Privacy Policy
Last updated: May 20261. Controller
Patrick ReumLyoner Straße 52
60528 Frankfurt am Main
Germany
Email: info@baumwollpyjama.de
2. Scope
This privacy policy applies to the website at lunedo.baumwollpyjama.de and the Lunedo app (iOS/Android). Sections that apply only to the website or only to the app are marked accordingly: Website App
3. Overview
Lunedo is an app for discovering and managing board games. We collect only the minimum technically required to operate our services. The website exists to introduce the app and let you download it. The app requires no mandatory account — you can use it without providing any personal data.
4. Data We Process
4.1 Device ID App
When you first open the app, a random anonymous device ID is created and stored locally. This ID identifies your device to our services but contains no personal information (no name, email address, or phone number).
- Purpose: Storing your collection, votes, and app settings; assigning discovery packs.
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract), or alternatively Art. 6(1)(f) GDPR (legitimate interest in a functioning app).
- Storage: Locally on your device (AsyncStorage). The ID is also sent to our backend server when you: vote on the roadmap, submit a game suggestion, or enable push notifications.
4.2 Push Notifications App
If you enable push notifications, a push token (a technical identifier of your device at the notification service) is stored together with your anonymous device ID and device platform (iOS or Android) on our server.
- Purpose: Sending notifications about new board games and discovery packs.
- Legal basis: Art. 6(1)(a) GDPR (your explicit consent).
- Withdrawal: You can disable push notifications at any time in your device's system settings.
- Service provider: Expo Inc., USA — push tokens are routed via the Expo Push Service (see section 7).
4.3 Game Suggestions App
When you submit a game suggestion, we process: up to 3 photos you upload, an optional text (game name, reason), and your anonymous device ID.
- Purpose: Reviewing and potentially adding the suggested game to the app database.
- Legal basis: Art. 6(1)(a) GDPR (your consent by actively submitting).
4.4 Roadmap Votes App
When you vote for a planned feature, your anonymous device ID is stored together with the feature ID to ensure fair counting (one vote per device).
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the integrity of the voting process).
4.5 Shared Collections App
When you share your game collection or wishlist, an anonymous share link is created. The following data is stored in our database: a randomly generated link ID, the type of share (collection or wishlist), the IDs of the included games, your anonymous device ID, and a creation timestamp. The link is publicly accessible — anyone with the link can view the shared list.
- Legal basis: Art. 6(1)(a) GDPR (your consent by actively using the share function).
- Retention: Shared lists remain stored until manually deleted. You can request deletion via your device ID.
4.6 Technical Connection Data / Server Logs
When accessing the website or when the app communicates with our backend, technical connection data may be generated — including IP addresses, timestamps, and accessed endpoints. This data is used solely for operational security and is not used to identify individuals.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable, secure operation).
- Retention: Typically 7–30 days, depending on the hosting provider and Supabase logging policies.
5. Data We Do Not Collect
- Names, email addresses, or other contact details (no mandatory login in the app)
- Location data
- Contact lists or other device data
- Data about your browsing or app behaviour outside our services
- Payment data
6. No Cookies, No Tracking Website
The website uses neither cookies nor analytics or tracking services (no Google Analytics, no Meta Pixel, no similar services). No data is processed for advertising purposes or shared with third parties.
7. Service Providers and Third Countries
Supabase (Backend, Database, File Storage) App
Provider: Supabase Inc., 970 Toa Payoh North, #07-04, Singapore 318992
Privacy: supabase.com/privacy
Supabase provides our database, cloud storage, and server-side functions. Data is processed on servers in the EU (Frankfurt, AWS). Supabase acts as a data processor under Art. 28 GDPR; we have concluded a Data Processing Addendum including EU Standard Contractual Clauses (SCC, Implementing Decision (EU) 2021/914) for third-country transfers.
Expo Push Service (Push Notifications) App
Provider: Expo Inc., USA
Privacy: expo.dev/privacy
When you enable push notifications, your push token is routed via the Expo Push Service. Expo acts as a data processor; data transfer to the USA is based on EU Standard Contractual Clauses.
8. External Links App
The app displays links to external services. No data is transmitted by merely displaying the links. Only when you tap a link does the external service open and its privacy policy apply.
- Shop links (Thalia, Hugendubel): Tapping opens the retailer's website with a pre-filled search for the game.
- YouTube videos: Tapping opens the YouTube app or website. Google LLC's privacy policy applies.
- Local game shops (Google Maps): Tapping opens Google Maps with a search for board game shops. Google may process your location if you have permitted this in Google Maps.
9. Local Data Storage App
Some usage data is stored exclusively locally on your device (via AsyncStorage) and is not transmitted to us:
- Your game collection and wishlist
- Your preferences and settings
- The status of your discovery packs
- The read status of your in-app messages
- Your saved filter settings for the Discover page
This data exists solely on your device. If you uninstall the app, this data is permanently deleted.
10. Your Rights
Under the GDPR you have the following rights:
- Access (Art. 15 GDPR): You may request information about the data stored about you.
- Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
- Erasure (Art. 17 GDPR): You may request deletion of your data, unless statutory retention obligations apply.
- Restriction (Art. 18 GDPR): In certain cases you may request restriction of processing.
- Objection (Art. 21 GDPR): You may object to processing based on legitimate interests at any time.
- Portability (Art. 20 GDPR): You may request your data in a machine-readable format.
- Withdrawal of consent (Art. 7(3) GDPR): Consents may be withdrawn at any time with future effect.
As we do not collect personal data such as name or email in the app, please include your anonymous device ID in any requests so we can locate your data.
Privacy contact: support@baumwollpyjama.de
11. Data Security
We employ technical and organisational measures to protect your data against unauthorised access, loss, or manipulation. Communication between the app and our backend is encrypted (TLS). Supabase is SOC 2 Type 2 certified.
12. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for Hesse, Germany is:
Der Hessische Beauftragte für Datenschutz und InformationsfreiheitPostfach 3163
65021 Wiesbaden
datenschutz.hessen.de
13. Changes to This Policy
We reserve the right to update this privacy policy if the app, website, or legal requirements change. The current version is always available at this URL. The date of the last update is shown above.
14. Children
Lunedo is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has submitted data through our services, please contact support@baumwollpyjama.de.