Privacy Policy — Nasma

Effective date: 01 September 2025

This Privacy Policy explains how Nasma (“we”, “us”, “our”) collects, uses, shares, and protects your information when you use our mobile applications, websites, and related services (collectively, the “Services”).

By using the Services, you agree to this Policy. If you do not agree, please do not use the Services.

1) Who we are (Data Controller)

Controller: [Nasma]
Email: [ info@nasmah.de]

2) Information we collect

• Account & Profile: name, email, phone number, password, profile photo (if you add one).

• Orders & Payments: shipping/billing addresses, items purchased, order notes; payment tokens from our payment processors (we do not store full card numbers).

• Customer Support & Communications: messages, call/chat transcripts, feedback, and review content.

• Media you choose to share: images/videos you upload (e.g., order attachments or reviews).

• Device & Usage Data: device model, OS version, app version, unique identifiers, crash logs, diagnostic/analytics data, IP address, and general location derived from IP.

• Cookies/SDKs & Similar Technologies: used for authentication, preferences, analytics, crash reporting, and push notifications.

• Social Login (optional): if you sign in with Google/Apple/Facebook, we receive basic profile data as permitted by those services.

3) How we use your information

• Provide, operate, and improve the Services.

• Process orders, payments, deliveries, returns, and refunds.

• Authenticate users, maintain account security, prevent fraud/abuse.

• Provide customer support and communicate about orders and updates.

• Personalize content, recommendations, and promotions.

• Send push notifications and marketing communications (where permitted).

• Measure performance, fix bugs, and perform analytics.

• Comply with legal, tax, and regulatory obligations.

4) Legal bases (EEA/UK)

Where GDPR/UK GDPR applies, we process data based on:

• Contract: to provide the Services and fulfill orders.

• Legitimate interests: e.g., security, fraud prevention, analytics, and product improvement (without overriding your rights).

• Consent: for optional features like marketing or certain device permissions; you can withdraw any time.

• Legal obligation: record-keeping, tax, and compliance.

5) Sharing your information

We do not sell your personal information. We share it with:

• Service providers / processors: hosting, cloud storage, analytics (e.g., Firebase Analytics), crash reporting (e.g., Crashlytics), authentication, customer support tools, and email/SMS providers.

• Payment & logistics partners: payment gateways and delivery/shipping couriers to complete your orders.

• Marketing & notifications: push services (e.g., FCM/APNs) and, where consented, marketing tools.

• Professional advisors & legal: auditors, legal counsel, authorities if required by law or to protect rights and safety.

• Business transfers: in a merger, acquisition, or asset sale, your data may be transferred under appropriate safeguards.

6) International transfers

Your data may be processed outside your country. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) to protect your information.

7) Data retention

We keep data only as long as necessary for the purposes above:

• Account & orders: retained while your account is active and as required by tax/accounting laws.

• Support & analytics: for the shortest time needed to diagnose issues and improve the product.
  When no longer needed, we securely delete or anonymize data.

8) Your rights & choices

Depending on your location, you may have the right to access, correct, delete, restrict, object, or port your data, and to withdraw consent at any time.

• Marketing: you can opt out via in-app settings or unsubscribe links.

• Push notifications: control in device settings.

• Permissions (camera/photos/media): you can deny or revoke at any time. Where possible on Android, we use the system Photo Picker so you can select specific items without granting broad media access.

To exercise rights, contact us at [privacy@yourdomain.com]. We may need to verify your identity.

9) Children’s privacy

Our Services are not directed to children under 13 (or the age required by local law). We do not knowingly collect personal data from children. If you believe a child provided data, contact us to delete it.

10) Security

We use technical and organizational measures to protect data (encryption in transit, access controls, monitoring). No method of transmission or storage is 100% secure; please use unique, strong passwords and keep your account details confidential.

11) Third-party services

Our Services may link to or use third-party SDKs and platforms (e.g., Google/Firebase, Apple, payment providers, couriers). Their use is governed by their own privacy terms. We encourage you to review those policies.

12) Do Not Track / “Sale” (US state laws)

We do not sell your personal information. If “Do Not Sell or Share” rules apply in your jurisdiction (e.g., California), you may exercise applicable rights via [link or email].

13) Changes to this Policy

We may update this Policy from time to time. We will post the new version with a new “Effective date” and, where required, notify you in the app or by email.