Privacy Policy

Pikarama is operated by an individual based in Prague, Czech Republic (EU).

For any privacy-related questions, you can reach us at support@pikarama.com.

When you sign in with Google or Facebook, we receive and store:

• Name — displayed to other group members
• Email — used to identify your account
• Profile picture — shown in groups and events

As you use the app, we also store:

• Groups you create or join
• Events and options you submit
• Your votes and karma score
• Telegram chat ID (if you link your account)

Under the GDPR, we process your data based on:

• Consent (Art. 6(1)(a)) — when you sign in via Google or Facebook, you explicitly consent to sharing your profile data with us. You can withdraw consent anytime by requesting account deletion.
• Legitimate interest (Art. 6(1)(f)) — for core app functionality: storing your groups, events, votes, and karma so the app works as expected. Our legitimate interest is providing the service you signed up to use.
• Legitimate interest (Art. 6(1)(f)) — for analytics (Google Analytics) to understand usage patterns and improve the app. We only collect anonymized, aggregated data and do not use it for advertising or profiling.
• Consent (Art. 6(1)(a)) — for optional Telegram notifications. You opt in by linking your account and can disconnect anytime in Settings.

• Authentication — to log you in and keep your session
• App functionality — to show your groups, events, votes, and karma
• Notifications — to send Telegram messages about events (only if you opt in)

We don't sell your data. We don't run ads. We use Google Analytics to understand how people use the app (page views, feature usage, general traffic patterns).

We use the following types of cookies:

Strictly necessary cookies

• NextAuth.js session cookie — keeps you logged in. This is an encrypted, HTTP-only cookie that contains your session token. It's essential for the app to work and is deleted when you sign out.
• Locale preference — remembers your language choice.

Analytics cookies

• Google Analytics (_ga, _ga_*) — used to distinguish users and track page views, session duration, and general usage patterns. Data is anonymized and not used for advertising. These cookies expire after up to 2 years.

Google Analytics collects information such as your device type, browser, approximate location (country/city level), and pages visited. This data helps us understand how people use the app and improve it. Google may process this data on servers outside the EU — see Google's Privacy Policy for details.

Pikarama relies on these services to function:

• Google OAuth — sign-in authentication
• Facebook OAuth — sign-in authentication
• Telegram Bot API — optional notifications
• Google Analytics — anonymous usage analytics
• Vercel — hosting and deployment (US-based)
• Neon — PostgreSQL database hosting

Each of these services has its own privacy policy. We only share the minimum data needed for each service to work.

While the data controller is based in the EU (Prague, Czech Republic), some of your data is processed outside the EU:

• Vercel — the app is hosted on Vercel, which primarily uses infrastructure in the United States.
• Neon — the database may be hosted in US or EU regions depending on availability.

These transfers are covered by the providers' own data processing agreements, including Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework where applicable.

By using the app, you acknowledge that your data may be transferred to and processed in the United States.

Pikarama uses the following third-party sub-processors to deliver the service:

• Vercel Inc. (United States) — application hosting, serverless functions, and content delivery
• Neon Inc. (United States) — managed PostgreSQL database hosting
• Google LLC (United States) — OAuth authentication provider (Google Sign-In)
• Meta Platforms Inc. (United States) — OAuth authentication provider (Facebook Login)
• Microsoft Corporation (United States) — OAuth authentication provider (Microsoft Sign-In)
• Slack Technologies LLC / Salesforce Inc. (United States) — Slack integration for event notifications and interactions
• Telegram FZ-LLC (United Arab Emirates) — Telegram bot integration for event notifications and interactions
• Resend Inc. (United States) — transactional email delivery
• Google LLC (United States) — Google Analytics for anonymous usage tracking and site improvement

Each sub-processor processes data only as necessary to provide its specific service. All sub-processors maintain their own privacy policies and data processing agreements.

Your data is kept as long as your account exists. If you delete your account, your personal data is removed within 30 days.

Some anonymized data (like vote counts on past events) may remain to keep group histories consistent.

As an EU resident, you have the following rights under the General Data Protection Regulation:

• Right of access (Art. 15) — you can view your data in the app (profile, groups, events) or request a full export by email.
• Right to rectification (Art. 16) — if your data is inaccurate, contact us and we'll correct it.
• Right to erasure (Art. 17) — you can request deletion of all your personal data. See our Data Deletion page.
• Right to data portability (Art. 20) — you can request your data in a machine-readable format.
• Right to object (Art. 21) — you can object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7(3)) — you can withdraw consent at any time (e.g., by disconnecting Telegram or deleting your account).
• Right to lodge a complaint — you have the right to complain to a supervisory authority. For Czech Republic residents, this is the Office for Personal Data Protection (ÚOOÚ).

To exercise any of these rights, email us at support@pikarama.com. We will respond within 30 days.

We may update this policy from time to time. Significant changes will be communicated through the app.

Last updated: February 2026