PEAVO
GDPR Compliance Record
Internal Reference Document — Article 30 GDPR · Version 1.0 · 10 March 2026
1. Controller Details
Controller: Martin Minárik
Trading as: Peavo
Registered address: Velehradská 1735/28, Prague, Czech Republic
Contact: hello@peavo.me
DPO: Not formally required (SME below threshold). The controller handles data subject rights (DSR) requests directly.
Supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Czech Republic — www.uoou.cz
⚠ Review DPO requirement annually or if user count exceeds 5,000 active EU users or if large-scale processing of special category data begins.
2. Record of Processing Activities (Art. 30)
The following table records all personal data processing activities carried out by Peavo, in accordance with GDPR Article 30.
| Processing Activity | Categories of Data | Legal Basis | Retention | Processors |
|---|---|---|---|---|
| Account registration | Name, DOB, phone number, profile photo | Contractual necessity (Art. 6(1)(b)); Consent for under-16 (Art. 6(1)(a)) | Duration of account | Supabase, Twilio |
| Event creation & discovery | Approximate location, usage data, event content | Contractual necessity (Art. 6(1)(b)) | 90 days post-event | Supabase |
| Precise location sharing | GPS coordinates | Contractual necessity (Art. 6(1)(b)); Consent | Active event duration only | Supabase |
| In-app messaging | Message content, sender/receiver IDs, timestamps | Contractual necessity (Art. 6(1)(b)) | 90 days post-event | Stream Chat |
| Phone verification | Phone number, verification token | Contractual necessity (Art. 6(1)(b)) | Deleted after verification | Twilio |
| Analytics & crash reporting | Device info, IP, usage events (anonymized) | Legitimate interests (Art. 6(1)(f)) | 24 months (aggregated) | Internal |
| Payment & subscriptions | Transaction reference, subscription status | Contractual necessity (Art. 6(1)(b)) | 7 years (legal/tax) | Apple / Google |
| Content moderation | Reported content, user IDs, moderation logs | Legal obligation (Art. 6(1)(c)); Legitimate interests | 3 years | Internal |
| Safety & law enforcement | Account data, content, IP (on legal request) | Legal obligation (Art. 6(1)(c)) | Per legal requirement | Authorities |
3. Third-Party Processors and International Transfers
All third-party processors are engaged under written Data Processing Agreements (DPAs). Where processors are located outside the EU/EEA, Standard Contractual Clauses (SCCs — EU Commission Decision 2021/914) are in place unless an adequacy decision applies.
| Processor | Service | Location / Transfer Mechanism | Data Categories Processed |
|---|---|---|---|
| Supabase, Inc. | Database & backend hosting | USA (SCCs in place) | Account data, event data, location, messages |
| Stream (GetStream.io) | In-app messaging infrastructure | USA (SCCs in place) | Message content, user IDs |
| Twilio Inc. | SMS / phone verification | USA (SCCs in place) | Phone numbers, verification tokens |
| Apple Inc. | App distribution, payments (iOS) | USA (Adequacy / SCCs) | Transaction references, subscription status |
| Google LLC | App distribution, payments (Android) | USA (Adequacy / SCCs) | Transaction references, subscription status |
⚠ Action required: Confirm DPA and SCC documentation is obtained and filed for Supabase, Stream, and Twilio before public launch. Review annually and on each new processor engagement.
4. Data Subject Rights Procedures
The following procedures govern how Peavo handles requests from data subjects exercising their rights under GDPR Chapter III.
| Right | How User Submits | Internal Action | Response Deadline |
|---|---|---|---|
| Access (Art. 15) | User emails hello@peavo.me | Verify identity, compile data export | 30 days |
| Rectification (Art. 16) | User updates in-app or emails | Correct data in Supabase DB | 30 days |
| Erasure (Art. 17) | User deletes account or emails | Delete/anonymize account data; check retention exceptions | 30 days |
| Restriction (Art. 18) | User emails hello@peavo.me | Flag account; pause active processing | 30 days |
| Portability (Art. 20) | User emails hello@peavo.me | Export JSON data package | 30 days |
| Object (Art. 21) | User emails hello@peavo.me | Cease processing unless compelling legitimate grounds | 30 days |
| Withdraw Consent | User toggles in-app or emails | Disable consent-based processing; retain where other basis exists | Immediate |
All requests should be logged with: date received, right exercised, identity verification method, date responded, and any exemptions applied. Responses are provided free of charge. If requests are manifestly unfounded or excessive, a reasonable fee or refusal may apply (Art. 12(5)).
5. Processing of Minors' Data
Peavo is available to users aged 16 and above. The following measures apply:
- Date of birth is collected at registration to enforce the minimum age threshold
- Users aged 16–17 are treated as minors; parental/guardian consent is required via acknowledgment at registration
- Peavo does not knowingly collect data from children under 16; if identified, the account is deleted immediately
- Special anonymization features apply to minor users: their identity is not displayed to non-event-members
- No targeted advertising or profiling is applied to users under 18
- Data minimization is strictly applied to minor users
⚠ GDPR Art. 8 sets the consent age at 16 for information society services (Czech Republic has not lowered this threshold). Verify annually whether Czech law has been amended. The DSA (EU 2022/2065) imposes additional obligations on platforms accessible to minors — review DSA compliance separately.
6. Consent Management
Where processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a)), the following standards apply:
- Consent must be freely given, specific, informed, and unambiguous
- Consent is collected via clear opt-in mechanisms (not pre-ticked boxes)
- Records of consent are stored with timestamps and mechanism details
- Users can withdraw consent at any time via in-app settings or by contacting hello@peavo.me
- Withdrawal of consent does not affect the lawfulness of prior processing
Consent is NOT relied upon as the legal basis for processing that is necessary for contractual performance or legitimate interests.
7. Personal Data Breach Procedure
7.1 Detection and Initial Assessment (within 24 hours of discovery)
- Identify the nature of the breach: confidentiality, integrity, or availability
- Estimate categories and approximate number of data subjects affected
- Assess risk to rights and freedoms of data subjects
7.2 Supervisory Authority Notification (within 72 hours — Art. 33)
- Notify ÚOOÚ if the breach is likely to result in risk to individuals
- Include: nature of breach, categories/volume of data, likely consequences, measures taken
- If full information is not available within 72 hours, notify with available information and follow up
⚠ Notification is NOT required if the breach is unlikely to result in a risk to rights and freedoms (e.g. encrypted data on a lost device where the key is secure). Document the reasoning if not notifying.
7.3 Data Subject Notification (without undue delay — Art. 34)
- Notify affected users directly if the breach is likely to result in HIGH risk
- Notification must include: nature of breach, DPO/contact details, likely consequences, measures taken
- May be replaced by a public communication if individual notification is disproportionate
7.4 Documentation (Art. 33(5))
- Log all breaches regardless of whether notification was required
- Record: date/time discovered, nature, data categories, number affected, impact assessment, actions taken, notification decisions and rationale
8. Data Protection Impact Assessment (DPIA)
A DPIA is required under Art. 35 GDPR where processing is likely to result in a high risk. Peavo must conduct a DPIA before implementing:
- Systematic tracking of precise user location
- Profiling of users for event matching using automated decision-making
- Any large-scale processing of data relating to minors
- New processing purposes not covered by this record
Current assessment: Peavo's MVP processing activities fall below the DPIA mandatory threshold. However, a DPIA is recommended proactively for location-sharing features given the sensitivity of the data and the presence of minor users.
⚠ Conduct a DPIA before enabling persistent background location tracking or any automated profiling/matching features. Document outcomes and consult ÚOOÚ if residual risk remains high.
9. Digital Services Act (DSA) — Compliance Notes
Peavo is an online platform under Regulation (EU) 2022/2065 (DSA). As a small/micro provider (below 45M average monthly EU users), Peavo is subject to the baseline obligations:
- Maintain terms of service that are clear, accessible, and include content moderation rules
- Provide in-app reporting mechanisms for illegal content and conduct
- Act expeditiously on notices of illegal content
- Cooperate with national authorities and trusted flaggers
- Do not display targeted advertising to minors or based on sensitive data categories
- Provide a single point of contact for authorities: hello@peavo.me
Peavo is not subject to Very Large Online Platform (VLOP) obligations unless it reaches 45M average monthly EU users.
⚠ Confirm DSA registration with the Czech Digital Services Coordinator (DSC) once the app is publicly available. Monitor threshold regularly.
10. Document Control and Review
Document owner: Martin Minárik
Version: 1.0
Date: 10 March 2026
Review cycle: Annually, or on any material change to processing activities, new processor engagement, or regulatory update
This document is confidential and intended for internal use and regulatory compliance purposes. It should be made available to ÚOOÚ upon request.