Privacy Policy

1. Introduction

PNASTAPP is a social networking platform aimed at users in Cyprus and Greece, operated by PNASTAPP (the "Controller", "we", "us", "our").

This Privacy Policy explains what personal data we process about you, why we process it, who we share it with, how long we keep it, and the rights you have. It applies whenever you use our website, our mobile app, or communicate with us.

We comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Cyprus Processing of Personal Data (Protection of Individuals) Law 125(I)/2018, the Greek Data Protection Law 4624/2019, the ePrivacy Directive 2002/58/EC as implemented locally, and the EU Digital Services Act (Regulation 2022/2065, "DSA").

If you disagree with any part of this policy, please do not use PNASTAPP.

2. Who we are (Data Controller)

We have not appointed a Data Protection Officer because we do not meet the mandatory thresholds in Art. 37 GDPR. All data-subject requests are handled directly by the Controller at the address above.

3. Supervisory authorities & your right to complain

You may lodge a complaint with the supervisory authority of your country of residence or place of alleged infringement:

• Cyprus — Office of the Commissioner for Personal Data Protection
  Iasonos 1, 1082 Nicosia — www.dataprotection.gov.cy — [email protected]
• Greece — Hellenic Data Protection Authority (HDPA / ΑΠΔΠΧ)
  Kifisias 1-3, 115 23 Athens — www.dpa.gr — [email protected]

4. Personal data we process

4.1 Data you give us when you sign up

We use Google OAuth as our sole authentication method. When you sign in, Google shares the following with us: your email address, your full name, your Google account ID, and your Google profile picture. We do not receive your Google password.

4.2 Data in your profile

• Nickname (unique username, 3–17 characters)
• Bio / intro text (maximum 100 characters)
• Profile picture and cover image (either uploaded by you or selected from our defaults)
• Optional social links (Facebook, Instagram, YouTube, Twitch, TikTok, Gmail)
• Historical profile pictures and covers you have used (kept for moderation and impersonation protection)

4.3 Content you create

• Posts (text, images, videos, link previews)
• Comments and replies
• Tags of other users inside your posts and comments
• Reports you submit against other users' content
• Messages you send through the contact form

4.4 Interactions we record

• Which posts and comments you like and unlike
• Which users you follow, unfollow, block and unblock
• Which posts you repost
• Which posts you save

4.5 Technical data we collect automatically

• Session tokens to keep you logged in
• IP address and user-agent string, stored with every active session and with security-relevant entries in our activity log (see section 6)
• CSRF tokens used to protect form submissions
• Push notification tokens if you opt in to mobile push (delivered via Apple APNs or Google Firebase Cloud Messaging)
• Cookies and local storage entries on the web — see our Cookies Policy

5. Why we process your data & our legal basis

6. Activity log (important disclosure)

We maintain an internal table called activity_logs that records specific actions you take on the platform. We disclose it here in full because we believe users have the right to know.

What is logged:

• Post actions: create, edit, delete, like, unlike, report
• Comment actions: create, reply, edit, delete, like, unlike, report
• User actions: follow, unfollow, block, unblock, avatar change, cover change, intro change, profile update
• Each row stores: the action type, the actor's user ID and nickname, the target (if any), the related post or comment ID, a permalink, and a timestamp
• On security-relevant rows (login, post create, post delete, post edit, report, block, unblock, account changes) we additionally store the IP address and user-agent.
• On routine engagement rows (like, unlike, follow, unfollow, repost) we do not store IP or user-agent.

Why we keep this log: fraud and abuse prevention, detection of coordinated like / report rings, content-moderation dispute resolution under DSA Art. 20, responses to lawful law-enforcement requests, and detection of account takeovers.

Legal basis: legitimate interest under Art. 6(1)(f) GDPR. Our internal Legitimate Interest Assessment is available to supervisory authorities on request.

Retention:

• Routine engagement rows: 90 days, then automatically deleted.
• Security-relevant rows: 12 months, then automatically deleted.

On account deletion: your actor ID, nickname, IP and user-agent are removed from all of your remaining activity log rows in the same operation that anonymises your profile. The action type and timestamp are kept as anonymous statistics.

You have the right to object to this processing under Art. 21 GDPR. If you exercise that right we will null the identifying fields on your existing rows, but we cannot delete the row itself because that would defeat the moderation-integrity purpose that justifies the processing.

7. Automated image moderation (NSFW scanning)

Every image you attempt to upload to PNASTAPP — whether a post image, a comment image, a profile picture or a cover image — is automatically scanned before it is stored, to detect nudity, sexual content, violence, weapons, drugs and other content that our Terms prohibit. We do this to protect other users, including minors, and to meet our obligations under DSA Art. 14.

The scan is performed by Sightengine SAS, a processor established in France, using their online image-moderation API. The image bytes are sent to Sightengine over TLS, Sightengine returns a set of scores, and the image is then either stored in our database (if the scores are below our thresholds) or rejected and not stored at all. We do not keep the raw Sightengine scores tied to your identity — only a pass/fail outcome in our logs.

Legal basis: legitimate interest under Art. 6(1)(f). International transfer:Sightengine processes in the EU, so no third-country safeguard is required. Data-processing agreement: governed by Sightengine's standard DPA. See sightengine.com/privacy for their own privacy terms.

8. Who we share your data with (processors)

We do not sell or rent your personal data. We share it only with the processors listed below, each of which is bound by a Data Processing Agreement requiring them to process your data only on our instructions and to apply appropriate security measures.

We may also disclose personal data to Cyprus or Greek courts, the police and other public authorities when we are legally required to do so (for example, in response to a lawful production order).

9. International data transfers

Some of our processors (Google, Mux, Apple) are established in the United States. When your data is transferred outside the European Economic Area we rely on one or more of the following safeguards required by Chapter V of the GDPR:

• Standard Contractual Clauses adopted by the European Commission (Decision 2021/914).
• EU-US Data Privacy Framework certification where available (Google and Apple are DPF-certified).
• Where applicable, Transfer Impact Assessments documenting the additional measures taken.

You may request a copy of the specific transfer mechanism for any processor by emailing us.

10. Data retention

11. What happens when you delete your account

You can delete your account at any time from the Settings page. When you do, we run a single atomic operation that:

• Marks your users row as deleted and replaces your full name with "This user has deleted their account".
• Randomises your unique identifier so nothing new can be linked to you.
• Nullifies your Google OAuth link, social links, nickname, and profile picture (replaced with a default avatar).
• Deletes your push notification tokens, your unexpired sessions, your CSRF tokens, your saved profile-picture history and cover history, and your notification inbox.
• Nullifies your actor ID, nickname, IP and user-agent in all of your remaining activity log rows.
• Revokes all your active sessions, signing you out everywhere.

Your posts and comments remain visible. This is lawful under Art. 17(3)(a) GDPR: the freedom of expression and information of the other users who replied to, liked or depend on those threads is a legitimate reason to keep the content, provided the author is no longer identifiable — which, after the anonymisation above, is the case.

If you need specific posts or comments to be removed as well (for example because they contain personal data of yours), email us at [email protected]and we will remove them individually. We will do this within one month under Art. 12(3) GDPR.

12. Your rights under GDPR

13. Cookies & local storage

On the web we use a small number of cookies and browser storage entries. On first visit you are asked whether you accept functional, analytics and marketing cookies — analytics and marketing cookies are denied by default and no third-party script (Google Analytics, Google AdSense) loads until you opt in.

The full list of cookies, their purposes, durations and the local-storage entries we set is in the Cookies Policy.

14. Children's privacy

If we learn that an account belongs to a child under 16, we delete the account without delay. If you are a parent or guardian and believe a child under 16 is using PNASTAPP, please contact us at [email protected].

15. Security

• TLS encryption for all traffic
• OAuth 2.0 sign-in (we never see your Google password)
• HTTP-only, SameSite=Lax session cookies
• CSRF tokens on state-changing requests
• Row-level security at the database layer
• Server-side file type and size validation for uploads
• Automated image moderation before any image is stored
• Automated text moderation for posts, comments, nicknames and bios

No system is perfectly secure. We will notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in a risk to your rights, as required by Art. 33 GDPR, and we will notify you directly if the breach is likely to result in a high risk (Art. 34).

16. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, our processors, the law, or the service. When we make a material change we will give you reasonable advance notice — in-app, by email, or with a banner on the website — before it takes effect. Minor clarifications may be made with only a change of the "Last Updated" date above.

17. Language

This Privacy Policy is available in English and Greek, both accessible via the language toggle at the top of this page. The English version is the legally prevailing version; the Greek version is provided for convenience and to meet Greek consumer-protection obligations. In case of conflict, the English version prevails.

18. Contact