Privacy & Security Policy

This document is the Privacy and Security Policy of the Korak mobile application, owned and operated by Zbor MNE DOO, with its registered office at Janka Đonovića 40, 81000 Podgorica, Montenegro (Tax ID: 03506177).

Its purpose is to protect users' personal data, financial transactions, and the integrity of the Korak platform.

The provider undertakes to apply technical and organisational protection measures in accordance with:

• the Law on Personal Data Protection of Montenegro;
• the Law on Electronic Commerce of Montenegro;
• PCI DSS standards for the protection of payment data;
• industry best practices for information security.

We collect the following categories of data:

• Identification data: first and last name, email address, phone number, demographic information (year of birth, sex, city, country, preferred languages).
• Usage data: search history, selected therapists, booked sessions, ratings and recommendations.
• Technical data: IP address, device type, operating system version, push-notification tokens, crash diagnostics.
• Payment data: processed exclusively through certified payment processors — we do not store card numbers on our servers.
• Therapist documentation: diplomas, licences, identity documents and profile photo, provided during registration for verification purposes.
• Product analytics & session recordings: in-app events (screens visited, actions taken such as searches and bookings), associated with a non-identifying internal user ID. We also record anonymised session replays of user interaction with the app for the purpose of improving usability and diagnosing issues. Text you type (including verification codes and payment details) is automatically masked in these recordings and is never sent to our analytics provider. Replays do not capture audio, your camera, or any content outside the Korak app.

All data is stored in a secure database with technical and organisational safeguards applied.

Data provided by users is processed solely for the following purposes:

• registration and access to the platform;
• establishing contact and communication between clients and therapists;
• verifying the identity and qualifications of therapists;
• displaying therapist reviews for transparency and quality of service;
• system administration and security.

Korak uses personal data only in ways consistent with the purpose for which it was collected or for which users have given authorisation, in accordance with applicable law.

We process personal data on the following legal bases:

• the user's consent;
• performance of a contract with the user;
• compliance with a legal obligation;
• our legitimate interests, where these do not override the user's rights and freedoms.

Users have the right to withdraw consent at any time. Such withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Only basic information (first name, photo, qualifications and general professional information) is publicly visible on a therapist's profile. Email address, password and phone number are never publicly accessible and are stored with appropriate security measures.

Full personal data is accessible only to the Korak administrative team, and only for purposes of security and system administration.

Third parties we share data with

User data is not shared with third parties except in the following cases:

• With a selected therapist — only the contact details necessary to arrange a session, and only after both parties confirm the booking.
• With payment processors — only the information needed to complete a transaction.
• With service providers we rely on (acting as data processors under contract):
  • Supabase Inc. — database hosting, authentication, file storage.
  • Google LLC — Google Sign-In, Firebase Cloud Messaging (push notifications), Firebase Analytics (anonymous usage metrics), Firebase Crashlytics (crash diagnostics).
  • Apple Inc. — Sign in with Apple (authentication). When you use the "Hide My Email" relay option, Apple acts as an intermediary forwarder for emails between us and you.
  • Infobip d.o.o. — delivery of one-time SMS codes for phone verification.
  • PostHog Inc. — product analytics, session replay and feature-flag delivery. Data is hosted on PostHog's EU Cloud infrastructure. Text inputs are masked by default in session replays so verification codes and payment details are never transmitted.
  • Resend, Inc. — delivery of one-time email codes for email verification.
• By order of a competent authority — in accordance with applicable law.

Personal data is kept for as long as there is a purpose for processing it or until the user requests its deletion. If a user deletes their account, all of their data is permanently erased, except where there is a legal basis for continued retention (for example, invoices or tax records, which are kept only for the period required by law and are not used for any other purpose).

All users are responsible for keeping their accounts secure and using the platform in accordance with the Terms of Service.

Korak is obliged to ensure the security of the personal data it processes. To prevent unauthorised access or disclosure, to maintain the accuracy of data, and to ensure its proper use, Korak has adopted appropriate physical, electronic and administrative procedures.

Korak strives to protect the privacy of personal data and accidental disclosure is unlikely. In the event of such an unplanned disclosure, Korak will take reasonable steps to limit and remedy the disclosure and to notify affected users.

All payment transactions are processed through certified payment processors compliant with PCI DSS standards. Korak does not collect, store or process payment-card data on its own servers. Payment data is transmitted over an encrypted channel (TLS/SSL) directly to the payment processor.

Security measures for payment transactions include:

• SSL/TLS encryption for all communication;
• tokenisation of payment data;
• 3-D Secure authentication for card transactions, where supported;
• regular transaction monitoring to detect suspicious activity.

Encryption

• All data in transit is protected with TLS 1.2 or newer.
• Sensitive data at rest in the database is encrypted using AES-256.

Access control

• Access to user data is restricted to authorised personnel.
• The principle of least privilege is applied.
• Row-Level Security is enforced at the database layer so that users can only access their own records.

Infrastructure

• Hosting on servers with certified infrastructure.
• Regular security patches and system updates.
• Firewall protection and intrusion detection / prevention (IDS/IPS).
• Regular data backups.

Korak applies the following measures:

• monitoring of unusual usage and transaction patterns;
• mandatory email verification at registration.

In the event of suspicious activity, Korak reserves the right to temporarily suspend an account, request additional identity verification, and notify the competent authorities.

In the event of a security incident, Korak will:

• immediately take measures to contain and limit the incident;
• notify affected users within 72 hours of discovery;
• notify the Agency for Personal Data Protection as required by law;
• conduct a root-cause analysis and apply corrective measures.

Users have the following rights under the Law on Personal Data Protection:

• Right to information — to know what data we process and why.
• Right of access — to obtain a copy of your personal data.
• Right to rectification — to have inaccurate data corrected.
• Right to erasure ("right to be forgotten") — to have your data deleted.
• Right to restriction of processing in specific circumstances.
• Right to object to processing based on legitimate interests.
• Right to data portability — to receive your data in a structured, machine-readable format.

To exercise any of these rights, contact support@korak.to. We will respond within 30 days.

To help keep your account secure you should:

• not access your account from public or insecure networks without protection;
• notify us immediately if you suspect unauthorised access;
• keep the app updated to the latest version;
• update your personal data whenever it changes.

Korak is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact support@korak.to and we will delete it.

Some of our service providers (listed in section 5) may process data outside Montenegro, including in the European Economic Area and the United States. Where data is transferred outside Montenegro, we rely on appropriate safeguards such as Standard Contractual Clauses and service providers' compliance with recognised security standards.

If you believe your rights regarding the processing of personal data have been infringed, you have the right to lodge a complaint with the Agency for Personal Data Protection and Free Access to Information of Montenegro:

Address

Bulevar Svetog Petra Cetinjskog 147, Podgorica

Web

www.azlp.me

Email

azlp@t-com.me

You also have the right to judicial protection in accordance with applicable law.

Korak reviews and updates this policy regularly. Users will be notified of material changes through the app or by email. This policy entered into force on 10 April 2026.

For any questions, incident reports or requests related to security and data protection:

Company

Zbor MNE DOO

Address

Janka Đonovića 40, 81000 Podgorica, Montenegro

General

info@korak.to

Support

support@korak.to