Privacy Policy

By using the Gameedy app and the website gameedy.com, you entrust us with your personal data. This policy explains how it is processed in accordance with the General Data Protection Regulation (GDPR — EU 2016/679) and the French Data Protection Act as amended.

1. Data controller

The controller of personal data is Mr. Grégoire Clément DELACROIX, sole proprietor operating under the trade name Gleedi, whose full contact details appear in the Legal Notice section. Contact: [email protected].

No Data Protection Officer (DPO) has been appointed, as the processing does not fall within the cases of mandatory designation under article 37 GDPR.

2. Data collected

• Identification and account data: email address, display name (username), generated avatar, login data via Google OAuth or Discord OAuth where applicable (email address, display name, unique identifier and profile picture, limited to the data transmitted by the identity provider at login), accepted Terms version (terms_version), profile visibility (public/private).
• Usage data: rated games, created lists, published comments, browsing history within the app, preferences and settings, social relationships (followed users), submitted feature ideas.
• Technical data: device identifier, operating system, application version, anonymized error reports (Sentry and Firebase Crashlytics), push notification tokens. The Sentry Flutter SDK generates an installation identifier (installationId, a random UUID created at installation and stored locally), used only to deduplicate error reports. Firebase Crashlytics likewise generates a technical installation identifier (installation_id). The collection of personally identifiable information is disabled (sendDefaultPii: false): IP addresses and session data are not transmitted.
• Subscription data: RevenueCat application identifier (app_user_id), subscription store (App Store / Google Play), environment (production / sandbox), subscribed product identifier, store subscription identifier, subscription status, period end date and any cancellation date. Gameedy neither collects nor stores your bank card data; this data is managed exclusively by Apple or Google depending on the platform.
• Billing logs: when subscriptions are synchronized through RevenueCat webhooks, the backend logs technical events containing an event identifier, event type, user identifier (userId), store, status and product identifier. This data is pseudonymized and kept solely for security and debugging purposes.
• Scan data: when a barcode is scanned, the GTIN/UPC/EAN code is sent to EAN-Search in order to identify the product name. That name is then sent to OpenAI solely for normalization. This data does not identify you and is not retained after processing.

Gameedy does not collect any sensitive data within the meaning of article 9 GDPR.

3. Purposes of processing

• Provision and personalization of the service (recommendations, game library, video game summary translation via OpenAI)
• Personalized recommendations through automated processing (profiling — see §4)
• User account management and authentication
• Subscription and billing management (via the App Store, Google Play and RevenueCat)
• Application improvement (bug fixing and stability)
• Tracking accepted Terms versions for regulatory compliance
• Sending notifications with your consent
• Detecting and resolving technical errors
• Security and fraud prevention
• Legal and regulatory obligations

4. Profiling and personalized recommendations

Gameedy may generate personalized game recommendations at the user's request. When you initiate a recommendation by selecting a library or a list, the app analyzes the characteristics of the games it contains (theme, genre, developer, gameplay perspective, etc.) to identify similar games likely to match your interests. The results are displayed as a feed that you can browse freely and close at any time.

This processing constitutes profiling within the meaning of article 4(4) GDPR. It is initiated exclusively by your action and does not result in decisions producing legal or similarly significant effects concerning you within the meaning of article 22. There is no passive or background profiling.

The app also offers a non-personalized discovery mode: you may manually enter raw criteria (genre, theme, platform, etc.) without any link to your personal library. This mode is based on no profiling and constitutes the non-personalized recommendation option required by article 27 of Regulation (EU) 2022/2065 (DSA).

Legal basis: performance of the contract. You may object to this processing by contacting [email protected]; in that case, the recommendation feature will no longer be available.

5. Legal basis for processing

• Performance of the contract: account management, provision of the service, subscriptions, tracking accepted Terms versions, barcode scanning, personalized recommendations on request
• Legitimate interest (art. 6.1.f GDPR): security, abuse prevention, service improvement, error monitoring, billing event logging for debugging and security audit purposes
• Consent: push notifications (you may withdraw your consent at any time from Settings → Notifications → Gameedy)
• Legal obligation: retention of accounting and tax data for 10 years (art. L.123-22 of the French Commercial Code)

6. Recipients of data

Processors (processing data on behalf of Gameedy):

• Hetzner Online GmbH — backend hosting — Germany
• Scaleway SAS — database hosting — France
• IGDB (Twitch Interactive, Inc.) — video game data — United States
• RevenueCat, Inc. — subscription management and synchronization — United States
• Sentry (Functional Software, Inc.) and Firebase Crashlytics (Google LLC) — error monitoring — United States
• Google LLC (Google OAuth) and Discord Inc. (Discord OAuth) — social authentication — United States
• Google LLC (Firebase Cloud Messaging) — push notifications — United States
• Relaxed Communications GmbH (EAN-Search.org) — barcode scanning — Germany
• OpenAI, LLC — artificial intelligence (barcode-scan normalization and video game summary translation) — United States

Third-party data controllers (processing your data in their own name, under their own policies):

• Apple Inc. (App Store) — iOS payment processing and store subscription management; privacy policy: www.apple.com/legal/privacy/en-ww/
• Google LLC (Google Play) — Android payment processing and store subscription management; privacy policy: policies.google.com/privacy

When you subscribe via the App Store or Google Play, Apple or Google collects your payment data directly. Gameedy does not receive this data and is not responsible for its processing.

Gameedy does not sell your personal data to third parties.

7. Transfers outside the EU

Some processors and third-party data controllers operate in the United States. Transfers outside the EU are governed as follows:

• Hetzner Online GmbH: established in Germany (EU) — no transfers outside the EU for backend hosting
• Scaleway SAS: established in France (EU) — no transfers outside the EU for database hosting
• Apple Inc.: DPF-certified for activities falling within the scope of the program
• RevenueCat, Inc. and Sentry (Functional Software, Inc.): Standard Contractual Clauses (SCCs) — data processing agreement (DPA) available from each provider
• IGDB (Twitch Interactive, Inc.): SCCs
• OpenAI, LLC: SCCs only — not DPF-certified
• EAN-Search.org (Relaxed Communications GmbH): established in Germany (EU) — no transfers outside the EU for that service

For users in the United Kingdom, transfers to EEA countries benefit from the adequacy decisions adopted by the United Kingdom. Transfers to the United States are governed by the International Data Transfer Agreement (IDTA) or contractual clauses approved by the ICO.

8. Retention period

• Account data and content (profile, libraries, lists, comments, social relationships): retained for the lifetime of the account and, where applicable, until the active subscription expires, then permanently deleted within one month. This deletion is irreversible.
• Subscription and billing data: 10 years from the transaction
• Technical logs, error reports and billing logs: rolling 12 months
• Scan data: not retained after processing

9. Your rights

In accordance with the GDPR and the French Data Protection Act, you have the following rights:

• Right of access (art. 15): obtain a copy of your data
• Right to rectification (art. 16): correct inaccurate data
• Right to erasure (art. 17): delete your account and your data
• Right to restriction (art. 18): restrict processing in certain circumstances
• Right to data portability (art. 20): receive your data in JSON format directly from the Privacy & Data page in the app, or on request at [email protected]
• Right to object (art. 21): object to processing based on legitimate interest
• Right to withdraw consent (art. 7.3): revoke at any time processing based on your consent, without retroactive effect
• Post-mortem instructions (art. 85 of the French Data Protection Act as amended): define instructions regarding the retention, deletion or disclosure of your data after your death

Your pseudonymized billing logs are available on written request to [email protected]. These time limits run from receipt of your request and may be extended by a further two months in the case of complex or numerous requests, with prior notice.

To exercise your rights: [email protected] or via the app settings. If your complaint is not resolved, you may contact your national data protection authority: CNIL (France), ICO (United Kingdom), BfDI (Germany), AEPD (Spain), Garante (Italy), UODO (Poland), ANPD (Brazil), OPC (Canada), OAIC (Australia).

California residents — CCPA/CPRA

California residents have the following rights: to know, delete, correct and opt out of sale or sharing. Gameedy does not sell your personal data and does not share it for cross-context behavioral advertising. Contact: [email protected] (subject: "CCPA Rights Request").

Residents of Canada — PIPEDA and Law 25 (Québec)

Canadian residents benefit from rights of access, rectification, portability and, in Québec, de-indexing. Gameedy designates [email protected] as the person responsible for the protection of personal information. Authorities: www.priv.gc.ca · www.cai.gouv.qc.ca.

Residents of Brazil — LGPD

Brazilian residents benefit from rights of confirmation, access, correction, portability, information on recipients and withdrawal of consent. In accordance with article 41 of the LGPD, Gameedy designates [email protected] as Encarregado de dados. Authority: www.gov.br/anpd.

Residents of Australia — Privacy Act 1988

Australian residents benefit from rights of access, correction and erasure. Authority: www.oaic.gov.au. Contact: subject "Australian Privacy Request".

Residents of the United Kingdom — UK GDPR

UK residents benefit from the same rights as those described above under the UK GDPR and the Data Protection Act 2018. The competent supervisory authority is the Information Commissioner's Office (ICO).

10. Cookies & trackers (website)

The website gameedy.com places no cookies on your device and uses no external service (no analytics, no third-party CDN, no advertising network). Fonts are self-hosted. Only the hosting provider's standard access logs (IP address, date/time, browser) are processed for security purposes — legitimate interest (art. 6.1.f GDPR), never for advertising purposes.

11. Security

Gameedy implements appropriate technical and organizational measures: encryption of data in transit (TLS), secure authentication, restricted access to personal data. In the event of a data breach likely to create a risk to the rights and freedoms of data subjects, Gameedy notifies the competent supervisory authority within the applicable legal deadlines (72 hours under the GDPR — art. 33, and as soon as reasonably possible in other jurisdictions). In the event of a breach presenting a high risk to your rights and freedoms, you will also be informed as soon as possible in accordance with article 34 GDPR.

12. Minors

The app is open only to persons aged at least 18. Gameedy has uniformly set this minimum age at 18 for all of its markets, corresponding to the age of majority in almost all countries in which the app is available. Users under 18 are not allowed to create an account. Gameedy does not knowingly collect personal data from persons under 18.

Children in the United States — COPPA

Although the app is reserved for adults, Gameedy takes additional measures for users residing in the United States: the app is not intended for children under 13. If we learn that a user is under 13 and resides in the United States, we will immediately delete the account and data, in accordance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §6501 et seq.).

13. Website (landing page)

The website gameedy.com is a purely informational static website. It does not collect or store any personal data directly. The data described in sections 2 to 8 concern exclusively the Gameedy mobile app (iOS and Android).

14. Updates to this policy

This policy may be updated at any time. Any material change will be notified in the app. The last update date is indicated at the top of this page.