Personal Data Protection

1) Data Controller and Contact

Data Controller (Controller): Artiwa Nova L.L.C

The supervisory authority for personal data protection in Kosovo is the Information and Privacy Agency (AIP).

2) What Data May We Process?

Depending on the service you use, the following types of data may be processed:

• Identity/contact: full name, email, phone number (account/communication/support).
• Account and support records: request/complaint contents, correspondence.
• Transaction information (if any): subscription/purchase information (the Company does not store payment card details; the payment provider may process them).
• Device and technical data: IP address, device/OS/app version, language settings, crash/error logs.
• Usage data: app/page interactions, performance and analytics measurements.
• Location data (if any): only when required for the relevant feature and when you have granted permission.

3) Purposes of Processing

We may process personal data particularly for the following purposes:

• To provide, operate, and improve the Services
• Account creation, authentication, and user management
• Customer support, communication, and management of requests
• Security, prevention of abuse/fraud, and protection of system integrity
• Analytics, debugging, and performance improvements
• (If applicable) Marketing/announcement communications and campaign measurement (based on your preferences)

4) Legal Bases

Personal data processing is carried out only based on at least one of the legal bases stipulated by law (e.g., explicit consent, necessity for the establishment/performance of a contract, legal obligation, legitimate interest).

For processing based on consent, you may withdraw your consent at any time; withdrawal does not affect the lawfulness of prior processing.

5) Sharing of Data (Recipient Categories)

We do not sell personal data. Data may be shared only to the extent necessary to provide the service, with the following recipients:

• Hosting and infrastructure providers
• Analytics and error monitoring services
• Customer support/communication systems
• (If applicable) Payment and invoicing providers
• Legally authorized institutions (upon a legal request)

6) International Data Transfers

Our service providers may be located outside Kosovo. In such cases, transfers are carried out in compliance with the protection and security requirements under the relevant legislation (e.g., adequacy and appropriate safeguards).

7) Retention Periods

Data is retained for the period required by the purpose of processing; when the purpose no longer exists, data is deleted, anonymized, or disposed of in a manner permitted by law. Retention periods may vary depending on contractual, operational, and legal obligations.

8) Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, and disclosure.

In case of a personal data breach, where applicable, notification to the AIP is envisaged without undue delay and, where possible, no later than 72 hours.

9) Children's Data

Where information society services are offered directly to a child, the child's consent may be valid if the child is 16 years or older; for under 16, parental/guardian approval is required and reasonable efforts are made for verification.

10) Your Rights and Application Methods

Under the legislation, you have rights such as access to your personal data, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent.

To exercise these rights, you may contact us via the channels in Section 1. You also have the right to lodge a complaint/application with the AIP; the AIP accepts complaints regarding personal data protection.

11) Updates

This notice may be updated as our services or legal requirements change. The current version is always published on our website.