Privacy Policy for PandaGo

DE EN

1. Data Controller

PandaGo (Sole Proprietorship)

Registered in: Carinthia, Austria

Email: pandago.app@gmail.com

Website: www.pandago.at

2. Active Data Minimization – As Little as Possible

PandaGo practices active data minimization:

We store ONLY what is strictly necessary for platform functionality
No profile pictures, no chats, no personal preferences
Login: Only email and first/last name (for identification)
Optional phone number: Only if the user wishes to provide it
Property data: Exclusively for property brokerage purposes

3. Legal Basis for Data Processing

Contract Performance (Art. 6(1)(b) GDPR):

For property brokerage and establishing contact
Account management and listing creation

Legitimate Interest (Art. 6(1)(f) GDPR):

Platform operation and technical security
Improving search results and user experience

Consent (Art. 6(1)(a) GDPR):

For login and sharing of contact details
Voluntary provision of phone number

4. What Data Is Stored?

a) Account Data (mandatory):

Email address (for login and contact)
First and last name (for identification)
Firebase Authentication UID (technical ID)

b) Optionally provided by user:

Phone number (if desired for faster contact)
Postal code and city (for regional search)

c) Property data (only when creating a listing):

Property description, images, price, location
Contact details for interested parties (only when shared by user)

d) Contact Inquiries:

Name, email/phone of the interested party (only upon contact)
Inquiry details (viewing request, callback, etc.)
Retention period: 24 months after creation

e) Technical Data (minimal):

Server logs (anonymized after 30 days)
No IP storage, no tracking cookies, no profiling

5. Camera and Media Access

To take and select property photos, the app requires access to your camera and photo library. This permission is only requested after your explicit consent. Images are transmitted encrypted and stored on secure servers within the EU. You can delete your uploaded images at any time.

6. Firebase Authentication

We use Firebase Authentication (Google) for login. Only your email address and an encrypted identifier (UID) are stored. All data is hosted on servers within the EU (Frankfurt, Germany). Firebase Authentication meets GDPR standards (ISO 27001, SOC 2/3).

7. Image Storage (Cloudinary)

Uploaded images are stored and optimized via Cloudinary (EU servers, GDPR-compliant). Cloudinary processes images exclusively on behalf of PandaGo and does not share them with third parties.

8. Data Deletion

Deletion upon Account Deletion:

When you delete your account, all personal data is immediately and completely removed from our active systems.

Retention Obligation for Billing Data:

If paid transactions have occurred in connection with your account, we are required under § 132 of the Austrian Federal Tax Code (BAO) to retain the associated billing data for 7 years. In this case, your personal data in these records will be pseudonymized immediately after account deletion.

Automatic Deletion Due to Inactivity:

User accounts inactive for more than 24 months are automatically deleted.

Additional Retention Periods:

Property listings: 12 months after deactivation (then automatic archival)
Contact inquiries: 24 months (warranty periods)
Technical logs: 30 days (anonymized)

9. Data Hosting – Google Firebase (Frankfurt, EU)

All data is stored GDPR-compliantly within the EU:

Data hosting: Google Firebase (Server location: Frankfurt, Germany)
Encryption: End-to-end encrypted transmission (TLS/SSL)
Access: Only technical administrator (PandaGo)
No third-country transfer: All data remains within the EU

Privacy certification: Google Firebase meets ISO 27001, SOC 2/3, and GDPR standards.

10. Data Sharing with Third Parties

To property providers: Only upon explicit contact initiation by you
To authorities: Only when legally required (§ 12 DSG)
No commercial sharing with advertising partners or data brokers
Email delivery: SendGrid (EU servers, GDPR-compliant) only for contact inquiries
Payment processing: Stripe Inc. for secure payment processing (GDPR-compliant through EU-US Data Privacy Framework)

11. Your Rights Matter to Us

You have the right at any time to:

Access (Art. 15 GDPR): Find out what data is stored about you
Rectification (Art. 16 GDPR): Correction of inaccurate data
Erasure (Art. 17 GDPR): Immediate and complete deletion of your account
Data portability (Art. 20 GDPR): Export of all your data upon request
Objection (Art. 21 GDPR): Object to data processing
Restriction (Art. 18 GDPR): Restriction of processing

Delete your account at any time with immediate effect: Use the account deletion function in your profile or contact us via email.

12. Security Measures

TLS/SSL encryption for all data transmissions
Firebase authentication with modern security standards
Firestore Security Rules: Users can only view/edit their own data
Regular security audits
Passwords are never stored in plain text

13. Cookies and Tracking

PandaGo uses no tracking cookies and no third-party analytics tools.

Session cookies: Only technically necessary for login status
No advertising cookies
No profiling

14. Contact and Right to Complain

For questions or to exercise your rights:

Email: pandago.app@gmail.com

Right to lodge a complaint with the supervisory authority:

Austrian Data Protection Authority

Barichgasse 40-42, 1030 Vienna

Phone: +43 1 52 152-0

Email: dsb@dsb.gv.at

For our app users: Privacy Promise

In the PandaGo app, you can find a user-friendly summary of our data protection approach under "Information" → "Privacy Promise".

This summary is for better understanding. This complete privacy policy is the legally binding document.

Last updated: February 2026
This privacy policy complies with the current legal requirements of the GDPR and the Austrian Data Protection Act (DSG).
Built with passion in Austria by PandaGo