Privacy Policy

Last updated: March 2026

1. Introduction

Welcome to Horexa. This Privacy Policy explains how Horexa SRL, a company registered in Romania (CUI 52231407), with its registered office at Corabia 88, ap. 2, Bucharest, sector 2 (hereinafter "Horexa", "we", "us", or "our"), collects, uses, shares, and protects your personal data when you use our mobile application and related services (collectively, the "Service").

Horexa is a social media platform focused on food and beverage experiences, connecting guests with restaurants, bars, and culinary professionals. This Policy applies to all users of the Service, including guests (consumers), hospitality workers, and business account holders.

Horexa SRL is the data controller responsible for processing your personal data in accordance with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the Digital Services Act (Regulation 2022/2065, "DSA").

2. Age Restriction

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. Given that the platform features content related to alcoholic beverages, including cocktails, wine, beer, and spirits, we have set this threshold to comply with applicable alcohol-related regulations across EU Member States and to ensure an appropriate user experience.

If we become aware that a user is under 18, we will promptly delete their account and all associated personal data. If you believe a minor has registered on Horexa, please contact us at privacy@horexa.com.

3. Personal Data We Collect

3.1 Data You Provide to Us

Account registration data: name, email address, date of birth (for age verification), username, and profile photo. You also indicate whether you are registering as a guest (consumer), a hospitality worker, or a business.

Profile data: biography, cuisine interests and food preferences (e.g., favourite cuisines, dietary preferences), and — for users who opt to complete a professional profile as a hospitality worker — current and past job roles in the industry.

Phone number: your phone number is collected only if you apply for a job posted by a business on the platform, or if you are a business posting job opportunities. Phone numbers are shared with the relevant business solely for the purpose of contacting applicants in connection with a specific job application and may not be used for any other purpose.

Content you create: photos, videos, text posts, reviews, comments, and any other content you share through the Service, including metadata embedded in such content (e.g., EXIF data from photos).

Business account data: for business account holders (restaurants, bars, etc.), we collect additional identity verification information, which may include business registration documents (CUI/CIF or equivalent), business name, address, and authorised representative details. This information is collected to comply with Article 30 of the Digital Services Act (traceability of traders).

Communications: messages you send through the Service, and correspondence with our support team.

3.2 Data We Collect Automatically

Device and usage data: IP address, device type, operating system, app version, language settings, unique device identifiers, pages visited, features used, timestamps, and interaction patterns.

Location data: with your consent, we collect precise (GPS) and approximate location data from your device. We also access location metadata (EXIF geotags) embedded in photos and videos you upload. We explain how we use location data in Section 4.

Camera and microphone data: the app accesses your camera and microphone when you actively choose to take photos, record videos, or record audio. We do not access these sensors in the background.

Storage data: the app reads from and writes to your device's storage to enable you to upload photos and videos, and to cache content locally for a better user experience.

3.3 Data We Receive from Third Parties

If you sign in using a third-party service (e.g., Google Sign-In), we receive your name, email address, and profile photo from that provider, as authorised by you.

We use location data services to provide location-based features. When you search for or tag a venue, we receive place data from the relevant provider.

4. How We Use Your Personal Data

We process your personal data for the following purposes and on the legal bases indicated:

Providing the Service — Account creation, content hosting, social networking features, messaging. Legal basis: Contract performance (Art. 6(1)(b)).

Location-based features — Recommending nearby restaurants to guests; recommending job opportunities near workers; suggesting venue tags for posts. Legal basis: Consent (Art. 6(1)(a)).

Food & beverage recognition — Automatic tagging of food and drinks in photos to enhance content discovery and search. Legal basis: Legitimate interest (Art. 6(1)(f)).

Content moderation — Detecting and removing illegal or policy-violating content using automated tools and human review. Legal basis: Legal obligation (Art. 6(1)(c)) & legitimate interest.

Recommender system — Personalising your feed based on your interactions, cuisine preferences, and location. Legal basis: Legitimate interest (Art. 6(1)(f)).

Job connections — Sharing your phone number with a business when you apply for a job they posted, and vice versa. Legal basis: Contract performance (Art. 6(1)(b)).

Safety and security — Fraud prevention, spam detection, age verification, and business account verification. Legal basis: Legitimate interest (Art. 6(1)(f)).

Analytics and improvement — Understanding how users interact with the Service, improving features, fixing bugs. Legal basis: Legitimate interest (Art. 6(1)(f)).

Legal compliance — Responding to legal requests, enforcing our terms, DSA obligations. Legal basis: Legal obligation (Art. 6(1)(c)).

5. Advertising

As of the date of this Policy, Horexa does not display advertising within the Service. We may in the future introduce advertising features, including personalised advertising. If we do so, we will update this Privacy Policy to detail how your personal data is used in connection with advertising. Where required under the GDPR, we will obtain your consent before using personal data for ad targeting or profiling for advertising purposes.

In accordance with Article 26 of the Digital Services Act, if and when advertising is introduced, each advertisement will be clearly identifiable as such, and you will be informed of the identity of the advertiser and the main parameters used to determine why the advertisement was shown to you.

6. Recommender System and Algorithmic Feed

Horexa uses a recommender system to personalise the content displayed in your feed. In compliance with Articles 27 and 38 of the Digital Services Act, we provide the following information about how this system works.

Main parameters used to determine what content you see:

  • Your geographic location (to prioritise local and nearby content)

  • The types of content you have previously interacted with (likes, comments, saves, shares)

  • How recent the content is (recency)

  • The popularity of the content among other users

  • Your declared cuisine interests and food preferences

  • Your connections and the accounts you follow

In accordance with Article 38 of the DSA, Horexa offers you the option to switch to a chronological feed that is not based on profiling. You can toggle between the personalised feed and the chronological feed at any time in your app settings.

7. Content Moderation

In compliance with the Digital Services Act, Horexa employs a combination of automated tools and human review to detect and manage content that violates our Terms of Service or applicable law.

Automated moderation: we use AI-powered services provided by EU-based third-party processors to scan user-generated content for potentially harmful material, including explicit imagery, hate speech, harassment, spam, and other policy violations. Image and video content is analysed using computer vision models; text content is analysed using natural language processing. These tools flag content for further review or automatic removal based on configurable confidence thresholds.

Human review: content flagged by automated systems, as well as content reported by users, is reviewed by members of our team. Human moderators make final decisions on complex or ambiguous cases.

Reporting mechanism: you can report any content or account you believe violates our policies or applicable law using the in-app reporting feature. We will acknowledge receipt, process your report in a timely manner, and inform you of the outcome and your right to appeal.

Right to appeal: if your content is removed or your account is restricted as a result of moderation, you have the right to appeal the decision through our in-app appeals process.

8. Who We Share Your Personal Data With

8.1 Service Providers (Data Processors)

We share your data with third-party service providers who process data on our behalf. These processors are contractually bound to process your data only on our instructions and in compliance with the GDPR. All of our core data processors are based within the European Union and process your data on EU-based infrastructure.

Our processors fall into the following categories:

  • Content moderation providers — EU-based services that analyse images, videos, and text for policy-violating or illegal content.

  • Food and beverage recognition providers — EU-based services that identify food items and beverages in user-uploaded photos for automatic tagging and content enrichment.

  • Cloud infrastructure and hosting providers — EU-based services that store and process your data on servers located within the European Union.

  • Analytics and reporting providers — EU-based services that help us understand usage patterns and improve the Service.

  • Location data providers — services that provide venue and place data for location-based features.

  • Authentication providers — services that enable sign-in functionality (e.g., Google Sign-In).

  • Push notification providers — services that deliver notifications to your device.

A current and detailed list of our specific sub-processors, including their names, locations, and purposes, is available at horexa.com/subprocessors. This list is updated whenever we add or change a sub-processor.

8.2 Sharing Between Users

Your public profile and the content you choose to post are visible to other users of the Service.

Phone number sharing for job applications: if you apply for a job posted by a business on Horexa, your phone number will be shared with that business solely for the purpose of contacting you about your application. Similarly, if you are a business that posts a job, your contact phone number will be shared with applicants. Phone numbers shared through this feature may not be used for any purpose other than the specific job application and are subject to the receiving party's obligation to handle them in accordance with applicable data protection law.

8.3 Other Disclosures

We may also share your personal data in the following circumstances:

  • With law enforcement or regulatory authorities, where required by law or in response to a valid legal process.

  • In connection with a merger, acquisition, or sale of assets, in which case you will be notified.

  • With the Digital Services Coordinator of Romania or other relevant authorities, as required by the DSA.

9. International Data Transfers

Your personal data is stored and processed on servers located within the European Union. Our core data processors are EU-based and process your data within the EEA.

Certain auxiliary services, such as Google Sign-In and location data services provided by Google LLC, may involve the transfer of limited personal data to the United States. Where such transfers occur, they are protected by appropriate safeguards, including the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) adopted by the European Commission. Details of applicable transfer mechanisms are available upon request by contacting privacy@horexa.com.

10. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.

  • Account data: retained for the duration of your account and deleted within 30 days of account deletion, unless retention is required for legal purposes.

  • Content: retained for the duration of your account. When you delete specific content, it is removed from public visibility immediately and permanently deleted from our systems within 90 days.

  • Phone numbers (job applications): retained for the duration of the application process and deleted within 30 days of the position being filled or the application being withdrawn.

  • Location data: precise location data used for real-time recommendations is not stored beyond the session. Location tags attached to posts are retained as part of the content.

  • Moderation records: records of content moderation decisions (including statements of reasons) are retained for a minimum period as required by the DSA.

  • Business verification data: retained for the duration of the business account and for 6 months thereafter, as required by Article 30 of the DSA.

  • Log data: server logs and analytics data are retained for up to 12 months.

11. Your Rights Under the GDPR

As a data subject, you have the following rights, which you can exercise at any time by contacting us at privacy@horexa.com or through the in-app privacy settings:

  • Right of access (Art. 15) — you can request a copy of the personal data we hold about you.

  • Right to rectification (Art. 16) — you can ask us to correct inaccurate or incomplete data.

  • Right to erasure (Art. 17) — you can ask us to delete your data ("right to be forgotten").

  • Right to restriction of processing (Art. 18) — you can ask us to restrict how we use your data in certain circumstances.

  • Right to data portability (Art. 20) — you can request your data in a structured, commonly used, machine-readable format.

  • Right to object (Art. 21) — you can object to processing based on legitimate interests, including profiling for the recommender system.

  • Right to withdraw consent (Art. 7) — where processing is based on consent (e.g., location data), you can withdraw it at any time through your device settings or app settings, without affecting the lawfulness of prior processing.

  • Right to lodge a complaint — you have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) or any other supervisory authority in the EU Member State of your habitual residence.

We will respond to your request within one month. In complex cases, this period may be extended by a further two months, and we will inform you accordingly.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, access controls, regular security assessments, and incident response procedures. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

13. Device Permissions

The Horexa mobile application requests the following device permissions. Each permission is used solely for the purposes described below:

Location (Fine & Coarse) — Recommending nearby restaurants and venues, suggesting location tags for posts, recommending jobs near workers. Requires your explicit consent.

Media Location — Reading location metadata from photos you upload, to suggest venue tags. Requires your explicit consent.

Camera — Taking photos and recording videos to share on the platform.

Microphone — Recording audio and video content.

Storage (Read & Write) — Uploading photos and videos from your device, and caching content locally.

Internet — Connecting to our servers and third-party services to deliver the Service.

Vibrate — Providing haptic feedback for notifications and interactions.

Foreground Service — Enabling media playback and background processing for content uploads.

You can manage most permissions through your device settings at any time. Revoking certain permissions may limit the functionality of the Service.

14. Digital Services Act Transparency

As an online platform operating within the European Union, Horexa complies with the obligations set out in the Digital Services Act (Regulation 2022/2065). In addition to the information provided throughout this Policy, we note the following:

  • Point of contact: our single point of contact for authorities, users, and the European Commission is reachable at privacy@horexa.com.

  • Legal representative: Horexa SRL, as a company registered in Romania, is established in the EU.

  • Terms of Service: our Terms of Service describe the restrictions we apply to content and accounts, including our content moderation policies and internal complaint-handling procedures.

  • Transparency reporting: we will publish annual transparency reports as required by the DSA, detailing our content moderation activities, the number of orders received from authorities, and the use of automated means.

  • Trusted flaggers: reports submitted by organisations awarded trusted flagger status under the DSA will be prioritised.

  • Trader traceability: business accounts on Horexa are required to provide identity verification information in accordance with Article 30 of the DSA. Certain information about verified businesses is made available to users as required.

15. Cookies and Similar Technologies

The Horexa mobile application does not use browser cookies. However, we use similar technologies such as local storage and device identifiers for analytics, authentication, and functionality purposes. If we introduce a web-based version of the Service, we will update this section with a detailed cookie policy.

16. Data Protection Officer

We are in the process of appointing a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR. Once appointed, the DPO's contact details will be published here and communicated to the Romanian Data Protection Authority (ANSPDCP). In the interim, all privacy-related inquiries should be directed to privacy@horexa.com.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes through the app (e.g., via an in-app notification or a banner) and, where required, seek your renewed consent. The "Last updated" date at the top of this Policy indicates when it was most recently revised.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

Horexa SRL
Corabia Nr. 88, ap. 2, Bucharest, Romania
Email: privacy@horexa.com

You also have the right to lodge a complaint with the Romanian Data Protection Authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28–30, Sector 1, 010336 București
Website: www.dataprotection.ro