PRIVACY POLICY

Chuse — Moldova

Last updated: 16/11/2025

1. General information

This Privacy Policy explains how Chuse SRL, a legal entity registered in the Republic of Moldova, collects, processes and protects the personal data of users of the Chuse mobile application (hereinafter the "Application").

Chuse acts as a Data Controller within the meaning of Law No. 133/2011 on personal data protection and the General Data Protection Regulation (GDPR).

By using the Application, you confirm that you have read and understood this Policy.

2. Data we collect

We collect only the data necessary for the operation of the Application and to fulfill contractual obligations:

2.1. Data provided directly by the user

  • First and last name
  • Phone number
  • Email address
  • Password (encrypted)
  • Information provided in technical support requests

2.2. Automatically generated data

  • Unique user ID
  • Device information (model, operating system)
  • Login and activity data in the Application
  • IP address and access time
  • Usage preference data

2.3. Order-related data

  • Mystery Box reservation history
  • Pickup time
  • Information about the partner restaurant

Note: Chuse does not collect or process banking data. Payments are processed by a licensed third-party operator.

3. Purposes of data processing

The collected data is used exclusively for legitimate purposes:

  1. Creating and managing the user account
  2. Enabling Mystery Box reservations
  3. Transmitting relevant information to partners for the purpose of preparing the order
  4. Preventing fraud and maintaining platform security
  5. Improving the user experience
  6. Customer support
  7. Legal obligations (invoicing, accounting, archiving)
  8. Anonymous statistical analysis

4. Legal basis for processing

We process data in accordance with the legislation of the Republic of Moldova on the basis of:

  • Art. 5 of Law 133/2011 – the user's consent
  • Art. 6 GDPR – performance of the contract with the user
  • Legal obligations – tax and accounting requirements
  • Legitimate interest – preventing abuse and improving the service

5. To whom we transmit data

Data transmission occurs only when necessary for the operation of the service:

5.1. Partner restaurants

We transmit:

  • the user's name
  • the reservation time
  • the order ID

Only for the purpose of preparing and handing over the Mystery Box. Restaurants are not entitled to contact users for any purpose other than fulfilling the order.

5.2. Service providers (processors)

  • hosting services (AWS)
  • licensed payment processors
  • analytics services (in anonymized form)

5.3. State authorities

Only on the basis of an official legal request.

Chuse does not sell, rent or trade users' data.

6. Data storage and security

Data is stored on secure AWS servers, compliant with the standards:

  • ISO 27001
  • GDPR
  • International cybersecurity policies

Protection measures include:

  • end-to-end encryption
  • access monitoring
  • regular backups
  • limiting internal access to authorized personnel only

7. Data retention period

  • Account data → kept as long as the user has an active account
  • Order data → 5 years (Moldovan tax requirements)
  • Technical data → 12 months
  • Support data → 24 months

The user may request account deletion at any time (details in section 10).

8. User rights

In accordance with the legislation of the Republic of Moldova and GDPR, the user has the right:

  1. to access their data
  2. to request the correction of data
  3. to request the deletion of data ("right to be forgotten")
  4. to request the restriction of processing
  5. to request the export of data (portability)
  6. to lodge a complaint with the National Center for Personal Data Protection (CNPDCP)

Requests can be sent to: info@chuse.md

9. Minors

The service is not intended for persons under 16 years of age. We do not intentionally collect data from minors.

10. Account deletion

The user may request account deletion by email or from within the Application.

After deletion:

  • account data is permanently removed
  • order history is kept in accordance with tax and accounting legislation
  • anonymous data is retained exclusively for internal statistics

11. International transfers

Data may be processed in the EU or in other GDPR-compliant countries through the AWS infrastructure. We do not carry out transfers to countries that are unsafe in terms of data protection.

12. Changes to the Policy

Chuse reserves the right to update this Policy. The updated version will be published in the Application, and users will be informed accordingly.

13. Contact

Email: office@chuse.md

Legal address: str. Ștefan cel Mare și Sfânt, nr. 115/1, Chișinău, Chișinău, 2001, Republic of Moldova

Operator: Chuse SRL