Privacy Policy
In effect since: 01.06.2026
This English text is a translation provided for convenience. The legally binding version is the Serbian one.
1. Data controller
| Name | DOO “Beo invest stroy” (brand: ZURO GO) |
| Registered office | Jurija Gagarina 231, lokal 329, Belgrade, Serbia |
| Registration number | 21985678 |
| Tax ID (PIB) | 114190641 |
| Data protection contact | info@zurogo.com |
This Privacy Policy is drawn up in accordance with the Law on Personal Data Protection (ZZPL, Official Gazette of RS 87/2018).
2. What data we process
2.1 Client data
- First and last name, email address, phone number.
- Pick-up and drop-off addresses, including saved addresses (Home / Work), GPS coordinates, entrance, floor and apartment details.
- Name and phone of the recipient or sender, given per order.
- Description of the shipment contents.
- Payment data: we store only the PayPal transaction ID, the amount and the EUR/RSD rate. Card data is never stored on our servers.
- Push notification tokens.
- Ratings and comments left by the Client.
2.2 Courier data
- Date of birth, home address.
- Identity documents: photo of passport or ID card, selfie with the document.
- Driver’s licence, vehicle registration, vehicle photo (for motorised couriers).
- Residence permit (VNZ) for foreign nationals.
- Real-time GPS location — only during an active delivery.
- Payout details: PayPal email or IBAN account number.
3. Purpose and legal basis of processing
| Purpose | Data category | Legal basis |
|---|---|---|
| Performing the order and delivery | Client + Courier — basic data | Performance of a contract |
| Verifying Courier identity | Documents, selfie with ID, VNZ | Legitimate interest + consent |
| Payouts to Couriers | IBAN / PayPal email | Performance of a contract |
| Security and fraud prevention | All user data | Legitimate interest |
| Push notifications about order status | Push tokens | Performance of a contract |
| Marketing notifications | Push tokens, email | Consent |
| Accounting and legal obligations | Financial documentation | Legal obligation |
4. Processors (sub-processors)
| Processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Supabase | Database and authentication | EU region | Not a transfer |
| Cloudflare | CDN and web-layer protection | USA / EU | Standard Contractual Clauses (SCC) |
| PayPal | Payment processing | USA / EU | SCC / adequacy |
| Mapbox | Maps and geolocation | USA | SCC |
5. Security measures
- Supabase PostgreSQL database — EU region; Row-Level Security on every table (a user sees only their own data).
- Courier identity documents are stored in a private storage bucket, accessible only via short-lived signed URLs.
- Payment-card data does not pass through our servers (PayPal-hosted checkout).
- Passwords hashed by Supabase Auth; email verification and password reset implemented.
- Cloudflare TLS encryption and DDoS protection of the web layer.
6. Retention periods
| Data category | Retention period |
|---|---|
| Order and transaction data | 10 years (Accounting Law of RS, art. 27 — mandatory period for accounting records) |
| Client account | For the life of the account + 90 days after closure |
| Courier identity documents | 2 years after account deactivation |
| GPS location data | 30 days after delivery completion |
| Marketing push tokens | Until consent is withdrawn or the account is closed |
7. Your rights
In accordance with the ZZPL, you have the right to:
- Access — information about which of your data we hold.
- Rectification — correction of inaccurate or incomplete data.
- Erasure — request deletion of data when there is no valid basis for further processing.
- Portability — receiving your data in a machine-readable format.
- Objection — objecting to processing based on legitimate interest.
- Restriction — requesting temporary suspension of processing.
Requests are submitted to: info@zurogo.com. We respond within 30 days.
8. Cookies and local storage
The mobile application uses local storage (AsyncStorage) to keep the session token and user preferences. This data is not shared with third parties.
The marketing website uses functional and analytics cookies. The user manages their choice via the banner on first visit.
8a. Right to delete account and data
How to request deletion
- In the app: Settings → Account → Delete account
- By email: info@zurogo.com with the subject “Data deletion request”
The Platform confirms receipt of the request within 5 business days and carries out deletion within 30 days.
What is deleted immediately
| Category | Deletion period |
|---|---|
| Account data (name, email, phone) | 30 days from request |
| Saved addresses and preferences | Immediately / within 30 days |
| Push tokens | Immediately on request |
| GPS location history | Immediately (deleted after 30 days anyway) |
| Ratings and comments | 30 days from request |
What is retained by law
| Category | Retention period | Legal basis |
|---|---|---|
| Transaction and order data | 10 years from the transaction | Accounting Law of RS (art. 27) |
| Courier identity documents | 2 years from deactivation | Legitimate interest / evidentiary purpose |
| Courier PIB / JMBG | 5 years from the last transaction | Tax regulations of RS |
9. Changes to the Policy and contact
The Platform may amend this Policy with notice via the Application. For any questions: info@zurogo.com