Privacy Policy
Privacy Policy - Ironify App
1. Effective Date: 31.01.2026
Version: 1.0
2. Scope
This Privacy Policy applies to the mobile app "Ironify" (iOS/Android) and its associated backend services (API, database, authentication, support communication).
If you access external websites or services through links in the App, their respective privacy policies apply.
By using Ironify, you consent to the collection, use, and disclosure of your information as described in this Policy. If you do not agree with this Policy, please do not use our Services.
3. Principles
We process personal data only when necessary to provide the App, when permitted by law, or when you have given consent. To ensure transparency, this policy covers all processing activities, including technical data such as IP addresses and usage information.
4. Legal Basis for Processing (GDPR Art. 6)
Depending on the purpose, we base processing on the following legal grounds:
- Art. 6(1)(b) GDPR (Contract): Operating the App, account management, synchronization, game features, in-app purchases.
- Art. 6(1)(f) GDPR (Legitimate Interest): Security, stability, error analysis (crash reporting), fraud prevention, technical administration.
- Art. 6(1)(a) GDPR (Consent): Optional features, particularly notifications, if you enable them in your device settings.
Note on Workout Data: Ironify is not a medical device and does not replace medical advice. The App is a workout tracker for training documentation and gamified motivation. We do not collect diagnoses, medical findings, or health data. Workout data is processed solely to provide App features and display your progress.
5. What Data Does Ironify Process?
5.1 Account Data (Supabase Auth)
Data Categories
- Email address
- Password (for email/password login; processed via Supabase)
- OAuth login (Google, Discord): Provider ID, email, name (if provided)
Purposes
- Authentication, account creation/linking, login recognition
- Account-related communication (e.g., support)
Legal Basis: Art. 6(1)(b) GDPR
5.2 Profile and Game Progress Data
Data Categories
- Display name
- Avatar/character settings
- Training goals (e.g., workouts per week) and timezone (for weekly logic)
- Level, XP, attributes, gear, quests, battle pass, rewards
Purposes
- Providing core App and game mechanics
- Personalization (e.g., display name, avatar)
Legal Basis: Art. 6(1)(b) GDPR
5.3 Workout Data
Data Categories
- Workouts (start/end time, duration, number of exercises)
- Exercises and sets (weight, reps, duration, distance, notes)
- Templates (workout templates) and history/statistics
Purposes
- Workout planning and documentation
- Progress display, statistics, RPG/gamification mechanics
Legal Basis: Art. 6(1)(b) GDPR
5.4 Social Features (Guilds/Buddy)
Data Categories
- Guild membership, roles, activities, leaderboards
- Chat messages, reactions
- Buddy activities
Purposes: Providing social features (community, cooperation, competitions)
Legal Basis: Art. 6(1)(b) GDPR
Visibility: Content in these areas is visible to other users within the respective features (e.g., guild members, leaderboards, chat).
5.5 In-App Purchases
Data Categories
- Product ID, store transaction ID, purchase timestamp, store platform
- Price/amount and currency (if provided by the store)
- Verification data/receipts for purchase validation
- Purchase status/entitlements (local and server-side)
Purposes: Processing and verifying purchases, providing paid content/features
Legal Basis: Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR (fraud prevention)
Important Note on App Stores: Payments are processed through the respective app store (Apple App Store / Google Play). These providers process data independently according to their own privacy policies.
5.6 Support/Feedback
Data Categories
- Title, message, category, optional email
- User ID (for logged-in users)
- For bug reports, optional technical info: App version/build, platform, OS version, language/locale, timezone, screen size, pixel density
Purposes: Handling support requests, bug fixes, App improvement
Legal Basis: Art. 6(1)(b) GDPR (contractual communication), Art. 6(1)(f) GDPR (legitimate interest in support and product improvement)
5.7 Technical and Log Data (Backend)
Data Categories
- Device and app information (e.g., App version, platform)
- Network status (for sync/offline functionality)
- Server log data (e.g., IP address, timestamp, request data) when accessing the backend
Purposes: System operation and security (e.g., attack prevention), error analysis, stability, synchronization
Legal Basis: Art. 6(1)(f) GDPR
5.8 Local Storage (Device)
What is Stored Locally?
- Settings (e.g., units, sound, notifications)
- Offline cache and local database
- Local notification scheduling (no push tokens)
Purposes: Offline capability, performance, user convenience
Legal Basis: Providing App functionality (Art. 6(1)(b) GDPR)
5.9 Crash Reporting (Firebase Crashlytics)
Data Categories
- Crash and diagnostic data, stack traces
- App version/build, platform, OS version, screen names, breadcrumb logs
- Technical metadata/custom keys (e.g., auth status, network status, DB schema version, sync status)
- No intentional collection of directly identifying data/PII
Purposes: Stability, error analysis, App improvement
Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in a stable and secure product)
Notes: Active by default only in release versions (debug only for testing). Opt-out available via support request: info@riverfrost.com
5.10 No Tracking/Ads/Analytics
Ironify does not use advertising tracking, advertising SDKs, or Firebase Analytics.
6. App Permissions
Ironify may use the following permissions (depending on your device settings):
- Network access (Internet) for backend/sync and crash reporting
- Notifications (optional) for local reminders
- Vibration for haptic feedback
- In-app purchases (store billing)
No access to camera, photos/media, microphone, contacts, or location. No other permissions are actively used.
7. Recipients / Data Processors
We use service providers who process data on our behalf (processors) or act as independent controllers. Depending on usage, the following providers may be involved:
7.1 Supabase (Auth, Database, Edge Functions)
Purpose: Authentication, storage, and synchronization of App data
Role: Data processor | Region: West EU (Ireland)
Privacy Policy: https://supabase.com/privacy
7.2 Firebase Crashlytics (Google)
Purpose: Crash and diagnostic data (no Firebase Analytics, no advertising)
Role: Data processor
Privacy Policy: https://firebase.google.com/support/privacy
7.3 Apple App Store / Google Play
Purpose: Processing in-app purchases, billing, fraud prevention
Role: Independent data controllers
Apple Privacy Policy: https://www.apple.com/legal/privacy/
Google Privacy Policy: https://policies.google.com/privacy
7.4 Resend (Email Service)
Purpose: Sending support emails / ticket communication
Role: Data processor | Region: EU (Ireland)
Privacy Policy: https://resend.com/legal/privacy-policy
Note: These providers may use sub-processors. Details can be found in their respective privacy policies and sub-processor lists.
7.5 Disclosure of Your Information
We will not share your personal information except in the following circumstances:
- With your consent: When you agree to share information
- Service providers: With processors who help us operate our Services (listed above)
- Legal requirements: When required by law, court order, or government request
- Protection of rights: To protect our rights, property, or safety, or that of our users
- Business transfers: In connection with a merger, acquisition, or sale of assets (you will be notified of any such change)
We do not sell your personal information to third parties.
8. International Data Transfers
Processing may occur outside the EU/EEA depending on the provider (e.g., USA). Where required, transfers are based on appropriate safeguards (e.g., Standard Contractual Clauses).
Specific notes:
- Supabase: Hosting/DB region West EU (Ireland)
- Firebase Crashlytics (Google): Processing may occur outside the EU/EEA (including USA)
- Resend: Region EU (Ireland); sub-processors per provider list
9. Data Retention and Deletion
We retain personal data only as long as necessary for the respective purposes or as legally required.
- Account and app data: Until account deletion or as long as required for operation
- Support tickets: Until resolution/closure, then deletion/anonymization; legal obligations remain unaffected
- Crash logs: As long as required for error analysis
- Server log data: According to hosting provider retention periods (Supabase); details in their documentation
10. Account Deletion in the App
Account deletion can be initiated in the App settings. Server-side, the user account and associated content are deleted, including:
- Profile and character data
- Workout data (sessions, exercises, templates), consistency and reward data
- Guild/buddy data, chat and feed posts, reactions
- Buddy requests and events
Support tickets are anonymized (user ID/email removed); content remains until resolution/closure and is then deleted.
If you own a guild, ownership is transferred to another member; if no member exists, the guild and its content are deleted.
Non-personal or legally required records (e.g., purchase or chargeback-related data) may be retained.
Locally on device: Some account data is removed (e.g., profile cache, onboarding status). Settings and offline cache may remain until you clear app data or uninstall the App.
11. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information. These rights may include:
- Access: Request information about what data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data
- Portability: Request a copy of your data in a portable format
- Objection: Object to certain processing of your data
- Withdrawal: Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at info@riverfrost.com or use the Account deletion feature in the App settings.
For specific rights based on your location, see the relevant sections below (EU/GDPR, California/CCPA).
12. Withdrawal of Consent
You can withdraw consent (e.g., for notifications) at any time with effect for the future - in the App settings and/or in your device's operating system settings.
13. Obligation to Provide Data
Certain data (e.g., email and login information) is required to use the App's online features. Without this data, account creation, synchronization, and social features are not possible.
14. Automated Decision-Making / Profiling
No automated decision-making with legal effect within the meaning of Art. 22 GDPR takes place.
15. Data Security
We follow industry standards and maintain reasonable safeguards to protect your information. Our security measures include:
Technical Measures:
- All data transmission is encrypted (TLS/HTTPS)
- Strongly encrypted communication between servers and databases
- Regular security monitoring and updates
- Network security measures to prevent unauthorized access
Organizational Measures:
- Role-based access restrictions to systems and data
- Limited personnel access to personal information
- Secure storage of records and data
While we implement these measures to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
16. Children's Privacy
Ironify is intended for users aged 12 and older, as required by the App Store age rating.
Age Requirements:
- Minimum age: 12 years old
- Users aged 12-17: Must have parental or guardian consent to use the App. A parent or legal guardian must review and accept this Privacy Policy and the Terms of Service on their behalf.
- Users under 12: We do not knowingly collect personal information from children under the age of 12. If you are under 12 years old, please do not use our Services.
Regional Considerations: In jurisdictions where a higher age of consent applies (e.g., certain EU member states require 16 for consent to data processing), users below that age must have verifiable parental consent.
Parental Rights: If you are a parent or guardian and believe that your child under 12 has provided us with personal information without your consent, please contact us at info@riverfrost.com. We will take steps to delete such information promptly. If you are a parent or guardian of a user aged 12-17, you may contact us to review, modify, or request deletion of your child's data.
17. European Union Privacy Rights (GDPR)
This section applies to residents of the European Union and European Economic Area.
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of Access (Art. 15): Obtain confirmation whether we process your data and request a copy
- Right to Rectification (Art. 16): Request correction of inaccurate personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request restriction of processing in certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint (Art. 77): File a complaint with a supervisory authority
Supervisory Authority: You have the right to lodge a complaint with the data protection authority in your country of residence. A list of EU data protection authorities can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
How to Exercise Your Rights: Contact us at info@riverfrost.com. We will respond within one month (or up to three months for complex requests) as required by GDPR.
Legal Basis for Processing: See Section 4 of this Policy for details on the legal basis for each processing activity.
18. California Privacy Rights (CCPA)
This section applies to California residents only.
Under California law, California users have the following rights:
- Right to Know: You have the right to request disclosure of the personal information we collect, use, and disclose about you.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. We have not sold personal information in the past 12 months and have no plans to do so.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Do Not Track: California law requires us to disclose how we respond to Do Not Track signals. Because there is no industry or legal standard for recognizing Do Not Track signals, we do not currently respond to them.
Shine the Light: We do not share your personal information with third parties for direct marketing purposes.
To exercise your California privacy rights, contact us at info@riverfrost.com.
19. Changes to this Privacy Policy
We may update this Privacy Policy if the App, services used, or legal requirements change. We will try to inform you about significant changes that may affect you. The current version is available within the App and at riverfrost.com/privacy-policy.
If you object to any changes, you should stop using our Services and delete your account.
20. Contact
1. Data Controller
Hannah Kaltenbach
Kirchbachstraße 105
28211, Bremen, Germany
Email: info@riverfrost.com
For privacy-related questions, to exercise your rights, or to submit a complaint, contact us at:
Email: info@riverfrost.com
You also have the right to lodge a complaint with a data protection supervisory authority in your country of residence.
Last updated: 31.01.2026