Aquarama

Privacy Policy

How we collect, use, store and protect your personal data

Effective from May 22, 2026 · Last updated May 22, 2026

This document is currently under review by a qualified Georgian privacy lawyer for compliance with Georgian personal data protection law and GDPR. Material changes may follow.

1. About this policy

This Privacy Policy describes how Aquatec Systems Georgia LLC (hereafter — "Aquarama", "we", "our") collects, uses, stores and protects personal data of users of the Aquarama mobile and web application (hereafter — the "Application") and the website aquarama.vercel.app (hereafter — the "Site").

By using the Application or the Site you agree to the terms of this Policy. If you do not agree — please do not use our services.

2. Data controller

The controller of your personal data is:

  • Legal entity: Aquatec Systems Georgia LLC
  • Legal address: 6010 Georgia, Batumi, General Aslan Abashidze St. 47A
  • Identification code: 445703169
  • Email for data requests: info@aquarama.ge
  • Phone: +995 579 35 85 27

3. What data we collect

3.1. Data you provide directly

  • Contact data — phone number, first and last name. Collected at registration in the Application.
  • Vehicle data — license plate, make, model, colour, year. Collected when you add a car or on your first visit.
  • Visit history — date and time of visit, services performed, amount due. Collected automatically upon each visit.
  • Deposit balance — remaining amount, top-up and spending history. Collected when you top up the deposit.
  • Friend invitations — invited friend's phone number and (optionally) their car plate. Collected when you invite a friend.

3.2. Data we collect automatically

  • Technical data — IP address, device type, operating system, browser or Application version.
  • Login log — account login date and time, history of OTP requests.
  • Usage data — which pages you opened, which features you used, session duration.

3.3. Sensitive information

We do not collect: health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation.

We do not collect geolocation, except when you act as a promo agent — only then is geolocation recorded at the moment a flyer entry is created (governed by a separate agreement with the agent).

4. Why we use your data (processing purposes)

The legal basis for each purpose:

  • Providing car wash services and visit accounting (contact, vehicle, visit history) — performance of the contract.
  • Sending SMS one-time passwords for login (phone number) — performance of the contract.
  • "Invite a friend" referral program (invited friend's number, inviter's name) — consent of the inviter.
  • Deposit accounting and discount calculation — performance of the contract.
  • Fraud and abuse prevention — legitimate interest.
  • Service quality improvement (anonymous analytics) — legitimate interest.
  • Compliance with law (accounting, tax reporting) — legal obligation.

5. Who we share your data with

We do not sell your data. Data is only transferred to processors acting on our behalf:

  • Supabase Inc. — database storage and authentication (USA, EU backup region).
  • Vercel Inc. — application hosting (USA, EU edge servers).
  • SMS Office Georgia (smsoffice.ge) — sending SMS codes and invitations (Georgia).
  • Cloudflare (via Vercel) — CDN and attack protection (global).

We have data processing agreements (DPAs) with each processor. All processors comply with GDPR and applicable local laws.

In specific cases we may also share data with Georgian government authorities (upon lawful request), legal counsel and auditors (under confidentiality), or a legal successor in case of business reorganization or sale.

6. International data transfer

Because Supabase and Vercel are headquartered in the USA, your data may be transferred outside Georgia and the European Economic Area. These transfers are protected by EU Standard Contractual Clauses and processors' certifications under the EU-US Data Privacy Framework where applicable.

7. How long we store your data

  • Active user account — for as long as the account is active.
  • Deleted account — no more than 30 days from the deletion request, except for data required for accounting.
  • Visit and payment history — 6 years (Georgian accounting law requirement).
  • OTP request log — 7 days.
  • SMS sending log — 12 months.
  • Technical logs — 90 days.

After the retention period expires, data is deleted or anonymized.

8. Your rights

You have the following rights regarding your personal data:

  • Right of access — obtain a copy of your data;
  • Right of rectification — request correction of inaccurate or incomplete data;
  • Right of erasure ("right to be forgotten") — request deletion of your data;
  • Right to restrict processing — temporarily suspend processing in case of dispute;
  • Right to data portability — receive your data in a machine-readable format (JSON or CSV);
  • Right to object — to processing based on legitimate interest;
  • Right to withdraw consent — where processing is based on consent;
  • Right to lodge a complaint with the Personal Data Protection Service of Georgia.

To exercise these rights, write to info@aquarama.ge. We will respond within 30 days.

How to delete your account

Open the Application → "Profile" → "Delete account". Within 30 days all your data will be deleted, except for accounting records of completed visits (kept as required by law).

9. Data security

We use the following technical and organizational measures:

  • TLS 1.3 (HTTPS) encryption for data transfer;
  • encryption of data at rest on Supabase servers;
  • passwords and PIN codes stored only as hashes (bcrypt);
  • role-based access control;
  • regular dependency updates and vulnerability patching;
  • access logging for sensitive operations.

However, no method of internet transmission or electronic storage is 100% secure. We recommend that you do not share your one-time login codes with anyone and notify us of any suspicious activity on your account.

10. Cookies and similar technologies

We use a minimal set of cookies necessary for the Application to function:

  • aquarama_client_token — stores the user's session. Lifetime: 30 days.
  • aquarama_auth — stores the session of car wash operators and administrators. Lifetime: 30 days.

We do not use cookies for advertising, do not work with advertising networks and do not integrate with social networks.

11. Children

The Application is not intended for children under 16 years of age. We do not knowingly collect data from children. If you discover that a child has provided us with data without parental consent — please contact us and we will delete the data.

12. "Invite a friend" referral program — special terms

When you invite a friend through the referral program:

  • You confirm that you have obtained your friend's consent to receive an SMS invitation from Aquarama.
  • We will send your friend no more than 4 SMS messages (one initial invitation and up to 3 reminders within 30 days).
  • If your friend does not wish to receive messages, they can reply with the word STOP or contact us — we will stop sending and remove their number.
  • You are responsible for the accuracy of the number you provide — please double-check it before sending.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes in the Application, by email (if provided), no later than 30 days before the changes take effect.

14. Contacts

If you have questions about this Policy or wish to exercise your rights:

  • Email: info@aquarama.ge
  • Phone: +995 579 35 85 27
  • Postal address: 6010 Georgia, Batumi, General Aslan Abashidze St. 47A

You may also submit complaints to the Personal Data Protection Service of Georgia: