Privacy Policy
Last updated · 2026-05-10
This Privacy Policy explains how MB "Moku programuoti" ("we", "us") processes personal data when you use Mokam Kartu ("Kartu", the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and the Lithuanian Law on Legal Protection of Personal Data.
1. Data controller
MB "Moku programuoti", Lithuania. Email: maksim@mokuprogramuoti.lt
For any privacy-related question or to exercise your rights, contact us at the email above.
2. What data we process
| Category | Examples | Source |
|---|---|---|
| Account identity | Google user ID, name, email, avatar URL | Google / Firebase Authentication when you sign in |
| Plan data | Plan names, monthly amounts, currency | You |
| Member data | Member email addresses (encrypted at rest with AES-256-GCM) | Plan owner |
| Payment-method data | Revolut handle, IBAN, BIC, recipient name, phone number (all encrypted at rest with AES-256-GCM) | You |
| Payment records | Period, amount, status, payment-method snapshot (CTAs encrypted at rest), reminder timestamps | Generated by the Service |
| Session cookie | Firebase session cookie (kartu_session) | Generated when you sign in |
| Locale preference | Cookie (kartu_locale) holding lt or en | You (via the language switcher) |
| Technical logs | IP address, user-agent, request paths, error reports | Vercel hosting platform |
| Email events | Delivery, open, bounce metadata for transactional emails | Resend |
| Product analytics | Pageviews, web-vitals performance metrics, error reports, product-funnel events — keyed by your Firebase user ID with a hashed (non-reversible) email | Generated by the Service via PostHog |
We use privacy-preserving, cookieless product analytics (PostHog — see §4) to understand how the Service is used and to diagnose errors. We do not use advertising or cross-site behavioural-tracking tools, and we do not set analytics cookies. We do not collect special-category data (e.g. health, biometric, political opinions).
3. Why we process it (legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Service (manage plans, send payment notifications, mark payments) | Performance of a contract — Art. 6(1)(b) |
| Authenticate you and keep your session secure | Performance of a contract — Art. 6(1)(b) |
| Send transactional emails (payment due, reminders, receipts) | Performance of a contract — Art. 6(1)(b) |
| Keep technical logs for security, debugging, and abuse prevention | Legitimate interests — Art. 6(1)(f) |
| Understand product usage and diagnose errors via cookieless analytics | Legitimate interests — Art. 6(1)(f) |
| Comply with legal, accounting, and tax obligations | Legal obligation — Art. 6(1)(c) |
4. Who we share data with (processors)
We use the following sub-processors, each governed by a Data Processing Agreement and EU Standard Contractual Clauses where data leaves the EEA:
- Google LLC / Google Cloud — Firebase Authentication and Firestore (data storage). Data may be stored or processed in the EU and the United States.
- Resend, Inc. — transactional email delivery (United States).
- Vercel Inc. — application hosting, scheduled jobs, request logs (United States; EU regions where available).
- PostHog Inc. — cookieless product analytics and error tracking, hosted on PostHog EU Cloud (Frankfurt, Germany). PostHog Inc. is incorporated in the United States; analytics traffic is proxied through our own domain.
We do not sell, rent, or share your personal data with advertisers or data brokers.
5. International transfers
Where personal data is transferred outside the European Economic Area (e.g. to the United States), we rely on the European Commission's Standard Contractual Clauses and, where applicable, supplementary safeguards offered by each processor. You can request a copy of the relevant safeguards by emailing us.
6. How long we keep your data
| Data | Retention |
|---|---|
| Account, plan, and member data | While your account is active. After account deletion, data is removed within 30 days from primary storage and within 90 days from backups. |
| Payment records | Up to 7 years where required by Lithuanian accounting and tax law; otherwise removed with the account. |
| Session cookie | Up to 14 days, or until you sign out. |
| Locale cookie | Up to 1 year, or until cleared by you. |
| Technical logs | Up to 30 days. |
| Product analytics events | Up to 12 months. |
7. Security
We protect personal data with the following measures:
- HTTPS/TLS for all client-server traffic.
- Session cookies marked HttpOnly, Secure (in production), and SameSite=Lax.
- Member emails, payment-method details, and stored payment CTAs are encrypted at rest using AES-256-GCM.
- Server-side authorization on every request (owner-vs-member checks).
- Access to production infrastructure limited to the controller.
No system is perfectly secure; if a breach occurs that is likely to result in a risk to your rights, we will notify the Lithuanian data protection authority within 72 hours and inform affected users without undue delay.
8. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") — subject to legal retention obligations.
- Restrict or object to processing in certain situations.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with the Lithuanian supervisory authority — Valstybinė duomenų apsaugos inspekcija (vdai.lrv.lt) — or with the authority in your country of residence.
To exercise any right, email maksim@mokuprogramuoti.lt. We will respond within one month.
9. Cookies
See our separate Cookie Notice. We only set strictly-necessary and preference cookies; our product analytics runs cookieless, and we use no advertising or third-party tracking cookies.
10. Children
The Service is not directed to children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
11. Automated decision-making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.
12. Changes to this Policy
If we update this Policy in a way that materially affects your rights, we will notify you by email or in-app notice at least 14 days before the change takes effect.
13. Acceptance and audit records
When you accept a plan invite, we record the time, your IP address, browser identifier, and the terms you agreed to, so you and the plan owner have a shared record of the arrangement.
We retain these records for the life of the plan plus six years after archival, in line with the typical contract-claim limitation period.
14. Contact
MB "Moku programuoti", Lithuania. Email: maksim@mokuprogramuoti.lt