Privacy Policy

Datenschutzerklärung · Last updated May 2025

1. Controller

The controller responsible for data processing on this website within the meaning of the GDPR is:

A. Möller
Berliner Ring 40
24392 Süderbrarup, Germany
Email: support@revealcardapp.com

2. Data We Collect and Why

Account Data

When you register, we collect your email address and a password hash. This is required to provide your account and associate purchased decks with your profile.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract

Purchase Data

When you make a purchase, payment is processed by Stripe. We receive a record of which decks you unlocked and a payment intent reference. We do not store card details.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract

Usage Data

We store your saved favorite cards and display name if you choose to set one.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract

Multiplayer Session Data

When you use multiplayer sessions, we store technical session information (e.g. session code, participants, selected deck, timestamps, and game state needed to keep both players in sync). We do not record your spoken answers to conversation cards.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract

Server Logs

Our hosting provider (Vercel) automatically collects standard server log data including IP address, browser type, and pages visited. This data is used for security and performance and is deleted after 30 days.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest

3. Third-Party Services

Supabase

Supabase Inc. stores account, purchase, favorites, and multiplayer session data on EU servers (Frankfurt) and provides the real-time sync used for sessions. It acts as a data processor under a DPA.

supabase.com/privacy

Stripe

Stripe, Inc. processes all payments. It is certified under the EU-US Data Privacy Framework. You are subject to Stripe's privacy policy when making a purchase.

stripe.com/privacy

Vercel

Vercel Inc. hosts this website and processes server logs as a data processor.

vercel.com/legal/privacy-policy

4. Cookies and Local Storage

We use browser local storage to cache your unlock state for performance — so the app loads without a visible flash. No tracking cookies or advertising cookies are used. The PWA service worker handles offline functionality only — no personal data is stored in the cache.

5. Data Retention

We retain your account and purchase data for as long as your account is active. Upon deletion request, all personal data is removed within 30 days — except where retention is required by law (typically 10 years for financial records under § 147 AO).

Multiplayer session data is temporary. Sessions that are waiting or cancelled are deleted after 1 hour, active sessions are deleted after 15 minutes of inactivity, and completed sessions are kept for 7 days for your session history.

6. Your Rights (GDPR Art. 15–22)

Art. 15: Right of access — request a copy of your data
Art. 16: Right to rectification — correct inaccurate data
Art. 17: Right to erasure — request deletion of your data
Art. 18: Right to restriction of processing
Art. 20: Right to data portability
Art. 21: Right to object to processing based on legitimate interest
Right to withdraw consent at any time

To exercise any right, contact support@revealcardapp.com. You may also lodge a complaint with your local data protection authority (in Germany: the relevant Landesbeauftragter für Datenschutz).

7. Security

We use TLS encryption for all data in transit, hashed passwords, and row-level security in our database. No system is completely secure — we cannot guarantee absolute security.

8. Changes to This Policy

We may update this policy from time to time. Registered users will be notified of material changes by email. The date at the top of this page reflects the most recent update.