Privacy Policy
Last updated: May 9, 2026 · Effective: May 9, 2026
Quick summary: Gronte collects only the minimum data needed to run your account and the game (email, nickname, hashed password, gameplay stats). No ads, no third-party analytics, no location or device tracking. You can delete your account in-app at any time and all your data is permanently removed.
1. Data Controller
This Privacy Policy is published by the independent developer behind the Gronte mobile application and related web services:
- Data Controller: Gökhan Yılmaz (independent developer)
- Contact: [email protected]
- Service: Gronte mobile application (iOS / Android)
2. Data We Collect
2.1 At Account Creation
- Email address — used as account identifier and for password reset / security notifications.
- Nickname — displayed publicly so other players can recognize you in matches.
- Password — never stored in plain text. We only keep a non-reversible BCrypt hash.
- Apple ID (only if Sign in with Apple is used) — Apple's signed identity token is verified; the email may be relay-masked according to your Apple privacy preference.
2.2 Profile Preferences
- Avatar (image you upload via Cloudinary)
- Notification preferences (game invites, friend requests, activity updates)
- Language preference
2.3 Game & Usage Data
- Quizzes you create and play, the answers you give
- Game session participation (who, when, what score)
- Level, XP, achievements, tier badges, daily challenge progress
- Friendships (accepted requests)
2.4 Data We Do NOT Collect
We do not collect:
- Location data (GPS or IP-based)
- Phone numbers
- Date of birth
- Persistent device identifiers (Advertising ID, IMEI, etc.)
- Tracking data for advertising or analytics
- Access to your contacts, photos, or other app data
3. Purposes of Processing
We process the data we collect strictly for the following purposes:
- Account creation, authentication, and security
- Running game functionality (quiz sessions, real-time multiplayer)
- Leaderboards, ranking, and social features (friends, invites)
- In-app notifications and activity updates (we do not use push services; notifications are delivered via WebSocket while the app is open)
- Preventing abuse and maintaining service quality
- Compliance with legal obligations
4. Legal Basis
We rely on the following legal bases under the GDPR and applicable Turkish data protection law (KVKK):
- Performance of a contract — to provide the account, game, and social features (GDPR Art. 6(1)(b))
- Explicit consent — given when you check the "I accept the Terms of Service and Privacy Policy" box during sign-up (GDPR Art. 6(1)(a))
- Legitimate interest — service security and abuse prevention (GDPR Art. 6(1)(f))
- Legal obligation — when required by competent authorities (GDPR Art. 6(1)(c))
5. Third Parties & International Transfers
We do not sell your data and we do not share it with third parties for marketing. The following service providers are used only for essential infrastructure:
5.1 Cloudinary (United States)
- Purpose: Storage and delivery (CDN) of the avatar image you upload.
- Data shared: Only the image you upload and its technical metadata.
- Legal basis: Performance of a contract.
- International transfer: Cloudinary servers may be located in the US/EU. Transfers are made under appropriate safeguards under GDPR Art. 46 and KVKK Art. 9.
5.2 Apple Inc. (only if Sign in with Apple is used)
- Purpose: Verification of Apple's signed identity token.
- Data shared: Only the signed token Apple provides; we do not send any user data to Apple.
5.3 Hetzner (Germany)
- Purpose: Server hosting (European Union — Falkenstein, Germany).
- Data location: All application data is stored within the EU.
6. Retention
- While the account is active: Data is retained until you delete your account.
- Upon account deletion: All your personal data — email, nickname, password hash, gameplay history, achievements, friendships, and quizzes you created — is permanently deleted (hard delete). You can delete your account at any time via the "Delete Account" button in the app.
- Backups: Server backups are retained for up to 7 days, after which deleted data is also removed from backups.
- Legal obligations: Where competent authorities specifically require it, the minimum necessary data may be retained for the legally required period.
7. Your Rights
Under GDPR Articles 15–22 and KVKK Article 11 you have the right to:
- Know whether your personal data is being processed
- Request information about the data being processed
- Learn the purpose of processing and verify it is used accordingly
- Know the third parties to whom your data has been transferred (domestic or international)
- Request correction of incomplete or inaccurate data
- Request erasure — you can use the in-app "Delete Account" feature directly
- Object to outcomes resulting from automated processing
- Seek compensation for damages caused by unlawful processing
- Data portability (GDPR) — receive your data in a machine-readable format
To exercise these rights, contact [email protected]. We will respond within 30 days.
8. Security
- All app-server traffic is encrypted with HTTPS/TLS 1.2+.
- Passwords are never stored in plain text — only as non-reversible BCrypt hashes.
- Authentication is JWT-based; session tokens are stored in the device's secure storage (iOS Keychain / Android Keystore).
- The database is reachable only from the application server's private network; it is not exposed to the public internet.
- The server firewall allows only HTTPS (443) and SSH (22).
That said, no method of transmission over the internet is 100% secure. We take reasonable measures to protect your data but cannot guarantee absolute security.
9. Children's Privacy
Gronte is not intended for children under 13. We do not knowingly collect data from anyone under 13. For users aged 13–18 we recommend obtaining parental or guardian consent before using the service. If you believe a child has provided us with data, please contact [email protected] and the data will be deleted immediately.
10. Policy Changes
This Privacy Policy may be updated from time to time. Material changes will be announced via in-app notice or email to the address associated with your account. The "last updated" date at the top reflects the latest version. Continued use of the service after changes means you accept the new version.
For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data:
Users in the EU may also lodge a complaint with their local data protection authority. Users in Turkey may contact the Personal Data Protection Authority (KVKK) at www.kvkk.gov.tr.