Privacy Policy

1. Who We Are

RiseKinetic ("we", "us", "our") is operated by [Your Full Name], located at [Your Address], Germany. We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR).

For any data protection inquiries, contact us at privacy@risekinetic.com.

2. What Data We Collect

We collect the following categories of personal data:

Account data: When you sign up via Google OAuth, we receive your name, email address, and profile picture from Google. If you sign up via email OTP, we collect only your email address.

Profile data: Your username, display name, and any profile information you choose to provide within the app.

Usage data: Challenge completions, streaks, badges earned, level progress, and friend connections — all data you actively create through using the app.

Payment data: If you subscribe to RiseKinetic Premium, Stripe processes your payment information. We store only your Stripe customer ID and subscription status — never your card number or bank details.

Technical data: IP address, browser type, device type, and access timestamps. These are collected automatically by our hosting provider (Vercel) and our backend (Supabase) for security and performance purposes.

3. Why We Process Your Data

We process your personal data based on the following legal grounds under GDPR:

Contract performance (Art. 6(1)(b)): To provide the RiseKinetic service — creating your account, tracking your challenges and streaks, managing friendships, and processing Premium subscriptions.

Legitimate interest (Art. 6(1)(f)): To maintain the security of our platform, prevent abuse, and improve the service based on aggregated, non-identifiable usage patterns.

Consent (Art. 6(1)(a)): For any optional features where we explicitly ask for your permission, such as marketing communications. You can withdraw consent at any time.

4. Third-Party Services

We rely on the following third-party services to operate RiseKinetic. Each processes data on our behalf under a Data Processing Agreement (DPA):

Supabase (database & authentication) — hosted in the EU (Ireland region). Stores your account, profile, challenge, and friendship data. Handles authentication via Google OAuth and email OTP.

Vercel (hosting) — serves the application from the EU (Ireland region). Processes IP addresses and request logs for content delivery and security.

Stripe (payments) — processes Premium subscription payments. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.

Resend (transactional email) — delivers OTP verification codes and account-related emails via Supabase's custom SMTP integration.

Google (OAuth provider) — when you choose to sign in with Google, Google shares your basic profile information with us. See Google's Privacy Policy.

5. Cookies & Local Storage

RiseKinetic uses only essential cookies and local storage required for the application to function. These include authentication session tokens managed by Supabase. We do not use advertising cookies, tracking pixels, or third-party analytics tools.

6. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, all associated data (profile, completions, badges, friendships) is permanently removed from our database through cascading deletion. Stripe retains payment records independently in accordance with legal requirements.

Technical server logs (IP addresses, access times) are retained for up to 30 days for security and debugging purposes, then automatically purged.

7. Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

Right of access — request a copy of all personal data we hold about you.

Right to rectification — correct inaccurate data via your profile settings or by contacting us.

Right to erasure ("right to be forgotten") — delete your account and all associated data through the app settings or by emailing us.

Right to data portability — receive your data in a structured, machine-readable format.

Right to restriction — request that we limit processing of your data in certain circumstances.

Right to object — object to processing based on legitimate interest.

To exercise any of these rights, email privacy@risekinetic.com. We will respond within 30 days.

If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection authority. In Germany, this is the data protection commissioner of your federal state (Landesdatenschutzbeauftragter) or the Federal Commissioner for Data Protection (BfDI).

8. Data Transfers

Our primary infrastructure (Supabase and Vercel) is hosted in the EU (Ireland). Some sub-processors (such as Stripe and Resend) may process data in the United States under the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.

9. Children's Privacy

RiseKinetic is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you via email or through a notice in the app. The "Last updated" date at the top of this page reflects the most recent revision.