PRIVACY POLICY
Unlokie d.o.o.
Last updated: February 18, 2026
This Privacy Policy explains how Unlokie d.o.o. ("Unlokie", "we", "us", "our") collects, uses, shares, and protects personal data when you use:
- our website at unlokie.com;
- our iOS and Android mobile application;
- related products, features, smart locker interactions, and support channels.
Together, these are the "Services".
1. Data Controller
Controller: Unlokie d.o.o.
Address: Rozmanici 23 B, 51221 Kostrena, Croatia
Email: privacy@unlokie.com
Website: unlokie.com
For end-user use of the Services, Unlokie acts as data controller and is responsible for GDPR compliance for personal data described in this policy.
Where municipalities, cities, venues, or other partners process data independently for their own purposes, they act as separate controllers for that separate processing.
2. Scope
This Privacy Policy applies to personal data processed through our Services, including when you:
- create or use an account;
- sign in with Google/Firebase Authentication;
- use map/location features powered by Google Maps Platform;
- scan a QR code, unlock equipment, and complete return flows;
- make payments processed through Stripe;
- contact support.
This Privacy Policy does not apply to third-party sites/services not controlled by Unlokie.
3. Personal Data We Process
Depending on your use of the Services, we may process:
- account and identity data (name, email, account ID, username, profile details);
- authentication data and tokens (from Firebase Authentication/Google Sign-In);
- contact data (email, phone number if provided);
- transaction data (purchase details, billing metadata, payment status);
- technical and device data (IP address, device IDs, OS/app version, logs);
- usage and diagnostics data (events, app activity, errors, performance data);
- locker-session and event data (station ID, session start/end, return status, operational logs);
- location data (precise or approximate, if enabled by you);
- support communications and requests;
- cookie and tracking data (website), and app identifiers/local app storage data (mobile apps).
We do not intentionally collect special category data unless required by law and properly disclosed.
4. Sources of Personal Data
We collect personal data:
- directly from you;
- automatically from your browser/app/device and locker interactions;
- from third parties you choose to use (for example Google Sign-In);
- from service providers supporting our Services (for example Stripe payment status).
5. Purposes and Legal Bases
We process personal data under GDPR and applicable local law using one or more legal bases.
| Purpose | Legal Basis |
|---|---|
| Create and manage accounts; authenticate users | Contract performance |
| Provide locker rental sessions, unlock/return flows, and account features | Contract performance |
| Process payments, invoicing, and mandatory accounting/tax records | Contract performance; legal obligation |
| Prevent fraud, abuse, misuse, and unauthorized access | Legitimate interest; legal obligation (where applicable) |
| Provide service and transactional communications (for example session/return reminders) | Contract performance; legitimate interest |
| Provide customer support and handle claims/disputes | Contract performance; legitimate interest; legal obligation (where applicable) |
| Provide map/location functionality requested by you in-app | Contract performance; consent for device location permissions where required |
| Improve service reliability, security, and product quality | Legitimate interest |
| Non-essential analytics and marketing communications/tracking | Consent |
| Comply with legal requests and regulatory duties | Legal obligation |
Where processing is based on consent, you may withdraw consent at any time without affecting lawfulness of processing before withdrawal.
Where processing is based on legitimate interest, we apply a balancing test. You may object to such processing where permitted by law.
6. Key Service Providers and SDKs
6.1 Firebase Authentication and Google Sign-In
Used for secure sign-in and session management. Data may include account identifiers, email, profile metadata, and authentication/session tokens.
6.2 Stripe
Used for payment processing and fraud prevention. Unlokie does not store full payment card numbers.
6.3 Google Maps Platform
Used for map display and location-related features where used in the Services.
7. Sharing of Personal Data
We share personal data only when necessary and lawful, including with:
- cloud and hosting providers;
- authentication providers (Firebase/Google);
- payment processors (Stripe);
- map/location providers (Google Maps Platform);
- technical, security, and operational vendors;
- professional advisers and public authorities where legally required;
- acquirers/successors in case of merger, acquisition, or restructuring.
Where third parties act as processors on our behalf, we use Article 28 GDPR data processing agreements.
We may provide municipalities/cities/partners with aggregated statistics that do not identify users.
We do not sell personal data.
8. International Data Transfers
Some providers may process data outside the EEA/UK/Switzerland. Where required, we apply appropriate safeguards (for example adequacy decisions and/or Standard Contractual Clauses with supplementary measures).
9. Data Retention
We retain personal data only as long as necessary for the purposes in this policy and to comply with legal obligations.
- Account operational data (profile, authentication records, usage history): while your account is active and up to one (1) month after account termination, unless longer retention is required for security, fraud prevention, or legal claims.
- Financial/accounting/transaction records (including invoices): up to ten (10) years under applicable Croatian accounting and tax laws.
- Security, fraud, and system integrity logs: retained for an extended period where necessary to protect Services, prevent abuse, enforce rights, or comply with law.
When no longer required, personal data is securely deleted or irreversibly anonymized.
10. Your Rights
Subject to applicable law, you may have the right to:
- access your personal data;
- correct inaccurate data;
- request deletion;
- request restriction of processing;
- object to certain processing;
- request portability;
- withdraw consent at any time (for consent-based processing);
- lodge a complaint with a supervisory authority.
To exercise your rights, contact: privacy@unlokie.com.
We respond to verified data subject requests within one (1) month as required by Article 12 GDPR, extendable by up to two (2) additional months where legally permitted.
We may request additional information to verify identity before fulfilling a request.
Requests are free unless manifestly unfounded or excessive (Article 12(5) GDPR).
If you are located in Croatia, you may lodge a complaint with:
Croatian Personal Data Protection Agency (AZOP)
Marticeva 14
10000 Zagreb
Croatia
https://azop.hr
11. Cookies and Device Technologies
We use cookies and similar technologies on the website and app technologies (including local app storage) in mobile apps.
Strictly necessary technologies are used only where needed for core service operation and security. Non-essential analytics and marketing technologies are used only on the basis of consent where required.
Further details are available in our Cookie Policy.
12. Children
The Services are intended for users aged 18 or older. We do not knowingly provide Services to children. If we learn that personal data was collected from a child in violation of applicable law, we will delete it and take appropriate account measures.
13. Automated Decision-Making
We do not carry out solely automated decision-making (including profiling) that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
14. Security
We implement reasonable technical and organizational safeguards to protect personal data. No online service can be guaranteed fully secure.
15. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version and date will be published in the Services.
16. Contact
For privacy questions or requests:
Unlokie d.o.o.
Rozmanici 23 B
51221 Kostrena
Croatia
Email: privacy@unlokie.com
