Resonant Labs ("we", "us", "our") operates Vagoshit. We are committed to protecting your personal data and being transparent about how we collect and use it. This policy explains what data we collect, why, and what rights you have over it.
1. Who We Are
Resonant Labs is the data controller for personal data processed through Vagoshit. We are based in the Czech Republic. For data-related enquiries, contact us at hello@resonantlabs.online.
2. Data We Collect
Account data
- Email address (for authentication and notifications)
- Display name and optional username
- Profile photo (if you upload one)
- Birthday (month/day required; year optional) — used to display birthday reminders within your groups
- Birthday visibility settings per group
Activity data
- Groups you create or join, including group names and settings
- Events and activities you create, attend, or vote on
- RSVPs, votes, and availability responses
- Messages and reactions in group channels
- Places you save within a group
Technical data
- Authentication tokens (stored as secure, http-only cookies)
- Consent logs (which cookie/tracking categories you accepted and when)
- Basic analytics via Google Analytics (only if you consent) — includes page views and session data; no precise location
3. Legal Basis for Processing (GDPR)
- Contract performance — we process your account and activity data to provide the Service you signed up for (Art. 6(1)(b) GDPR).
- Consent — we use analytics cookies only after you explicitly consent via our cookie banner (Art. 6(1)(a) GDPR). You can withdraw consent at any time.
- Legitimate interest — we retain logs for security and fraud prevention purposes (Art. 6(1)(f) GDPR).
4. How We Use Your Data
- To provide and operate the Service (authentication, group coordination, notifications)
- To display your profile and activity data to other group members you share groups with
- To send transactional notifications (event reminders, friend requests) — you can control these in Settings
- To improve the Service via aggregated, anonymised analytics (only with your consent)
- To detect and prevent fraud, abuse, and security incidents
We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Data Sharing
We share your data only in the following limited circumstances:
- Supabase — our backend infrastructure provider (database, auth, storage). Supabase processes data on our behalf under a Data Processing Agreement. Data is stored in EU data centres.
- Google Analytics — only if you consent to analytics cookies. Google may process data in the US under Standard Contractual Clauses.
- Other group members — your display name, avatar, and activity within shared groups are visible to fellow group members by design.
- Legal requirements — we may disclose data if required by law, court order, or to protect the rights, safety, or property of Resonant Labs or others.
6. Data Retention
We retain your account and activity data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain certain records by law or for legitimate security purposes (e.g., consent logs, abuse reports).
7. Your Rights
Under GDPR, you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data (most data can be edited directly in Settings)
- Erasure — request deletion of your account and personal data
- Restriction — ask us to limit how we process your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — you can withdraw analytics consent at any time via the cookie settings widget
To exercise any of these rights, email us at hello@resonantlabs.online. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (in the Czech Republic: ÚOOÚ).
8. Cookies and Tracking
We use the following types of cookies:
- Strictly necessary — authentication session cookies required to keep you logged in. These cannot be disabled.
- Analytics (optional) — Google Analytics cookies to understand how the Service is used. Only set if you consent. You can change your preference at any time by clicking the cookie icon in the bottom corner of the screen.
9. Security
We implement industry-standard security measures including HTTPS encryption in transit, hashed passwords, row-level security policies on our database, and regular dependency updates. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security but we take reasonable precautions to protect your data.
10. Children
The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where appropriate, via email or an in-app notice. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.