Privacy Policy (App)

This privacy policy applies exclusively to the mobile app of QuizBox. The privacy policy for the website can be found here.

Controller

Scope

This privacy policy explains how we process personal data when you use the QuizBox app. It applies to the app and the backend services we provide (e.g. game and user management).

Overview: What data may be processed?

Depending on how you use the app, we process in particular the following categories of data:

• Account/login data: email address, username, internal user ID, login timestamps.
• Game and profile data: progress, points, statistics, league/tournament progress, friends list, in-app currency (e.g. coins/diamonds), settings.
• Usage/device data: technical identifiers (e.g. app instance ID), device and app information (e.g. operating system, app version), events/interactions in the app.
• Diagnostic and error data: crash/error reports and performance data (e.g. loading times), if enabled.
• Push data: device tokens (e.g. FCM/APNs), time and status of notifications.
• Feedback/support data: content you enter (e.g. message, category), optional email/name, device name and optionally a screenshot.
• Purchase/billing data: for in-app purchases, transaction/receipt data (no full payment data such as credit card numbers).
• Advertising/marketing data: if/when ad videos are integrated in the future, ad IDs (e.g. Android Advertising ID / iOS Identifier) and usage data may be processed (see section "Advertising / ad videos").

Purposes and legal bases (GDPR)

We process personal data for the following purposes:

• Provision of app functions (account, login, gameplay, matchmaking, leagues/tournaments, statistics, rewards, friends list) - Art. 6(1)(b) GDPR (contract/pre-contract).
• Security, abuse and fraud prevention (e.g. technical logs, server logs) - Art. 6(1)(f) GDPR (legitimate interest in secure operation).
• Error analysis and stability (crash/error reports, diagnostic data) - Art. 6(1)(f) GDPR; where required also Art. 6(1)(a) GDPR (consent).
• Usage analysis/product improvement (analytics/events) - generally Art. 6(1)(a) GDPR (consent), where legally required.
• Push notifications (e.g. game updates) - generally Art. 6(1)(a) GDPR (consent via operating system permission); technically necessary notifications may also be based on Art. 6(1)(b)/(f) GDPR.
• Processing of in-app purchases (unlocking, purchase validation) - Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR (legal obligations, e.g. retention duties, where applicable).
• Support/feedback - Art. 6(1)(b) GDPR (support within the use) or Art. 6(1)(f) GDPR (legitimate interest in troubleshooting) or Art. 6(1)(a) GDPR (if you voluntarily provide additional data, e.g. screenshot/email).

Account and login (AWS Cognito)

For registration/login we use AWS Cognito (Amazon Web Services). You can sign in via email/password or - if enabled - via social login (e.g. Google/Facebook) through the Cognito "Hosted UI". This processes in particular identification and login data (e.g. email, username, user ID).

We generally operate our AWS services in the region eu-central-1 (Frankfurt).

Backend database (AWS DynamoDB) and game data

To provide the game functions, we store in AWS DynamoDB among other things profile and game data (e.g. username, email, internal user ID, friends list, progress/statistics, league/tournament and reward information, wallet balances).

Visibility to other players: Depending on the function, other players can see your username and certain game/profile information (e.g. avatar, status, league/statistics), for example in friends lists, opponent views or leaderboards. Which data is shown depends on the app settings and the respective function.

Profile pictures / avatars (planned)

If we provide a profile picture feature and you upload a profile picture, we process the image (image file) and, if applicable, technical metadata (e.g. upload time, file format/size). The profile picture may - depending on your settings - be visible to other players (e.g. in friends lists, opponent views or leaderboards).

Please note: images may contain personal data (e.g. face, name tag) and possibly embedded metadata (e.g. EXIF). We recommend not uploading sensitive information.

Server logs

When the app communicates with our servers, we process technically necessary connection data (e.g. IP address, date/time, requested endpoints, device/browser identifiers such as "user agent"). This is required to provide the services, analyze errors and ensure security.

Feedback (including optional screenshot upload)

If you send feedback via the app, we process the content you enter (e.g. message, topic) as well as context information (e.g. affected screen, app version, device name). Optionally you can provide name/email. In addition, the app - only as part of the feedback feature - can create a screenshot and upload it to an AWS S3 bucket so we can better understand your issue.

Push notifications (Firebase Cloud Messaging / APNs)

For push notifications we use Firebase Cloud Messaging (FCM). On iOS, push messages are technically delivered via the Apple Push Notification Service (APNs). A device token is processed to deliver messages to your device. You can disable push notifications at any time in your device's system settings.

Analytics, stability and performance (Firebase & Sentry)

The app integrates the following services/SDKs:

• Firebase Analytics (usage analysis, events, reach measurement).
• Firebase Crashlytics (crash/error reports).
• Firebase Performance Monitoring (performance metrics).
• Firebase Remote Config (configuration/feature flags).
• Firebase In-App Messaging (in-app notices/campaigns, typically based on analytics events).
• Sentry (error and diagnostic data for stabilization/troubleshooting).

Depending on the service, device/app information, technical identifiers, usage events as well as error/crash details (e.g. stack traces) may be processed. Direct identification is generally not performed via names, but depending on the integration it may be possible through linking with account/session information (e.g. in support cases).

App permissions

Depending on the platform and function, the app requires certain permissions. Typical examples are: Internet (communication with our servers), Vibration (feedback/notifications) and, where applicable, storage access (e.g. for feedback screenshots). Screenshots are created only when you actively use the feedback feature. There is no access to your photo/media library unless you select/share content yourself. You can manage permissions in your device's system settings.

In-app purchases

If you make in-app purchases, payment processing is handled by the respective app store provider (Apple App Store / Google Play). We typically receive transaction information (e.g. product ID, time, confirmation/receipt data), but no full payment data (e.g. credit card numbers). We may process transaction data to validate purchases and unlock content.

Advertising / ad videos (future)

Currently, no advertising SDKs are integrated in the app and no ads are delivered. However, we plan to offer ad videos in the future (e.g. rewarded ads). In that case, an ad network may process technical data (e.g. IP address, device identifiers, ad ID, interactions with ads). Once a specific ad network is used, we will update this privacy policy accordingly.

Note: Personalized advertising and processing for marketing purposes require consent depending on the legal basis. On iOS, "App Tracking Transparency" may also be required.

Recipients / processors

Depending on the function, data may be transferred to the following categories of recipients:

• Amazon Web Services (AWS) (Cognito, DynamoDB, S3; hosting/backend infrastructure).
• Google / Firebase (Analytics, Crashlytics, Performance, Remote Config, In-App Messaging, Cloud Messaging).
• Sentry (error/diagnostic reports).
• App store providers (Apple/Google) for download, billing and, if applicable, purchase validation.
• Advertising partners (future, depending on integration).

Further information about providers (selection):

• AWS Privacy: https://aws.amazon.com/de/privacy/
• Firebase/Google Privacy: https://firebase.google.com/support/privacy
• Sentry Privacy: https://sentry.io/privacy/
• Apple Privacy: https://www.apple.com/legal/privacy/
• Google Privacy: https://policies.google.com/privacy

Data transfers to third countries

Depending on the provider used, processing may also take place in countries outside the EU/EEA (in particular the USA). Where required, we base transfers on appropriate safeguards, in particular EU Standard Contractual Clauses (SCC) and/or - where applicable - an adequacy decision (e.g. EU-U.S. Data Privacy Framework) for certified providers.

Retention period

We generally store personal data only as long as necessary for the purposes mentioned: account and game data typically for the duration of your account; support/feedback data as long as necessary for processing. Server logs are usually stored only for a short time for security reasons.

Local storage on the device

The app stores certain data locally to enable use (e.g. session/auth tokens and settings). These data are usually stored in the device's secure storage. You can delete local data by logging out or uninstalling the app.

Your rights

You have the right of access, rectification, erasure, restriction of processing as well as the right to data portability (where applicable) and the right to object. You can also lodge a complaint with a data protection supervisory authority.

If processing is based on your consent, you can withdraw it at any time with effect for the future.

For requests (e.g. access or deletion of your account) please contact us at shk-media@gmx.de.

Account deletion

You can request the deletion of your account at any time. As soon as the function is available in the app, you will find it under Settings > Account > Delete. Until then, please send us an email to shk-media@gmx.de (ideally with your username and the email address used in the app).

After successful verification, we delete or anonymize your account and profile data unless statutory retention obligations apply. Data we must retain for legal reasons (e.g. billing/transaction records for in-app purchases, if any) are stored in accordance with legal requirements and deleted afterwards.

Children

Our app is not specifically directed at children. If you believe we have processed children's data without the appropriate consent, please contact us so we can review and, if necessary, delete the data.

Changes to this privacy policy

We update this privacy policy if legal requirements, app features or data processing change. The current version is always available on this page.