Skip to content
ZURO GO
Back to home

Privacy Policy

In effect since: 01.06.2026

This English text is a translation provided for convenience. The legally binding version is the Serbian one.

1. Data controller

NameDOO “Beo invest stroy” (brand: ZURO GO)
Registered officeJurija Gagarina 231, lokal 329, Belgrade, Serbia
Registration number21985678
Tax ID (PIB)114190641
Data protection contactinfo@zurogo.com

This Privacy Policy is drawn up in accordance with the Law on Personal Data Protection (ZZPL, Official Gazette of RS 87/2018).

2. What data we process

2.1 Client data

  • First and last name, email address, phone number.
  • Pick-up and drop-off addresses, including saved addresses (Home / Work), GPS coordinates, entrance, floor and apartment details.
  • Name and phone of the recipient or sender, given per order.
  • Description of the shipment contents.
  • Payment data: we store only the PayPal transaction ID, the amount and the EUR/RSD rate. Card data is never stored on our servers.
  • Push notification tokens.
  • Ratings and comments left by the Client.

2.2 Courier data

  • Date of birth, home address.
  • Identity documents: photo of passport or ID card, selfie with the document.
  • Driver’s licence, vehicle registration, vehicle photo (for motorised couriers).
  • Residence permit (VNZ) for foreign nationals.
  • Real-time GPS location — only during an active delivery.
  • Payout details: PayPal email or IBAN account number.

3. Purpose and legal basis of processing

PurposeData categoryLegal basis
Performing the order and deliveryClient + Courier — basic dataPerformance of a contract
Verifying Courier identityDocuments, selfie with ID, VNZLegitimate interest + consent
Payouts to CouriersIBAN / PayPal emailPerformance of a contract
Security and fraud preventionAll user dataLegitimate interest
Push notifications about order statusPush tokensPerformance of a contract
Marketing notificationsPush tokens, emailConsent
Accounting and legal obligationsFinancial documentationLegal obligation

4. Processors (sub-processors)

ProcessorPurposeLocationTransfer basis
SupabaseDatabase and authenticationEU regionNot a transfer
CloudflareCDN and web-layer protectionUSA / EUStandard Contractual Clauses (SCC)
PayPalPayment processingUSA / EUSCC / adequacy
MapboxMaps and geolocationUSASCC

5. Security measures

  • Supabase PostgreSQL database — EU region; Row-Level Security on every table (a user sees only their own data).
  • Courier identity documents are stored in a private storage bucket, accessible only via short-lived signed URLs.
  • Payment-card data does not pass through our servers (PayPal-hosted checkout).
  • Passwords hashed by Supabase Auth; email verification and password reset implemented.
  • Cloudflare TLS encryption and DDoS protection of the web layer.

6. Retention periods

Data categoryRetention period
Order and transaction data10 years (Accounting Law of RS, art. 27 — mandatory period for accounting records)
Client accountFor the life of the account + 90 days after closure
Courier identity documents2 years after account deactivation
GPS location data30 days after delivery completion
Marketing push tokensUntil consent is withdrawn or the account is closed

7. Your rights

In accordance with the ZZPL, you have the right to:

  • Access — information about which of your data we hold.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure — request deletion of data when there is no valid basis for further processing.
  • Portability — receiving your data in a machine-readable format.
  • Objection — objecting to processing based on legitimate interest.
  • Restriction — requesting temporary suspension of processing.

Requests are submitted to: info@zurogo.com. We respond within 30 days.

8. Cookies and local storage

The mobile application uses local storage (AsyncStorage) to keep the session token and user preferences. This data is not shared with third parties.

The marketing website uses functional and analytics cookies. The user manages their choice via the banner on first visit.

8a. Right to delete account and data

How to request deletion

  • In the app: Settings → Account → Delete account
  • By email: info@zurogo.com with the subject “Data deletion request”

The Platform confirms receipt of the request within 5 business days and carries out deletion within 30 days.

What is deleted immediately

CategoryDeletion period
Account data (name, email, phone)30 days from request
Saved addresses and preferencesImmediately / within 30 days
Push tokensImmediately on request
GPS location historyImmediately (deleted after 30 days anyway)
Ratings and comments30 days from request

What is retained by law

CategoryRetention periodLegal basis
Transaction and order data10 years from the transactionAccounting Law of RS (art. 27)
Courier identity documents2 years from deactivationLegitimate interest / evidentiary purpose
Courier PIB / JMBG5 years from the last transactionTax regulations of RS

9. Changes to the Policy and contact

The Platform may amend this Policy with notice via the Application. For any questions: info@zurogo.com

Open app