Privacy Policy

Last updated: February 2026

1. Introduction

This Privacy Policy describes how V.K. STONE PROPERTIES d.o.o. (inHits) (hereinafter "we", "our" or "Data Controller"), with registered office at Kačina 4, Selca (Općina Selca), Croatia, collects, uses, stores and protects the information of users (hereinafter "User" or "you") of the inHits mobile application (hereinafter "App" or "Service").

We are committed to protecting your privacy in compliance with Regulation (EU) 2016/679 (GDPR), the Croatian Act on the Implementation of the General Data Protection Regulation (NN 42/2018), and any other applicable European and international data protection legislation.

Use of the App implies acceptance of the practices described in this Policy. We invite you to read it carefully.

2. Data Controller

The Data Controller for personal data is:

V.K. STONE PROPERTIES d.o.o. (inHits)
Registered office: Kačina 4, Selca (Općina Selca), Croatia
Email: privacy@inhits.com

For any questions regarding the processing of your personal data, you can contact us at the email address above.

3. Data Collected

Our App is designed with a data minimization by design approach. We do not collect sensitive data or personal information that is not necessary for the operation of the Service.

3.1 Data voluntarily provided by the User

• Email address: provided only in case of voluntary registration. The App can also be used anonymously, without registration.
• Music preferences and personalized playlists created by the User.

3.2 Automatically collected data

• Listening data: tracks listened to, listening duration, frequency, timestamps of listening sessions. This data is used exclusively to generate aggregate charts, statistics on the most listened songs and personalized suggestions.
• Anonymous unique identifier (UUID): automatically generated to distinguish users for statistical purposes, without the possibility of tracing back to the real identity of the person.
• Technical device data: operating system, App version, device model, language setting, for compatibility and debugging purposes.
• Download data: information relating to tracks downloaded for offline listening, solely for the purpose of managing music licenses and rights.
• Push notification token: technical identifier necessary for sending notifications about new songs, updates and music content.

3.3 Data NOT collected

We do not collect in any way:

• Name, surname, date of birth, physical address or phone number.
• Geolocation data (GPS).
• Payment or financial data.
• Data relating to contacts, address book, camera or microphone of the device.
• Health, biometric, political, religious or other sensitive data under Art. 9 GDPR.

4. Purposes of Processing and Legal Basis

Your data is processed for the following purposes:

4.1 Service provision (Legal basis: performance of contract, Art. 6(1)(b) GDPR)

• Enabling the streaming and offline listening of music tracks.
• Managing the download of licensed tracks to the User's device.
• Managing the user account (if registered) and associated preferences.

4.2 Service improvement (Legal basis: legitimate interest, Art. 6(1)(f) GDPR)

• Generating aggregate charts of the most listened songs.
• Producing anonymous and aggregated statistical data on platform usage.
• Providing personalized music suggestions based on listening habits.

4.3 Communications (Legal basis: consent, Art. 6(1)(a) GDPR)

• Sending push notifications about new songs, suggested playlists, App updates and relevant music content.
• The User can revoke consent to notifications at any time through their device settings.

5. Offline Mode and Downloads

The App allows downloading music tracks for offline listening. Downloaded content is protected by DRM (Digital Rights Management) or equivalent protection systems to ensure compliance with music licenses.

Listening data in offline mode is stored locally on the device and synchronized with our servers when the User reconnects to the Internet, solely for the purpose of updating listening statistics and charts.

6. Data Retention

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected:

• Account data (email): retained until the account is deleted by the User or until a deletion request is made.
• Listening data: retained in aggregated and anonymized form for statistical purposes. Individual listening data is anonymized within 24 months from the last use of the App.
• Push notification tokens: retained until notifications are disabled or the App is uninstalled.
• Technical data and logs: retained for a maximum of 12 months for debugging and security purposes.

7. Data Sharing

We do not sell, rent or share your personal data with third parties for marketing purposes.

Your data may be shared exclusively with:

• Technical service providers (hosting, CDN, cloud services) acting as Data Processors under Art. 28 GDPR, bound by data processing agreements (DPA) that ensure adequate levels of protection.
• Music rights holders and collecting societies, limited to aggregate and anonymous data necessary for royalty reporting.
• Competent authorities, where required by law or by order of a judicial authority.

8. Extra-EU Data Transfers

Where data is transferred outside the European Economic Area (EEA), we ensure that the transfer complies with the GDPR through:

• Adequacy decisions of the European Commission (Art. 45 GDPR).
• Standard contractual clauses (SCC) approved by the European Commission (Art. 46(2)(c) GDPR).
• Other appropriate safeguards provided for by the GDPR.

9. Data Security

We adopt appropriate technical and organizational measures to protect your data from unauthorized access, loss, destruction or alteration, including:

• Encryption of data in transit (TLS/SSL) and at rest.
• Role-based access controls (RBAC).
• Continuous system monitoring and security incident management.
• Pseudonymization and anonymization of data where possible.
• Regular backups and disaster recovery procedures.

10. Your Rights

In accordance with the GDPR (Arts. 15-22), you have the right to:

• Access (Art. 15): obtain confirmation of the existence of processing and a copy of your personal data.
• Rectification (Art. 16): correct inaccurate or incomplete data.
• Erasure (Art. 17): request the deletion of your personal data ("right to be forgotten").
• Restriction (Art. 18): request the restriction of processing in certain circumstances.
• Portability (Art. 20): receive your data in a structured, commonly used and machine-readable format.
• Objection (Art. 21): object to processing based on legitimate interest.
• Withdrawal of consent: withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise your rights, you can contact us at privacy@inhits.com. We will respond to your request within 30 days.

You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP - www.azop.hr) or with the supervisory authority in your Member State of residence.

11. Minors

The App is not intended for minors under 16 years of age. We do not knowingly collect personal data from minors under 16. If a parent or legal guardian believes that their child has provided personal data without their consent, they are asked to contact us immediately at privacy@inhits.com so that we can arrange for the deletion of such data.

12. Cookies and Tracking Technologies

The App does not use third-party profiling cookies. Technical cookies or equivalent technologies strictly necessary for the operation of the Service and the storage of User preferences on the device may be used.

13. Changes to the Privacy Policy

We reserve the right to update this Policy at any time. Changes will be communicated via push notification in the App or by publishing the updated version within the App itself. The date of the last update is indicated at the beginning of the document.

Continued use of the App after the publication of changes constitutes acceptance of the updated Policy.

14. Contact Us

For any questions, requests or communications regarding this Privacy Policy or the processing of your personal data, you can contact us at:

V.K. STONE PROPERTIES d.o.o. (inHits)
Kačina 4, Selca (Općina Selca), Croatia
Email: privacy@inhits.com