Summary

Below you will find a very brief summary of how we handle your personal data. If you want more information, you can scroll down for the extended text.

· The 433 App is created and made available by 433 Horizon B.V., Johan Huizingalaan 763A, 1066VH, Amsterdam, the Netherlands. Contact: support@by433.com.

· By using the App we process the following categories of your personal data: identity & contact data, profile data, device data, tracking & attribution data and data processed by our third-party service providers (Airship, Branch, Segment, UXCam, Google Ad Manager).

· By accepting the Terms & Conditions and this Privacy Policy you acknowledge our processing of your personal data as set out below. Some processing relies on your consent (managed via OneTrust); other processing is based on contract performance, legitimate interest or legal obligations. If you're under 16 years of age, you cannot give legally valid consent and need the consent of your parent(s).

· We only pass your personal data on to third parties if this is necessary to provide the technical functionality of the App, or if another legal basis exists. Our main third-party data processors are: Airship (push notifications & CRM messaging), Branch (deep linking & attribution), Segment (customer data platform), UXCam (session recording) and Google Ad Manager (programmatic advertising).

· We have put in place appropriate security measures to prevent your information from being lost, used or accessed in an unauthorised way. If you feel that your Personal Data is not properly secured or there are indications of abuse, do not hesitate to contact us.

· Under certain circumstances, you have rights in relation to your Personal Data, including the right to access, correct, erase and withdraw your consent. Please send a request to: support@by433.com. In case you are unhappy with the way we treat your Personal Data or request, you can complain to the Dutch Data Protection Authority.

1. Applicability

This data privacy policy applies to the 433 App with all content, functions and services. 433 Horizon B.V. has developed and operates the 433 App and acts as data controller for the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR). Please find our contact details below:

433 Horizon B.V.
Johan Huizingalaan 763a
1066VH Amsterdam
The Netherlands

In case you have any questions relating to data protection, please contact us via support@by433.com.

2. Personal Data

We collect, store and transfer broadly the following types of information:

1.  Device Data

Certain information when you use the 433 App that may identify you as an individual, but the purpose of which is to identify the device you use to access our services, such as:

a.  Technical Data, such as your IP-address, time zone setting and location, browser type and version, browsing action, browser plug-in types, operating system, platform and other technologies on the devices you use with the 433 App.

b.  Usage Data: how you use the 433 App.

c.  Device Data: language setting, device model, device operating system version, 433-installed application version.

d.  Aggregated Data, such as statistical or demographic data, which is not considered to be personal data.

e.  Profile Data, such as your interests and preferences based on your activity and your responses to surveys/polls and quizzes.

f.   Social Media Profile: we collect your social media profile details when you connect with the 433 App through your social media account. You may log in using Google, Apple or Facebook. The data received from each provider depends on your account settings and the permissions you grant. Legal basis: consent (Art. 6(1)(a) GDPR).

Google Sign-In: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (EEA users) / Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (all other users). Data received: email address, Google ID, name, profile picture URL. Transfer basis: EU-US Data Privacy Framework (adequacy decision, Art. 45 GDPR). Privacy policy: https://policies.google.com/privacy.

Sign in with Apple: Apple Distribution International Ltd, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland (EEA users) / Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA (all other users). Data received: email address (or Apple Relay address if chosen), Apple ID. Transfer basis: Standard Contractual Clauses (SCCs).

Facebook Login: Meta Platforms Ireland Ltd, Serpentine Avenue, Block J, Dublin 4, Ireland (EEA users) / Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA (all other users). Data received: email address, Facebook ID, name, profile picture and any other public profile information you choose to share. Transfer basis: EU-US Data Privacy Framework (adequacy decision, Art. 45 GDPR). Privacy policy: https://www.facebook.com/privacy/policy/.

g.  Tracking & Attribution Data, including advertising identifiers (IDFA/GAID), deep link click data, install source and campaign attribution data, collected subject to your consent preferences.

2.  Identity Data and Contact Data

We collect information which relates directly to you (such as your username, full name and e-mail address) when you sign up and register.

3.  Profile Data

The data you voluntarily add to your profile during onboarding.

4.  Marketing Data

We collect information in relation to your response to the marketing activities carried out by us, after you have given specific consent, for example for sending you our Newsletter or promotional communications.

3. Legal Bases for Processing

We process your personal data on the following legal bases under Article 6 GDPR, depending on the type of data and purpose:

- Consent (Art. 6(1)(a) GDPR): We rely on your freely given, specific and informed consent for analytics and performance measurement, personalisation and enhanced features, targeted advertising, social media integrations and marketing communications. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

- Contract performance (Art. 6(1)(b) GDPR): We process identity and contact data and essential device data, to the extent necessary to provide the 433 App to you as agreed in our Terms & Conditions.

- Legitimate interest (Art. 6(1)(f) GDPR): We rely on legitimate interest in two situations. First, we may process certain technical data for security, fraud prevention and the integrity of our systems, where our interest in protecting the service does not override your rights. Second, we may process pseudonymous usage data in aggregated form for essential product analytics (limited to first-party, aggregate metrics such as daily active users, retention rates and session counts) where this processing is strictly necessary to operate, maintain and improve the 433 App and does not override your fundamental rights and freedoms. This essential analytics processing is distinct from the more detailed analytics, session recording and performance measurement covered by consent category C0002, which requires your consent. The aggregated metrics produced are not used to profile individual users, are not shared with third parties for their own purposes and are retained only for as long as necessary for the analytical purpose.

- Legal obligation (Art. 6(1)(c) GDPR): We may process your data where required to comply with applicable law, court order, or regulatory requirement.

We manage your consent preferences through OneTrust, our Consent Management Platform. The following consent categories apply:

- C0001 :  Strictly Necessary: Essential for core app functionality and security. Always active; no consent required.

- C0002 :  Performance & Analytics: App usage measurement and product improvement. Requires consent.

- C0003 :  Functional & Personalisation: Enhanced features and personalised experience. Requires consent.

- C0004 :  Targeting: Personalised advertising based on your interests. Requires consent. When disabled, contextual ads only are shown.

- C0005 :  Social Media: Social login and content sharing. Requires consent.

4. Consent and Children

We will ask for separate and specific consent to process your data related to in-app tracking and for our marketing communications. The 433 App is not designed for or intentionally targeted at children 13 years of age or younger. Children under 16 years of age cannot give legally valid consent and need the consent of their parent(s) to download and use the 433 App. To comply with these obligations, we ask users to provide their date of birth when registering. It is not possible for children under 13 years of age to register for the App and children under 16 years of age will be asked for parental consent to register and use the 433 App.
 

5. Third-Party Data Processors

We work with a number of third-party data processors who process personal data on our behalf in order to provide the technical functionality of the App. We have entered into Data Processing Agreements with each of these processors and require them to implement appropriate security and data protection measures. The third-party processors listed below are activated based on your consent preferences (C0002–C0005) and do not process data under the legitimate-interest basis described in  Article 3. Our main processors are:

Airship (Airship Group, Inc.)

- Purpose: Push notifications, in-app messaging and CRM communications.

- Data processed: Push tokens, device identifiers, channel IDs, notification preferences and (where consented) email addresses and mobile phone numbers.

- Consent required: C0003 (Functional & Personalisation) is required before any Channel IDs or device identifiers are sent to Airship. This applies even for push notification setup, as Channel IDs are pseudonymous identifiers under GDPR. Additional consent (C0004) may be required for targeted messaging. A separate, channel-specific opt-in is required for each notification type (push, email, SMS) under GDPR.

- Data location: United States. Transfers are governed by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework as applicable.

Branch (Branch Metrics, Inc.)

- Purpose: Deep linking and mobile attribution.

- Data processed: The volume of data sent to Branch is determined by your consent level and configured using Branch’s Consumer Protection Attribution (CPA) levels. NONE (no consent given): deterministic deep linking only, no attribution data sent; or MINIMAL (C0002: Performance & Analytics accepted):  device IDs and basic analytics, no campaign attribution. NONE is the default initial state under GDPR.

- Data location: United States. Transfers are governed by Standard Contractual Clauses (SCCs).

Segment (Twilio Segment, Inc.)

- Purpose: Customer data platform: event routing and data orchestration between tools in our technology stack.

- Data processed: Behavioural events, identity data and any other data you generate in the App, routed to downstream tools based on your active consent categories (C0003, C0004, C0005). Segment acts as a data processor and routes data only to the tools for which you have given the relevant consent. No data is sold to third parties.

- Data location: United States (with EU-hosted processing available). Transfers are governed by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

UXCam

- Purpose: Session recording and UX analytics to help us understand and improve user experience.

- Data processed: Screen recordings, touch interactions and usage events. Sensitive data (e.g. personal information visible on screen) is masked before transmission.

- Consent required: C0002 (Performance & Analytics).

Google Ad Manager (Google LLC)

- Purpose: Programmatic advertising, serving personalised and contextual ads within the 433 App.

- Data processed: Advertising identifiers, device data and behavioural signals used to serve and measure ads. When targeting consent is not given, contextual ads only are displayed and no personal data is used for ad targeting.

- Consent required: C0004 (Targeting) is sufficient to activate personalised advertising via Google Ad Manager.

- Data location: United States. Transfers are governed by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

We reserve the right to use or disclose personal information to law enforcement, regulatory, or other government agencies where we reasonably believe that use or disclosure is necessary to protect the 433 App’s rights and/or to comply with a judicial proceeding, court order, or legal process.

6. International Data Transfers

Some of our third-party processors are based outside the European Economic Area (EEA), in particular in the United States. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include:

- Standard Contractual Clauses (SCCs) adopted by the European Commission;

- The EU-US Data Privacy Framework, where the recipient is certified;

- Other approved transfer mechanisms as applicable.

You may request a copy of the relevant transfer safeguards by contacting us at support@by433.com.

7. Security and Data Retention

We take appropriate security measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These include internal reviews of our data collection, storage and processing practices, as well as physical and technical security measures to guard against unauthorised access to systems where we store personal data. In the agreements with the third parties we work with, we have agreed the same measures to ensure that their security level is also sufficient to protect your personal data.

In the event of a personal data breach, we will notify the Dutch Data Protection Authority within 72 hours of becoming aware, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for (e.g. providing you access to the 433 App), including for the purpose of satisfying any legal, accounting, or reporting requirements. Where it is no longer necessary to process your personal data, we will delete it or anonymise it. This means, among other things, that we retain your personal data for the time your account is active. Even if you delete the 433 App, for example to install it on a new device, your personal data will remain. If you delete your account, all your personal data will also be deleted automatically.

8. Cookies and Tracking Technologies

The 433 App uses cookies, software development kits (SDKs) and similar tracking technologies to provide and improve the App and to serve relevant content and advertising. These technologies may collect device identifiers, advertising IDs (IDFA on iOS, GAID on Android) and behavioural data. You can manage your preferences for non-essential tracking at any time through the App’s privacy settings, powered by OneTrust. Strictly necessary technologies (C0001) cannot be disabled as they are required for the App to function. Aggregated essential analytics processed on the basis of legitimate interest (see Article 3) do not involve storing or reading information on your device beyond what is strictly necessary for the App to function, and therefore do not require consent under Article 11.7a of the Dutch Telecommunications Act.

9. User Rights

Under the General Data Protection Regulation (GDPR) you may exercise the following rights regarding your personal data processed with the use of the 433 App:

- Withdraw consent: you can withdraw your consent at any time, including through the App’s privacy settings (OneTrust), without affecting the lawfulness of processing based on consent before its withdrawal.

- Access: you have the right to access your personal data and receive information about how it is processed.

- Rectification: if your personal data is incorrect or incomplete, you can ask us to update or correct it.

- Restriction: under certain circumstances you have the right to ask us not to process your data for any purpose other than storing it.

- Erasure (‘Right to be Forgotten’): you can request that we delete your personal data and stop using it, subject to applicable legal obligations.

- Data portability: you have the right to receive your data in a structured, commonly used and machine-readable format and to have it transmitted to another controller.

- Object: you have the right to object to the processing of your data where processing is carried out on the basis of legitimate interest or for direct marketing purposes.

If you have a question about the processing of your personal data, or wish to exercise the above rights, please contact us via support@by433.com. Your requests will be handled free of charge and addressed as soon as possible and always within one month.

If you are not satisfied with the way in which we handle your personal data or related requests, you can also submit a complaint to the Dutch Data Protection Authority via: https://autoriteitpersoonsgegevens.nl.

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in 433 Horizon B.V., or for the purposes of legitimate interests, you may object to such processing by providing a ground related to your particular situation to justify the objection.

10. Legal Information / Version

This Privacy Policy has been prepared based on provisions of relevant privacy and data protection legislation, including the General Data Protection Regulation. Latest update: May 4, 2026.