Privacy Policy
01Who We Are
Decode ("the App", "we", "us", "our") is operated by Stefano Marchesi, an individual based in Albinea (RE), 42020, Italy.
Stefano Marchesi acts as the Data Controller within the meaning of the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and applicable Italian law (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018).
Contact: decode.city26@gmail.com
02Scope
This Privacy Policy explains what personal data we collect when you use Decode, why we collect it, how long we retain it, who we share it with, and what rights you have over it.
By creating an account or using the App, you acknowledge that you have read and understood this Policy.
03Data We Collect
3.1 Account Data
When you register, we collect:
- Email address — used for authentication and service communications
- Username — the display name you choose (publicly visible in the leaderboard)
- Password — stored in hashed form by our authentication provider; we never see it in plain text
3.2 Profile Data
- Avatar image — optional photo or image you upload to personalise your profile (publicly visible)
3.3 Game Progress Data
- Current case and mission progress
- Score, medals earned, detective rank, unlocked forensic tools
- Hints used, time to complete missions, case completion status
- Team challenge records (invite codes, results)
3.4 Purchase Data
Purchases are processed exclusively by the Apple App Store or Google Play Store and managed by RevenueCat. We do not receive or store your payment card details. We receive only:
- Confirmation that a purchase was completed
- The product identifier and transaction ID (provided by RevenueCat)
- The amount paid and currency
Purchase records are retained for legal and accounting purposes.
3.5 Location Data
The App requests access to your device GPS location during gameplay, specifically:
- To validate geo-checkin missions (confirming you have physically reached a real-world location)
- To display your position on the in-app city map
Location is accessed only while the App is in the foreground and only when you are actively playing a mission that requires it. We do not track your location in the background. You may deny location permission, but geo-checkin mission types will not function without it.
3.6 Push Notification Data
If you grant permission, we collect your push notification token (a device identifier issued by Apple APNs or Google FCM) to send you service notifications such as team challenge invitations and case availability updates. You may revoke this permission at any time in your device settings.
3.7 Usage and Technical Data
- Device type, operating system version, app version
- IP address (logged for security and abuse prevention)
- Session timestamps and approximate usage duration
- Crash reports and error logs
3.8 Communications
If you contact us by email, we retain the correspondence to respond to your request and for a reasonable period thereafter.
04Legal Basis for Processing
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b)) |
| Processing purchases and unlocking cases | Contract performance (Art. 6(1)(b)) |
| Saving game progress and career data | Contract performance (Art. 6(1)(b)) |
| Displaying username and score in the public leaderboard | Contract performance + Legitimate interest (Art. 6(1)(f)) |
| Sending push notifications | Consent (Art. 6(1)(a)) — revocable at any time |
| Accessing GPS location for geo-checkin missions | Consent (Art. 6(1)(a)) — revocable at any time |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Retaining purchase records for accounting | Legal obligation (Art. 6(1)(c)) |
| Responding to support enquiries | Legitimate interest (Art. 6(1)(f)) |
05Public Leaderboard
Your username, detective rank, and total score are visible to all users of the App in the public leaderboard. If you do not wish to appear publicly, you may request account deletion (see Section 10).
06Third-Party Service Providers
We use the following third-party services that may process your personal data on our behalf. Each operates under its own privacy policy and, where applicable, a Data Processing Agreement (DPA) with us.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database, file storage, real-time features | EU (Frankfurt) |
| RevenueCat | Purchase management and entitlement verification | USA (SCCs apply) |
| Google Firebase Cloud Messaging | Push notifications (Android) | USA (SCCs apply) |
| Apple Push Notification service | Push notifications (iOS) | USA (SCCs apply) |
| Upstash | In-memory cache and leaderboard data | EU |
| YouTube / Google | Trailer videos displayed inside the App via WebView | USA (SCCs apply) |
| Cloudflare | CDN, DNS, network security | USA (SCCs apply) |
We do not sell your personal data to any third party.
07International Data Transfers
Some of our service providers operate outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or we rely on the provider's adequacy determination.
08Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Until you delete your account |
| Game progress (scores, missions, medals) | Until you delete your account |
| Push notification tokens | Until you revoke permission or delete your account |
| Location data | Not stored server-side; validated in real time and discarded |
| Usage and technical logs | 12 months from collection |
| Purchase records | 10 years (Italian fiscal law obligation) |
| Support email correspondence | 2 years from the last exchange |
When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., purchase records).
09Children's Privacy
The App is not directed at children under the age of 14 years. In Italy, 14 is the minimum age for autonomous digital consent under Art. 8 GDPR as implemented by Italian law.
We do not knowingly collect personal data from children under 14. If we become aware that a user is under 14, we will promptly delete their account and associated data. If you believe a child under 14 has registered, please contact us at decode.city26@gmail.com.
10Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — you may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction — you may request that we limit how we process your data in certain circumstances.
- Right to data portability — you may request your data in a structured, machine-readable format.
- Right to object — you may object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent (location, push notifications), you may withdraw it at any time.
- Right to lodge a complaint with the Italian Data Protection Authority:
Garante per la protezione dei dati personali — garante.it
Piazza Venezia 11, 00187 Roma, Italy
To exercise any of these rights, email us at decode.city26@gmail.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
11Security
We implement appropriate technical and organisational measures to protect your personal data, including encrypted data transmission (HTTPS/TLS), hashed password storage, row-level security on our database, JWT-based authentication with short-lived tokens and refresh rotation, and rate limiting to prevent abuse.
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we take reasonable steps to protect your information.
12Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify you via an in-app notice or push notification for material changes. Your continued use of the App after the effective date constitutes acceptance of the updated Policy.