Privacy Policy
Last updated: 3 May 2026
1. Controller
The data controller within the meaning of Art. 4 (7) GDPR is:
Eladio Rubio Hernandez
Fermanagh-Weg 3
33647 Bielefeld
Germany
Email: contact@getriftr.app
The platform is currently operated by the above-named individual. Should the platform later be operated by an incorporated entity (e.g. a Riftr UG once founded and registered in the German commercial register), this Privacy Policy will be updated and existing users notified in-app.
A Data Protection Officer is not appointed — Riftr does not meet the thresholds in § 38 BDSG that would require one.
2. Beta-mode notice
Riftr is currently operating in beta mode. The marketplace is open for sellers to prepare pre-launch inventory, but actual purchase transactions are disabled platform-wide. As a consequence, NO banking data, payment data, or KYC information is processed during the beta. The Stripe integration described below is present in the codebase but inactive until the marketplace transitions to full launch. At that point this Privacy Policy will be updated and existing users notified.
3. Data we collect
The following categories of personal data are processed when you use Riftr:
(a) Account data
- Email address (mandatory, login + verify)
- Hashed password (Firebase Authentication)
- Display name
- Profile photo URL (optional, from Google Sign-In or manual)
- Push-notification token (FCM, optional)
(b) Seller-onboarding data (only when you list cards for sale)
- Postal address (street, ZIP, city, country)
- Verified email
- For commercial sellers (§ 14 BGB): legal entity name, VAT identification number
- Counters required by the German PStTG (DAC7): yearly transaction count + gross revenue per calendar year
(c) App usage data
- Listings you create (cardId, price, condition, quantity, foil flag)
- Decks, recorded matches, card collection
- Anonymous scanner telemetry (strategy/confidence/latency, no user identifier attached) for service improvement
(d) Technical data
- IP address (logged by Firebase / Cloud Functions for security and abuse prevention)
- Device push token
We do NOT collect: phone numbers, date of birth, GPS / location data, contacts, IDFA / advertising identifiers, biometric data, social-graph data from third parties, or any data not listed above.
4. Purposes and legal bases
We process your data only for the purposes listed below.
(a) Providing the app and your account — Art. 6 (1) (b) GDPR (contract performance). Includes: account creation, login, displaying your profile, syncing your decks / matches / collection across devices.
(b) Providing the marketplace — Art. 6 (1) (b) GDPR (contract performance). Includes: showing your listings to other users, transmitting your seller country to enable shipping calculation, displaying your public seller profile (rating, sales count) to potential buyers.
(c) Statutory obligations — Art. 6 (1) (c) GDPR (legal obligation). Includes: tracking yearly sales counters under the German PStTG / DAC7, retaining order records for the periods required by the Handelsgesetzbuch (HGB § 257) and the Abgabenordnung (AO § 147).
(d) Push notifications — Art. 6 (1) (a) GDPR (consent). You opt in by accepting the iOS / Android push permission prompt. You can revoke your consent at any time in your device settings or by signing out.
(e) Service improvement (anonymous telemetry) — Art. 6 (1) (f) GDPR (legitimate interest in improving scanner accuracy and app stability). The telemetry contains no user identifier and cannot be linked to a specific account.
(f) Security and abuse prevention — Art. 6 (1) (f) GDPR (legitimate interest). Includes IP-address logging by our hosting provider, rate-limit counters, and Firebase App Check integrity tokens.
5. Service providers (processors)
We use the following carefully selected service providers, each bound to a Data Processing Agreement (Art. 28 GDPR):
(a) Google Ireland Limited / Google LLC — Firebase platform
- Firebase Authentication (email + Google Sign-In)
- Cloud Firestore (app database)
- Cloud Functions (server logic)
- Firebase Cloud Messaging (push, via APNs on iOS)
- Firebase App Check (anti-abuse)
Server location: EU (Frankfurt / europe-west). Some sub-services may transfer data to the United States.
(b) Resend Inc. — transactional email. Used solely for sending the 6-digit email verification code to confirm your seller email. Data: your email address. No marketing or newsletter use.
(c) Stripe Payments Europe Limited / Stripe Inc. — payment processing (CURRENTLY INACTIVE in beta). Once the marketplace transitions to full launch, Stripe will process payments between buyers and sellers under its own privacy policy. Stripe is an independent payment service provider; the seller enters a direct contract with Stripe (Stripe Connected Account Agreement) for KYC and payouts.
(d) Apple Inc. / Google LLC — push notification routing. APNs (iOS) and FCM (Android) deliver push notifications to your device. Apple / Google cannot read the notification content.
(e) Cloudflare, Inc. — email forwarding and website analytics. Email Routing forwards mail addressed to @getriftr.app to our internal mailbox. Cloudflare Web Analytics on getriftr.app is cookieless and does not store IP addresses per visitor; data is aggregated server-side only.
(f) Apple Inc. / Google LLC — app distribution. The App Store and Google Play deliver the app and provide aggregate install metrics to us under their respective privacy policies.
6. Third-country transfers
Some of the processors listed above are located outside the EU/EEA (United States). For these transfers we rely on the EU Standard Contractual Clauses (SCC) under Art. 46 (2) (c) GDPR, supplemented by additional safeguards documented by the respective providers (Google, Resend, Stripe, Cloudflare).
Stripe Payments Europe Limited (Ireland) is within the EU. Onward transfers from Stripe to Stripe Inc. (US) are governed by SCCs between the Stripe entities.
7. Storage periods
- Account data: until you delete your account.
- Listings: until you delete them or they are sold.
- Order records (post-launch only): retained for the periods required by German tax and commercial law (HGB § 257: 6 years; AO § 147: 10 years for tax-relevant records).
- Email verification codes: 24 hours.
- Anonymous scanner telemetry: 90 days, then aggregated.
- Account-deletion audit log: indefinite, contains only the deletion timestamp and a truncated SHA-256 hash of your email — never the email itself. Required as proof of erasure under Art. 17 GDPR.
- Reviews you have written about other sellers: deleted with your account.
- Reviews other sellers / buyers have left about you: retained as part of the public marketplace record (legitimate interest in transparency for future buyers and sellers).
8. Your rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — ask us what data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate data via the in-app profile editor.
- Right to erasure (Art. 17) — built into the app: Profile → Edit Profile → Delete Account. The action is performed by a server-side cascade and cannot be undone.
- Right to restriction (Art. 18) — contact us at contact@getriftr.app.
- Right to data portability (Art. 20) — contact us; we will provide your account data in a structured, commonly used format (JSON).
- Right to object (Art. 21) — applies to processing based on legitimate interest. Contact us with the reason.
- Right to withdraw consent (Art. 7 (3)) — where processing is based on consent (push notifications), you can revoke it at any time, with no effect on past processing.
- Right to lodge a complaint with a supervisory authority (Art. 77) — for Germany / NRW: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 2-4, 40213 Düsseldorf, https://www.ldi.nrw.de/.
9. Automated decision-making
Riftr does NOT use automated individual decision-making or profiling within the meaning of Art. 22 GDPR. The marketplace pricing, listing visibility and seller-tier calculations are deterministic and rule-based, not adaptive profiling.
10. Mandatory provision
Account creation requires an email address and a display name — without these we cannot provide an account. Selling on the marketplace additionally requires a postal address (for shipping label generation by sellers) and, for commercial sellers, a VAT identification number (§ 5 DDG / § 14 BGB obligation). Browsing and collecting cards work without seller data.
11. Changes to this policy
We may update this Privacy Policy when we add features, switch providers, or react to legal changes. Substantial changes will be notified in-app at least 14 days before they take effect. The current version is always available under Profile → Legal → Privacy Policy in the app, and at this URL.