Last Updated: 20 April 2026 | Version: 2.0
SmartKalathi is a grocery price comparison application for supermarket chains in Cyprus, published by Madingley Technologies Ltd ("we", "us", "our"). This Privacy Policy explains what information the SmartKalathi mobile application ("the App") collects, how it is used, the legal bases on which we rely, who it may be shared with, how long it is retained, and the rights you have under the EU General Data Protection Regulation (GDPR), the Cyprus Law 125(I)/2018, and the ePrivacy Directive.
The App is designed to operate without user accounts, logins, or direct personal identifiers. Most processing is either fully anonymous or strictly on-device. Any processing that involves personal data in the GDPR sense is gated behind explicit, withdrawable consent.
SmartKalathi uses two distinct analytics pipelines and a small number of functional data flows. The table below summarises each; detailed sections follow.
| Data flow | Personal data? | Consent required? | Purpose |
|---|---|---|---|
| Anonymous usage counters | No | No (GDPR Recital 26) | Aggregate feature popularity |
| Firebase Analytics | Pseudonymous | Yes — explicit opt-in | Product improvement |
| Google AdMob advertising | Yes (if personalised) | Yes — UMP + (iOS) ATT | Monetisation |
| Approximate location | Yes | Yes — OS permission | Nearby stores, distance sort |
| Camera (barcode scan) | No (on-device only) | OS permission | Scan product barcodes |
| Shopping cart & preferences | No direct identifiers | No | App functionality |
| Product interaction logs | No | No | Price trend analytics |
| Security / rate-limit logs | Yes (short-lived IP) | Legitimate interest | Abuse prevention |
SmartKalathi does not require registration, sign-in, or any account. We do not collect your name, email address, phone number, postal address, payment details, or any government identifier. There is no password to reset because there is no account.
We collect anonymous, aggregate usage counters — such as how many times a given feature is used per day across the whole user base. These counters contain no device identifiers, no IP addresses, no timestamps beyond a daily bucket, and no user-linkable fields. They cannot identify any individual, either alone or in combination with other data we hold. Under GDPR Recital 26 this is not personal data, and we collect it regardless of your consent choice.
If — and only if — you opt in (during onboarding or later in Settings > Privacy & Consent), we additionally use Google Firebase Analytics. This pipeline processes:
You can withdraw this consent at any time, with immediate effect, via Settings > Privacy & Consent. Withdrawal does not affect the lawfulness of processing carried out beforehand.
SmartKalathi displays advertisements served by Google AdMob to support free access to the App. For users in the European Economic Area, United Kingdom, and Switzerland, we use Google's User Messaging Platform (UMP) to collect a GDPR-compliant consent choice before any personalised advertising identifiers are processed.
On iOS, Apple's App Tracking Transparency (ATT) prompt is shown before any cross-app tracking identifier (IDFA) can be accessed. Denying ATT prevents IDFA access regardless of your UMP choice.
We implement Google Consent Mode v2, which passes your consent signals to Google's SDKs so that ad and analytics behaviour adapts accordingly.
We do not currently use Meta Audience Network or any other ad network beyond AdMob.
The App can show distances to nearby supermarkets and sort
stores by proximity. This requires your device's location,
which is accessed only with your explicit OS-level permission
and only while the App is in use (whenInUse). We
do not request background location.
The App includes a barcode scanner to help you look up products. The camera is accessed only when you open the scanner and only with your explicit OS-level permission. Frames are processed entirely on-device; no image, video, or scan result is uploaded, transmitted, or stored by us.
Your shopping cart contents, saved lists, and in-app preferences are stored locally on your device and optionally synchronised to our backend (Cloud Firestore, EU region) to preserve them across reinstalls on the same device. These records contain no direct identifiers (no name, email, account ID, phone number, or hashed device identifier) — they are keyed by app-generated, cart-scoped random IDs.
When you add a product to a cart, or select a supermarket
offer, we record the event (product ID, supermarket ID,
timestamp) via an authenticated Cloud Function
(logProductAddition). These logs contain
no user identifier and are used to understand
aggregate product demand and price trends. Because they are not
linkable to an individual, our legal basis is legitimate
interest (GDPR Art. 6(1)(f)).
Our backend applies rate limiting to public endpoints. When a request exceeds the limit, the client IP address is recorded in short-lived Cloud Functions logs (retained for 30 days by default) so we can investigate abuse. IP processing is carried out on the legal basis of legitimate interest (GDPR Art. 6(1)(f)) in preserving service integrity. We do not use these logs for marketing or analytics.
All traffic between the App and our backend is encrypted with HTTPS/TLS. We use Firebase App Check (App Attest on iOS, Play Integrity on Android) to ensure requests originate from genuine, unmodified installations of the App.
The App does not integrate Firebase Crashlytics or any third-party crash reporting SDK. Basic, non-personal crash counts may be reported by the mobile operating systems to their respective developer consoles (Apple App Store Connect, Google Play Console) under those platforms' own terms.
On first launch, SmartKalathi presents an analytics consent dialog with three options:
You can review or change your choice at any time via Settings > Privacy & Consent. Location and camera permissions are managed separately via your device's system settings. On iOS, ATT can be reset under Settings > Privacy & Security > Tracking.
| Processing activity | Legal basis |
|---|---|
| Anonymous aggregate counters | Not personal data — GDPR Recital 26 |
| Firebase Analytics | Consent — Art. 6(1)(a) |
| Personalised advertising | Consent — Art. 6(1)(a) |
| Location features | Consent — Art. 6(1)(a) |
| Cart / list sync, barcode scan | Performance of service — Art. 6(1)(b) |
| Product interaction logs | Legitimate interest — Art. 6(1)(f) |
| Rate-limit / security logs (IP) | Legitimate interest — Art. 6(1)(f) |
We rely on the following processors, each bound by appropriate data-processing terms and EU Standard Contractual Clauses where applicable:
| Processor | Role | Data | Region |
|---|---|---|---|
| Google Ireland Ltd — Firebase (Firestore, Functions, App Check, FCM, Analytics) | Backend & analytics | App data, pseudonymous analytics IDs (if consented) | EU (eur3) |
| Google Ireland Ltd — AdMob | Advertising | Advertising identifiers, ad interactions (subject to consent & ATT) | Global (Google infrastructure) |
| Google — Maps SDK | Store maps | Map tile requests (your IP is seen by Google as part of normal network operation) | Global |
| Apple Inc. / Google LLC | App Store / Play distribution, App Attest / Play Integrity | Platform attestation tokens | Per platform terms |
International transfers to Google and Apple infrastructure outside the EEA are covered by the European Commission's Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.
You have the right to:
Because SmartKalathi does not collect direct identifiers, most user-initiated deletion can be achieved instantly by clearing the App's data or uninstalling the App. For Firebase Analytics data tied to your device's Firebase Instance ID (if you previously consented), or for any other request, email info@madingleytechnologies.com and we will action it within 30 days.
SmartKalathi is a general-audience utility application and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will delete it.
TLS 1.2+ encryption in transit and Google-managed encryption at rest.
Firebase App Check blocks unauthorised clients from reaching our backend.
Strict Firestore security rules and restricted administrative access.
No method of electronic storage or transmission is 100% secure; we continuously review our controls.
We may update this Privacy Policy from time to time. Material changes will be communicated via an in-App notice and by updating the "Last Updated" date above. Continued use of the App after such changes constitutes acceptance of the revised policy, to the extent permitted by law. Where changes affect processing that requires consent, we will re-request consent.
For any question relating to this policy or to exercise any of your rights:
Company: Madingley Technologies Ltd, Cyprus
Email: info@madingleytechnologies.com
We aim to respond within 30 days.