Skip to content
← Back
Notice: This document is a placeholder structure. The final Privacy Policy must be reviewed and approved by a qualified legal adviser before Bunny Catch is made publicly available. This policy is not yet legally binding.

Privacy Policy

Last updated: 2026-07-01

1. Controller

[LEGAL REVIEW REQUIRED: legal entity name, registered address, DPO contact if required under GDPR Art. 37]

2. Data we collect

We collect only the data necessary to operate Bunny Catch (data minimisation principle). The following table summarises each category:

CategoryData pointsPurposeLegal basisRetention
account identityemail address, display name, username, avatar URL, phone (optional)Authentication, profile display, player identificationContractual necessity (account creation)Until account deletion (anonymized row kept for integrity)
preferences consentmarketing consent (boolean), notifications preference, locale, ToS version & acceptance datePersonalisation, regulatory consent evidenceConsent (marketing); legitimate interest (notifications, locale)Preferences: until account deletion. Consent events: 3 years minimum
game activitygame session timestamps, scores, bunnies caught, IP address (session start), user agent (session start), fraud signalsGameplay scoring, ranking, anti-fraudContractual necessity (game service delivery); legitimate interest (fraud prevention)Game sessions: 12 months then archive. Suspicious activity: 24 months
economicBunny Coin balance, coin transaction history, shop purchasesIn-game currency management, purchase historyContractual necessity (virtual economy)7 years (accounting obligation)
operationaladmin audit log entries, ranking period results, reward historySecurity audit trail, fair play, leaderboard historyLegitimate interest (security, fraud audit, ranking integrity)Audit logs: 12 months. Ranking results: indefinite (aggregate history)

3. Data we do NOT collect

  • Date of birth (no age-gating feature in the MVP)
  • Precise geolocation
  • Payment card details (no real-money transactions)
  • Biometric data

Phone number is optional and collected only when provided voluntarily.

4. Processors and transfers

Your data is hosted by Supabase Inc. (PostgreSQL database, authentication, real-time) and [hosting provider — LEGAL REVIEW REQUIRED]. Both processors operate data-processing agreements (DPA) and comply with applicable data-protection frameworks. [LEGAL REVIEW REQUIRED: international transfer mechanisms e.g. SCCs if data leaves the EEA]

5. Your rights

Depending on your jurisdiction, you may have the following rights:

  • Access: download a copy of your data via Settings → Download my data.
  • Rectification: update your profile in Settings.
  • Erasure (right to be forgotten): delete your account in Settings. Your profile is anonymised in place; financial records are retained for 7 years as required by accounting law.
  • Restriction / objection: contact us at privacy@bunnycatch.example.
  • Portability: your data export (Settings → Download my data) is provided in machine-readable JSON format.
  • Consent withdrawal: toggle marketing consent off in Settings at any time.

6. Cookies and tracking

Bunny Catch uses session cookies set by Supabase Auth for authentication only. No third-party advertising or analytics cookies are used. [LEGAL REVIEW REQUIRED: cookie banner requirement under ePrivacy Directive / local law]

7. Security

We implement technical measures including TLS in transit, RLS-enforced database access controls, and server-side validation for all mutations. Passwords are never stored in plain text (managed by Supabase Auth with bcrypt hashing).

8. Contact

Privacy enquiries: privacy@bunnycatch.example.
[LEGAL REVIEW REQUIRED: supervisory authority contact and complaint procedure]