Privacy Policy
Last updated: 2026-07-11
The Czech version of this document is the legally binding one for users in the Czech Republic. This English version is provided for convenience.
At a glance
- Controller: Alethe, s.r.o., Sládkova 1728/17, 360 01 Karlovy Vary, Czech Republic, Company ID (IČO): 09531025 (not VAT-registered), registered with the Regional Court in Plzeň, section C, file no. 39786
- Contact: info@alethe.eu
- Data Protection Officer (DPO): Not appointed — we do not meet the Art. 37 GDPR thresholds.
- Main purpose of processing: Operating DrinksUp — a social pub-crawl game.
- The app is intended exclusively for persons aged 18 and over.
- Supervisory authority for complaints: Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, https://uoou.gov.cz
1. Who we are
DrinksUp (the "app" or "service"), available at https://app.drinksup.eu, is operated by Alethe, s.r.o. ("we", "us", "our"). We are the data controller for personal data processed via the service. Our registered office is Sládkova 1728/17, 360 01 Karlovy Vary, Czech Republic. Contact us at info@alethe.eu.
2. Who the service is for
DrinksUp involves alcohol consumption and is intended exclusively for persons aged 18 and over. We verify age via date of birth at signup. If we find that an account was created by a person under 18, we close it and delete the related data.
3. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | email, display name (nickname), password (stored hashed) | You provide at signup |
| Age verification (18+) | date of birth is entered at signup for the age check only — we do not store it; we keep only the verification date | You / automatic |
| Google sign-in | email and name from your Google account (if you use Google login) | Google (with your consent at Google) |
| Profile photo | avatar you upload | You upload voluntarily |
| Game content | crawls created, venues chosen, tasks completed/skipped, votes, points, ranking, punishments | Generated by your play |
| Task photos | photos you upload as proof of task completion | You upload voluntarily |
| Location | approximate location to find venues and build a route | Your device (only if you allow it) |
| Analytics data | de-identified usage events (action type, coarse time, region) grouped under a random per-crawl token — never under your name, account ID, or a specific crawl | Automatic |
| Payment data | transaction and payment identifiers needed for accounting; full card details are processed directly by Stripe — we have no access to them | You / Stripe |
| Technical data | IP address, browser, device (from provider logs), technical error logs (Sentry) | Automatic |
About drinking and "health" data. As part of gameplay the app records which tasks you complete — including tasks that involve drinking alcohol — as game content, in order to run the game, build your end-of-crawl recap, and rank the leaderboard. We process this to perform our contract with you (Art. 6(1)(b) GDPR), it is visible only to you and your fellow players in that crawl, and it is deleted when you delete your account. We do not use it to profile you, we never place per-person drink data into our anonymous analytics, and we do not otherwise intentionally process special-category data (biometrics, political opinions, etc.). When you upload photos, be aware they may capture other people — see §7.
4. Why we process it (purposes + legal basis)
| Purpose | Legal basis (Art. 6 GDPR) | Notes |
|---|---|---|
| Operate the service, account and game | Contract — Art. 6(1)(b) | Without this data we cannot provide the service |
| Processing payment for a crawl | Contract — Art. 6(1)(b) | Payment is handled by Stripe |
| Keeping accounting and tax records | Legal obligation — Art. 6(1)(c) | Accounting Act |
| Monitoring errors and app stability | Legitimate interest — Art. 6(1)(f) | Service reliability and security (Sentry) |
| Age verification (18+) | Legitimate interest — Art. 6(1)(f) | Responsible operation of an alcohol-related service |
| Security & abuse prevention | Legitimate interest — Art. 6(1)(f) | |
| Photos and game content | Contract — Art. 6(1)(b) | Uploaded voluntarily as part of play |
| Finding venues by location | Consent — Art. 6(1)(a) | Location can be denied at any time on your device |
| De-identified usage analytics | Legitimate interest — Art. 6(1)(f) | Grouped under a random per-crawl token, no account link; used only in aggregate to improve the service |
| Legal compliance | Legal obligation — Art. 6(1)(c) | E.g. authority requests |
5. How long we keep it
| Category | Retention | Reason |
|---|---|---|
| Account data | Duration of account + 30 days after deletion | Account recovery, dispute resolution |
| Age-verification date | Duration of account | Evidence of meeting the 18+ condition (we do not store the birth date) |
| Task photos and avatar | Duration of account, or until crawl/account deletion | |
| Game content | Duration of account | |
| Anonymized analytics | Raw events 90 days, then aggregates only | Cannot be linked to an individual |
| Accounting and tax documents (payment receipts) | The statutory period (generally 5 years under Act No. 563/1991 Coll. on accounting) | Legal obligation |
| Operational logs and technical error logs | 30–90 days | Security and debugging |
| Backups | Rolling cycle max 90 days | Disaster recovery |
When the retention period ends we delete or anonymize the data.
6. Who we share it with (processors and recipients)
We share personal data only with:
- processors acting on our instructions (full list with country of processing in Subprocessors);
- authorities when legally required — we will notify you unless prohibited.
We never sell your data or pass it to advertising networks or data brokers.
Main processors: Supabase (auth, database, photo storage, realtime — EU region); Stripe / Stripe Payments Europe, Ltd. (payment processing for crawls — EU / Ireland); Google Ireland Ltd. (Google sign-in and Google Places); Mapbox (map display); Seznam.cz / Mapy.cz (venue search, CZ); Vercel (hosting); Cloudflare / Cloudflare, Inc. (DNS and CDN/reverse proxy for the marketing site — DNS only for app.drinksup.eu); Sentry / Functional Software, Inc. (error and stability monitoring — USA, DPF/SCC). Each has a DPA meeting Art. 28(3) GDPR.
7. Photos and other people
You upload photos voluntarily. They may capture other people. You are responsible for having the consent of people captured in photos you publish in the app. Task photos are not public — they are shown only to fellow players in the crawl via temporary signed URLs. Report inappropriate content to info@alethe.eu; see Acceptable Use.
8. Public venue reviews
The app lets you rate venues you visit (with stars) and add a text comment. We may publish these ratings and comments to other users — in particular on the public venue map — but always only in anonymized form: without your name, nickname, account ID, or any other detail that could identify you. Only the comment text itself and the venue's aggregate rating are shown publicly.
- Notice at the point of entry. Next to the rating and comment field we tell you in advance that your comment may appear publicly and anonymously. We only publish ratings submitted after that notice went live.
- Legal basis: our legitimate interest in providing useful information about venues to other users (Art. 6(1)(f) GDPR); you may object to this processing at any time (Art. 21 GDPR).
- No link to you. A published comment cannot be publicly linked to a specific person. Even so, please do not put into a comment any details that could identify you or other people.
- Reporting and moderation. Anyone can report an inappropriate comment with the "Report" button; we may hide or remove such a comment.
9. International transfers
Some processors (Google, Mapbox, Vercel, Sentry, Cloudflare) may process data outside the EEA. We then rely on EU Commission adequacy decisions, the EU-US Data Privacy Framework (DPF) for certified US recipients, and the 2021 Standard Contractual Clauses (SCCs) otherwise. Supabase runs in the EU region; Mapy.cz processes in the Czech Republic.
10. Your rights under GDPR
You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection to legitimate-interest processing (Art. 21), and withdrawal of consent (Art. 7(3)).
You can delete your account and data directly in the app settings, or ask us at info@alethe.eu. We respond within 30 days (extendable by 60 days for complex requests, with notice).
11. Automated decision-making
We do not use automated decision-making producing legal or similarly significant effects within the meaning of Art. 22 GDPR. The "Automatic route" feature only suggests venues from public map data (OpenStreetMap) and your preferences — you always confirm the final route yourself.
12. Cookies
See the separate Cookie Policy.
13. Complaints
You can lodge a complaint with the supervisory authority: Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, https://uoou.gov.cz.
14. Changes to this policy
We update this policy when our processing changes. Material changes are notified to active users by email at least 30 days in advance. The "Last updated" date always reflects the current version.