Legal

Privacy Policy

Effective date: May 1, 2026  ·  DOO "Appricos"

This Privacy Policy explains how DOO "Appricos" ("ritm", "we", "us", or "our") collects, uses, stores, and transfers personal data when you use the ritm queue management platform available at ritm.cloud and its subdomains (the "Service").

We are committed to protecting your personal data and processing it in accordance with the EU General Data Protection Regulation (GDPR), the Montenegro Law on Personal Data Protection, and other applicable privacy laws. This policy applies to visitors of our website and to business customers ("Operators") who register for and use the Service.

1. Data Controller

The data controller responsible for your personal data is:

DOO "Appricos"
Bulevar Jovana Tomasevica br.19
81000, Podgorica, Montenegro
legal@appricos.com

2. Scope of This Policy

This policy covers personal data we process as a data controller — primarily the data of Operators (businesses and individuals) who create and manage accounts on ritm.

When Operators use the Remote Queue feature and their visitors voluntarily enter contact details, we process that visitor data strictly as a data processor acting on behalf of the Operator, who is the data controller for those individuals. The Operator's own privacy policy governs how visitor data is handled on their end.

For live (in-person) queue sessions, ritm does not collect or process any personal data — visitors are represented solely by anonymous ticket numbers.

3. Data We Collect and Why

3.1 Account and Registration Data

When you create an account we collect your email address, a hashed password, and any organization details you provide. This data is processed on the legal basis of performance of a contract (GDPR Art. 6(1)(b)) — it is necessary to provide you with access to the Service.

3.2 Technical and Usage Data

When you use the Service or visit our website, we automatically collect technical information including your IP address, browser type and version, device type, pages visited, and timestamps. This data is processed on the basis of our legitimate interests (GDPR Art. 6(1)(f)) in ensuring the security, stability, and performance of the Service, and in preventing fraud and abuse.

3.3 Payment Data

Paid subscriptions are handled by Paddle (Paddle.com Market Limited, UK), who acts as the Merchant of Record. When you purchase a paid plan, you provide your payment details directly to Paddle. We receive only a subscription status and a non-sensitive customer reference — we never see or store your card number or full billing information. Paddle is an independent data controller for payment data; please refer to Paddle's Privacy Policy for details.

3.4 Transactional Communications

We use your email address to send transactional messages necessary for the operation of the Service, such as account confirmation, password reset, and subscription-related notifications. We do not send marketing or promotional emails. This processing is based on performance of a contract (GDPR Art. 6(1)(b)).

3.5 Analytics Data

We use Cloudflare Web Analytics to understand how visitors interact with our website (page views, traffic sources, countries, device types, and performance metrics). Cloudflare Web Analytics does not use cookies, does not track individual users across sessions or sites, and collects only aggregated, non-identifiable data. This processing is carried out on the basis of our legitimate interests (GDPR Art. 6(1)(f)) in improving the website and understanding its usage. No cookie consent is required for this analytics method.

4. Remote Queue Visitor Data

When an Operator enables the Remote Queue feature, their visitors may voluntarily submit contact information (such as a phone number or email address) to receive their place-in-queue notifications. In this context:

  • The Operator is the data controller — they determine whether the feature is enabled and what information is requested.
  • ritm is the data processor — we store the contact detail solely for the purpose of dispatching the queue notification.
  • Once the visitor has been served and their session ends, all contact data is permanently and irreversibly deleted from our systems.
  • Queue history retained after that point contains only anonymous ticket numbers used to calculate average waiting times — no personal data is retained.

If you are a visitor who submitted your contact details to a queue managed by an Operator and have questions about how your data was used, please contact the Operator directly.

5. Cookies

We use only essential cookies strictly necessary for the Service to function — for example, to maintain your authenticated session. These cookies do not track you across sites and cannot be disabled without affecting core functionality.

Our website analytics (Cloudflare Web Analytics) are cookieless and do not require any consent. We do not use advertising, profiling, or third-party tracking cookies.

6. Third-Party Service Providers

We share data with the following sub-processors to operate the Service:

Provider Purpose Location
Hetzner Online GmbH Cloud infrastructure and hosting Finland, EU
Paddle.com Market Limited Payment processing (Merchant of Record) United Kingdom
Cloudflare, Inc. CDN, DDoS protection, website delivery, cookieless analytics United States (EU data processing available)

All sub-processors are contractually bound to process data only as instructed and to maintain appropriate technical and organisational security measures.

7. International Data Transfers

Our primary infrastructure is hosted by Hetzner in Finland, within the European Economic Area (EEA). Cloudflare, Inc. is headquartered in the United States; however, Cloudflare Web Analytics processes only aggregated, non-personal data and Cloudflare maintains EU-compliant data processing under Standard Contractual Clauses (SCCs) approved by the European Commission. Paddle is based in the United Kingdom, which the European Commission has recognised as providing an adequate level of data protection.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Account data — retained for the duration of your account. Upon account deletion, personal data is removed within 30 days, except where we are required to retain it longer for legal or accounting obligations.
  • Remote Queue visitor contact data — deleted permanently and immediately upon completion of the visitor's service session.
  • Anonymous queue statistics (ticket numbers only) — retained indefinitely for service quality calculations; these contain no personal data.
  • Technical logs — retained for up to 90 days for security and diagnostic purposes.

9. Your Rights Under GDPR

If you are located in the EEA or a jurisdiction that recognises equivalent rights, you have the following rights regarding your personal data:

  • Right of access — to obtain a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate or incomplete data corrected.
  • Right to erasure ("right to be forgotten") — to request deletion of your data where it is no longer necessary or where you withdraw consent.
  • Right to restriction of processing — to limit how we process your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, machine-readable format.
  • Right to object — to object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at legal@appricos.com. We will respond within 30 days. We may request verification of your identity before processing your request.

10. Right to Lodge a Complaint

If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. You may contact:

  • The Agency for Personal Data Protection and Free Access to Information of Montenegro (azlp.me), or
  • The data protection authority of your EU member state of habitual residence or place of work.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encryption of data in transit (TLS) and at rest, strict access controls, and regular security reviews. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.

12. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us at legal@appricos.com and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify Operators by email. Continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.

14. Contact

For any questions, requests, or concerns about this Privacy Policy or the processing of your personal data, please contact us:

DOO "Appricos"
Bulevar Jovana Tomasevica br.19
81000, Podgorica, Montenegro
legal@appricos.com