1. Controller
The data controller within the meaning of Art. 4 (7) GDPR is:
Eladio Rubio Hernandez
Fermanagh-Weg 3
33647 Bielefeld
Germany
Email: contact@getriftr.app
The platform is currently operated by the above-named individual. Should the platform later be operated by an incorporated entity (e.g. a Riftr UG once founded and registered in the German commercial register), this Privacy Policy will be updated and existing users notified in-app.
A Data Protection Officer is not appointed — Riftr does not meet the thresholds in § 38 BDSG that would require one.
2. Beta-Mode Notice
Riftr is currently in a closed beta. The marketplace runs in the TEST mode of our payment provider, Stripe. When you try the purchase flow you enter payment data (test-card numbers) into a form that is transmitted to and processed by Stripe in a test environment. If you go through the seller flow, Stripe's onboarding additionally collects KYC data (name, date of birth, address, bank details). No real charge is made and no real money moves. Please enter ONLY the test-card numbers we provide and never your real card details. Riftr itself never sees or stores your card or bank details at any time. That processing happens solely at Stripe. When the marketplace moves to full launch this Privacy Policy will be updated and existing users notified.
3. Data We Collect
The following categories of personal data are processed when you use Riftr:
(a) Account data
- Email address (mandatory, login + verify)
- Hashed password (Firebase Authentication)
- Display name
- Profile photo URL (optional, from Google Sign-In or manual)
- Push-notification token (FCM, optional)
- Apple Sign-In: an Apple-issued OAuth refresh token (stored solely so we can revoke your Apple session when you delete your account, as required by Apple)
(b) Seller-onboarding data (only when you list cards for sale)
- Postal address (street, ZIP, city, country)
- Verified email
- For commercial sellers (§ 14 BGB): legal entity name, VAT identification number
- Counters required by the German PStTG (DAC7): yearly transaction count + gross revenue per calendar year
- Tax identification number (TIN), where required for DAC7 reporting (§ 15 PStTG)
- Note: when one of your listings is purchased, your email address and shipping address are shared with the buyer for contract execution (Art. 6 (1) (b) GDPR)
(c) Order data (marketplace purchases)
- As a buyer: your shipping address including recipient name (shared with the seller for delivery)
- Order records: items, prices, order status, plus the seller's email address in your order confirmation and the seller's shipping address in your order view (all orders); for commercial sellers additionally the full business imprint
(d) App usage data
- Listings you create (cardId, price, condition, quantity, foil flag)
- Decks, recorded matches, card collection
- Anonymous scanner telemetry (strategy/confidence/latency, no user identifier attached) for service improvement
(f) Reports, complaints & moderation
- Reports you submit (reported content/account, reason, optional description, good-faith declaration)
- Complaints against moderation measures (your text + a snapshot of your sanction state)
- Moderation records affecting you (strikes with order reference, sanction audit trail)
(g) Technical data
- IP address (logged by Firebase / Cloud Functions for security and abuse prevention)
- Device push token
We do NOT collect: phone numbers, date of birth, GPS / location data, contacts, IDFA / advertising identifiers, biometric data, social-graph data from third parties, or any data not listed above.
4. Purposes and Legal Bases
We process your data only for the purposes listed below.
(a) Providing the app and your account — Art. 6 (1) (b) GDPR (contract performance). Includes: account creation, login, displaying your profile, syncing your decks / matches / collection across devices.
(b) Providing the marketplace — Art. 6 (1) (b) GDPR (contract performance). Includes: showing your listings to other users, transmitting your seller country to enable shipping calculation, displaying your public seller profile (rating, sales count) to potential buyers.
(c) Statutory obligations — Art. 6 (1) (c) GDPR (legal obligation). Includes: tracking yearly sales counters under the German PStTG / DAC7, retaining order records for the periods required by the Handelsgesetzbuch (HGB § 257) and the Abgabenordnung (AO § 147).
(d) Push notifications — Art. 6 (1) (a) GDPR (consent). You opt in by accepting the iOS / Android push permission prompt. You can revoke at any time in your device settings or by signing out.
(e) Service improvement (anonymous telemetry) — Art. 6 (1) (f) GDPR (legitimate interest in improving scanner accuracy and app stability). The telemetry contains no user identifier and cannot be linked to a specific account.
(f) Security and abuse prevention — Art. 6 (1) (f) GDPR (legitimate interest). Includes IP-address logging by our hosting provider, rate-limit counters, Firebase App Check integrity tokens, and rate-limited internal alert emails to the platform operator triggered by automated fraud-, payout-, and abuse-detection rules in our Cloud Functions backend.
5. Service Providers (processors)
We use the following carefully selected service providers, each bound to a Data Processing Agreement (Art. 28 GDPR):
(a) Google Ireland Limited / Google LLC — Firebase platform
- Firebase Authentication (email + Google Sign-In)
- Cloud Firestore (app database)
- Cloud Functions (server logic)
- Firebase Cloud Messaging (push, via APNs on iOS)
- Firebase App Check (anti-abuse)
- Firebase Crashlytics (crash diagnostics: device model, OS version, crash stack traces — used solely for app stability, no advertising use)
Server location: EU (Frankfurt / europe-west). Some sub-services may transfer data to the United States.
(b) Resend Inc. — transactional email. Used for (i) sending the 6-digit email verification code to confirm your seller email, (ii) sending order and contract confirmation emails to buyers once a purchase is paid (order details, seller identity and — for purchases from commercial sellers — the statutory withdrawal notice; this fulfils the durable-medium confirmation requirement of § 312i BGB), (iii) seller notices required by law (e.g. DAC7 threshold notifications), and (iv) delivering internal operational alerts to the platform operator when automated checks detect potential fraud, payout failures, or security-relevant events on the marketplace (see § 4 (f)). Such alerts may contain pseudonymous user identifiers (Firebase UID), Stripe account/order/listing references and error messages, but no payment card data, no bank account numbers in cleartext, and no message content. No marketing or newsletter use.
(c) Stripe Payments Europe Limited / Stripe Inc. — payment processing (TEST mode during the closed beta). During the beta the marketplace runs in Stripe's test mode: test-card payment data and, if you onboard as a seller, KYC and onboarding data are processed by Stripe; no real money moves (see § 2). Once the marketplace transitions to full launch, Stripe processes real payments between buyers and sellers under its own privacy policy. Stripe is an independent payment service provider; the seller enters a direct contract with Stripe (Stripe Connected Account Agreement) for KYC and payouts.
(d) Apple Inc. / Google LLC — push notification routing. APNs (iOS) and FCM (Android) deliver push notifications to your device. Apple / Google cannot read the notification content.
Fonts on getriftr.app are self-hosted — no requests are made to Google Fonts or any other font CDN when you visit this website.
(e) Cloudflare, Inc. — email forwarding and website analytics. Email Routing forwards mail addressed to @getriftr.app to our internal mailbox. Cloudflare Web Analytics on getriftr.app is cookieless and does not store IP addresses per visitor — aggregated server-side only.
(f) Apple Inc. / Google LLC — app distribution. The App Store and Google Play deliver the app and provide aggregate install metrics to us under their respective privacy policies.
(g) OpenStreetMap Foundation (United Kingdom) — address validation. When you save a seller address, it is sent to the public Nominatim geocoding service to check that it is a plausible, deliverable address (Art. 6 (1) (f) GDPR — legitimate interest in marketplace integrity). Only the address itself is transmitted, never your name, email or account data.
(h) European Commission — VAT number validation (VIES). For commercial sellers, the VAT identification number you provide is checked against the EU VIES service (Art. 6 (1) (c) GDPR — statutory verification duties).
6. Third-Country Transfers
Some of the processors listed above are located outside the EU/EEA (United States). For these transfers we rely on the EU Standard Contractual Clauses (SCC) under Art. 46 (2) (c) GDPR, supplemented by additional safeguards documented by the respective providers (Google, Resend, Stripe, Cloudflare).
Stripe Payments Europe Limited (Ireland) is within the EU. Onward transfers from Stripe to Stripe Inc. (US) are governed by SCCs between the Stripe entities.
7. Storage Periods
- Account data: until you delete your account. Exception: pseudonymised DAC7 plausibility and threshold records (hashed digests and counter snapshots — no clear-text identity), the deletion audit entry and the Stripe account reference are retained for statutory periods (§ 24 PStTG, AO § 147; Art. 17 (3) (b) GDPR).
- Listings: until you delete them or they are sold.
- Order records (post-launch only): retained for the periods required by German tax and commercial law (HGB § 257: 6 years; AO § 147: 10 years for tax-relevant records).
- Email verification codes: 10 minutes (server-side TTL on the verification document; the email itself stays in your inbox until you delete it).
- Internal operational alert emails (see § 4 (f), § 5 (b)): retained in the operator's mailbox for up to 24 months for fraud-pattern correlation, then deleted. Resend transmission logs are retained by Resend for 30-90 days per their data-retention policy.
- Anonymous scanner telemetry: 90 days, then aggregated.
- Reports, complaints and moderation records: currently retained without a fixed deletion period for platform safety and legal defence (under legal review).
- Account-deletion audit log: indefinite, contains the deletion timestamp, a deletion summary and — for sellers — the Stripe account reference; no email address or email hash is stored. Required as proof of erasure under Art. 17 GDPR.
- Reviews you have written about other sellers: deleted automatically together with your account; the reviewed seller's average rating is recalculated without your reviews.
- Reviews other sellers / buyers have left about you: deleted together with your account (they are stored under your account).
- Stripe Connected Account (sellers): your Stripe account and its records survive the deletion of your Riftr account — Stripe retains them under its own statutory tax/AML retention duties and privacy policy; Riftr keeps only the account reference (acct_…) for payment forensics.
8. Your Rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — ask us what data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate data via the in-app profile editor.
- Right to erasure (Art. 17) — built into the app: Profile → Edit Profile → Delete Account. The action is performed by a server-side cascade and cannot be undone.
- Right to restriction (Art. 18) — contact us at contact@getriftr.app.
- Right to data portability (Art. 20) — contact us; we will provide your account data in a structured, commonly used format (JSON).
- Right to object (Art. 21) — applies to processing based on legitimate interest. Contact us with the reason.
- Right to withdraw consent (Art. 7 (3)) — where processing is based on consent (push notifications), you can revoke at any time with no effect on past processing.
- Right to lodge a complaint with a supervisory authority (Art. 77) — for Germany / NRW: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 2-4, 40213 Düsseldorf, https://www.ldi.nrw.de/.
Minors. Riftr's companion features (match tracker, deck builder, collection) may be used by minors only with the consent of a parent or legal guardian (see Beta Terms § 3). Marketplace purchases require a confirmed age of 18+; selling requires Stripe identity verification. Consent-based processing (push notifications) is not directed at children under 16 (Art. 8 GDPR). Parents or guardians can request deletion of a minor's account at any time via contact@getriftr.app.
9. Automated Decision-Making
Riftr does NOT use automated individual decision-making or profiling within the meaning of Art. 22 GDPR. The marketplace pricing, listing visibility and seller-tier calculations are deterministic and rule-based, not adaptive profiling.
10. Mandatory Provision
Account creation requires email and a display name — without these we cannot provide an account. Selling on the marketplace additionally requires postal address (for shipping label generation by sellers) and, for commercial sellers, VAT identification number (§ 5 DDG / § 14 BGB obligation). Browsing and collecting cards work without seller data.
11. Changes to This Policy
We may update this Privacy Policy when we add features, switch providers, or react to legal changes. Substantial changes will be notified in-app at least 14 days before they take effect. The current version is always available under Profile → Legal → Privacy Policy in the app, and at this URL.
