Privacy Policy

1. Who We Are

Librack is a library management platform. In this document, "we" refers to the Librack team. We are the data controller responsible for your personal data. For any privacy-related enquiries, please contact us at [email protected].

2. Data We Collect

Account Data

When you register or sign in (including via Google Sign-In), we collect your first name, last name, email address, phone number, and profile photo. You may optionally provide your address, city, and country. Providing your name, email, and phone number is required to use the service; without them, we cannot create your account.

Library Data

Data you create within the platform: books, book copies, loans, reading goals, bookmarks, posts, events, and reactions.

Dependent Profiles

Parents or guardians may create dependent profiles for children who do not have their own email address. This may include the dependent's name, date of birth, phone number, and a PIN for login. Dependent profiles are created and managed exclusively by the parent account holder.

Technical Data

We collect push notification subscription data, your language and theme preferences (stored locally on your device), and standard server logs (IP address, browser type, access timestamps).

3. How We Use Your Data

We use your data to:

• Provide and operate the library management service (legal basis: contract)
• Authenticate your identity and manage your sessions (legal basis: contract)
• Send push notifications about loans and library updates (legal basis: consent)
• Process book cover images for text recognition to assist with cataloguing (legal basis: contract)
• Look up book metadata such as descriptions and cover images (legal basis: contract)
• Maintain security and prevent misuse (legal basis: legitimate interest — protecting users and the platform)

4. Legal Basis for Processing

We process your data based on:

• Contract performance (GDPR Art. 6(1)(b)): to provide the library management service you registered for, including account creation, loan management, and book cataloguing
• Consent (GDPR Art. 6(1)(a)): for push notifications — you can withdraw consent at any time by disabling notifications in your browser settings
• Legitimate interest (GDPR Art. 6(1)(f)): for platform security, fraud prevention, and service improvement — we have assessed that these interests do not override your rights and freedoms

5. Who We Share Data With

We use third-party service providers based in the United States to operate the platform, including infrastructure hosting, authentication, file storage, book cover text recognition, book metadata lookup, and AI-based metadata extraction.

We do not sell your personal data. We do not use your data for advertising. Our use of data received via Google Sign-In complies with Google's Limited Use Requirements.

6. International Data Transfers

Our service providers are based in the United States. These transfers are protected under the EU-US Data Privacy Framework adequacy decision and Standard Contractual Clauses, in compliance with GDPR.

7. Data Retention

We retain your data as follows:

• Account data: retained while your account is active, deleted within 30 days of account deletion
• Library data (books, loans, posts): retained while your account is active, deleted with your account
• Server logs: retained for up to 90 days for security purposes
• Book cover images sent for text recognition: processed in real time and not stored after processing
• Push notification subscriptions: deleted when you disable notifications or delete your account

We may retain data longer if required by law.

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data (Art. 17) — you can delete your account directly in the app
• Restrict processing (Art. 18)
• Data portability (Art. 20) — request a copy of your data in a machine-readable format
• Object to processing (Art. 21)
• Withdraw consent at any time (Art. 7(3)) — withdrawal is as easy as giving consent

To exercise any of these rights, contact us at [email protected]. We will respond within one month.

You also have the right to lodge a complaint with the Romanian Data Protection Authority: Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania — www.dataprotection.ro

9. Cookies and Local Storage

We use strictly necessary authentication cookies to keep you signed in. Duration: 7 days, or 30 days if you select "Remember me". These are essential for the service to function and do not require consent.

Your language preference and theme setting are stored locally on your device and are never sent to our servers.

We do not use analytics, advertising, or tracking cookies.

10. Children's Privacy

Children who have their own email address may create a Librack account. For children who do not have an email address, a parent or guardian may create a dependent profile on their behalf. Dependent profiles are managed exclusively by the parent account holder.

In accordance with GDPR Article 8 and Romanian Law 190/2018, for users under 16 years of age, the parent or guardian is responsible for providing consent for the processing of their child's personal data.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. Book metadata extraction from cover images is used solely to assist with cataloguing and can always be manually corrected.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the platform or by email. Your continued use of Librack after such changes constitutes acceptance of the updated policy.

13. Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights, contact us at [email protected].