Privacy Policy of the Solaya Live application

Last updated: 3 April 2026

1. General provisions

This Privacy Policy describes the rules for processing personal data of users of the Solaya Live mobile application available on iOS and Android devices.

The Solaya Live application is a platform that enables individual 1-on-1 decision sessions conducted live by specialists, in particular via text chat and the exchange of attachments. Each session is carried out personally by a live specialist and is individual in nature.

The application is offered to users in selected countries of the European Union, in particular Poland, Italy, Hungary, the Czech Republic and France.

The Administrator processes personal data in accordance with UK GDPR and — to the extent applicable to persons in the European Economic Area — in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), as well as with the relevant national provisions implementing the GDPR, in particular:

- in Poland — the Act of 10 May 2018 on the protection of personal data,
- in Italy — Decreto Legislativo 30 giugno 2003, n. 196 (Codice in materia di protezione dei dati personali), as amended,
- in Hungary — Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.),
- in the Czech Republic — Act No. 110/2019 Sb. on the processing of personal data,
- in France — Act No. 78-17 of 6 January 1978 (Loi Informatique et Libertés), as amended.

2. Data Administrator

The Administrator of your personal data is:

Solaya LLP
United Kingdom
Office 1.01, 411 Oxford Street, London, Greater London W1C 2PE
email: kontakt@solaya.live
website: https://solaya.live

For matters concerning the processing of personal data, you may contact the Administrator at: kontakt@solaya.live.

3. Administrator's representative in the EEA

In connection with offering services to persons in the European Economic Area, in accordance with Article 27 of the GDPR, the Administrator has appointed a representative in the EEA:

Nykolaichuk Mykola
02-454, Szczęsna 5B, Warsaw, Poland
email: kontakt@solaya.live

For matters related to the processing of personal data, you may also contact us via the EEA representative.

4. Scope of data we process

Depending on how you use the application, we may process the following personal data:

registration and identification data, such as: email address, name, password (in the form of an encrypted hash);

authentication data from external sign-in services, such as Google or Apple identifier;

profile data, such as avatar, if added by the user;

technical and application data, such as device locale, push notification token, information needed to maintain the session and login security;

data on the use of the services, such as the history of conversations with specialists, message content, photos and other files sent within sessions;

transactional data, such as amount, currency, purchase date, type of session ordered and payment status;

data concerning the country or language version, determined automatically based on device or interface settings;

data related to contact with customer support, complaints and reports.

We do not store user passwords in plain text. Passwords are protected using the bcrypt mechanism.

5. Sources of data

We receive personal data:

directly from you during registration, login, account creation, the use of sessions, payments or contact with us;

from external sign-in providers, if you choose to log in via Google or Apple — in accordance with their privacy policies (Google Privacy Policy: https://policies.google.com/privacy; Apple Privacy Policy: https://www.apple.com/legal/privacy/);

automatically from your device and the application, to the extent necessary for service operation, security and matching the language, country and currency.

6. Purposes and legal bases of processing

We process your personal data for the following purposes:

a) creating and maintaining a user account
including registration, login, session maintenance, password reset and user authentication
legal basis: Article 6(1)(b) of the GDPR — performance of a contract or steps taken prior to entering into a contract;

b) providing the session services available in the application
including enabling individual conversations with specialists, sending messages and attachments and the provision of paid 1-on-1 decision sessions
legal basis: Article 6(1)(b) of the GDPR — performance of a contract;

c) handling payments and settlements
including the recording of purchases, transaction confirmations, handling complaints and refunds
legal basis: Article 6(1)(b) of the GDPR and Article 6(1)(c) of the GDPR — performance of a contract and compliance with legal obligations;

d) sending technical and organisational messages
including emails related to the account, welcome messages, security messages and codes or links for password reset
legal basis: Article 6(1)(b) of the GDPR, and to the extent justified, also Article 6(1)(f) of the GDPR — our legitimate interest in ensuring security and efficient user service;

e) sending push notifications related to session activity
including notifications about new messages from a specialist;
legal basis: Article 6(1)(b) of the GDPR — performance of a contract, and Article 6(1)(f) of the GDPR — our legitimate interest in ensuring smooth communication;

f) sending push notifications of a reminder and engagement nature
including reminders about ongoing sessions or encouragement to contact a specialist;
legal basis: Article 6(1)(f) of the GDPR — our legitimate interest in maintaining the relationship with the user;
the user may at any time disable push notifications in the system settings of their device;

g) ensuring the security of the service, preventing abuse and enforcing the rules of use of the application
including detecting spam, offensive content, threats, abuse and protection against unauthorised access
legal basis: Article 6(1)(f) of the GDPR — our legitimate interest;

h) analytics, statistics and measurement of the effectiveness of sales processes and the operation of the application
to the extent limited to business and technical needs, including the use of conversion analytics tools
legal basis: Article 6(1)(f) of the GDPR — our legitimate interest in developing, analysing and optimising the service;

i) establishing, asserting or defending against claims
legal basis: Article 6(1)(f) of the GDPR — our legitimate interest.

If we process personal data in the future for direct marketing purposes that require consent, we will inform users accordingly and — if required — request a separate consent.

7. Profiling

As part of providing the service, we may use limited forms of profiling within the meaning of Article 4(4) of the GDPR, consisting of automatic analysis of selected data on user activity in order to adjust service handling and prioritise communication.

In particular, we may analyse a user's purchase history in order to categorise customer activity for the purposes of internal service handling. This profiling does not lead to decisions producing legal effects on the user or similarly significantly affecting them. It serves solely to internally organise the work of specialists.

The user has the right to object to profiling under the rules set out in Article 21 of the GDPR.

8. Whether providing data is mandatory

Providing personal data is generally voluntary, however, some data is necessary to conclude and perform the contract for the provision of services by electronic means within the Solaya Live application.

In particular:

providing an email address, name and login data is necessary to create and operate a user account;

providing data necessary for authorisation by Google or Apple is necessary if the user chooses this method of login;

providing data necessary to process payments and settle the purchase is necessary to acquire paid sessions;

providing data related to the content of the conversation and attachments is necessary to the extent that the user wishes to use sessions and communication with a specialist;

providing a push notification token, adding an avatar or sending photos is voluntary, but failure to provide them may make it impossible to use certain application features.

Failure to provide the data required for registration, login, purchase or service performance results in the inability to enter into a contract or to provide the service in full.

9. Recipients of the data

Your data may be made available to the following categories of recipients:

the chosen specialist with whom you have a session — to the extent including the content of the conversation, attachments and data necessary to perform the session;

cloud infrastructure, hosting and data storage providers;

payment system providers;

email and notification service providers;

analytics service providers;

external sign-in service providers, if you choose Google Sign-In or Apple Sign-In;

entities providing technical, legal, accounting or organisational support;

public authorities, where the obligation to provide data follows from provisions of law.

We currently use, in particular, the following providers:

Stripe — payment handling for selected countries, in particular Italy, Hungary, the Czech Republic and France;

PayU — payment handling for Poland;

Google Cloud Platform — hosting, data processing and file storage;

MongoDB Atlas (MongoDB, Inc.) — database;

Brevo (Sendinblue SAS) — emails, including welcome messages and password reset messages;

Expo (650 Industries, Inc.) — technical handling of push notifications;

Strimix — conversion analytics.

Entities processing personal data on our behalf act on the basis of appropriate data processing agreements (Article 28 of the GDPR) and only in accordance with our instructions, unless they act as separate data administrators, e.g. in the area of payment services performed independently.

We do not sell your personal data to third parties.

10. Payments

The application is free to download. 1-on-1 decision sessions with specialists are paid services.

Payments for individual 1-on-1 decision sessions are processed via external payment providers, in particular Stripe or PayU. Payment card data or other detailed payment data is processed by the relevant payment provider in accordance with their own privacy policy and terms.

The Administrator stores information about the purchase, such as date, amount, currency, type of session ordered and transaction status.

Refunds are considered individually within 14 days of the date of purchase, if the service has not been performed.

11. Data retention period

We store personal data for no longer than is necessary to achieve the purposes for which it was collected, and then for the period required by law or necessary for protection against claims.

In particular:

we store user account data for the duration of the account, and after its deletion — for up to 30 days for the purposes of completing the deletion process;

we store data of conversations with specialists and attachments for 3 years from the date of the user's last activity, unless a shorter or longer period results from the needs of providing the service, handling complaints or defending against claims;

we store transactional and settlement data for 5 years from the end of the tax year in which the transaction took place, or longer if required by tax, accounting or claims-related provisions of the law in the relevant country;

we store security and audit logs for 90 days;

we store session logs for 12 months;

we store notification logs for 90 days;

we store push notification tokens until they are deactivated, the user revokes the permission, the user logs out or they become invalid.

After the relevant period, the data is deleted or anonymised.

12. Place of data processing and transfers outside the EEA

In principle, users' personal data is stored and processed in infrastructure located within the European Economic Area, in particular in the europe-west1 region (Belgium), used by our backend, database and file storage services.

Since the Administrator is established in the United Kingdom, data may also be made available or accessible in the United Kingdom to the extent necessary for managing the service, handling users, security and fulfilling the Administrator's obligations. Transfer of data to the United Kingdom is based on the Implementing Decision of the European Commission of 28 June 2021 finding an adequate level of protection of personal data in the United Kingdom (C(2021) 4800).

In connection with the use of selected technology providers (including MongoDB Atlas and Expo), data may also be transferred to the United States or other third countries outside the EEA. In such cases, the transfer is carried out solely in accordance with applicable law, in particular:

on the basis of an adequacy decision (including the EU-US Data Privacy Framework), or

with appropriate safeguards, in particular standard contractual clauses approved by the European Commission (Implementing Decision 2021/914).

Information on the safeguards applied to transfers outside the EEA, as well as information on how to obtain a copy of these safeguards, can be obtained by contacting us at: kontakt@solaya.live.

13. User rights

In accordance with the GDPR, you have the right to:

a) access your data (Article 15 of the GDPR);

b) rectify the data (Article 16 of the GDPR);

c) erasure of the data (Article 17 of the GDPR);

d) restriction of processing (Article 18 of the GDPR);

e) data portability in a commonly used machine-readable format (Article 20 of the GDPR);

f) object to processing based on our legitimate interest, including profiling (Article 21 of the GDPR);

g) withdraw consent — if processing is based on consent; withdrawal of consent does not affect the lawfulness of prior processing;

h) lodge a complaint with the competent supervisory authority.

To exercise your rights, you may contact us at: kontakt@solaya.live. We respond to requests without undue delay, generally within 1 month of receipt, subject to the cases provided by law.

If you believe that the processing of your data violates the law, you have the right to lodge a complaint with the competent supervisory authority, in particular:

in Poland — to the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl;

in Italy — to Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma, https://www.garanteprivacy.it;

in Hungary — to Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), Falk Miksa utca 9-11, 1055 Budapest, https://www.naih.hu;

in the Czech Republic — to Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, https://www.uoou.cz;

in France — to Commission nationale de l'informatique et des libertés (CNIL), 3 Place de Fontenoy, 75007 Paris, https://www.cnil.fr;

in the United Kingdom — to the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow SK9 5AF, https://ico.org.uk.

14. Automated decision-making

We do not make decisions concerning users that produce legal effects or similarly significantly affect them, made solely on an automated basis within the meaning of Article 22(1) of the GDPR.

Information regarding the profiling used for internal service handling has been described in section 7 of this Policy.

We may use limited technical mechanisms related to security, matching the language version, currency or operation of the application, but they do not lead to decisions concerning the user that have legal or similarly significant effects.

15. Children's data and age limit

The Solaya Live application is intended exclusively for persons over 18 years of age.

We do not direct our services to children and do not knowingly collect personal data of persons under 18 years of age. If we learn that an account has been created by a person under 18 years of age, we may block the account and delete the data in accordance with applicable law.

16. Rules for using sessions and privacy

The user is responsible for the content sent within sessions, including messages and photos.

When using sessions, it is prohibited to send unlawful, offensive content, content containing threats, spam, indecent content or content that infringes the rights of other persons. In the event of a breach of the rules, we may take action provided for in the terms and conditions, including restricting access to the service or blocking the account.

The service is informational and entertainment in nature. It does not constitute medical, legal or financial advice.

Due to the nature of the service, please do not share, in the course of sessions, excessive data or special category data within the meaning of Article 9 of the GDPR (such as data concerning health, religious beliefs, sexual orientation or ethnic origin), unless this is necessary for the session to take place. If such data is voluntarily shared, the basis for its processing is Article 9(2)(e) of the GDPR — data manifestly made public by the data subject.

17. Data security

We apply appropriate technical and organisational measures to protect personal data, including in particular:

encryption of data transmission (TLS);

secure password storage (bcrypt);

authentication and access control mechanisms (JWT, roles, session restrictions);

protection against brute-force attacks (login attempt limits, account blocking);

restriction of access to data in accordance with the principle of least privilege;

solutions to protect against loss, misuse and unauthorised access.

Despite applying appropriate safeguards, no method of data transmission over the Internet or method of electronic storage guarantees complete security.

18. Data protection breaches

In the event of a personal data breach that may pose a high risk to the rights or freedoms of users, we will inform users without undue delay, in accordance with Article 34 of the GDPR, indicating the nature of the breach, its possible consequences and the measures taken to address the breach.

19. Changes to the Privacy Policy

We may update this Privacy Policy from time to time, in particular in the event of legal, technological or organisational changes.

The new version of the Privacy Policy will be published in the application and on the Administrator's website. In case of material changes, we will provide users with additional information via an in-app notification or email.

20. Contact

For matters concerning privacy, personal data or the exercise of user rights, please contact us:

Solaya LLP
email: kontakt@solaya.live
website: https://solaya.live

Representative in the EEA:
Nykolaichuk Mykola
02-454, Szczęsna 5B, Warsaw, Poland
email: kontakt@solaya.live