This Privacy Notice for SMALA ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you download and use our mobile application (SMALA) or engage with us in other related ways. If you do not agree with our policies and practices, please do not use our Services. If you have any questions or concerns, please contact us at smala@smala.is.
Summary of Key Points
What personal information do we process? When you use our Services, we may process personal information depending on how you interact with SMALA, the choices you make, and the features you use. We do not process sensitive personal information. We do not collect information from third parties.
How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. Some features use AI (OpenAI) for theme generation and content moderation.
Who do we share information with? We share information only with specific third parties necessary to operate the service. We never sell your data.
How do we keep your information safe? We have organizational and technical processes in place to protect your personal information. However, no electronic transmission over the internet can be guaranteed to be 100% secure.
What are your rights? Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or export your data.
How do you exercise your rights? The easiest way is through the app settings or by contacting us at smala@smala.is.
1. What Information Do We Collect?
In Short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide when you register on the Services, participate in activities on the Services, or otherwise contact us. The personal information we collect depends on the context of your interactions with us and the features you use.
Personal information provided by you
Account information — phone number, first name, last name, birthday (optional), and profile picture.
Event data — event title, description, cover image, date/time, location name and address, capacity, and theme preferences.
RSVP and participation data — your attendance status, answers to custom event questions, and event membership role.
Photos — profile pictures and photos you upload to event albums.
Posts and replies — text content and GIFs you post within events.
Usage data — moderation reports and content interaction data (e.g., reactions).
We do not process sensitive information (such as racial or ethnic origins, sexual orientation, or religious beliefs).
Information collected through the app
Contacts — when you choose to invite friends, we access phone numbers from your device contacts to match them with registered users. We do not store your full contact list.
Device tokens — your Apple Push Notification token so we can send you notifications. You can opt out by turning off push notifications in your device settings.
SMS invitations — when a user invites someone by phone number who is not yet on SMALA, we send a single SMS to that number letting them know they've been invited to an event on SMALA.. The phone number is stored to associate the invitation with the recipient. We do not send marketing or promotional messages via SMS.
Camera and photo library — we may request access to your camera or photo library when you upload a profile picture or event photos. You can change this permission in your device settings at any time.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.
We do not collect any information from third parties.
2. How Do We Process Your Information?
In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.
We process your personal information for a variety of reasons, including:
To provide the service — creating events, sending invitations, managing RSVPs, and enabling communication between event participants.
To facilitate account creation and authentication — so you can create and log in to your account via phone number verification.
To send notifications — informing you of new invitations, event updates, comments, and reminders via push notifications and, for non-registered users, SMS messages.
To match contacts — helping you find and invite friends who already use SMALA.
To enable user-to-user communication — allowing users to post, comment, and interact within events.
To ensure safety — moderating content, handling reports, and enforcing our Terms of Service, including fraud monitoring and prevention.
To improve the service — understanding how features are used so we can make SMALA better.
To comply with legal obligations — responding to lawful requests from authorities when required by Icelandic or EU law.
3. What Legal Bases Do We Rely On?
In Short: We only process your personal information when we have a valid legal reason to do so under applicable law.
The General Data Protection Regulation (GDPR) requires us to explain the valid legal bases we rely on to process your personal information. We may rely on the following:
Consent — we may process your information if you have given us permission to use your personal information for a specific purpose (e.g., accessing your contacts or enabling push notifications). You can withdraw your consent at any time through your device settings or by contacting us.
Performance of a Contract — we process your personal information when necessary to fulfill our contractual obligations to you, including providing the Services.
Legitimate Interests — we may process your information when reasonably necessary to achieve our legitimate business interests, provided those interests do not outweigh your rights and freedoms. For example: diagnosing problems, preventing fraud, and understanding how users use the service to improve the experience.
Legal Obligations — we may process your information where necessary to comply with our legal obligations, such as cooperating with law enforcement or regulatory agencies.
Vital Interests — we may process your information where necessary to protect your vital interests or those of a third party, such as situations involving potential threats to safety.
4. When and With Whom Do We Share Your Information?
In Short: We do not sell your personal data. We share information only with specific third parties necessary to operate the service.
Supabase — our backend and database provider, which hosts all app data.
Apple (APNs) — to deliver push notifications to your device.
Twilio — to send SMS invitation messages to invited phone numbers.
OpenAI — to power AI-generated event themes and content moderation. Only event-related content is shared, not your account information.
GIPHY — when you search for GIFs, your search query is sent to GIPHY's API.
Meta (Facebook/Instagram) — only when you choose to share event content to Instagram or Facebook Stories.
Other users — your name, profile picture, and event activity are visible to other participants of the same event. Public events are visible to all users. When you share personal information or interact with public areas of the Services, such information may be viewed by all users.
Law enforcement — if required by Icelandic or EU law or valid legal process.
Business transfers — we may share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
5. Do We Use Artificial Intelligence?
In Short: We use AI-powered features provided by OpenAI to enhance your experience.
As part of our Services, we use artificial intelligence through a third-party provider (OpenAI) for the following purposes:
Theme generation — when you create an event, AI may be used to generate visual theme suggestions based on your event details.
Content moderation — we use AI-powered moderation to help detect and flag content that may violate our Terms of Service, such as inappropriate text or images.
When these features are used, relevant data (such as event descriptions or user-submitted content) is sent to OpenAI for processing. We do not share your account information (name, phone number, etc.) with OpenAI. All data processed through AI features is handled in line with this Privacy Notice and OpenAI's usage policies.
6. How Long Do We Keep Your Information?
In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.
Account data — retained for as long as your account is active.
Event data — retained for as long as the event exists. Archived events are kept until deleted by the host.
Photos and posts — retained until you or the event host deletes them, or until the event is deleted.
Device tokens — retained while your account is active and updated when your token changes.
SMS invitation logs — retained to prevent duplicate messages and for rate-limiting purposes.
Deleted accounts — when you delete your account, we will deactivate or delete your account and information from our active databases, including events, photos, posts, contacts, device tokens, and notifications. We may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our legal terms, and/or comply with applicable legal requirements.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it. If this is not immediately possible (for example, because information has been stored in backup archives), we will securely store it and isolate it from further processing until deletion is possible.
7. How Do We Keep Your Information Safe?
In Short: We aim to protect your personal information through a system of organizational and technical security measures.
All data is transmitted over HTTPS/TLS encryption.
Database access is controlled through row-level security policies — users can only access data they are authorized to see.
Authentication is handled via one-time passcodes (OTP) sent to your phone number.
Photos are stored in secure, access-controlled storage buckets.
We do not use third-party analytics or tracking SDKs.
Despite our safeguards and efforts to secure your information, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that unauthorized third parties will not be able to defeat our security and improperly access your information. Transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.
8. Do We Collect Information From Minors?
In Short: We do not knowingly collect data from or market to children under 13 years of age.
We do not knowingly collect, solicit data from, or market to children under 13 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 13 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 13 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 13, please contact us at smala@smala.is.
9. What Are Your Privacy Rights?
In Short: In the EEA, UK, and Switzerland, you have rights that allow you greater access to and control over your personal information.
Under applicable data protection laws (including the GDPR), you have the following rights:
Access your data — request a copy of the personal data we hold about you.
Correct your data — update your name, birthday, profile picture, and other account information directly in the app, or request rectification of inaccuracies.
Delete your data — delete your account from within the app, which permanently removes all associated data. You may also request erasure by contacting us.
Export your data — request a portable copy of your data by contacting us.
Restrict processing — request that we restrict the processing of your personal information in certain circumstances.
Object to processing — object to the processing of your personal information where we rely on legitimate interests as our legal basis.
Withdraw consent — revoke permissions (contacts, notifications) at any time through your device settings. You may also delete your account to withdraw all consent. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
We will consider and act upon any request in accordance with applicable data protection laws.
If you have questions or comments about your privacy rights, you may email us at smala@smala.is.
10. Do We Make Updates to This Notice?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated date at the top of this page. If we make material changes, we may notify you by prominently posting a notice or by sending you a notification through the app. We encourage you to review this Privacy Notice frequently to stay informed of how we are protecting your information.
11. How Can You Contact Us?
If you have questions or comments about this notice, you may contact us at:
12. How Can You Review, Update, or Delete Your Data?
Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You can review and update your information directly in the app settings. To delete your account, use the account deletion option in the app. For any other data requests, please contact us at smala@smala.is.