Last updated: 2026-05-01
1. Data controller
The hartafarmacii.ro service and the HartaFarmacii mobile app (hereinafter “HartaFarmacii” or “we”) are an independent price comparison tool and a pharmacy locator for Romania. The data controller within the meaning of Regulation (EU) 2016/679 (the “GDPR”) is Andrei-Șerban, a Romanian natural person, reachable at contact@hartafarmacii.ro.
This policy explains, in plain language and in line with Art. 12 GDPR, what data we collect, why, how long we keep it and how to exercise your rights.
2. Categories of data we collect
2.1. Web — visiting hartafarmacii.ro
- Technical log data: IP address (pseudonymised after 24 hours), browser type, operating system, visited URLs, referrer, timestamp;
- Cookies and storage: see the dedicated section below;
- Search queries you enter: kept anonymised, without IP, to improve result relevance;
- Approximate location derived from IP (city/county): used only to pre-fill map filters, never stored as a long-term profile.
2.2. iOS app — data on the device
- Device identifier (UUID): a random RFC 4122 v4 identifier generated on first launch and stored in the Keychain under the key device_id. It is not the IDFA and it is not shared with ad networks; it exists only to keep your preferences (favourites, language, theme, consent) across launches and to sync settings between an iPhone and iPad signed in with the same Apple ID via iCloud Keychain. You can reset it at any time from Settings → “Reset device identifier” (equivalent to DeviceService.reset() in code). Resetting deletes the favourites tied to it;
- Favourites: stored locally in the app database, tied to the UUID. Never sent to the server;
- Location permission: if you grant it, the app uses requestWhenInUseAuthorization with reduced accuracy (~100 m). Coordinates are never sent to the server; they are processed exclusively on the device to compute the distance to the nearest pharmacies. The permission can be withdrawn at any time from iOS Settings → Privacy & Security → Location Services → HartaFarmacii;
- App Tracking Transparency (ATT): per App Store rules, when relevant, iOS shows the standard ATT prompt. Your answer determines whether ad networks may use the IDFA for attribution. Refusing does not affect the app's functionality.
2.3. iOS app — consent-gated telemetry
- Firebase Crashlytics (Google LLC): sends anonymised crash reports (stack trace, device model, iOS version, app version, Firebase install ID). It does not send the IDFA, our UUID, or location. Purpose: diagnose and fix bugs;
- Firebase Analytics (Google LLC): enabled only after explicit consent. Events collected: search_performed (query length only, no text), pharmacy_view (chain slug, e.g. “catena”), product_view (product slug), purchase (IAP transaction outcome), ad_impression_internal (in-app ad impression frequency). Events carry no direct personal identifier;
- Google AdMob: for users in the EEA / UK / CH, before any ad impression, the app shows the Google UMP form. If you decline consent, AdMob delivers non-personalised ads (NPA), with no profiling. You can revisit the choice at any time from Info → “Ad privacy options”;
- Tracking domains declared in PrivacyInfo.xcprivacy (per Apple App Store): googleads.g.doubleclick.net, googlesyndication.com, google-analytics.com, firebase-settings.crashlytics.com, app-measurement.com;
- SKAdNetwork (Apple): the app declares 53 SKAdNetwork identifiers in Info.plist for the advertising networks. SKAdNetwork is Apple's privacy-preserving attribution system: it reports only aggregated signals (an install happened after an ad was viewed in another app) to networks, with no user identifier.
2.4. iOS app — payment data (IAP)
- When you buy premium_lifetimeMed, Apple returns to us via StoreKit: an anonymous transaction ID, the product ID, the price, the currency, the timestamp;
- We do not receive your card details, your Apple ID, your address or any other billing information. Apple handles payment processing and invoicing directly.
3. API endpoints used by the app
The mobile app talks to our server to fetch map and pricing data. The main calls and what we log on the server:
- GET /api/pharmacies.geojson — pharmacy list (static cache, no personal data);
- GET /api/hospitals.geojson — hospital list (static cache);
- GET /api/search?q=… — product search;
- GET /api/product/{slug} — product details;
- GET /api/product-by-gtin/{gtin} — lookup by barcode scanned locally;
- GET /api/chain-logos.json — chain logo manifest;
- POST /api/device — optional, sends the device UUID to allow announcements or remote-config updates; the request body contains no other personal information.
On the server we log: IP address (pseudonymised after 24 h), endpoint, timestamp, response code and user-agent. These logs are kept for 30 days for debugging and abuse protection, then purged automatically. We do not sell or share logs with third parties.
4. Cookies and storage on the web
4.1. Strictly necessary cookies
Set without consent (essential for operation):
- hf_consent — stores your consent preferences; duration: 12 months;
- hf_session — temporary CSRF protection session; duration: session.
4.2. Analytics cookies (consent-based)
- Google Analytics 4 (G-36128FW2PK): _ga, _ga_*, session identifiers. We use Google Consent Mode v2: if you decline, GA receives signals without cookies and without persistent identifiers (statistical modelling instead of per-user data);
- Google Tag Manager (GTM-PHB25JNF) — tag loader, sets no cookies of its own.
4.3. Advertising cookies (consent-based)
The site shows ads served by Google AdSense (publisher ca-pub-5475769399695434). Typical cookies:
- __gads, __gpi — frequency, attribution, fraud detection;
- NID, IDE, DSID — ad delivery and conversion measurement.
If you decline advertising consent, AdSense delivers non-personalised ads, with no profiling based on your history.
5. How we manage consent
We store your consent state in two distinct places, so that your choice persists across devices and sessions:
- On the web, in the hf_consent cookie and in localStorage under the same key. The cookie banner appears on first visit; it re-appears automatically if you clear cookies or 12 months have elapsed since the last decision;
- In the iOS app, in two layers: (a) the ATT response, managed by iOS at system level; (b) the UMP response (for AdMob and Firebase Analytics), persisted by the Google SDK. You can reset UMP via Info → “Ad privacy options”, in which case the form re-appears at next launch.
A subsequent change of consent takes effect immediately: if you decline analytics, GA4 / Firebase Analytics stop sending events; if you decline advertising, ad networks receive the “NPA” (non-personalised) signal.
6. Legal basis for processing (Art. 6 GDPR)
- Legitimate interest (Art. 6(1)(f)): server logs, security, abuse prevention, attack protection. Our legitimate interest is balanced against your rights and does not prevail when the data is sensitive;
- Consent (Art. 6(1)(a)): analytics and advertising cookies (web), Firebase Analytics and personalised AdMob (iOS). Consent can be withdrawn at any time;
- Contract performance (Art. 6(1)(b)): delivering the premium_lifetimeMed benefit after StoreKit payment;
- Legal obligation (Art. 6(1)(c)): keeping financial records for IAP payments for 10 years, per the Romanian Tax Code.
7. Who we share data with (processors and sub-processors)
Our list of data processors:
- Hetzner Online GmbH (DE) — VPS hosting for our servers and database. Server in Germany (Falkenstein), EU;
- Google LLC and Google Ireland Ltd. — Google Analytics 4, Google Tag Manager, Google AdSense, Google AdMob, Firebase Analytics, Firebase Crashlytics, Google UMP. Depending on the service, data may be processed in the EU and/or in the US;
- Apple Inc. and Apple Distribution International Ltd. — App Store Receipts, StoreKit, push notifications, App Store Connect Analytics (aggregate).
For US transfers we rely on the European Commission's Standard Contractual Clauses and on the EU-US Data Privacy Framework certification, where applicable. We do not sell personal data to third parties.
8. Retention periods
- Server logs: 30 days;
- Consent cookies: 12 months;
- Google Analytics data: 14 months (max GA4 recommended duration);
- Crashlytics crash reports: 90 days;
- IAP financial records: 10 years (legal obligation);
- Device UUID in the Keychain: until you reset it or uninstall the app.
9. Your rights (Art. 15-22 GDPR)
As a data subject you have the following rights:
- Access (Art. 15) — a copy of the data we hold about you;
- Rectification (Art. 16) — correction of inaccurate data;
- Erasure (Art. 17) — the “right to be forgotten”;
- Restriction of processing (Art. 18);
- Portability (Art. 20) — receive your data in a structured format (JSON);
- Objection (Art. 21) — to processing based on legitimate interest;
- Withdrawal of consent (Art. 7) — without retroactive effect on processing already performed;
- Complaint to the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — dataprotection.ro.
How to exercise these rights:
- On the web: email contact@hartafarmacii.ro from the address you suspect we have data on. We respond within 30 days;
- In the iOS app: Info → “Delete all local data” removes favourites, UUID, consents, cache. To cancel the IAP, you must use your Apple ID account (support.apple.com/billing); we cannot do it on your behalf.
10. Automated decision-making (Art. 22 GDPR)
HartaFarmacii does not subject you to automated decisions producing legal effects on you, or similarly significant effects (for example, refusing access to a service or applying differential pricing). The ordering of results on a product page is driven by raw price and geographic proximity (when you granted location permission); there is no individual ad scoring or personalisation model tied to your identity.
11. Data security
We apply technical and organisational measures per Art. 32 GDPR:
- HTTPS-only (HSTS) on every page and API;
- passwords hashed with modern algorithms where applicable (admin);
- encrypted daily database backups;
- IP pseudonymisation in logs after 24 hours;
- data minimisation principle: we do not collect what we do not use;
- code reviews (linting + peer review) before deploy.
In the unlikely event of a breach posing a risk to your rights and freedoms, we will notify you within 72 hours per Art. 33-34 GDPR.
12. Children under 16
HartaFarmacii is not intended for children under 16, and we do not knowingly collect data on minors. The iOS app carries an App Store rating of “4+”, but it contains medical information and ads, so use by minors should be supervised by a responsible adult. If you are a parent or guardian and suspect a minor under 16 has shared data with us, contact us for immediate deletion.
13. International transfers
Data is stored in the EU (Hetzner servers in Germany). Some Google and Apple services may process data in the US. For these transfers we rely on:
- The European Commission's Standard Contractual Clauses (SCCs);
- The EU-US Data Privacy Framework certification of Google LLC and Apple Inc. (verifiable at dataprivacyframework.gov);
- Additional contractual safeguards where appropriate.
14. Changes to this policy
We will update this policy whenever significant changes occur in our processing or in the law. Substantial changes are announced at least 30 days in advance, via a website banner and an in-app information screen. The last-updated date appears at the top of this document.
15. What we do not collect and do not do
For clarity, a short list of what we do not do:
- we do not collect your full name, national ID, address, phone number or card details — there is no user account where you would enter them;
- we do not build an individual ad profile on you and we do not sell data to data brokers;
- we do not use the iOS IDFA for cross-app tracking — Firebase Analytics runs on Firebase install IDs, not the IDFA;
- we do not transmit your GPS location to the server and do not log it;
- we do not send marketing newsletters and we do not ask for your email address to use the service;
- we do not use push notifications for commercial promotion. If we introduce notifications in the future (for example, important service announcements), the iOS permission will be asked explicitly and can be revoked from Settings.
16. Glossary — technical terms
- Pseudonymisation: a technique that replaces a direct identifier (e.g. IP address) with a hash so that the link to the natural person can be re-established only with a separate secret;
- UMP (User Messaging Platform): Google's SDK for showing GDPR/ePrivacy consent forms in mobile apps;
- SKAdNetwork: Apple's API that enables advertising conversion measurement without a user identifier, reporting only aggregated signals;
- Consent Mode v2: Google's scheme where analytics and advertising tags adapt their behaviour based on the user's consent state;
- Sub-processor: a third party that a processor (e.g. Google) uses to deliver part of the service commissioned by the controller (e.g. cloud infrastructure).
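Sections 3 and 11 state that the IP address in server logs is pseudonymised after 24 hours and that the logs are purged after 30 days, and the glossary entry above defines pseudonymisation as a hash whose link to the person can be re-established only with a separate secret. The Python below is an added illustration of that scheme and is not HartaFarmacii's own code; the tab-separated log layout, the function names and the sample values are assumptions.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Thresholds from section 3 of the policy; the log layout below is a constructed assumption.
PSEUDONYMISE_AFTER = timedelta(hours=24)  # IP replaced by a keyed tag after 24 h
PURGE_AFTER = timedelta(days=30)          # whole line dropped after 30 days
TAG_HEX_LEN = 16                          # 64-bit tag: enough to correlate lines, no more


def pseudonymise_ip(ip: str, secret: bytes) -> str:
    """Replace an IPv4/IPv6 address with an HMAC-SHA256 tag under a separate secret.

    A plain, unkeyed hash of an IPv4 address can be reversed by hashing all 2^32
    candidates, so the secret is what turns the tag into a pseudonym: the link
    back to the address can only be re-established by whoever holds the key.
    """
    addr = ipaddress.ip_address(ip)  # rejects malformed input, normalises notation
    tag = hmac.new(secret, addr.packed, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]
    return f"ip-{tag}"


def process_log_line(line: str, secret: bytes, now_iso: str) -> Optional[str]:
    """Apply both retention steps to one constructed, tab-separated log line.

    Assumed fields: ISO timestamp, client IP, endpoint, status code, user-agent.
    Returns the line (rewritten if needed), or None when it must be purged.
    """
    ts_text, ip, endpoint, status, user_agent = line.rstrip("\n").split("\t", 4)
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(ts_text)
    if age >= PURGE_AFTER:
        return None  # past 30 days: nothing is kept, not even the pseudonym
    if age >= PSEUDONYMISE_AFTER and not ip.startswith("ip-"):
        ip = pseudonymise_ip(ip, secret)  # lines tagged on an earlier run are left alone
    return "\t".join((ts_text, ip, endpoint, status, user_agent))


def process_log(lines: Iterable[str], secret: bytes, now_iso: str) -> List[str]:
    """Run the rules over a whole log, dropping purged lines."""
    kept = []
    for line in lines:
        out = process_log_line(line, secret, now_iso)
        if out is not None:
            kept.append(out)
    return kept
```

Run the job once a day with the secret loaded from outside the log store; rotating the secret severs the ability to correlate tags across rotation periods.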
17. Contact
For any question about this policy or your personal data, write to: contact@hartafarmacii.ro.
We answer every request personally, in plain language, in line with Art. 12 GDPR (“concise, transparent, intelligible and easily accessible”).