GDPR compliance
Last updated: 13 May 2026
This page summarises how mosc applies Regulation (EU) 2016/679 (GDPR) and the Belgian Data Protection Act. For the educational version, see the privacy policy.
1. Data controller
Mathieu Guffens, independent entrepreneur, acts as data controller within the meaning of Article 4.7 of the GDPR.
Contact (single GDPR point of contact): mathieu@mosc.app
In the absence of a designated Data Protection Officer (DPO) — not mandatory for the current structure under Articles 37–39 of the GDPR — Mathieu Guffens acts as the direct point of contact.
2. Processing activities
mosc carries out the following data processing activities:
| Activity | Purpose | Legal basis (Art. 6) | Retention |
|---|---|---|---|
| Account creation and management | Allow user access to the app | Art. 6.1.b — contract performance | Lifetime of account + 30 days after deletion |
| Tracking of added items | Monitor prices and alert on drops | Art. 6.1.b — contract performance | Same |
| Push notifications | Alert on price drops | Art. 6.1.a — consent (iOS/Android setting) | While notifications are enabled |
| Facebook authentication | Alternative sign-in | Art. 6.1.a — consent (at click time) | Lifetime of account |
| Shared item catalogue | Pool price history across users | Art. 6.1.f — legitimate interest | Indefinite (shared data, anonymised with respect to the user) |
| Technical logs (Cloud Functions) | Diagnostics, security, abuse prevention | Art. 6.1.f — legitimate interest | 90 days |
| Contact-form emails (website) | Respond to requests | Art. 6.1.f — legitimate interest | 3 years from last exchange |
3. Categories of data processed
- Identifiers: email, Facebook identifier (if OAuth), FCM token
- Authentication data: password in hashed form only (never plain text, handled by Firebase Auth)
- Preferences: app language, favourite e-shops
- Usage data: list of tracked item URLs (references to a shared catalogue)
mosc does not process any sensitive data within the meaning of Article 9 GDPR (health, ethnic origin, political opinions, etc.).
4. Sub-processors and recipients
Under Article 28 GDPR, mosc relies on the following sub-processors for hosting, authentication and communication:
| Sub-processor | Role | Location |
|---|---|---|
| Google Ireland Ltd (Firebase) | Auth, database, push notifications, cloud functions, hosting | EU (europe-west1) + US (us-central1 for secondary functions) |
| Apple Inc. | App distribution via the App Store | United States |
| Google LLC | App distribution via Google Play | United States |
| Meta Platforms Ireland Ltd | Facebook OAuth (only if enabled) | EU + US |
| Sinch France SAS (Mailjet) | Contact-form email delivery | EU (France) |
Transfers to sub-processors located outside the EEA (United States) are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, as well as the EU–US Data Privacy Framework to which Google, Apple and Meta adhere.
5. Rights of data subjects
You have the following rights (GDPR Articles 15 to 22):
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure or "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to portability (Art. 20) — your data is returned in a structured, machine-readable format
- Right to object (Art. 21) — applicable to processing based on legitimate interest
- Right to withdraw consent at any time (Art. 7.3), without affecting past lawful processing
- Right to define what happens to your data after your death
6. Exercising your rights
To exercise any of these rights, email mathieu@mosc.app, specifying the right invoked and, if needed, attaching a copy of an ID document (used only for verification, not retained).
Response time: 30 days from receipt, per Article 12.3 GDPR. This period may be extended by 2 months for complex requests (you will be notified).
Several rights can be exercised directly in the app:
- Erasure: Settings → Delete my account
- Rectification: Settings → Edit my profile
- Notification consent withdrawal: Settings → Notifications
7. Security of processing
Under Article 32 GDPR, mosc implements the following technical and organisational measures:
- Encryption in transit (TLS 1.2+) for all app-server communication
- Encryption at rest in Firebase (AES-256, managed by Google)
- Passwords stored in hashed form only (algorithm handled by Firebase Auth)
- Data access restricted to the data controller alone (least privilege)
- Secrets (API keys, tokens) stored in secure environment variables, never in source code
- Regular dependency updates to patch known vulnerabilities
8. Cookies and trackers
The mosc-fr.app website uses no audience-measurement cookies, no advertising trackers, and no third-party analytics. No consent banner is needed as no non-essential cookie is placed.
The mobile app does not use cookies (native apps don't need them). The FCM notification token is technically necessary for alert delivery and is purged as soon as the user disables notifications or deletes their account.
9. Data breach
In the event of a data breach that poses a risk to users' rights and freedoms, mosc notifies the competent supervisory authority within 72 hours (Art. 33 GDPR) and informs affected users without delay if the risk is high (Art. 34 GDPR).
10. Changes
This page may be updated to reflect technical or regulatory changes. The update date is shown at the top. Substantial changes will be notified directly in the app.