PRIVACY POLICY
QUICKS SRL — Rental Marketplace Platform
Last Updated: May 9, 2026
Effective Date: May 23, 2026
TABLE OF CONTENTS
- Introduction and Data Controller
- Information We Collect
- How We Use Your Information
- Legal Bases for Processing (GDPR)
- Information Sharing and Third Parties
- International Data Transfers
- Data Retention
- Your Rights Under GDPR
- Cookies and Tracking Technologies
- Children’s Privacy
- Security Measures
- Marketing Communications
- Automated Decision-Making and Profiling
- Changes to This Privacy Policy
- Data Protection Officer
- Contact Us
1. INTRODUCTION AND DATA CONTROLLER
1.1. QUICKS SRL (“Quicks”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation — “GDPR”), Romanian Law No. 190/2018 (implementing the GDPR), and all other applicable data protection legislation.
1.2. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the Quicks platform, including:
- The Quicks mobile applications (iOS and Android);
- The website at quicks-app.com;
- Any future web application or service operated by Quicks;
- Any communications from Quicks (email, push notifications, social media).
1.3. Data Controller. The data controller responsible for your personal data is:
QUICKS SRL
Calea Turzii 239, Cod 400495
Cluj-Napoca, Cluj County, Romania
CUI: 50382896
Trade Registry: J12/3251/2024
Email: [email protected]
Phone: +40 752 012 527
1.4. By creating an account or using our Services, you acknowledge that you have read and understood this Privacy Policy. Where processing is based on consent, you provide that consent when indicated during your use of the Platform.
2. INFORMATION WE COLLECT
We collect the following categories of personal data:
2.1. Information You Provide Directly
Account Registration Data:
- Email address
- Password (stored in hashed form by our authentication provider)
- Display name, first name, and last name
- Phone number (optional)
Profile Information:
- Profile photograph/avatar
- Preferred language and currency
Billing Profile Data:
- Profile type (personal or business)
- Full name or company name
- Billing address (street address, city, state/county, postal code, country)
- Email address and phone number
- Tax identification number (CUI/VAT number, for business profiles)
Listing Data (Owners):
- Item descriptions and titles
- Photographs of Items
- Rental pricing, deposit amounts, and availability
- Pickup location (address and/or GPS coordinates)
- Rental rules and conditions
Booking Data:
- Rental dates and quantities
- Notes to the Owner or Renter
- Cancellation reasons (optional)
Communication Data:
- Messages exchanged with other Users through the Platform
- Images shared in conversations
- Dispute submissions, evidence, and communications
Review and Rating Data:
- Ratings (1-5 stars)
- Review titles and text content
- Review images
Identity Verification Data:
- Government-issued photo ID (processed by Stripe — we do not store copies)
- Selfie photograph (processed by Stripe — we do not store copies)
- Verification status and timestamp
Stripe Connect Data (Owners):
- Business type (individual or company)
- Full legal name, date of birth, address
- Banking details (processed and stored by Stripe — we do not store these)
- KYC information (processed by Stripe)
Support Communications:
- Emails and inquiries sent to our support team
2.2. Information Collected Automatically
Device and Technical Data:
- Device type (iOS or Android), device model, and device name
- Operating system and version
- App version
- User identifier (Supabase auth.users.id) associated with your Account
- Firebase Installation ID (pseudonymous, assigned by Firebase to your app install)
- Identifier for Vendor (IDFV) on iOS
- Identifier for Advertisers (IDFA) on iOS — collected only if you grant permission via Apple’s App Tracking Transparency prompt (see Section 9.5)
- Android Advertising ID — collected on Android 13+ unless you have disabled ad personalisation at device level
- IP address (seen by our backend; Sentry does not record IP addresses; Google Places requests are proxied server-side so Google does not receive your IP)
- Browser type and version (for website access)
Usage Data:
- Screens viewed (Firebase Analytics automatic screen_view events)
- App opens (Firebase Analytics automatic app_open events)
- Features used and actions taken
- Access times and dates
- Session duration
- Search queries (transient — not persisted as search history)
- Navigation paths within the app
- Sentry breadcrumbs and performance transactions (e.g., rental.create, rental.payment.create, rental.handover.generate) used to diagnose errors and measure request latency; personal data (e-mail, phone, CNP, card numbers) is redacted client-side in release builds before submission
Location Data:
- GPS coordinates (latitude, longitude) — collected only in the foreground, only with your explicit permission via the operating system’s permission prompt
- Reverse-geocoded city and country
Push Notification Data:
- Firebase Cloud Messaging (FCM) token for your device
- Notification delivery and interaction data
2.3. Information from Third-Party Sources
Social Login Providers:
- Google Sign-In: name, email address, profile photo
- Apple Sign-In: name, email address (Apple may provide a private relay email)
Stripe (Payment Processor):
- Payment confirmation status
- Card brand and last four digits (for display purposes — we never receive full card numbers)
- Card expiration date
- Cardholder name
- Payment and refund statuses
- Identity verification status
Firebase (Google):
- Analytics data and event logs
- Push notification delivery status
2.4. Information We Do NOT Collect
We want to be transparent about what we do not collect:
- Full credit card or debit card numbers
- CVV/CVC security codes
- Bank account numbers or routing numbers (handled exclusively by Stripe)
- Biometric data (fingerprint, face scan data) — we do not process biometrics; Stripe may use liveness detection during identity verification, which is governed by Stripe’s privacy policy
- Background location data (we only access location while the app is in active use)
- Contact list or address book
- Calendar data
- Browsing history outside the Platform
- SMS or call log data
2.5. Dispute Evidence and Handover Photos
The Platform’s Dispute framework (see Section 14 of our Terms and Conditions) processes two distinct categories of evidence data with separate storage surfaces and visibility rules.
Handover photographs captured at pickup and return are stored in the private rental-handover-photos storage bucket. Each Booking participant can view their own handover photographs at any time; the counterparty can view them only once a Dispute has been opened on the Rental. Data captured per photograph:
- Image file (JPEG/PNG/HEIC)
- Handover type (pickup or return)
- Uploader identifier and upload timestamp
- Optional caption
- Cryptographic integrity metadata (see below)
Dispute evidence uploaded during an active Dispute is stored in the private disputes storage bucket and is visible to both Dispute parties and to Quicks administrators from the moment the Dispute is opened. Data captured per evidence item:
- File (photograph, document, or free-text submission)
- MIME type and file size
- Uploader identifier and upload timestamp
- Optional caption or description
- Cryptographic integrity metadata (see below)
Integrity and tamper-detection. Both categories of evidence are stored with the following integrity controls to support their evidentiary value in Disputes and to allow Quicks to detect subsequent alterations:
- EXIF metadata is preserved on upload (we do not strip, overwrite, or rewrite image metadata);
- A SHA-256 file hash is computed at upload time and recorded alongside the file reference.
Retention windows, immutability, and erasure procedures specific to this data are set out in Section 7.4.
3. HOW WE USE YOUR INFORMATION
We process your personal data for the following purposes:
3.1. Providing and Operating the Platform
- Creating and managing your Account
- Facilitating Bookings between Owners and Renters
- Processing payments, refunds, deposits, and payouts
- Operating the Wallet system
- Enabling in-app messaging between Users
- Displaying Listings, search results, and recommendations
- Managing reviews and ratings
- Administering the Dispute resolution process
3.2. Identity Verification and Trust
- Verifying User identity through Stripe Identity
- Facilitating Stripe Connect onboarding for Owners
- Anti-fraud detection and prevention
- Compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations
3.3. Communication
- Sending transactional notifications (Booking confirmations, payment updates, Dispute notifications, review reminders)
- Delivering push notifications via Firebase Cloud Messaging
- Responding to support inquiries
- Sending marketing and promotional communications (with your consent)
3.4. Safety, Security, and Compliance
- Detecting and preventing fraud, abuse, and unauthorized access
- Content moderation (text and image review)
- Enforcing our Terms and Conditions and other policies
- Complying with legal obligations (tax reporting, court orders, law enforcement requests)
- Maintaining platform security (rate limiting, suspicious activity monitoring)
3.5. Improvement and Analytics
- Analyzing usage patterns and trends to improve the Platform
- Monitoring technical performance and diagnosing errors (via Sentry)
- Conducting analytics to understand user behavior (via Firebase Analytics)
- Developing new features and services
3.6. Location-Based Services
- Displaying nearby Listings on the map
- Facilitating pickup location selection
- Calculating distances for search results
4. LEGAL BASES FOR PROCESSING (GDPR)
Under the GDPR, we process your personal data based on the following legal grounds:
| Purpose | Legal Basis (GDPR Article) |
|---|---|
| Account registration and management | Contract performance (Art. 6(1)(b)) — necessary for the performance of our contract with you |
| Facilitating Bookings, payments, deposits, refunds, payouts | Contract performance (Art. 6(1)(b)) |
| In-app messaging and transactional notifications | Contract performance (Art. 6(1)(b)) |
| Wallet and financial operations | Contract performance (Art. 6(1)(b)) |
| Dispute resolution | Contract performance (Art. 6(1)(b)) and Legitimate interest (Art. 6(1)(f)) — fair resolution of conflicts |
| Identity verification (Stripe Identity, KYC) | Legal obligation (Art. 6(1)(c)) — AML/KYC compliance; Contract performance (Art. 6(1)(b)) — necessary for payout functionality |
| Fraud prevention and Platform security | Legitimate interest (Art. 6(1)(f)) — protecting Users and the Platform from fraud and abuse |
| Content moderation | Legitimate interest (Art. 6(1)(f)) — maintaining a safe and lawful Platform; Legal obligation (Art. 6(1)(c)) — compliance with the Digital Services Act |
| Tax compliance and financial record-keeping | Legal obligation (Art. 6(1)(c)) — fiscal/tax and accounting regulations |
| Fiscal invoice generation and eFactura / ANAF submission (Oblio) | Legal obligation (Art. 6(1)(c)) — Romanian fiscal reporting requirements; Legitimate interest (Art. 6(1)(f)) — invoice delivery to the customer |
| Error tracking and technical monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) — ensuring Platform stability and performance |
| Analytics and Platform improvement (Firebase) | Legitimate interest (Art. 6(1)(f)) — improving services; Consent (Art. 6(1)(a)) for non-essential analytics |
| Location services (GPS) | Consent (Art. 6(1)(a)) — via operating system permission prompt |
| Marketing and promotional communications | Consent (Art. 6(1)(a)) — you can withdraw consent at any time |
| Social media advertising and retargeting | Consent (Art. 6(1)(a)) |
| Responding to support requests | Contract performance (Art. 6(1)(b)) and Legitimate interest (Art. 6(1)(f)) |
| Legal proceedings and claims | Legitimate interest (Art. 6(1)(f)) — establishing, exercising, or defending legal claims |
| Retention of anonymized transaction data | Legal obligation (Art. 6(1)(c)) — tax and audit requirements |
Legitimate Interest Assessments. Where we rely on legitimate interest, we have conducted assessments to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
5. INFORMATION SHARING AND THIRD PARTIES
5.1. Sharing with Other Users
When you participate in a Booking:
- Renters can see the Owner’s display name, profile photo, average rating, listing details, and pickup location.
- Owners can see the Renter’s display name, profile photo, average rating, and Booking details.
- Both parties can exchange messages through the Platform’s messaging system.
We do not share your full address, email, phone number, or financial details with other Users unless you voluntarily disclose them.
5.2. Third-Party Service Providers
We share personal data with the following categories of third-party service providers, who process data on our behalf or as independent controllers:
| Service Provider | Data Shared | Purpose | Role |
|---|---|---|---|
| Stripe (Stripe, Inc.) | Payment details, billing info, identity verification data, KYC data, banking details | Payment processing, identity verification, Stripe Connect payouts | Controller (for payment/identity data) |
| Oblio (Oblio SRL, Romania) | Full name, CNP (for individuals) or CIF (for companies), postal address, invoice line items (rental title, dates, amounts, VAT rate) | Fiscal invoice generation and eFactura / ANAF submission | Processor |
| Supabase (Supabase, Inc.) | All Platform data (stored in our database) | Database hosting, authentication, file storage, real-time infrastructure. Primary data hosted in EU (aws-eu-central-1). | Processor |
| Sentry (Functional Software, Inc.) | Anonymized user ID, breadcrumbs, stack traces, device model, OS version, app version, performance transactions. PII (email, phone, CNP, card numbers) is stripped client-side in release builds before submission. IP addresses are not captured. | Crash reporting, performance monitoring | Processor |
| Stripe Identity (Stripe, Inc.) | Government-issued ID document images, selfie, liveness data (captured inside Stripe’s hosted flow — we receive only a verification status and session identifier) | Identity verification (KYC) | Shared (Stripe acts as the regulated verification provider) |
| Stripe Connect (Stripe, Inc.) | Owner full legal name, date of birth, address, tax identification, bank account, government ID (captured inside Stripe’s hosted onboarding — we receive only the Connect account identifier and status) | Payout onboarding, AML/KYC compliance | Shared (Stripe acts as the regulated payment institution) |
| Google Places (Google LLC, via our Supabase edge function proxy) | City-name text entered in the search field. Requests are relayed server-side through a Quicks edge function so that Google receives the query from our server rather than from your device; your IP address is not forwarded to Google. | City autocomplete for listings, requests and billing profiles | Processor |
| Google Vision API (Google LLC) | Listing/review images | Automated image content moderation | Processor |
| OpenAI (OpenAI, LLC) | Listing/review text content | Automated text content moderation | Processor |
| Google Sign-In (Google LLC) | Authentication tokens, email, name, profile picture, Google account identifier | Social login authentication (user-initiated) | Processor |
| Apple Sign-In (Apple Inc.) | Authentication tokens, name, email or Apple-relay email, Apple account identifier | Social login authentication (user-initiated) | Processor |
| Firebase Cloud Messaging (Google LLC) | Firebase Cloud Messaging (FCM) device token, Firebase Installation ID, push notification delivery and interaction metadata | Delivering transactional and opt-in marketing push notifications | Processor |
| Firebase Analytics (Google LLC) | Firebase Installation ID, Identifier for Vendor (IDFV) on iOS, Identifier for Advertisers (IDFA) on iOS — only with your ATT consent, Android Advertising ID (unless you have disabled it at device level), automatic events (app_open, screen_view), session metadata, device model, OS version, app version | Understanding Platform usage, diagnostics, marketing attribution (the last purpose only where ATT consent is granted on iOS) | Processor; Google may use aggregated data per its service terms |
| Brevo (Sendinblue SAS, France) | Recipient e-mail address, recipient name, transactional message content (rental confirmations, dispute notifications, password recovery, legal-acceptance reminders, marketing e-mails where consent is granted), send/open/bounce events | Delivery of transactional and consent-based marketing e-mail | Processor |
5.3. Legal and Regulatory Disclosures
We may disclose your personal data where required by law, regulation, legal process, or governmental request, including:
- Compliance with court orders, subpoenas, or legal proceedings;
- Response to requests from law enforcement or regulatory authorities;
- Protection of the rights, property, or safety of Quicks, our Users, or the public;
- Investigation of suspected fraud, policy violations, or illegal activity.
5.4. Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and of any changes to the applicable privacy terms.
5.5. No Sale of Personal Data
Quicks does not sell, rent, or trade your personal data to third parties for their own commercial or marketing purposes.
6. INTERNATIONAL DATA TRANSFERS
6.1. Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our third-party service providers are headquartered.
6.2. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:
- European Commission adequacy decisions for countries deemed to provide an adequate level of data protection;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Data Privacy Framework (DPF) certifications where applicable (e.g., certain US providers);
- Binding Corporate Rules where applicable.
6.3. The following transfers outside the EEA are relevant:
| Provider | Country | Safeguard |
|---|---|---|
| Stripe | United States | EU-US Data Privacy Framework; SCCs |
| Google (Firebase, Maps, Vision, Sign-In) | United States | EU-US Data Privacy Framework; SCCs |
| Sentry | United States | SCCs |
| OpenAI | United States | SCCs |
| Apple (Sign-In) | United States | EU-US Data Privacy Framework; SCCs |
| Supabase | EU (aws-eu-central-1, primary); US (backup infrastructure) | Standard Contractual Clauses accepted with Supabase, Inc. as part of our subscription; primary data remains in the EU |
| Brevo (Sendinblue SAS) | France (EU); no transfer outside the EEA | Within the EEA — no transfer mechanism required |
| Oblio | Romania (EU); no transfer outside the EEA | Within the EEA — no transfer mechanism required |
6.4. Transfer Impact Assessments. In compliance with the CJEU Schrems II ruling (Case C-311/18), Quicks has conducted Transfer Impact Assessments (TIAs) for each international data transfer to evaluate whether the legal framework of the destination country provides essentially equivalent protection to that guaranteed within the EEA. These assessments take into account the nature of the data, the transfer mechanism, and any supplementary technical measures (e.g., encryption, data minimization, ephemeral processing). TIAs are maintained as part of our GDPR accountability documentation.
6.5. You may request a copy of the safeguards in place, including relevant TIA summaries, by contacting us at [email protected].
7. DATA RETENTION
7.1. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Active Account data | Duration of Account + 30 days after deletion request | Service provision |
| Fiscal invoices and financial transaction records (invoices issued via Oblio; rentals, payments, payouts, wallet transactions) | 10 years after issuance / transaction | Romanian fiscal and accounting law (Legea 82/1991 Art. 25) |
| Anonymized rental and review history | Indefinite (anonymized) | Platform integrity; statistical analysis |
| Dispute records | Minimum 7 years, or until all related legal claims are resolved (whichever is later) | Legal compliance; defense of claims (GDPR Art. 17(3)(b) and (e)) |
| Identity verification status | Duration of Account | Service functionality |
| Identity documents (held by Stripe) | Per Stripe’s retention policy | Stripe’s legal obligations |
| Payment method details (held by Stripe) | Per Stripe’s retention policy | Payment processing |
| Error logs (Sentry) | 90 days | Technical troubleshooting |
| Analytics data (Firebase) | 14 months (standard Firebase retention) | Platform improvement |
| Marketing consent records | 3 years after last interaction or consent withdrawal | Proof of consent (GDPR accountability) |
| Support communications | 3 years after resolution | Quality assurance; dispute reference |
| Messages between Users | Duration of both Accounts; anonymized upon Account deletion | Service provision |
| Listing photographs | Deleted when Listing is deleted or Account is closed | Service provision |
| FCM device tokens | Duration of device registration; revoked on logout, Account deletion or uninstall | Service provision |
| IDFV, IDFA, Firebase Installation ID, Android Advertising ID | Duration of app install on the device; per Firebase Analytics’ 14-month default | Analytics; marketing attribution (where ATT consent is granted on iOS) |
| Audit-trail tables (api.rental_status_history, api.moderation_history, api.legal_release_email_log, api.rental_insert_audit, api.message_flag) | Indefinite | Platform security, fraud investigation, legal defence (GDPR Art. 17(3)(b) and (e)) |
| Soft-deleted records (removed Listings, deleted messages, archived Item Requests, detached payment methods) | Soft-deleted state retained for audit; hard-deleted once all related legal retention windows (fiscal, dispute, audit) expire | Audit trail; legal defence |
| api.user_deletions anonymisation record | Indefinite (anonymised — no longer contains directly identifying data) | Proof that an erasure was performed; GDPR accountability |
7.2. When data is no longer needed, it is securely deleted or anonymized so that it can no longer be attributed to an identified or identifiable natural person without additional information, meeting the irreversibility standard of the Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques. Where we refer to “anonymized” data throughout this Privacy Policy and our Terms and Conditions, this means data processed to this standard.
7.3. Erasure Requests During Active Disputes. If you submit a GDPR Article 17 erasure request while you have an active Dispute, we will acknowledge the request and explain the applicable exception (Art. 17(3)(e) — establishment, exercise, or defense of legal claims). Your erasure request will be processed promptly once the Dispute is resolved and no further legal basis for retention applies.
7.4. Dispute Evidence Lifecycle and Immutability
This Section sets out the retention, immutability, and erasure rules specific to the evidence categories described in Section 2.5. These rules are complementary to, and should be read alongside, the retention table in Section 7.1.
Retention windows for evidence files:
| Data | Retention | Reason |
|---|---|---|
| Handover photographs where no Dispute is opened on the Rental | Purged 72h after Rental completion | Data minimisation — no ongoing evidentiary purpose |
| Handover photographs where a Dispute is opened on the Rental | Retained until 30 days after Dispute resolution, then purged | Supporting evidence during the Dispute and any immediate follow-up |
| Dispute evidence files (photographs, documents, text submissions) attached during an active Dispute | Retained until 30 days after Dispute resolution, then purged | Access during the Dispute and any immediate follow-up |
After a file is purged, the associated metadata (uploader identifier, upload timestamp, optional caption, MIME type, evidence type, and SHA-256 hash) is retained as part of the Dispute audit trail and is governed by the “Dispute records” retention window in Section 7.1. Where the underlying file has been purged, we surface a visible placeholder in place of the file indicating that the retention window has expired.
Immutability. To preserve the evidentiary value of the material and the fairness of the Dispute mechanic, once an item of handover or Dispute evidence has been uploaded:
- The uploader may edit the caption or delete the item within a five (5) minute window following upload;
- After the five-minute window closes, the uploader can no longer delete the item through the Platform interface.
This limitation is inherent to the Dispute framework — the ability to silently remove or modify evidence after submission would undermine the proposal and counter-proposal mechanic and Quicks’ administrative review. It is therefore a necessary and proportionate limitation on the exercise of the right to erasure, permitted under Article 17(3)(e) GDPR (establishment, exercise, or defence of legal claims).
Administrator-mediated erasure. Where you wish to exercise rights under Article 17 GDPR in respect of evidence that is outside the five-minute window, the request requires administrative intervention. Such requests may be submitted to [email protected]. We will evaluate each request against the exceptions in Article 17(3) (in particular, legal obligations and the establishment, exercise, or defence of legal claims) and respond within the timeframe set out in Section 8.3. Where a Dispute is active, processing of the erasure request may be deferred in accordance with Section 7.3. Separately, Quicks administrators may soft-delete evidence where its content violates our policies or applicable law (for example, non-consensual imagery, content harmful to minors, or content containing third-party personal data unrelated to the Dispute).
8. YOUR RIGHTS UNDER GDPR
8.1. As a data subject under the GDPR, you have the following rights:
Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data and information about how it is processed.
Right to Rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
Right to Erasure / “Right to Be Forgotten” (Art. 17): You have the right to request deletion of your personal data, subject to exceptions under Art. 17(3), including: (b) compliance with a legal obligation (e.g., tax record retention), (e) establishment, exercise, or defense of legal claims (e.g., active Disputes). You may request erasure of specific data categories without deleting your Account. If you wish to delete your Account entirely, see Section 27 of our Terms and Conditions for the Account deletion process and its effects on your data.
Right to Restriction of Processing (Art. 18): You have the right to request that we restrict processing of your data in certain circumstances (e.g., while verifying the accuracy of contested data).
Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract performance and is carried out by automated means.
Right to Object (Art. 21): You have the right to object to processing based on legitimate interest. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defense of legal claims.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you (see Section 13).
8.2. How to Exercise Your Rights. You may exercise your rights by:
- Contacting us at [email protected];
- Using the relevant features within the Platform (e.g., Account settings, notification preferences);
- Writing to us at: QUICKS SRL, Calea Turzii 239, Cod 400495, Cluj-Napoca, Romania.
8.3. Response Time. We will respond to your request within one (1) month. This period may be extended by two (2) further months if necessary, taking into account the complexity and number of requests.
8.4. Complaints. If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest, Romania
Website: www.dataprotection.ro
Email: [email protected]
Phone: +40 318 059 211
8.5. Account Deletion
You may delete your Quicks Account at any time through two independent paths:
- In-app: Settings → Account → Delete account. On confirmation, a server-side trigger anonymises auth.users.email and inserts a record into api.user_deletions. Your session is terminated immediately.
- Web: Visit https://quicks-app.com/delete-account from any browser, including from a device on which the app is not installed. The page explains the scope of deletion and lets you initiate the request (either by logging in to trigger the in-app flow or by submitting a deletion form that we action manually).
What is removed from active use immediately upon deletion:
- Your public profile (display name, avatar, bio);
- Your active Listings (unlisted from search);
- Your Account authentication credentials;
- Your FCM device tokens (you will stop receiving push notifications);
- Your saved billing profile.
What is retained, and why:
- Fiscal invoices, accounting records, and financial transaction records (rentals, payments, payouts, wallet transactions) are retained for the period required by Romanian fiscal and accounting law (10 years per Legea 82/1991 Art. 25), under GDPR Article 17(3)(b) (legal obligation);
- Dispute records and related evidence metadata are retained until all related legal claims are resolved (GDPR Article 17(3)(e) — establishment, exercise, or defence of legal claims);
- Audit-trail tables (api.rental_status_history, api.moderation_history, api.legal_release_email_log, api.rental_insert_audit, api.message_flag) are retained indefinitely for platform security, fraud investigation, and legal compliance; after deletion your identifier in these tables remains linked only to the anonymised api.user_deletions record;
- Messages you sent to counterparties remain visible to those counterparties under their own retention rights, but are attributed to the anonymised Account;
- Reviews you authored remain visible to preserve the integrity of other Users’ reputations, attributed to the anonymised Account.
You may also exercise your right to erasure in respect of specific data categories (rather than the whole Account) at any time — see Section 8.2.
9. COOKIES AND TRACKING TECHNOLOGIES
9.1. Website Cookies
Our website (quicks-app.com) may use the following categories of cookies:
Strictly Necessary Cookies: Essential for the website to function properly (e.g., session management, security). These cookies do not require consent.
Analytics Cookies: Used to collect information about how visitors use our website (e.g., pages visited, time spent). We use analytics services to understand website traffic and improve our services. These cookies are placed only with your consent.
Functionality Cookies: Used to remember your preferences (e.g., language selection). These cookies are placed only with your consent.
9.2. Mobile App Tracking
Our mobile applications use the following tracking technologies:
Firebase Analytics: Collects usage data (events, user properties, session data) to help us understand how Users interact with the app. Essential analytics (crash-related events, core feature usage metrics necessary for platform stability and security) are processed based on legitimate interest (Art. 6(1)(f)). Non-essential analytics (behavioral tracking, funnel analysis, marketing attribution) are processed based on your consent (Art. 6(1)(a)), which you can manage through your device settings.
Sentry: Collects error reports, crash data, and performance metrics to help us identify and fix technical issues. Processing is based on our legitimate interest in maintaining Platform stability.
Firebase Cloud Messaging (FCM): Uses device tokens to deliver push notifications. This is necessary for providing the notification service you have opted into.
9.3. Managing Cookies and Tracking
You can manage your cookie and tracking preferences through:
- Website: Cookie consent banner (displayed on first visit and accessible via footer link);
- Mobile App: Device settings for analytics and notification permissions;
- Browser settings: Blocking or deleting cookies via your browser’s privacy settings.
Note that disabling certain cookies or tracking may affect the functionality of the Platform.
9.4. Do Not Track
We currently do not respond to “Do Not Track” (DNT) browser signals due to the lack of a universal standard. We will update this policy if a standard is adopted.
9.5. Apple App Tracking Transparency (iOS)
On iOS devices, Apple’s App Tracking Transparency (ATT) framework requires your explicit, opt-in permission before an app may access the Identifier for Advertisers (IDFA) or otherwise “track” you across apps and websites owned by other companies.
- Prompt. When you first use the Quicks iOS app, we display the system ATT prompt asking whether you allow Quicks to track your activity across other companies’ apps and websites.
- Effect of allowing. If you allow tracking, Firebase Analytics collects the IDFA and may use it for marketing attribution — for example, to measure which campaigns led to app installs.
- Effect of declining. If you decline, the IDFA is not made available to the app and is not transmitted to Firebase. Firebase Analytics continues to function for non-tracking analytics purposes based on pseudonymous identifiers (IDFV, Firebase Installation ID). Declining the ATT prompt does not limit any other functionality of the Quicks app — you can still browse, rent, list, chat, upload photos, make payments, and receive notifications as normal.
- Changing your choice. You can change your ATT choice at any time from iOS Settings → Privacy & Security → Tracking → Quicks.
10. CHILDREN’S PRIVACY
10.1. The Platform is not intended for use by anyone under the age of eighteen (18). We do not knowingly collect personal data from children under 18.
10.2. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete that data and, if applicable, terminate the associated Account.
10.3. If you believe that a child under 18 has provided us with personal data, please contact us at [email protected].
11. SECURITY MEASURES
11.1. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
Technical Measures:
- Encryption of data in transit (TLS 1.2+) for all traffic to Supabase, Stripe, Firebase, Sentry, Oblio, Brevo, Google Sign-In, and Google Places;
- Encryption of sensitive data at rest;
- Secure authentication via Supabase Auth (hashed passwords, JWT tokens);
- Encrypted storage of authentication tokens on device (via Flutter Secure Storage);
- Row-Level Security (RLS) enforced at the database level, ensuring Users can only access their own data;
- Rate limiting on sensitive API endpoints;
- Raw card PANs and CVV/CVC codes are never stored on, nor transmitted through, Quicks servers. Card data is tokenised inside Stripe’s SDK on your device and sent directly to Stripe; our backend only stores card metadata (last four digits, brand, expiry month and year, cardholder name) returned by Stripe;
- Sentry is configured to not capture IP addresses, and our release builds run a client-side PII scrubber that removes e-mail addresses, Romanian phone numbers, CNPs and card numbers from error breadcrumbs, tags, and messages before they are sent to Sentry;
- PCI DSS compliance through Stripe (Quicks never handles raw payment card data);
- Regular security updates and dependency patching.
Organizational Measures:
- Principle of least privilege for data access;
- Regular review of access controls;
- Incident response procedures;
- Secure development practices.
11.2. Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to take your own precautions (e.g., strong passwords, not sharing credentials).
11.3. Breach Notification. In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the ANSPDCP within 72 hours of becoming aware of the breach, as required by GDPR Article 33;
- Notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34;
- Document the breach, its effects, and the remedial actions taken.
12. MARKETING COMMUNICATIONS
12.1. Consent-Based Marketing. We will only send you marketing and promotional communications if you have provided your explicit consent. Marketing may be delivered via:
- Email;
- Push notifications;
- Social media (targeted advertisements or sponsored content).
12.2. Opt-Out. You may withdraw your consent and opt out of marketing communications at any time through:
- Your Account notification settings within the Platform;
- The unsubscribe link included in every marketing email;
- Your device’s push notification settings;
- Contacting us at [email protected].
12.3. Transactional Communications. Opting out of marketing does not affect transactional communications (e.g., Booking confirmations, payment receipts, security alerts), which are necessary for the performance of our contract with you.
12.4. Social Media. If you interact with our social media accounts (e.g., Facebook, Instagram), the respective platform’s privacy policy applies to any data collected through those interactions. Quicks may use social media advertising features to reach potential users. You can manage your ad preferences through the respective social media platform’s settings.
13. AUTOMATED DECISION-MAKING AND PROFILING
13.1. Content Moderation. We use automated systems (powered by Google Vision API and OpenAI Moderation API) to review listing photographs and text for compliance with our policies. Content flagged by automated systems is placed in a pending state (not permanently deleted) and may be subject to the following safeguards under GDPR Article 22(2)(a) (necessary for contract performance) and Article 22(3):
- Notification: You are notified immediately with specific reasons why your Content was flagged.
- Appeal Right: You may request human review of any automated moderation decision through the Platform or by contacting [email protected].
- Human Review: Appeals are processed within ten (10) business days by a human reviewer. Pending appeal, your existing Listings remain active.
- Reversibility: If the automated decision is overturned on review, the Content is approved and published.
13.2. Fraud Detection. We use automated monitoring systems to detect potentially fraudulent activity (e.g., unusual transaction patterns, rate limit violations). Automated flags may result in temporary restrictions on your Account pending human review. You have the right to contest automated fraud flags and to obtain human intervention.
13.3. Search Ranking. Listing ranking in search results is determined by algorithms that consider factors such as relevance, price, availability, ratings, and user preferences. This ranking does not constitute automated individual decision-making within the meaning of GDPR Article 22, as it does not produce legal effects or similarly significantly affect you.
13.4. No Solely Automated Decisions with Legal Effect. We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you without the safeguards described above. For all automated decisions described in this Section, you have the right to obtain human intervention, to express your point of view, and to contest the decision.
14. CHANGES TO THIS PRIVACY POLICY
14.1. We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features.
14.2. Notification of Changes. Material changes will be communicated to you at least thirty (30) days before the effective date through:
- Email notification;
- In-app notification;
- Publication of the updated Privacy Policy on the Platform.
14.3. The “Last Updated” date at the top of this Privacy Policy indicates when the most recent revision was made.
14.4. Continued use of the Platform after the effective date of changes constitutes acknowledgment of the updated Privacy Policy. For changes that require consent under GDPR, we will request your explicit consent before applying the changes.
15. DATA PROTECTION OFFICER
15.1. At this time, Quicks has not appointed a Data Protection Officer (DPO) as the conditions specified in GDPR Article 37 (large-scale processing of special categories of data, large-scale systematic monitoring) are not met based on our current operations and user base.
15.2. Reassessment Commitment. Quicks will reassess the need for a DPO annually, or upon reaching 10,000 active users, or upon any material change in data processing activities. The assessment is documented as part of our GDPR accountability records.
15.3. For all data protection inquiries, you may contact us directly:
- Email: [email protected]
- Subject line: “Data Protection Inquiry”
- Postal address: QUICKS SRL, Calea Turzii 239, Cod 400495, Cluj-Napoca, Romania
15.4. If our operations change such that the appointment of a DPO becomes required, we will update this Privacy Policy accordingly and publish the DPO’s contact details.
16. CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
QUICKS SRL Calea Turzii 239, Cod 400495 Cluj-Napoca, Cluj County, Romania
Email: [email protected] Phone: +40 752 012 527
CUI (Tax ID): 50382896 Trade Registry: J12/3251/2024
For data protection complaints, you may also contact the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest, Romania Website: www.dataprotection.ro
This Privacy Policy was last updated on May 9, 2026.