Privacy Policy

TandemHQ is a product operated by MARAKUJA, športne storitve, d.o.o. ("Marakuja", "we", "us"), a Slovenian limited liability company registered at Ribarjeva ulica 5, 3000 Celje, Slovenia, with tax ID SI49790269 and registration number 9813381000.

We are the data controller for personal data processed through the TandemHQ application and our landing website under the EU General Data Protection Regulation (GDPR).

Contact for any privacy matter: info@marakuja-tech.com

We only collect what is needed to operate TandemHQ:

• Account data — name, email address, role (pilot or operator), password hash, profile photo (optional).
• Operational data — flight logs (date, site, duration, equipment used), invoices (amounts, customer contacts you enter), equipment records (wing, harness, reserve serial numbers + inspection dates), roster & shifts.
• Device data — device type, OS version, app version, language, time zone, IP address.
• Location data — only when you log a flight and you have granted location permission, used to auto-detect launch and landing sites. Not collected in the background.
• Usage data — anonymous analytics on which screens are used, to prioritise what we build next. We do not profile individual users.
• Payment data — processed entirely by Stripe (PCI-DSS certified). We never see your full card number.

• Contract performance (Art. 6(1)(b) GDPR) — to operate the TandemHQ service you signed up for: storing your logbook, generating invoices, broadcasting shifts.
• Legal obligation (Art. 6(1)(c) GDPR) — to retain accounting records required by Slovenian and EU tax law.
• Legitimate interest (Art. 6(1)(f) GDPR) — for product analytics, security monitoring, and fraud prevention. You can object at any time.
• Consent (Art. 6(1)(a) GDPR) — for marketing emails (waitlist updates, product news). You can withdraw at any time via the unsubscribe link.

All personal data is stored on infrastructure located within the European Union. Our primary database provider is Supabase (eu-central-1, Frankfurt, Germany). Backups are encrypted at rest in the same region.

We do not transfer your personal data outside the EU/EEA. Limited exceptions: Apple Push Notification Service and Stripe (US, certified under the EU-US Data Privacy Framework).

• Account data — for as long as your account is active, plus 30 days after deletion (in case you want to restore).
• Flight logs & equipment records — indefinitely while your account is active (this is your logbook). Exported as CSV on request, deleted on account closure unless legal retention applies.
• Invoices and accounting data — 10 years, as required by Slovenian accounting law (ZRač).
• Analytics & logs — 12 months, then aggregated and anonymised.
• Marketing emails — until you unsubscribe.

You have the right to access, correct, delete, export (portability), restrict processing, or object to processing of your personal data. You can exercise any of these by emailing info@marakuja-tech.com or from inside the app (Settings → Privacy).

We respond to all requests within 30 days. You can also lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec) if you believe we have mishandled your data.

Only with vetted processors who help us deliver the service. We never sell your data. Current sub-processors:

• Supabase (EU) — database and authentication.
• Netlify (EU edge) — website hosting.
• Stripe — payment processing.
• Apple & Google — push notifications and app distribution.
• Google / Apple Calendar APIs — only if you connect them, only the calendars you authorise.

We will publish any new sub-processor here at least 14 days before it goes live.

The TandemHQ landing page uses only strictly necessary cookies for session state. No tracking, no advertising cookies, no third-party analytics scripts.

The TandemHQ app uses encrypted local storage (Keychain on iOS, EncryptedSharedPreferences on Android) to keep your session active. This is not a cookie.

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is restricted to a small set of engineers operating under signed confidentiality agreements. We log all administrative access.

If we ever experience a breach affecting your data, we will notify you and the Slovenian authority within 72 hours, as required by Art. 33 GDPR.

We may update this policy as the product evolves. Material changes will be announced by email to active users at least 14 days before they take effect. The current version is always available at tandemhq-753.netlify.app/privacy.