Privacy Policy

nerapo — Privacy Policy

Effective date: 01 May 2026
Last updated: 29 May 2026

1. Introduction

1.1. This Privacy Policy explains how MOVING RECORDS SRL ("nerapo", "we", "us", "our") collects, uses, shares and protects personal data.

We are:

MOVING RECORDS SRL

Sole-shareholder limited liability company incorporated in Romania

  • Trade Register no.: J1/790/2016
  • Sole registration code (CUI): 36516097
  • EU intra-Community VAT ID: RO48113896 (Art. 317 — used for reverse-charge on cross-border purchases only; Romanian VAT status = not registered for VAT for sales output, Art. 310)
  • Registered office: Str. Vasile Alecsandri nr. 76, Alba Iulia, Alba County, Romania, 510201
  • Contact e-mail: [email protected]

1.2. nerapo is a white-label mobile-app platform for radio and audio brands. It lets a business or individual (the "Customer") build, configure and publish their own branded iOS and Android applications, without writing code, through an online dashboard.

1.3. This Policy should be read together with the nerapo Terms and Conditions (the "Terms"), the nerapo Data Processing Agreement (the "DPA") and the nerapo Cookie Policy, which it cross-references. Capitalised terms not defined here have the meaning given to them in the Terms.

2. Scope — and the two different roles nerapo plays

This Policy covers the personal data nerapo handles as a data controller — that is, where nerapo decides why and how the data is processed. In practice that means:

  • the nerapo website (nerapo.app) and its marketing pages;
  • the nerapo dashboard, where Customers register, sign in and configure their app;
  • the nerapo demo, the free no-signup sandbox;
  • communications between you and nerapo (e.g. support e-mail).

It is important to distinguish two roles:

| Role | Whose data | Who is the controller | Document |
|---|---|---|---|
| nerapo as controller | the Customer's own nerapo account, billing and configuration data | nerapo | this Privacy Policy |
| nerapo as processor | data about End Users of the Customer's published app | the Customer | the DPA |

This Privacy Policy is about the first role. Data relating to the End Users of an app built with nerapo (the listeners who download a Customer's app) is processed by nerapo only on the Customer's behalf and on the Customer's instructions; for that data the Customer is the controller, and the processing is governed by the DPA, not by this Policy. Section 7 below summarises it and points to the DPA.

3. The personal data we collect as a controller

We practise data minimisation: we collect only what we need to operate the Service. As a controller, nerapo processes the following.

3.1. Account data

When you register a nerapo Account and use the dashboard, we collect and store:

  • your e-mail address;
  • hashed password — your password is stored only in a securely hashed form; we never store or see it in readable form;
  • your name and, optionally, your company name;
  • account-lifecycle data: e-mail-verification and password-reset tokens, last login time, account status, and scheduled-deletion and payment-failure records;
  • timestamps (account creation and updates).

3.2. Subscription and billing data

When you subscribe to a paid Plan:

  • your payment is processed by Stripe. You enter your card details, billing name, billing address, country and any tax/VAT identifier directly on Stripe's secure checkout pages. nerapo never receives, sees or stores your full card number, and does not store your billing address in its own database — that information is entered into, and held by, Stripe.
  • In nerapo's own database we store only: your Plan, billing cycle and billing mode; your subscription status and dates; and the customer and subscription identifiers assigned by Stripe.
  • To issue your fiscal invoice, the billing name, address, country, e-mail and any VAT identifier you entered at Stripe checkout are used by our invoicing provider (Oblio) to prepare the invoice and, where legally required, to report it to the Romanian tax authority (ANAF).

3.3. Configuration and integration settings

The dashboard lets you enter settings that connect your app to your own third-party accounts. These are stored against your app so the platform can build and operate it. They are generally technical identifiers and credentials, not personal data, but you should know they are stored:

  • Push notifications (OneSignal): your OneSignal App ID and OneSignal REST API Key (see Section 6);
  • Sign-in (Apple / Google): your Apple Sign In bundle identifier, the Apple/Google sign-in toggles, and your Google web client ID (see Section 5);
  • Advertising (Google AdMob): your AdMob app ID, banner ID and interstitial ID (see Section 5);
  • App-store billing: your in-app-purchase product IDs for iOS and Android;
  • Customer Content: radio stream URLs, podcast and RSS feed URLs, news feeds, audio, episodes, images, logos, artwork, banners, text, custom HTML/JavaScript views, branding and schedules.

The OneSignal REST API Key is a secret credential. We treat it as confidential, store it for the sole purpose of relaying your push-notification requests to OneSignal, and do not disclose it. You can change or remove it at any time in the dashboard.

3.4. Demo data

The demo is a free, temporary sandbox that requires no signup, no payment and no account. A demo session is identified by a session cookie (see the Cookie Policy) and everything created in it — together with the whole demo session — is automatically and permanently deleted about 12 hours after it is created. To prevent abuse, we apply rate-limiting: we read the visitor's IP address and User-Agent string and store only a combined one-way hash of them as a short-lived counter; the raw IP address and the raw User-Agent are not stored for the demo.

3.5. Technical and log data

Like any online service, our hosting and security infrastructure (including Cloudflare) automatically processes technical data needed to deliver and protect the Service — for example IP address, browser type, request times, pages requested and security events. This is used for delivery, security and diagnostics. Such technical logs are retained only for the period necessary for these purposes and are then automatically rotated out by the respective infrastructure providers in line with their standard retention practices.

3.6. Communications

If you contact us (for example by e-mailing [email protected]), we process the content of your message and your contact details in order to respond and to keep a record of the matter.

3.7. Customer action audit log

We maintain an internal append-only log of changes to critical app configuration initiated by Customers or by nerapo operators — specifically, registrations, resets, and per-platform overrides of the mobile application identifier (iOS Bundle ID, Android Package Name). Each entry records: the email of the Customer or nerapo operator who initiated the action, the action performed, the previous and new values, the action timestamp, the User-Agent and the IP address of the originating request. End-User device IP addresses and User-Agents are not recorded in this log — it captures only Customer (account-holder) and internal operator activity, never End-User device activity. A copy of each entry is mirrored as off-site backup to Cloudflare R2, under a per-Customer key prefix so that data-subject access or erasure requests can be fulfilled in a single targeted operation. This log is retained after account deletion for 3 years (the general civil-claims limitation period under Romanian law), to establish, exercise or defend legal claims (Article 17(3)(e) GDPR), then deleted.

3.8. Marketing-website analytics and advertising trackers

The nerapo marketing website (nerapo.app) uses third-party analytics, advertising and conversion-tracking technologies to measure performance, understand visitor behaviour and run advertising campaigns. These currently include Google services (such as Google Analytics, Google Ads and Google Site Kit), the Meta (Facebook/Instagram) pixel, the TikTok pixel, and embedded media (such as YouTube). The current list of trackers, the data each one collects, and the controls available to you are set out in the Cookie Policy.

These trackers are loaded only after you give consent through our consent-management banner (Complianz). You can change or withdraw your consent at any time from the cookie-settings link in the website footer.

The nerapo dashboard (the authenticated workspace where Customers manage their apps) does not use third-party advertising or behavioural-profiling trackers — those apply only to the public marketing website.

nerapo does not sell personal data, and does not make decisions about you by solely automated means that produce legal or similarly significant effects. We do not process special categories of personal data (Article 9 GDPR).

4. Why we process your data, and our legal bases

| Purpose | Legal basis (GDPR Article 6) |
|---|---|
| Creating and running your Account; providing the dashboard and the Service; building and operating your app | Performance of a contract with you — Art. 6(1)(b) |
| Processing payments and managing subscriptions | Performance of a contract — Art. 6(1)(b) |
| Issuing fiscal invoices and meeting accounting and tax obligations | Legal obligation — Art. 6(1)(c) |
| Securing the Service; preventing fraud and abuse; demo rate-limiting; diagnosing and improving the Service | Our legitimate interests in a secure, reliable, improving Service — Art. 6(1)(f) |
| Responding to your enquiries and support requests | Contract and/or legitimate interests — Art. 6(1)(b)/(f) |
| Sending service and transactional e-mails (e.g. e-mail verification, password reset, billing notices, material changes to the Terms or this Policy) | Contract and legal obligation — Art. 6(1)(b)/(c) |
| Sending optional marketing e-mails (newsletters, product announcements, promotions). You give consent by ticking the dedicated opt-in at signup or by enabling it later in your account settings. You can withdraw consent at any time, either from your account settings or via the unsubscribe link in every marketing e-mail. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, and does not affect service or transactional e-mails. | Consent — Art. 6(1)(a) |

Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms. You may object to such processing (see Section 11).

5. Sign-in and advertising integrations

5.1. Apple Sign In and Google Sign-In. A Customer may enable Apple and/or Google sign-in for the End Users of their app. To support this, the Customer enters in the dashboard their Apple Sign In bundle identifier and/or Google web client ID. nerapo uses these identifiers to verify the sign-in tokens that End Users present when they log in. When an End User signs in, the identifier returned by the provider (an e-mail address, or the Apple/Google "subject" identifier) is immediately converted into a one-way SHA-256 token and only that token is stored; the raw e-mail address and raw sign-in identifier are never stored. This End-User processing is covered by the DPA (see Section 7).

5.2. Google AdMob. A Customer may enable in-app advertising. Advertising is served through the Customer's own AdMob account, using the AdMob identifiers the Customer enters in the dashboard. nerapo only stores those identifiers and delivers them to the published app — the AdMob App ID is baked into the app at ZIP download time (Info.plist on iOS, AndroidManifest.xml on Android), while the Banner and Interstitial Unit IDs are delivered live via config refresh; nerapo does not operate the AdMob account and does not receive advertising or End-User data from AdMob. Any data collected by AdMob in the published app is governed by Google's terms and by the Customer's own privacy policy.

6. Push notifications via OneSignal

6.1. nerapo's push-notification feature works through OneSignal, but on the Customer's own OneSignal account — not nerapo's.

6.2. In the nerapo dashboard, a Customer enters only two values from their own OneSignal account: the OneSignal App ID and the OneSignal REST API Key. nerapo stores these so that, when the Customer sends a push notification from the dashboard, nerapo can relay that request (the App ID, the notification title and the message) to OneSignal's API on the Customer's behalf. nerapo records the identifier OneSignal returns for the message.

6.3. End-User push tokens, device identifiers and subscription data are held by OneSignal under the Customer's account — nerapo does not collect or store them. The processing of End-User data for push notifications is therefore governed by the Customer's own agreement with OneSignal and the Customer's own privacy policy, and by OneSignal's privacy policy. The Customer is responsible for disclosing its use of OneSignal to its End Users and for any consent required.

6.4. The REST API Key is a secret credential; see Section 3.3.

7. End-User data — nerapo acts only as a processor

7.1. Data about the End Users of an app published with nerapo (the people who download and use a Customer's app) is not governed by this Privacy Policy. For that data the Customer is the controller and nerapo is the processor, acting only on the Customer's instructions.

7.2. The platform is designed to be privacy-minimal for End Users. End Users authenticate exclusively through Apple Sign In (on iOS) and Google Sign-In (on Android); no password is stored for End Users. For End Users nerapo processes only: a pseudonymous SHA-256 identifier (derived from the Apple/Google sign-in identifier — the raw value is never stored); an optional display name; and the End User's favourites, self-added podcast RSS feeds and playback position. nerapo does not store End Users' raw e-mail addresses, raw social-login identifiers, device identifiers, push tokens, IP addresses, location or payment data.

7.3. The full, code-verified description of End-User data and the safeguards that apply to it is set out in the nerapo Data Processing Agreement (DPA). If you are an End User of an app and wish to exercise your rights, please contact the Customer whose app you use — they are the controller of your data. If you contact nerapo directly, we will refer you to that Customer.

8. Who we share data with — sub-processors and recipients

We do not sell personal data. We share data only with the service providers needed to operate the Service, and only to the extent each needs. Each is bound by appropriate contractual data-protection obligations.

| Recipient | What it does | What it receives |
|---|---|---|
| Stripe | Payment processing | Card and billing data you enter at checkout; subscription data |
| Oblio (Romanian invoicing provider) | Preparation of fiscal invoices and, where required, reporting to the Romanian tax authority (ANAF) | The billing identity (name, address, country, e-mail, VAT ID) associated with each invoice |
| OneSignal | Delivery of push notifications, under the Customer's own OneSignal account | Push requests relayed on the Customer's behalf (see Section 6) |
| Cloudflare | (1) Content-delivery network and security / WAF layer in front of the Service; (2) Cloudflare R2 object storage, used to hold an off-site backup copy of consent records and account snapshots (see Section 10) | Technical request data (IP address, request metadata, security signals); and the backup data described in Section 10 |
| Zenith Technology | Hosting and storage of the platform and its database; and sending nerapo's service e-mails | All data stored by the Service; recipient e-mail address and message content. Location: Romania (EEA) |
| GitHub | Hosting of the application build pipeline that assembles Customer mobile apps from the Customer's own configuration | The configuration data the Customer enters in the dashboard (logos, bundle ID, branding and similar build inputs) |

We may also disclose data where we are legally required to (for example to a competent authority under a valid legal request), or to establish, exercise or defend legal claims, or in connection with a merger, acquisition or sale of assets (on notice to you, as stated in the Terms).

We will keep this list current. The list of sub-processors that handle End-User data is maintained separately in Schedule 2 of the DPA.

9. International transfers

9.1. nerapo's primary hosting and database are located in Romania (European Economic Area), through Zenith Technology. Invoicing through Oblio is also performed within Romania.

9.2. Some of the service providers listed in Section 8 are established outside the EEA, including in the United States (notably Stripe, Cloudflare, GitHub and OneSignal). When personal data is transferred to or accessed from these providers in a country outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), or another appropriate transfer mechanism recognised under the GDPR (such as an adequacy decision of the European Commission, where one applies). These safeguards are incorporated into the standard data processing agreements published by each provider, which are available on their respective websites.

9.3. For transfers of End-User Personal Data, the applicable safeguards are described in the nerapo DPA.

10. How long we keep data

We keep personal data only as long as needed for the purpose it was collected, and then delete or anonymise it. Key retention periods built into the platform:

| Data | Retention |
|---|---|
| Demo sessions and all demo content | Deleted automatically ~12 hours after creation |
| Demo rate-limiting record (hashed IP counter) | Short sliding window, then expires automatically |
| Closed Account and its Customer Content | Deleted after a ~15-day grace window (during which closure can be reversed) |
| Archived / unmaintained app and its content | Deleted after a ~30-day grace window |
| Password-reset token | 1 hour |
| E-mail-verification token | 24 hours |
| Server / security logs | Retained only for as long as needed for delivery, security and diagnostics, in line with the standard retention practices of our hosting and CDN providers |
| Invoices and billing / accounting records | Retained after account deletion for 10 years from the end of the financial year in which they were issued, as required by Romanian accounting and tax law (Article 6(1)(c) GDPR) |
| Consent and acceptance records, and the legal-notice e-mail log | Retained after account deletion for 3 years (the general civil-claims limitation period under Romanian law), to establish, exercise or defend legal claims (Article 17(3)(e) GDPR), then deleted |
| Customer action audit log (mobile application identifier changes) | Retained after account deletion for 3 years (the general civil-claims limitation period under Romanian law), to establish, exercise or defend legal claims (Article 17(3)(e) GDPR), then deleted from both the primary database and the off-site backup |

We also keep an off-site backup copy of consent records and account snapshots with Cloudflare R2 (see Section 8). Backup copies are deleted in line with the periods above; when a record is deleted or anonymised, it is also removed from the backup once that record's retention period ends.

When an app is discontinued, a minimal technical record (its identifier and a "no longer available" message) may be kept so that the published app can show that message to End Users instead of failing.

11. Your rights

11.1. Under the GDPR and applicable data-protection law, you have the right to:

  • access the personal data we hold about you, and obtain a copy;
  • request rectification of inaccurate or incomplete data;
  • request erasure of your data ("right to be forgotten"), where applicable;
  • request restriction of processing, where applicable;
  • object to processing based on our legitimate interests;
  • data portability — receive certain data in a structured, commonly used, machine-readable format;
  • withdraw consent at any time, where processing is based on consent (without affecting processing already carried out);
  • lodge a complaint with a supervisory authority (see Section 14).

11.2. To exercise any of these rights, contact us at [email protected]. We will respond within the time limits set by law (normally one month). We may need to verify your identity first.

11.3. What happens when you ask us to erase your data. When you close your account, or ask us to erase your personal data, we delete your operational account data — your name, e-mail, hashed password, company name, account tokens, and the Customer Content in your account. The right to erasure is, however, not absolute: the law requires us to keep a limited set of records even after erasure —

  • Invoices and accounting records — we are legally obliged to keep these for the period set by Romanian accounting and tax law (Art. 6(1)(c) and Art. 17(3)(b) GDPR).
  • Consent and acceptance records — the record that you accepted the Terms, this Policy and, at checkout, the immediate-performance acknowledgment — and the log of legal-notice e-mails we sent you. We keep these so we can establish, exercise or defend legal claims (Art. 17(3)(e) GDPR), for as long as such a claim could be brought, and then delete them.
  • Customer action audit log — the record of changes to your mobile application identifier (registrations, resets, per-platform overrides). We keep this so we can establish, exercise or defend legal claims (Art. 17(3)(e) GDPR), for as long as such a claim could be brought, and then delete it.

We keep only these limited records, only for as long as the law allows or requires, and they are then deleted from our systems and from our backups. Everything else is deleted.

11.4. End Users of an app built with nerapo should address their requests to the Customer whose app they use, as that Customer is the controller of their data (see Section 7).

12. Security

We implement appropriate technical and organisational measures to protect personal data, including: passwords stored only as secure hashes; End-User identifiers stored only as irreversible SHA-256 tokens; encryption in transit (HTTPS/TLS); a content-delivery and security layer with a web application firewall (Cloudflare); restricted, authenticated administrative access; logical isolation of each Customer's data; and routine software maintenance and backups. No system can be guaranteed perfectly secure, but we work to protect your data and will notify you and the competent authority of a personal-data breach where the law requires. The security measures applying specifically to End-User data are detailed in Schedule 3 of the DPA.

13. Children

The nerapo Service (the website, dashboard and demo) is intended for businesses and adults and is not directed to children. You must be at least 18 years old to register a nerapo Account. We do not knowingly collect personal data from children through the Service. Apps built with nerapo are published by Customers under their own developer accounts; ensuring an app and its audience comply with children's-privacy and age-rating rules is the Customer's responsibility.

14. Complaints and the supervisory authority

If you believe we have not handled your personal data properly, please contact us first at [email protected] — we would always prefer to resolve the matter directly. You also have the right to lodge a complaint with a data protection supervisory authority.

In Romania, the competent authority is:

Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest, Romania
Website: www.dataprotection.ro

If you are in another EEA country, you may also complain to the supervisory authority of your country of residence or workplace.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make a material change, we will give reasonable advance notice — for example by e-mail or through the dashboard — before it takes effect. The "Last updated" date at the top of this Policy always shows when it was last revised. Continued use of the Service after a change takes effect means you have read the updated Policy.

16. Contact

For any question about this Privacy Policy or about how we handle personal data:

MOVING RECORDS SRL (nerapo)
Str. Vasile Alecsandri nr. 76, Alba Iulia, Alba County, Romania, 510201
Trade Register: J1/790/2016 — CUI: 36516097 — VAT ID: RO48113896
E-mail: [email protected]

nerapo is not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, as it does not carry out large-scale processing of special categories of personal data, large-scale systematic monitoring of individuals, or processing as a public authority. For any data-protection question, please use the contact details above.