and SCCs.

We ensure that any international transfers are made with appropriate safeguards in place as required by GDPR Chapter V.

10. Advertising

The Service may display advertisements provided by Google AdSense inside the editor for users on the Standard (free) tier and unauthenticated users. Ads are not placed on the marketing, guide, blog, FAQ, privacy, or terms pages. Premium subscribers do not see advertisements, and no advertising-related data is collected for Premium users.

When ad serving is active, you may be asked to choose between:

• Personalized ads — based on your interests and browsing behavior, served with consent where required.
• Non-personalized ads — contextual ads that do not rely on personalized ad targeting.

Your choice is stored locally on your device and is not synced to the cloud.

We do not sell your personal data to advertisers or any other third parties.

You can manage your ad preferences at any time through:

• Ad Preferences in the app's Settings page.
• Google's ad settings: https://adssettings.google.com

11. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

• Right of access (Art. 15): You can request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You can request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
• Right to restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): You can object to processing based on legitimate interest. You can object to direct marketing at any time.
• Right to withdraw consent (Art. 7): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority (see Section 12).

To exercise any of these rights, please contact us at support@tervika.app. We will respond to your request within 30 days.

12. Supervisory Authority

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. For Sweden, the relevant authority is:

Integritetsskyddsmyndigheten (IMY) Box 8114 104 20 Stockholm, Sweden https://www.imy.se Email: imy@imy.se

You may also lodge a complaint with the supervisory authority in the EU/EEA member state of your habitual residence or place of work.

13. Sharing Your Information

Beyond the third-party services described in Section 7, we may share your information in the following limited circumstances:

• Legal compliance: When required by law, regulation, or legal process.
• Protection of rights: To protect the rights, safety, or property of Tervika, our users, or the public.

We do not sell your personal data.

14. Sign Data

You remain the owner of the sign designs, destination names, coordinates, notes, imported fonts, and other project data you create in Tervika. We process this data only to provide the Service, including local storage, cloud sync, previews, exports, account recovery, and support.

If you delete your account, cloud-synced sign data is deleted as described in Section 6. Locally stored sign data remains on your device unless you delete it from the app or clear your browser storage.

15. Feedback and Suggestions

Any feedback, suggestions, or ideas you provide to us may be used by Tervika to improve the Service. Such feedback is provided voluntarily and no compensation or attribution is required.

16. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS) and at rest, access controls, and regular security reviews.

However, no method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security. If you become aware of a security breach, please notify us immediately at support@tervika.app.

17. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16, in accordance with GDPR Article 8. If you believe we have collected data from a child under 16, please contact us at support@tervika.app so we can take appropriate action.

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the effective date at the top of this page.
• Notify you through the Service or by email where appropriate.

We encourage you to review this policy periodically to stay informed about how we protect your data.

19. Governing Law

This Privacy Policy is governed by the laws of Sweden and the European Union, including the General Data Protection Regulation (EU) 2016/679 (GDPR). Any disputes arising from or relating to this policy shall be subject to the exclusive jurisdiction of the courts of Sweden.

20. Contact

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Email: support@tervika.app

You may also write to us at:

JJEEM Labs AB (Org. No. 559574-2684), Källådersgatan 1, SE-582 52 Linköping Sweden