Limited-time offer Use this code at checkout.
25% off First purchase only · Ends Aug 1, 2026Ends Aug 1 Get started

nerapo App – Privacy Policy

nerapo App — Privacy Policy

Effective date: 23 May 2026

Last updated: 23 May 2026

1. Who we are

This Privacy Policy explains how SC MOVING RECORDS SRL ("we", "us", "our", or "nerapo") collects, uses, shares and protects personal data when you use the nerapo mobile application for iOS and Android (the "App").

SC MOVING RECORDS SRL

  • Legal form: Sole-shareholder limited liability company
  • Registered office: Str. Vasile Alecsandri nr. 76, Alba Iulia, Alba County, Romania, 510201
  • Trade Register no.: J1/790/2016
  • Sole registration code (CUI): 36516097
  • VAT ID: RO48113896
  • Contact e-mail: [email protected]
  • Website: https://nerapo.com

2. About the App

nerapo is a mobile application that lets you listen to live radio streams, on-demand podcasts and other audio content we publish, receive notifications about new content and station news, and (where you choose to sign in) keep your favourites and listening history across devices.

This App is also our showcase product: it is built on the same white-label nerapo platform that we offer to broadcasters, creators, and organisations through our software-as-a-service. Anything you experience in this App is what our Customers can build for their own audiences.

This Policy covers the data we collect about you through the App. It does not cover:

  • the websites of radio stations whose streams you may listen to inside the App (each station operates its own stream and may have its own policy);
  • the practices of the App Store (Apple) or Google Play (Google) — installing and updating the App from those stores is governed by their respective policies;
  • our own corporate website nerapo.com, which is covered by a separate Privacy Policy.

3. The personal data we collect

We practise data minimisation: we collect only what the App needs to function and what you choose to give us. Categories below are organised by how the data enters the App.

3.1. Information collected automatically when you install or open the App

These are technical signals the App needs to deliver content and operate reliably. None of them identifies you by name.

  • Anonymous app instance identifier — a random API key issued by our back-end the first time the App connects. It identifies the App installation, not you, and lets the back-end serve you the right configuration and content.
  • Bundle / package identifier — the App's own identifier, sent so the back-end can validate the App on first launch.
  • Device language and time zone — read from the operating system so the App displays in the right language and shows the schedule in local time.
  • IP address — temporarily visible to our back-end and to our hosting provider for the duration of each request, for security, anti-abuse and audit-log purposes. We do not build long-term profiles from IPs.
  • Operating system version, device model and App version — included in request headers for compatibility diagnostics.

3.2. Push notification data

If you allow notifications when the App asks, the App registers with the relevant push service of your operating system to receive them.

  • On iOS, this uses the Apple Push Notification service ("APNs").
  • On Android, this uses Firebase Cloud Messaging ("FCM") operated by Google.
  • The App uses OneSignal (operated by OneSignal, Inc., USA) as the push delivery platform on top of APNs / FCM.

The push token (a long opaque string), your push opt-in state, your device's operating-system family, language and time zone are sent to OneSignal so we can deliver notifications targeted to your language and region. The token identifies the device, not you personally.

You can turn notifications off at any time in your device's system settings for the App. Doing so revokes the push token; nothing further is delivered.

3.3. Account data — only if you choose to sign in

The App offers optional sign-in via Apple, Google or e-mail. If you choose to sign in, we collect:

  • the e-mail address associated with your sign-in (which, for Sign in with Apple, may be a private relay address chosen by Apple — that is fine, delivery works either way);
  • the display name you chose to share at sign-in;
  • the public sub-identifier issued by the sign-in provider (Apple sub, Google sub).

Important — what we actually store on our back-end: for End Users of this App, we do not keep your raw e-mail address or your raw sign-in identifier. The identifier returned by the provider (e-mail, or the Apple/Google sub) is immediately converted into a one-way SHA-256 token, and only that token is stored. The original e-mail or sub cannot be recovered from the token. For e-mail/password sign-ups, only a bcrypt password hash is stored; we never see or store your password in readable form.

Signing in is optional. You can browse and listen anonymously without ever creating an account. We only ask for sign-in if you want to sync favourites across devices, manage a subscription you bought, or use features that require identifying you.

3.4. Listening and favourites data

The App keeps a local record on your device of:

  • the stations / shows / episodes you have marked as favourites;
  • your playback position on episodes you started but haven't finished;
  • your audio-quality, theme and language preferences inside the App.

By default this stays on your device and never leaves it. If you have chosen to sign in (Section 3.3), the same data can be synchronised to our back-end so it follows you to other devices on which you sign in with the same account. You can stop syncing at any time by signing out; doing so also removes the synchronised copy from our back-end on request (see Section 8 — Your rights).

3.5. User-added content (RSS feeds)

The App allows you to add your own podcast RSS feed URLs as a Pro feature. We store the URLs you submitted so they can be loaded the next time you open the App. We do not analyse the content of the feeds; we only fetch and display them. The URLs may be synchronised across your devices if you are signed in (Section 3.4).

3.6. Subscription and purchase data

If you purchase a subscription or other paid feature inside the App:

  • The payment itself happens inside Apple's App Store or Google Play and is governed by their terms and privacy policies. We never see your payment card or bank details.
  • We receive from the store a transaction receipt — the platform's internal identifier, the product purchased, the purchase date, and the current subscription / refund state. We forward that receipt to our back-end to validate it and unlock the corresponding paid features for your account.
  • If you signed in (Section 3.3), we link the validated entitlement to your account so it follows you across devices. If you did not sign in, the entitlement lives on the device only.

We do not have access to your payment method. Refunds and cancellations are handled by the store you bought from; we honour the entitlement state the store reports to us.

3.7. In-app advertising (free tier only)

If you are using the App on the free tier, the App displays advertisements served by Google AdMob(operated by Google LLC). To do so:

AdMob may read your device's advertising identifier (IDFA on iOS, Android Advertising ID on Android), only after you grant the system-level App Tracking Transparency permission on iOS, or where it is permitted in your jurisdiction on Android;

AdMob may collect data about ads shown and interacted with, for ad fraud detection, frequency capping and aggregate reporting;

on iOS, if you decline App Tracking Transparency, AdMob serves non-personalised ads only;

if you hold an active Premium subscription that includes ad-free access, the App does not initialise AdMob at all for you.

Google AdMob processes this data as an independent controller for its own purposes under Google's own privacy policy, available at https://policies.google.com/privacy.

3.8. Offline downloads

The App allows you to download audio content (episodes, audiobooks) for offline listening. Downloaded files are stored locally on your device in the App's private storage and are not transmitted back to us. You can remove downloaded content at any time from within the App. Uninstalling the App removes all downloaded content.

3.9. What we do NOT collect

We do not include Firebase Analytics, Mixpanel, Amplitude, or any other in-app analytics SDK. Google's google-services.json file is present in the Android build solely to enable Firebase Cloud Messaging (push notifications); no analytics data is collected.

We do not access your microphone, camera, contacts, photos, calendar, health or fitness data, precise or approximate location, or SMS — the App does not ask for any of those permissions.

We do not record what you say or hear; we stream audio FROM the radio station TO you, not the other way around.

We do not link your listening to your real-world identity unless you have signed in (Section 3.3), and even then only via the SHA-256 token described above.

We do not sell your personal data, ever.

4. How and why we use your data

4.1. Purposes and legal bases (GDPR Art. 6)

What we doWhyLegal basis
Deliver audio streams and configuration to the AppTo make the App work as you expectContract (Art. 6(1)(b)) — the Terms you accepted
Send push notifications you opted in forTo inform you about new content, station news, live eventsConsent (Art. 6(1)(a)) — your in-App opt-in
Maintain your account (if you signed in)To keep your sign-in working across sessionsContract (Art. 6(1)(b))
Sync favourites, playback position and user-added feeds across your devicesContinuity feature for signed-in usersContract (Art. 6(1)(b))
Validate purchases and unlock paid featuresTo deliver what you paid forContract (Art. 6(1)(b))
Investigate abuse and security incidentsTo keep the App stable and safe for everyoneLegitimate interests (Art. 6(1)(f))
Comply with legal obligations (tax, accounting, lawful requests)We have toLegal obligation (Art. 6(1)(c))
Show personalised ads (only if you allowed tracking via ATT on iOS, or where permitted by law on Android)Monetisation of the free tierConsent (Art. 6(1)(a)) via App Tracking Transparency / Android Ads permission
Show non-personalised ads on the free tierMonetisation of the free tier without trackingLegitimate interests (Art. 6(1)(f))

4.2. No selling, no profiling for ad-tech

We do not sell your personal data to anyone, in the GDPR sense or in the CCPA "sale or sharing" sense. We do not feed your data into ad-tech bidstream networks. The only third party that may receive ad-related signals is Google AdMob(Section 3.7), and only on the free tier, only with the appropriate consent or legal basis, and only for the purpose of showing the ad you are about to see in the App.

4.3. No automated decisions with legal effect

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects.

5. Who we share your data with

We share personal data only with the recipients listed below, only to the extent each one needs to do its job.

5.1. Service providers acting on our behalf

RecipientWhat they doWhere they process
Zenith TechnologyHosts the back-end of the App: configuration, content delivery, account state, audit loggingRomania (EEA)
Cloudflare, Inc.Content-delivery network, web application firewall, and off-site backup storage (R2)Global / EU edge
OneSignal, Inc.Push notification routing on top of APNs/FCMUSA
Google LLC (Firebase Cloud Messaging)Android push transportUSA + global edge
Apple Inc. (Apple Push Notification service)iOS push transportUSA + global edge
Google LLC (AdMob)In-app advertising on the free tierUSA + global

Each of these is bound by either a Data Processing Agreement (for those acting as our processors) or by Standard Contractual Clauses / their own published data protection terms.

5.2. Independent controllers

When you sign in with Apple or Google, or when ads are shown by AdMob, the respective provider receives some data as an independent controller for its own stated purposes (their own privacy policies apply on top of ours):

5.3. Apple App Store and Google Play

Distribution of the App and processing of in-app purchases are handled by Apple and Google as independent controllers under their own terms and privacy policies.

5.4. Authorities and legal requests

We may disclose personal data to public authorities when we are required to by valid legal process (e.g. a Romanian court order, a binding request from a law-enforcement authority with jurisdiction over us). We review every request, push back on overbroad ones, and disclose the minimum necessary.

5.5. Corporate transactions

If our business is sold, merged or reorganised, personal data may be transferred to the successor entity as part of that transaction. We will notify you and update this Policy if that ever happens.

6. International data transfers

SC MOVING RECORDS SRL is established in Romania, which is part of the European Union. Our primary hosting and database are located in Romania (EEA), through Zenith Technology.

Some of our service providers (Apple, Google, OneSignal, Cloudflare) are established in the United States or operate globally. When personal data is transferred outside the EU/EEA, we rely on:

  • the EU–US Data Privacy Framework where the recipient is certified under it (Apple, Google, OneSignal and Cloudflare are certified);
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for any transfer not covered by an adequacy decision;
  • supplementary technical and organisational measures (encryption in transit, access controls) where the recipient country's laws require extra safeguards.

You can request a copy of the safeguards in place for a specific transfer by writing to [email protected].

7. How long we keep your data

Data categoryRetentionWhy
Anonymous App instance + push tokenUntil you uninstall the App or revoke notificationsWe need it to talk to your device
Account data (if signed in)While your account exists; deleted within 15 days of account closure, with routine backups cycling out within 30 days thereafterAccount continuity; recovery from accidental deletion
Favourites, playback position, user-added RSS feeds synced to back-endWhile your account exists; deleted with your accountSync feature
Subscription / receipt dataWhile the subscription is active; billing/accounting records retained for 10 years from the end of the financial year in which they were issuedRequired by Romanian accounting and tax law (Legea 82/1991 art. 25) — Art. 6(1)(c) GDPR
Push notification opt-in recordsWhile the App is installed; revoked on uninstallDemonstrate lawful consent (GDPR Art. 7(1))
Security and audit log entriesRetained only for as long as needed for security and diagnostics, in line with the standard retention practices of our hosting and CDN providersStability + incident response
Communications you send us (support e-mails)3 years after the last messageService quality + dispute defence
Consent and acceptance recordsRetained after account deletion for 3 years (the general civil-claims limitation period under Romanian law), to establish, exercise or defend legal claims (Art. 17(3)(e) GDPR), then deletedLegal defence

When retention expires, the data is deleted or irreversibly anonymised.

8. Your rights

If you are in the EU/EEA, the UK, Switzerland, or another jurisdiction that recognises equivalent rights, you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten") — note that we may keep the categories listed in Section 7 for the stated legal-obligation periods even after you ask;
  • restrict processing in certain circumstances;
  • port your data to another service in a structured, machine-readable format;
  • object to processing based on legitimate interests;
  • withdraw consent at any time, where processing is based on consent (e.g. push notifications) — withdrawal does not affect lawfulness of processing before the withdrawal.

To exercise any of these rights, write to [email protected] with the subject "Privacy rights request". We respond within one month (extendable by two more months for complex requests, with notice).

Account deletion from within the App. The App also lets you delete your account directly: when you delete your account from the App's settings, your SHA-256 token, favourites, playback position and synced user-added feeds are permanently removed from our back-end.

If we cannot identify you from the request alone (e.g. you never signed in, you only ever browsed anonymously), we may not be able to fulfil the request — in that case we will explain what additional information is needed to verify the request.

You also have the right to lodge a complaint with a supervisory authority. Our lead authority is:

Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Bucharest, Romania Website: www.dataprotection.ro

If you are in another EEA country, you may also complain to the supervisory authority of your country of residence or workplace.

For users in California: you have additional rights under CCPA / CPRA, including the right to know, the right to delete and the right to opt out of sale or sharing. We do not sell or share personal information in the CCPA sense, but you may still exercise the access and deletion rights above by writing to the same address.

9. Children's privacy

The App is not directed to children under 16 (the GDPR-default age in Romania). We do not knowingly collect personal data from children below the applicable age. If you are a parent or guardian and believe a child under that age has provided us with personal data, contact [email protected] and we will delete it.

The App's age rating in the App Store / Google Play reflects this position.

10. Security

We protect your personal data with a layered set of measures:

  • In transit: every connection between the App and our back-end uses HTTPS/TLS;
  • At rest: End-User identifiers are stored only as irreversible SHA-256 tokens; passwords only as bcrypt hashes; databases use row-level access control;
  • Local storage: authentication tokens on your device are kept in the iOS Keychain or Android EncryptedSharedPreferences and never written in cleartext;
  • Access: a small group of authorised personnel can access production systems, individually authenticated, with audit logging;
  • Backups: backups are encrypted and stored in EU data centres;
  • Incident response: in the event of a personal-data breach that poses a risk to your rights, we notify the supervisory authority within 72 hours and inform you when required by Art. 34 GDPR.

No system is 100% secure. Help us keep yours secure: use a strong password if you sign in, do not share your account, and keep your device's operating system up to date.

11. Cookies and similar technologies inside the App

The App does not show traditional web pages and therefore does not set browser cookies in the everyday sense. It does use:

  • Local storage for your preferences (theme, language, audio quality), favourites, playback position, and a cache of recent content — this lives on your device and is not shared with anyone;
  • An authentication token kept in the platform's secure storage (iOS Keychain / Android EncryptedSharedPreferences) while you are signed in;
  • The platform push token (Section 3.2) for as long as notifications are enabled;
  • The device advertising identifier (IDFA on iOS, Android Advertising ID), used by Google AdMob only on the free tier and only with the appropriate consent or legal basis (Section 3.7).

You can clear local storage by uninstalling the App, or by using your device's "Clear data" / "Offload App" controls.

If the App opens external web pages inside an in-App browser (e.g. for news article links), those pages may set their own cookies; this is governed by the relevant website's privacy policy, not ours.

12. Changes to this Policy

We may update this Policy from time to time to reflect changes to the App, to our practices, or to applicable law. The "Last updated" date at the top tells you when the current version was published.

Material changes (e.g. a new third-party processor, a new data category collected, a substantively changed retention period) will be notified to you through an in-App prompt or via the e-mail address associated with your account (if you signed in), and you will be asked to acknowledge the new version before continuing to use affected features.

Older versions of this Policy are kept for 10 years (in line with the Romanian accounting and record-keeping period applicable to our business), and a copy of any previous version can be obtained at [email protected] on request.

13. Contact us

If you have questions about this Policy, want to exercise a right, or want to report a concern:

SC MOVING RECORDS SRL (nerapo)

We aim to acknowledge every privacy-related e-mail within five working days.

nerapo is not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For any data-protection question, please use the contact details above.

End of Privacy Policy.