Privacy Policy
Effective date: 25 March 2026
Ronda (ronda.zone) is operated by Provare Ltd., a company registered in England and Wales. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.
1. Data Controller
The data controller responsible for your personal data is:

Provare Ltd.
Email: dpo@ronda.community
Website: https://ronda.zone

If you have any questions about how we handle your data, please contact us at the email address above.
2. Personal Data We Collect
We collect the following categories of personal data when you use Ronda:
Account Data
Your name, email address, and profile picture. If you sign in with Google OAuth, we receive your name, email, and profile photo from Google. If you register with email and password, we store a securely hashed version of your password.
Incident Report Data
When you submit a theft report, we collect the incident location (latitude/longitude), description, date and time, theft type (bicycle, motorbike, phone, car, or GPS cool-down spot), and any optional details you provide. Your identity as the reporter is stored but never displayed publicly.
Technical Data
We collect hashed IP addresses (never stored in raw form), browser type and version, device type, operating system, and referring website. This data is used for security, rate limiting, and abuse prevention.
Consent Records
We maintain an immutable log of all consent actions you take (e.g. cookie preferences, account creation), including timestamps, to comply with our record-keeping obligations under UK GDPR.
Location Data
If you enable push notifications for nearby safety alerts, we process your approximate location to deliver relevant notifications. We also use location data from incident reports to generate safety heatmaps. We use the Nominatim geocoding service (operated by OpenStreetMap) to convert addresses to coordinates.
3. Legal Basis for Processing
Under UK GDPR Article 6, we process your personal data on the following legal bases:
4. How We Use Your Data
We use your personal data for the following purposes:
- Displaying incident reports on the interactive map (without revealing reporter identity)
- Generating safety scores, risk heatmaps, and hotspot areas for community awareness
- Sending push notifications about nearby incidents (if you opt in)
- Moderating content to enforce our anti-discrimination policy and prevent false reports
- Detecting and preventing abuse, including duplicate reports (within 200m / 7 days), area flooding (max 5 reports per user per 2km area per day), and rate limiting (10 reports per 60 seconds per IP)
- Corroborating community reports with official police data where available
- Logging anonymised data improvements to our public Data Log
- Improving the platform based on aggregated usage patterns
- Communicating with you about your account or material changes to our policies
5. Who We Share Data With
We do not sell your personal data to anyone. Incident report locations, types, and descriptions are displayed publicly on the map, but the reporter's identity is never shown. Your identity is available only to Ronda moderators and, where required by a valid legal request, to law enforcement authorities. Anonymised and aggregated incident data (with no personal identifiers) may be shared with researchers, local authorities, or community safety organisations for public safety purposes. We share data with the third-party service providers described in Section 6 below, solely for the purposes of operating the platform.
6. Third-Party Services
We use the following third-party services to operate Ronda. Each processes data as described below:
Google (OAuth & AdSense)
Google OAuth is used for account sign-in. When you sign in with Google, we receive your name, email, and profile picture. Google AdSense is used to display advertisements on the platform. AdSense may set cookies and collect browsing data to serve personalised ads. You can manage ad personalisation at Google's Ad Settings. Google's privacy policy: https://policies.google.com/privacy
OpenStreetMap / Nominatim
We use OpenStreetMap tiles to render our interactive maps and the Nominatim geocoding service to convert addresses to geographic coordinates. These requests may include location queries and your IP address. OpenStreetMap's privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy
Supabase (Database Hosting)
Our database is hosted on Supabase (PostgreSQL with PostGIS for geographic data). All incident and account data is stored in Supabase's infrastructure. Supabase applies row-level security (RLS) to restrict data access. Supabase's privacy policy: https://supabase.com/privacy
Vercel (Application Hosting)
The Ronda web application is hosted on Vercel. Vercel processes HTTP requests including IP addresses and request metadata. Vercel's privacy policy: https://vercel.com/legal/privacy-policy
7. Data Retention
We retain your data for the following periods:
- Account data: retained for as long as your account is active. If you do not log in for 24 months, we may contact you before deleting inactive account data.
- Personal data after deletion request: erased within 30 days of your request.
- Anonymised incident reports: retained indefinitely for public safety purposes. Once anonymised, this data can no longer be linked to you.
- Consent logs: retained for 5 years after the consent action to meet our UK GDPR record-keeping obligations.
- Technical logs (hashed IPs, rate-limit data): retained for 90 days, then automatically purged.
- Push notification subscriptions: retained until you unsubscribe or delete your account.
8. Cookies
Cookies are small text files stored on your device. We use the following types of cookies:
Essential Cookies
Required for the website to function. These include session cookies for authentication (NextAuth session token), locale preference, cookie consent preferences, and CSRF protection tokens. These cannot be disabled.
Analytics Cookies
Help us understand how visitors use the site, including page views and navigation patterns. These are only set if you consent via the cookie banner.
Marketing / Advertising Cookies
Set by Google AdSense to serve relevant advertisements. These cookies may track your browsing activity across websites. You can opt out via the cookie banner or through Google's Ad Settings.
You can manage your cookie preferences at any time using the cookie banner, which is accessible from the bottom of any page. You can also clear cookies through your browser settings. Rejecting non-essential cookies will not affect the core functionality of Ronda.
9. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation, you have the following rights regarding your personal data. These rights apply to all personal data we hold about you.
- Right of Access (Article 15) — You can request a copy of all personal data we hold about you. Use the 'Export Data' feature in your Account Settings to download your data in JSON format instantly.
- Right to Rectification (Article 16) — You can correct inaccurate personal data at any time by editing your profile in Account Settings, or by contacting us.
- Right to Erasure (Article 17) — You can request deletion of your account and all associated personal data from Account Settings. Deletion is completed within 30 days. Anonymised incident data may be retained for public safety.
- Right to Data Portability (Article 20) — You can export your data in a structured, machine-readable JSON format from Account Settings.
- Right to Restrict Processing (Article 18) — You can request that we limit how we process your data in certain circumstances, for example while we verify the accuracy of your data.
- Right to Object (Article 21) — You can object to processing based on legitimate interest. We will stop processing unless we can demonstrate compelling legitimate grounds.
- Right to Withdraw Consent — Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, visit your Account Settings page at /account, or contact us at dpo@ronda.community. We will respond to your request within 30 days. If we need more time, we will inform you within the initial 30-day period.
10. Data Security
We take the security of your data seriously and implement the following measures:
- All data in transit is encrypted using TLS/HTTPS.
- IP addresses are cryptographically hashed before storage — we never store raw IP addresses.
- Passwords (for email/password accounts) are securely hashed using industry-standard algorithms.
- Our database uses row-level security (RLS) policies to ensure users can only access data they are authorised to see.
- We apply rate limiting and flood protection to prevent abuse of the reporting system.
- Content filtering automatically flags reports containing discriminatory language.
- Security headers (Content Security Policy, HSTS, X-Frame-Options) protect against common web attacks.

While no system can guarantee absolute security, we regularly review our security practices and respond promptly to any identified vulnerabilities.
11. International Data Transfers
Ronda is operated by Provare Ltd., a UK company. Our hosting providers Supabase and Vercel may process data in data centres located outside the United Kingdom, including in the United States and the European Economic Area. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner.
- Adequacy decisions where the UK government has determined that a country provides an adequate level of data protection.
- Contractual commitments from our service providers to protect your data to UK GDPR standards.
12. Children's Data
Ronda is not intended for use by anyone under the age of 13. We do not knowingly collect personal data from children under 13. If you are between 13 and 18, you should review this privacy policy with a parent or guardian. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that data as soon as possible. If you believe a child under 13 has provided us with personal data, please contact us at dpo@ronda.community.
13. Anonymised Data Licence
By submitting incident reports to Ronda, you grant Provare Ltd. a non-exclusive, worldwide, royalty-free licence to use, display, and distribute the anonymised incident data (with all personal identifiers removed) as part of the community safety dataset. This is a licence, not a transfer of ownership. You retain all rights over your personal data under UK GDPR, including the right to request deletion at any time. Anonymised data that can no longer be linked to you is not considered personal data and may be retained after account deletion. We do not claim ownership of your personal data. We do not sell personal data to third parties.
14. Contact Us
For any questions about this privacy policy, your personal data, or to exercise your data protection rights, please contact our Data Protection Officer:

Email: dpo@ronda.community
Website: https://ronda.zone
Provare Ltd.
England and Wales
15. Complaints and Supervisory Authority
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/

We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us at dpo@ronda.community first.
16. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. For material changes, we will notify registered users by email before the changes take effect. The updated policy will be posted on this page with a new effective date. We encourage you to review this page periodically. Your continued use of Ronda after changes are published constitutes acceptance of the updated policy.