spice-club-legal

Privacy Policy — Spice Club

Effective date: 2026-05-05 Last updated: 2026-05-05

This Privacy Policy explains how the Spice Club mobile application (the “App”) collects, uses, shares, and protects information when you use it. By using the App you agree to the practices described below. If you do not agree, please stop using the App.

If you have any questions, contact us at davidjohansmolders@gmail.com.

---

1. Who we are

The App is operated by the publisher listed on the App Store page for Spice Club (the “Publisher”, “we”, “us”). The Publisher is the data controller for personal data processed through the App.

2. Summary

• We do not sell your personal data.
• We do not run third-party advertising in the App.
• We do not use your in-App content (such as custom cards or coupons) for any purpose other than delivering the App’s features to you and your paired partner.
• You can delete your account and associated data from inside the App at any time (see Your rights below).

3. Data we collect

We aim to collect as little personal data as possible. The categories below cover everything the App may store about you.

3.1 Account and pairing data

• A randomly generated user identifier created when you first open the App. This is generated by our authentication provider (Supabase Auth) and is not derived from your name, phone number, or email unless you choose to sign in with one.
• A short pairing code that you can share with a partner so the two accounts can be linked into a “couple”. The code is opaque (it does not reveal anything about you) and can be regenerated.
• The user identifier of your paired partner, if any.

3.2 Profile and preferences

• Onboarding answers you provide in the App, such as your gender, your partner’s gender, a chosen “spice” level, and your preferred language. These answers shape which cards are shown.
• App settings such as deck size, hidden cards, and language.

3.3 Game and content data

• Cards you create (“custom cards”) and the cards you select for a game. Custom card text is created by you and visible to you and your paired partner.
• Game state: which game is active, when it started, which cards are marked completed, when it ends.
• Coupons you create or redeem with your partner.

3.4 Push-notification tokens

• A device push token (issued by Apple Push Notification service or Firebase Cloud Messaging) so we can notify your partner of relevant events, such as a new game starting or a coupon being redeemed. The token is tied to your device and is invalidated when you sign out or uninstall the App.

3.5 Purchase and subscription data

• If you purchase a subscription or one-time unlock, the purchase is processed by Apple via in-app purchase. We receive only the information needed to verify your entitlement (a non-identifying subscriber id and the entitlement status) through our subscription provider (RevenueCat).
• We do not receive your payment card details, full name, or billing address from Apple.

3.6 Diagnostic data

• We may receive crash reports and basic diagnostic logs (for example through Apple’s crash reporting or our backend’s standard request logs). These are used to diagnose problems and improve reliability.

3.7 Information we do not collect

• We do not collect your contacts, photos, microphone, camera, precise location, health, or financial data.
• We do not run third-party advertising SDKs and do not use your data to build advertising profiles.

4. How we use your data

We use the data described above to:

1. Operate core App features (creating an account, pairing partners, running games, syncing decks and coupons between paired devices).
2. Send push notifications you have enabled (e.g., “your partner started a game”, “a coupon was redeemed”).
3. Verify entitlements for any paid features you purchase.
4. Diagnose crashes and improve the App’s reliability and security.
5. Comply with applicable laws and respond to lawful requests.

We do not use your data for advertising, profiling, or sale to third parties.

5. Legal bases (EEA / UK users)

If you are in the European Economic Area or the United Kingdom, our legal bases for processing are:

• Performance of a contract — processing necessary to provide the App and the features you request.
• Legitimate interests — keeping the App secure, preventing abuse, and improving reliability. We balance these interests against your rights.
• Consent — for push notifications and any optional feature where you grant permission. You can withdraw consent at any time in your device settings.
• Legal obligations — for tax, compliance, or law-enforcement requests where applicable.

6. Sharing and third-party processors

We use a small set of service providers to run the App. They process data only on our behalf and under contractual obligations.

Provider	Purpose	Data processed
Supabase	Authentication, database, realtime sync	Account id, profile, game and coupon data, push tokens
Apple Push Notification service	Delivering push notifications on iOS	Device push token, notification payload
Firebase Cloud Messaging (Google)	Push notification delivery and routing	Device push token, notification payload
RevenueCat	Subscription / IAP entitlement management	Anonymous subscriber id, purchase receipts, entitlement status
Apple App Store	App distribution, in-app purchases	Apple-managed payment data; we receive only entitlement status

We do not sell, rent, or share your personal data with any party for their own marketing purposes.

7. International transfers

Our service providers may process data in countries other than the one you live in, including the United States. Where required, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the EU–U.S. Data Privacy Framework (where applicable), or equivalent mechanisms.

8. Data retention

• Account data and game data are retained while your account exists.
• Push tokens are retained until they are invalidated by your device or you sign out / uninstall.
• Crash and diagnostic logs are retained for a limited period (typically up to 90 days) and then deleted or aggregated.
• When you delete your account, your account record, profile, custom cards, games, and coupons are deleted from our database. Backups are rotated on a normal schedule and any residual copies are overwritten within that cycle.

9. Security

We use HTTPS/TLS in transit and rely on our infrastructure providers’ encryption at rest. Access to production data is limited to a small number of administrators on a need-to-know basis. No system can be guaranteed 100% secure; you use the App at your own risk.

10. Your rights

You have the following rights, subject to local law:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate data.
• Deletion — delete your account and associated data. You can do this from inside the App: open Settings → Delete account. The deletion is processed immediately and removes your account, profile, custom cards, games, and coupons.
• Objection / restriction — object to or restrict certain processing.
• Portability — receive your data in a portable format.
• Withdraw consent — where we rely on consent, you can withdraw it.
• Lodge a complaint — with your local data protection authority.

To exercise any of these rights, contact us at davidjohansmolders@gmail.com. We will respond within the period required by law.

11. Children’s privacy

The App is intended for adults (18+) and includes mature themes. It is not directed at children under 13 (or under 16 in the EEA, where applicable), and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will delete it.

12. California privacy notice (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising. We do not sell or share personal information as defined by the CCPA/CPRA. To exercise your rights, contact us at the email above.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be highlighted in the App or by updating the “Effective date” above. Continued use of the App after a change means you accept the updated policy.

14. Contact

For questions, requests, or complaints about this Privacy Policy or how we handle your data, contact:

davidjohansmolders@gmail.com