Notice

Privacy Policy

Last updated: June 13, 2026 · Version 1.1 · Courtesy translation — the Italian version prevails

This notice describes how the Hepcat mobile app ("the App") processes its users' personal data under Regulation (EU) 2016/679 ("GDPR"). The App is free, ad-free, and never sells your data.

I. Data controller

The data controller is Alessandro Di Già, reachable at info@hepcatapp.com.

II. Data we process

Account data: email address, username, display name and, if you provide them, city, country, year you started dancing, dance role, bio and profile photo.
Content you create: messages and photos in trip group chats, board announcements, bookings, polls, checklists, shared expenses, festival attendance and wishlists.
Social relations: friendships, friend requests, blocked users and reports you submit.
Push notification token: a technical device identifier required to deliver notifications.
Location: if you grant permission, the App detects only your country code (e.g. "IT") directly on your device, to show nearby festivals. Coordinates are never sent to or stored on our servers. You can deny the permission and still use the App.

We collect no advertising data and use no third-party analytics tools.

III. Purposes and legal bases

Purpose	Legal basis
Providing the service: account, profile, content, chat, notifications	Performance of a contract (Art. 6.1.b GDPR)
Showing festivals based on your detected country	Consent (Art. 6.1.a GDPR), revocable in your device settings
Security, moderation of reported content, abuse prevention	Legitimate interest (Art. 6.1.f GDPR)
Legal compliance	Legal obligation (Art. 6.1.c GDPR)

IV. Where your data lives and who processes it

Data is hosted on Supabase infrastructure (database, authentication and file storage) in the European Union — Frankfurt, Germany (AWS eu-central-1) region. Push notifications are delivered through Expo (Expo Push Service), Google (Firebase Cloud Messaging, Android devices) and Apple (Apple Push Notification service, iOS devices). These providers act as processors under agreements compliant with Art. 28 GDPR.

Any transfers to third countries rely on Standard Contractual Clauses or adequacy decisions (including the EU-U.S. Data Privacy Framework, where applicable). Your data is never sold or shared with third parties for marketing purposes.

We apply appropriate technical measures (Art. 32 GDPR): data is transmitted over encrypted connections (TLS/HTTPS) and stored encrypted at rest by the infrastructure. Chat messages are not end-to-end encrypted: they remain accessible to the controller for security, moderation and notification delivery purposes.

V. Who can see your content

Board announcements and social activity are visible only to your accepted friends.
Chat messages and photos are visible only to the members of the trip group.
Your profile (name, username, photo, dance styles) is visible to other registered users of the App.

VI. Retention and deletion

Data is kept for as long as your account is active. You can delete your account at any time from the App (Profile → menu → Delete account): your profile, friendships, announcements, photos and all other personal data are permanently deleted. Messages already sent in group chats remain visible to other members but are anonymised (no author).

VII. Your rights

Under Arts. 15–22 GDPR you may exercise your rights of access, rectification, erasure, restriction, portability and objection by writing to the email address above. You also have the right to lodge a complaint with your supervisory authority (in Italy, the Garante: garanteprivacy.it).

VIII. Minimum age

The App is intended for users aged 14 or older, the digital consent age in Italy under Legislative Decree 101/2018.

IX. Changes

Material changes to this notice will be communicated through the App. The current version is always available on this page.