This Privacy Policy explains how We, at Qvit, collect, use, share, and protect Your information. By using the Services, You accept this Privacy Policy. If You do not agree, do not use the Services.
1. Who We Are
- Qvit is a loyalty app for cafés in Georgia, available on the Apple App Store and Google Play Store.
- We, Us, Our: the operator of Qvit, based in Tbilisi, Georgia.
- Contact: support@qvit.ge
- Partner Café: A café participating in the Qvit loyalty program.
2. What We Collect
You provide:
- Name or display name, email address, and an authentication identifier when You sign in with Apple or Google.
- Optional profile preferences (favourite cafés, drinks).
- Referral codes when You invite or are invited by a friend.
- Messages You send to support.
Collected automatically:
- Loyalty activity: stamps and points earned, redemption history, and the Partner Café where each transaction occurred.
- Presence verification data: Bluetooth Low Energy (BLE) signals from beacons and/or NFC tag reads at Partner Cafés. Used only to confirm physical presence at the moment of a stamp claim. Raw signals are not retained beyond what is needed to validate the transaction.
- Location: only while the App is in use, to match You to a nearby Partner Café. We do not collect location in the background.
- Device and usage data: device identifier, App version, operating system, error reports, crash logs.
- Push notification tokens issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM), used only to deliver notifications You have opted into.
We do not collect payment card data. Loyalty rewards are settled directly between You and the Partner Café.
3. How We Use It
- Operate the loyalty program: track stamps, verify visits, deliver rewards.
- Show You nearby Partner Cafés and active offers.
- Process referrals.
- Send push notifications You have opted into, and service-related emails (security, account, technical updates).
- Prevent fraud (for example, attempts to bypass presence verification).
- Diagnose errors and improve the App.
- Respond to Your support requests.
4. Lawful Bases for Processing
Under the Georgian Law on Personal Data Protection, and where applicable the EU GDPR, We process Your data on the following grounds:
- Contract: to deliver the Services You signed up for.
- Consent: for features You explicitly opt into (push notifications, marketing).
- Legitimate interests: fraud prevention and product improvement, where these do not override Your rights.
- Legal obligations: when required by law.
You can withdraw consent at any time via in-App settings or by emailing support@qvit.ge. Withdrawal does not affect prior processing and may limit some features.
5. Who We Share It With
We share Personal Data only as follows, and We do not sell it.
Partner Cafés: when You claim a stamp or redeem a reward, the relevant Partner Café receives confirmation of the transaction and a non-identifying token or display name needed to honour the reward. Partner Cafés do not receive Your email address, full account, or location history.
Service providers who process data on Our behalf:
- Supabase
- Railway
- Apple (APNs) and Google (FCM)
- Titan Email
Legal and protective disclosures: We may share data when required to comply with the law, respond to lawful requests, enforce Our Terms, prevent fraud, or protect the rights and safety of Users or third parties.
6. Storage, Security, and Retention
Your data is stored on servers operated by the providers listed above, which may be located outside Georgia (primarily in the EU and United States). We rely on these providers' contractual safeguards (such as Standard Contractual Clauses) for international transfers.
We use TLS encryption, access controls, and authentication through established identity providers. No system is fully secure; We cannot guarantee absolute protection of data transmitted over the Internet.
Retention:
- Active accounts: for as long as the account is active.
- Deleted accounts: removed within 30 days of a deletion request, except where We are legally required to retain data.
- Support correspondence: up to 2 years from last interaction.
- Analytics and crash logs: up to 12 months.
Data breaches: If a breach affects Your Personal Data, We will notify You within 72 hours, describe what happened, explain the steps We are taking, and cooperate with the State Audit Office of Georgia as required.
7. Your Rights
Under the Georgian Law on Personal Data Protection, and where applicable the EU GDPR, You have the right to:
- Access the data We hold about You.
- Rectify inaccurate or incomplete data.
- Erase Your data (right to be forgotten), subject to legal retention requirements.
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interests, including direct marketing.
- Data portability: receive Your data in a structured, machine-readable format.
To exercise any of these rights, email support@qvit.ge. We respond within one month.
8. App Permissions
Qvit requests:
- Location
- Bluetooth
- NFC
- Push notifications
- Camera
These permissions are used for scanning and presence verification during stamp collection, and to show nearby points of interest (Partner Cafés).
Manage permissions in Your device settings. Some features may be limited if denied; the App remains functional without push notifications.
9. Age Restrictions
- Qvit is intended for users aged 13 and over.
- Users aged 13 to 15 must have the consent of a parent or legal guardian.
- We do not knowingly collect data from children under 13. If You believe a child under 13 has provided Us with data, contact support@qvit.ge and We will delete it.
10. Cookies
Our Website uses essential and functional cookies. The mobile App does not use browser cookies but stores local identifiers on Your device for authentication. You can manage Website cookies via Your browser settings.
11. Changes to This Policy
We may update this Privacy Policy as the Services or applicable laws evolve. Material changes will be communicated via email or in-App. Continued use of the Services after a change constitutes acceptance.
12. Governing Law and Complaints
This Policy is governed by Georgian law. Disputes are subject to the jurisdiction of the courts of Tbilisi, Georgia.
You may lodge a complaint with the State Audit Office of Georgia (სახელმწიფო აუდიტის სამსახური), which has assumed personal data protection functions in Georgia as of 2 March 2026. Website: sao.ge.
13. Contact
Questions, requests, or complaints regarding this Privacy Policy: support@qvit.ge. We respond within 7 business days.