Version 1.0, last updated 23 April 2026
Sentiko is an emotional barometer for cultural venues. People use it to log how a concert, an exhibition, or a film made them feel. We treat those feelings with care. They are not merchandise.
This policy explains, in plain language, what data we handle, on what legal basis, and what rights you have. It applies to every Sentiko surface, including the consumer app at sentiko.app, the about page at about.sentiko.app, the B2B landing at sentiko.org, and tenant dashboards at [client].sentiko.art.
The data controller under the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") is:
Markevitch Media GmbH, trading as ikono, operator of the Sentiko service.
Contact for any privacy matter: privacy@sentiko.app or markevitch@ikonotv.art.
Markevitch Media GmbH has not appointed a statutory Data Protection Officer, as the thresholds under Article 37 GDPR are not met. A named privacy contact is reachable at the addresses above and will respond to every request personally.
Sentiko is designed so that you can participate without identifying yourself. You do not need an account to scan a QR code and log an emotion. We do not ask for your location. We do not ask for your contacts. We do not place advertising cookies.
If you choose to create an account, you do so to keep a private garden of your own reactions over time. That is the only reason an account exists.
When you scan a Sentiko QR code and select an emotion, we record:
Legal basis: legitimate interest under Article 6(1)(f) GDPR, namely running and improving a cultural feedback service whose output is only ever aggregate. The risk to you is low because the log is not linked to an identifier, your name, your email, or your device's permanent identifiers.
If you choose to sign in, we receive and store:
Legal basis: performance of a contract with you under Article 6(1)(b) GDPR (we cannot give you a personal garden without an account), and your consent under Article 6(1)(a) GDPR where the sign-in step itself constitutes an explicit choice.
Cultural institutions that host Sentiko see only aggregate emotional patterns across their programme. They do not see your name, your email, your individual log, or any identifier that could single you out. A museum or concert hall sees the shape of a room's emotional response, not the people in it.
Legal basis: legitimate interest under Article 6(1)(f) GDPR. Because the shared output is aggregated and non-identifying, it does not constitute personal data about you under Article 4(1) GDPR.
Our infrastructure keeps short-lived technical logs (IP address, request time, error traces) to defend the service against abuse and to diagnose outages. These logs are access-controlled and are not used for profiling.
Legal basis: legitimate interest under Article 6(1)(f) GDPR (network and information security, in line with Recital 49).
We do not sell your data. Not to advertisers, not to data brokers, not to cultural institutions, not to anyone. This is not a clause we might revise later to make money. It is the foundation of the service.
We do not use GPS or geolocation prompts. Context comes from the QR code you scan, nothing else.
We do not run behavioural advertising trackers, nor embed third-party analytics that profile you across sites.
We rely on a small set of trusted providers to operate Sentiko. Each is bound by a data processing agreement under Article 28 GDPR.
| Provider | Role | Location |
|---|---|---|
| Google Ireland Ltd (Firebase Authentication, Cloud Firestore, Firebase Hosting) | Authentication, database, hosting | EU regions, with Standard Contractual Clauses where transfers to the US apply |
| Apple Distribution International Ltd (Sign in with Apple) | Optional sign-in provider | Ireland |
| Vercel Inc. | Static hosting and edge delivery for Sentiko web surfaces | Global edge network, Standard Contractual Clauses in place |
If we add or change a sub-processor, we will update this list and note the change in Section 13.
Sentiko is an EU-hosted service. Firebase Authentication and Firestore are configured to EU regions. Some sub-processors (for example Vercel's edge network) operate globally. Where personal data leaves the European Economic Area, transfers rely on the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and, where applicable, supplementary measures such as encryption in transit and at rest.
Sentiko uses the minimum storage required to make the service work:
Sentiko does not set advertising cookies and does not use cross-site tracking technologies. Because no non-essential cookies are deployed, a cookie consent banner is not required under Article 5(3) of the ePrivacy Directive.
If you are in the European Union, the United Kingdom, or another region with equivalent rules, you have the right to:
To exercise any of these rights, write to privacy@sentiko.app. We will respond within 30 days, as required by Article 12(3) GDPR. We may ask for minimal information to verify the request, but no more than necessary.
Sentiko is not directed at children under 16. Accounts are not knowingly created for them. If you believe a child has created an account, write to us and we will remove it without delay.
We apply industry-standard safeguards, TLS in transit, encryption at rest on Firebase and Firestore, authenticated access to administrative tools, and least-privilege internal permissions. No system is perfect, but we treat this data as something we have been trusted with, not something we own. In the event of a personal data breach likely to result in a risk to you, we will notify the competent supervisory authority within 72 hours as required by Article 33 GDPR, and, where the risk is high, we will also notify you directly.
Sentiko does not use your personal data to make automated decisions that produce legal or similarly significant effects concerning you, within the meaning of Article 22 GDPR.
If we update this policy, we will post the new version at this URL and update the version number and date at the top. Material changes will be communicated inside the app or by email to account holders, as appropriate.
Privacy questions, access or deletion requests, concerns: write to privacy@sentiko.app. A human will read it.