Privacy Policy

The controller as defined by the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations is:

Lorik Bajrami
Paul-Fuss-Str. 2
24106 Kiel
Germany

Email: contact@skyjoscore.app

We generally process personal data only to the extent necessary to provide a functional app as well as our content and services. The processing of personal data takes place regularly only with the consent of the data subject. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.

To the extent that we obtain the data subject's consent for processing operations involving personal data, Art. 6(1)(a) GDPR serves as the legal basis.

Hosting

This website is hosted on a dedicated server with IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. The servers are located in Germany. When you access the website, the host automatically collects so-called server log files transmitted by your browser. These are:

• Browser type and browser version
• Operating system used
• Referrer URL
• Hostname of the accessing computer
• Time of the server request
• IP address (anonymised)

This data cannot be associated with specific persons and is not merged with other data sources. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure operation of the website). More information on data protection at IONOS: ionos.de/terms-gtc/datenschutzerklaerung.

Local Storage

We use technically necessary browser storage for functional settings, in particular for language selection (lang), theme selection (theme), and storage of your cookie choice (consentChoice). This storage takes place exclusively in your browser and is not transmitted to third parties.

Web Analytics: Google Analytics 4

This website uses Google Analytics 4, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses cookies and similar technologies to analyse the use of the website (e.g. pages visited, time on site, approximate location, device type).

Consent: Google Analytics is loaded exclusively after your explicit consent via our cookie banner. The legal basis is § 25(1) TDDDG as well as Art. 6(1)(a) GDPR. As long as you do not give consent or refuse consent, no scripts from Google are loaded, no cookies are set, and no data is transmitted to Google.

IP Anonymisation: We enable the anonymize_ip function so that your IP address is shortened by Google within the EU/EEA before any further processing. Direct association with your person does not take place.

Third-Country Transfer: Google LLC may transfer personal data to the USA. The transfer is based on the adequacy decision of the EU Commission under the EU-U.S. Data Privacy Framework (DPF), which Google has joined (policies.google.com/privacy/frameworks), and additionally on the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Withdrawal: You can change your consent at any time via the "Cookie settings" link in the footer of this website. You can also install the browser add-on to deactivate Google Analytics.

More information on data processing by Google: policies.google.com/privacy.

Contact Form (Formspree)

On the support page (/support.html) we offer a contact form. Incoming messages are processed via the Formspree service (Formspree Inc., 340 S Lemon Ave #8606, Walnut, CA 91789, USA) and forwarded to us by email.

The following data is transmitted:

• Sender's email address
• Selected topic (subject)
• Free-text message
• Time of transmission and technical metadata (IP address, browser information)

The legal basis is Art. 6(1)(b) GDPR (performance of pre-contractual measures or processing of a support request) and Art. 6(1)(f) GDPR (legitimate interest in a functional support channel). Since Formspree is based in the USA, the transfer is based on the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Formspree deletes incoming form data after 30 days. More information: formspree.io/legal/privacy-policy.

4.1 Guest Use (Without Account)

When using the app without registration (guest mode), no personal data is collected or transmitted. Game data (player names, scores) is kept exclusively in the device's memory and is irretrievably deleted when the app is closed. No communication with our servers takes place.

4.2 Registration and Account

If you create an account, we collect and store the following personal data:

• Email address: for sign-in and account management
• Username: freely chosen, displayed in the app
• Time of registration: date and time of account creation
• Game data: games you create, player names, and scores

The legal basis is Art. 6(1)(b) GDPR (performance of contract / provision of app features). Providing an email address is required to use an account; the username is optional.

Passwords are stored exclusively as a secured hash and are not visible to us in plain text.

For account management, authentication, and data storage, the app uses Supabase, a service of Supabase Inc., 970 Toa Payoh North, Singapore 318992. Supabase operates the database infrastructure on Amazon Web Services (AWS) servers in the eu-north-1 (Stockholm, Sweden) region. Your data therefore does not leave the EU/EEA.

Supabase processes the following data on our behalf:

• Email address and username
• Time of registration and last sign-in
• Secured password hash
• Game data (games, rounds, scores, player names)

A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place with Supabase. Although Supabase Inc. has its headquarters outside the EU, the actual data processing takes place on EU servers. Insofar as a transfer to third countries (e.g. for technical support by Supabase Inc.) takes place, this is based on the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

More information: supabase.com/privacy, supabase.com Security.

6.1 Overview

The app shows no embedded advertising (no banners, no interstitials). However, you can voluntarily support the development of the app by tapping the "Support" button to watch a short rewarded ad. An ad is loaded and displayed only after your explicit tap action; no automatic ad delivery takes place.

Rewarded ads are delivered via Google AdMob, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (represented within the EU by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Premium users do not see the "Support" button.

6.2 Consent Management (IAB TCF / Google UMP)

For users in the European Economic Area (EEA), Switzerland, and the United Kingdom, the app uses the Google User Messaging Platform (UMP) as a certified Consent Management Platform (CMP) in accordance with the IAB Transparency & Consent Framework (TCF) v2.2. Before a rewarded ad is loaded or data is transmitted to AdMob, your consent is obtained. Without consent, no ad is loaded.

Depending on your choice, AdMob may deliver the rewarded ad as:

• Personalised ad: based on your user profile (only with consent)
• Non-personalised ad: without profile building
• Limited Ads: in case of conflicting signals

You can withdraw or change your consent at any time under: App → Settings → Privacy options.

6.3 Processed Data

When you watch a rewarded ad, Google AdMob may process the following data depending on region, consent status, and system settings:

• Device identifiers: IDFA (Identifier for Advertisers, iOS), only if app tracking is allowed in iOS system settings
• IP address (possibly shortened) and approximate location derived from it
• Device and system information (model, OS version, language, app version)
• Usage and performance data for the ad (impression, completion, reward)
• Consent status information (TC string per IAB TCF)

6.4 Third-Country Transfer

Google LLC is based in the USA. Insofar as data is transferred to the USA, this is based on the EU Standard Contractual Clauses (SCCs) and/or the EU-U.S. Data Privacy Framework (DPF), which Google has joined (Art. 45/46 GDPR). More information: policies.google.com/privacy/frameworks.

6.5 iOS App Tracking Transparency

On iOS devices, the Apple App Tracking Transparency (ATT) framework is additionally taken into account. The IDFA is only used for personalised ads if you have agreed to tracking in iOS system settings (Settings → Privacy & Security → Tracking).

6.6 More Information on Google AdMob

Google Privacy Policy · AdMob & Privacy · Consent modes in AdMob

The app is downloaded and operated via the Apple App Store. Apple Inc. independently collects data in accordance with their privacy policy. We have no influence on this data collection. More information: apple.com/legal/privacy.

The app declares its privacy practices in the Apple App Store in accordance with Apple's requirements (Privacy Nutrition Labels). The information provided there reflects the processing activities described in this privacy policy.

For downloading and using the app via the Apple App Store, Apple Inc.'s terms of use also apply in the form of the Licensed Application End User License Agreement (Standard EULA). Apple is a third-party beneficiary of this agreement in this context and can enforce its terms against you.

The processing of personal data takes place on the basis of the following legal bases:

• Art. 6(1)(a) GDPR (consent):
  Storage of/access to information on the end device as well as personalised advertising via Google AdMob, provided you have given your consent. Consents can be withdrawn at any time.
• Art. 6(1)(b) GDPR (performance of contract):
  Processing of account and game data to provide app functions for registered users.
• Art. 6(1)(f) GDPR (legitimate interest):
  Secure operation of the website (server logs) and prevention of misuse.

We use the following processors, with whom a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been concluded or whose standard contractual clauses have been acknowledged:

• Supabase Inc. (Singapore): backend infrastructure, authentication, database operation on EU servers (AWS Stockholm, eu-north-1). DPA available via the Supabase platform.
• IONOS SE (Germany): web hosting of the landing page.
• Formspree Inc. (USA): processing of support requests via the contact form. Transfer based on the EU Standard Contractual Clauses (SCCs).

Google LLC may act as a joint controller (Art. 26 GDPR) or as an independent controller for processing in the context of Google AdMob in the area of personalised advertising. Further details can be found in the Google Ads Controller-Controller Data Protection Terms.

When using Google AdMob, data may be transferred to the USA. The transfer is based on:

• EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, and/or
• EU-U.S. Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR)

When using the contact form, data is transmitted to Formspree Inc. (USA). The transfer is based on the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

The actual app data storage via Supabase takes place on EU servers (Stockholm, AWS eu-north-1). No transfer outside the EU takes place for account and game data.

• Account and game data: Stored as long as your account is active. After deletion of your account, all personal data is completely and irretrievably deleted within 30 days.
• Subscription and payment data: Transaction and purchase records are subject to statutory retention obligations (§ 147 AO, § 257 HGB) and are retained for 10 years even after account deletion. Use for other purposes does not take place. After expiry of the period, this data is also irretrievably deleted.
• Guest use: Game data is kept exclusively in memory and is automatically deleted when the app is closed. No persistent storage takes place.
• Server logs (website): Automatically deleted after a maximum of 7 days.
• Consent status (AdMob/UMP): Stored locally on the device and queried again each time the app is started. You can change it at any time under Settings → Privacy options.

To delete your account, please send an email to: contact@skyjoscore.app. After deletion, all account and game data will be removed within 30 days. Subscription and payment records are retained for 10 years due to statutory retention obligations and are deleted after that.

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR that has legal effect on you or significantly affects you in a similar way.

You have the following rights with regard to personal data concerning you:

• Right of access (Art. 15 GDPR): which data we have stored about you, where it comes from, and for what purpose.
• Right to rectification (Art. 16 GDPR): correction of incorrect or incomplete data.
• Right to erasure (Art. 17 GDPR): right to be forgotten, insofar as no retention obligations apply.
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR): transmission of your data in a machine-readable format.
• Right to object (Art. 21 GDPR): against processing based on legitimate interests (Art. 6(1)(f) GDPR).
• Right to withdraw consent (Art. 7(3) GDPR): at any time with effect for the future, without giving reasons and without disadvantages for you.

To exercise your rights, please contact: contact@skyjoscore.app. We will respond within 30 days.

Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The competent authority is the one in the federal state where you reside, or the authority responsible for the jurisdiction in which the controller is based. A list of all German data protection supervisory authorities can be found at: bfdi.bund.de.

The app is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If we learn that a child under 13 has created an account, the corresponding data will be deleted immediately. Parents or legal guardians who are aware that their child has provided us with personal data without their consent are asked to contact us at contact@skyjoscore.app.

We reserve the right to adapt this privacy policy as necessary in order to adjust it to changed legal situations or to changes in the service and data processing. The current version is always available on this page. The date of the last update is shown above.