Privacy Policy
Last updated: 2026-04-28
This page is currently available in English only. Legal text should not be machine-translated; translated versions will follow after human review.
This Privacy Policy explains how MalexSoftware ("we", "us", "our") processes personal data when you use GateVia (the "Service"). It applies to the GateVia dashboard at app.gatevia.app, the public marketing site at gatevia.app, and the guest access pages.
1. Who we are (Controller)
MalexSoftware is the data controller for personal data described in this policy.
- General contact: [email protected]
- Privacy / data protection inquiries: [email protected]
2. The personal data we process
We deliberately limit collection to what the Service needs:
- Account data — email address, first/last name, organisation name, role, preferred language, account creation and last-login timestamps.
- Device (gate) data — gate name, internal location label, GSM phone number, optional notes. This is not personal data unless you choose to put a person's name in those free-text fields.
- Membership and access data — which gates you can open or invite for, role within an organisation, audit log of administrative actions.
- Guest data — guest name and (where you provide them) email, phone number, schedule, and a single-use access token.
- Usage data — gate-open events (timestamp, gate identifier, success/failure, the user or guest token used). For guest events we may also log the IP address that triggered the open, for security review.
- Technical data — IP address and user-agent on requests we receive, used for rate-limiting and fraud prevention; pino-formatted server logs retained for a short period.
- Communications — the content of emails or messages you send to [email protected] and our reply.
We do not record audio of the GSM voice calls used to open gates. The GSM call is a one-tone "ring and hang up" signalling channel. We do not collect content of your messages, contacts, or microphone/camera data of any kind.
3. Lawful bases (Art. 6 GDPR)
- Contract (Art. 6(1)(b)) — to provide the Service to you under our Terms of Service: account creation, gate-open routing, guest access invitations, member/guest management.
- Legitimate interest (Art. 6(1)(f)) — to keep the Service secure (rate-limiting, fraud detection, audit logging of admin actions), to debug failures, and to communicate service-related updates. We balance this interest against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — accounting and tax records, responses to lawful requests from authorities.
- Consent (Art. 6(1)(a)) — only where applicable (e.g. optional non-essential cookies or marketing emails). You may withdraw consent at any time.
4. Sub-processors and where data is stored
The following providers process personal data on our behalf:
| Provider | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| MongoDB Atlas | Application database | EU (Frankfurt) | EU/EEA — no transfer |
| Firebase Authentication (Google Cloud) | Sign-in and identity | EU multi-region | EU/EEA, with SCCs for any incidental transfer |
| Resend | Transactional email delivery | US | EU SCCs (2021/914) + DPA |
| DigitalOcean | Hosting / compute | EU | EU/EEA — no transfer |
| Cloudflare | DNS, TLS, edge protection | Global edge with EU datacentre routing | EU SCCs + DPA |
| SMS Hub gateway | Routing voice-call signalling to GSM gates | Customer-controlled | The gateway is a thin signalling relay; no message content is stored |
We update the list of sub-processors as the Service evolves and notify customers materially affected at least 30 days before adding a sub-processor that handles new categories of personal data.
5. International transfers
Where personal data leaves the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and on supplementary measures (encryption in transit, access controls) to provide an essentially equivalent level of protection. You may request a copy of the relevant transfer mechanism by emailing [email protected].
6. Retention
- Account and organisation data — for as long as your account is active. We retain it for up to 30 days after a verified deletion request, or longer if required by law (e.g. accounting).
- Audit logs — 12 months from the event date, then deleted.
- Gate-open call history — 12 months from the event, then aggregated/anonymised for service-quality analysis.
- Guest access tokens — for the active lifetime of the schedule, plus 90 days after expiry, then deleted.
- Server / request logs — at most 30 days, except entries flagged for security investigation, which may be retained for up to 12 months.
- Backups — encrypted backups are retained on a rolling 30-day window. Personal data persists in those backups until they are rotated out.
- Communications — emails to [email protected] are retained for 24 months unless required longer for an open dispute.
7. Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Have inaccurate data corrected (Art. 16).
- Have data erased ("right to be forgotten") where applicable (Art. 17).
- Restrict processing in certain cases (Art. 18).
- Receive your data in a portable, machine-readable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Not be subject to a decision based solely on automated processing that produces legal effects on you (Art. 22) — we do not perform such processing.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority. In Romania this is ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (www.dataprotection.ro). You may also contact the supervisory authority of your habitual residence or place of work.
To exercise any of these rights, email [email protected]. We will respond within one month and may extend by up to two further months for complex requests, in which case we will inform you within the first month.
8. Cookies and similar technologies
The marketing site uses no third-party tracking cookies. The dashboard uses browser storage (localStorage, IndexedDB) for the Firebase Authentication session and for remembering UI preferences such as language and active organisation. These are strictly necessary for the Service to function and do not require consent under Art. 5(3) of the ePrivacy Directive.
If we add privacy-friendly analytics (e.g. Plausible, with no personal identifiers and EU-hosted), we will list them in our Cookie Policy and give you the choice to opt out where required.
9. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- TLS 1.2+ encryption in transit for all connections.
- Encryption at rest for the application database and backups.
- Per-organisation isolation of data and least-privilege access for staff.
- Strict environment-variable validation at boot, server-side request validation, and rate-limiting.
- Audit logging of administrative actions and access to gate hardware.
- Periodic dependency and vulnerability review.
No system is perfectly secure. We commit to acting in good faith and to the breach-notification process below.
10. Breach notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk, we will inform affected data subjects without undue delay (Art. 34 GDPR), with information sufficient for you to take protective steps.
11. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us and we will delete it.
12. Automated decision-making
We do not engage in automated decision-making that produces legal effects on you or significantly affects you. We do apply automated rate-limiting and fraud rules to protect the Service; these decisions can be reviewed by a human on request.
13. Changes to this policy
We will notify account holders by email of material changes at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact
For privacy questions, requests, or complaints: [email protected].
For all other questions: [email protected].