Privacy Policy

Last updated: 2026-07-11

The Czech version of this document is the legally binding one for users in the Czech Republic. This English version is provided for convenience.

At a glance


1. Who we are

DrinksUp (the "app" or "service"), available at https://app.drinksup.eu, is operated by Alethe, s.r.o. ("we", "us", "our"). We are the data controller for personal data processed via the service. Our registered office is Sládkova 1728/17, 360 01 Karlovy Vary, Czech Republic. Contact us at info@alethe.eu.

2. Who the service is for

DrinksUp involves alcohol consumption and is intended exclusively for persons aged 18 and over. We verify age via date of birth at signup. If we find that an account was created by a person under 18, we close it and delete the related data.

3. What data we collect

CategoryExamplesSource
Account dataemail, display name (nickname), password (stored hashed)You provide at signup
Age verification (18+)date of birth is entered at signup for the age check only — we do not store it; we keep only the verification dateYou / automatic
Google sign-inemail and name from your Google account (if you use Google login)Google (with your consent at Google)
Profile photoavatar you uploadYou upload voluntarily
Game contentcrawls created, venues chosen, tasks completed/skipped, votes, points, ranking, punishmentsGenerated by your play
Task photosphotos you upload as proof of task completionYou upload voluntarily
Locationapproximate location to find venues and build a routeYour device (only if you allow it)
Analytics datade-identified usage events (action type, coarse time, region) grouped under a random per-crawl token — never under your name, account ID, or a specific crawlAutomatic
Payment datatransaction and payment identifiers needed for accounting; full card details are processed directly by Stripe — we have no access to themYou / Stripe
Technical dataIP address, browser, device (from provider logs), technical error logs (Sentry)Automatic

About drinking and "health" data. As part of gameplay the app records which tasks you complete — including tasks that involve drinking alcohol — as game content, in order to run the game, build your end-of-crawl recap, and rank the leaderboard. We process this to perform our contract with you (Art. 6(1)(b) GDPR), it is visible only to you and your fellow players in that crawl, and it is deleted when you delete your account. We do not use it to profile you, we never place per-person drink data into our anonymous analytics, and we do not otherwise intentionally process special-category data (biometrics, political opinions, etc.). When you upload photos, be aware they may capture other people — see §7.

4. Why we process it (purposes + legal basis)

PurposeLegal basis (Art. 6 GDPR)Notes
Operate the service, account and gameContract — Art. 6(1)(b)Without this data we cannot provide the service
Processing payment for a crawlContract — Art. 6(1)(b)Payment is handled by Stripe
Keeping accounting and tax recordsLegal obligation — Art. 6(1)(c)Accounting Act
Monitoring errors and app stabilityLegitimate interest — Art. 6(1)(f)Service reliability and security (Sentry)
Age verification (18+)Legitimate interest — Art. 6(1)(f)Responsible operation of an alcohol-related service
Security & abuse preventionLegitimate interest — Art. 6(1)(f)
Photos and game contentContract — Art. 6(1)(b)Uploaded voluntarily as part of play
Finding venues by locationConsent — Art. 6(1)(a)Location can be denied at any time on your device
De-identified usage analyticsLegitimate interest — Art. 6(1)(f)Grouped under a random per-crawl token, no account link; used only in aggregate to improve the service
Legal complianceLegal obligation — Art. 6(1)(c)E.g. authority requests

5. How long we keep it

CategoryRetentionReason
Account dataDuration of account + 30 days after deletionAccount recovery, dispute resolution
Age-verification dateDuration of accountEvidence of meeting the 18+ condition (we do not store the birth date)
Task photos and avatarDuration of account, or until crawl/account deletion
Game contentDuration of account
Anonymized analyticsRaw events 90 days, then aggregates onlyCannot be linked to an individual
Accounting and tax documents (payment receipts)The statutory period (generally 5 years under Act No. 563/1991 Coll. on accounting)Legal obligation
Operational logs and technical error logs30–90 daysSecurity and debugging
BackupsRolling cycle max 90 daysDisaster recovery

When the retention period ends we delete or anonymize the data.

6. Who we share it with (processors and recipients)

We share personal data only with:

We never sell your data or pass it to advertising networks or data brokers.

Main processors: Supabase (auth, database, photo storage, realtime — EU region); Stripe / Stripe Payments Europe, Ltd. (payment processing for crawls — EU / Ireland); Google Ireland Ltd. (Google sign-in and Google Places); Mapbox (map display); Seznam.cz / Mapy.cz (venue search, CZ); Vercel (hosting); Cloudflare / Cloudflare, Inc. (DNS and CDN/reverse proxy for the marketing site — DNS only for app.drinksup.eu); Sentry / Functional Software, Inc. (error and stability monitoring — USA, DPF/SCC). Each has a DPA meeting Art. 28(3) GDPR.

7. Photos and other people

You upload photos voluntarily. They may capture other people. You are responsible for having the consent of people captured in photos you publish in the app. Task photos are not public — they are shown only to fellow players in the crawl via temporary signed URLs. Report inappropriate content to info@alethe.eu; see Acceptable Use.

8. Public venue reviews

The app lets you rate venues you visit (with stars) and add a text comment. We may publish these ratings and comments to other users — in particular on the public venue map — but always only in anonymized form: without your name, nickname, account ID, or any other detail that could identify you. Only the comment text itself and the venue's aggregate rating are shown publicly.

9. International transfers

Some processors (Google, Mapbox, Vercel, Sentry, Cloudflare) may process data outside the EEA. We then rely on EU Commission adequacy decisions, the EU-US Data Privacy Framework (DPF) for certified US recipients, and the 2021 Standard Contractual Clauses (SCCs) otherwise. Supabase runs in the EU region; Mapy.cz processes in the Czech Republic.

10. Your rights under GDPR

You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection to legitimate-interest processing (Art. 21), and withdrawal of consent (Art. 7(3)).

You can delete your account and data directly in the app settings, or ask us at info@alethe.eu. We respond within 30 days (extendable by 60 days for complex requests, with notice).

11. Automated decision-making

We do not use automated decision-making producing legal or similarly significant effects within the meaning of Art. 22 GDPR. The "Automatic route" feature only suggests venues from public map data (OpenStreetMap) and your preferences — you always confirm the final route yourself.

12. Cookies

See the separate Cookie Policy.

13. Complaints

You can lodge a complaint with the supervisory authority: Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, https://uoou.gov.cz.

14. Changes to this policy

We update this policy when our processing changes. Material changes are notified to active users by email at least 30 days in advance. The "Last updated" date always reflects the current version.