Privacy Policy
Last updated: 2026-07-01
1. Controller
[LEGAL REVIEW REQUIRED: legal entity name, registered address, DPO contact if required under GDPR Art. 37]
2. Data we collect
We collect only the data necessary to operate Bunny Catch (data minimisation principle). The following table summarises each category:
| Category | Data points | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| account identity | email address, display name, username, avatar URL, phone (optional) | Authentication, profile display, player identification | Contractual necessity (account creation) | Until account deletion (anonymized row kept for integrity) |
| preferences consent | marketing consent (boolean), notifications preference, locale, ToS version & acceptance date | Personalisation, regulatory consent evidence | Consent (marketing); legitimate interest (notifications, locale) | Preferences: until account deletion. Consent events: 3 years minimum |
| game activity | game session timestamps, scores, bunnies caught, IP address (session start), user agent (session start), fraud signals | Gameplay scoring, ranking, anti-fraud | Contractual necessity (game service delivery); legitimate interest (fraud prevention) | Game sessions: 12 months then archive. Suspicious activity: 24 months |
| economic | Bunny Coin balance, coin transaction history, shop purchases | In-game currency management, purchase history | Contractual necessity (virtual economy) | 7 years (accounting obligation) |
| operational | admin audit log entries, ranking period results, reward history | Security audit trail, fair play, leaderboard history | Legitimate interest (security, fraud audit, ranking integrity) | Audit logs: 12 months. Ranking results: indefinite (aggregate history) |
3. Data we do NOT collect
- Date of birth (no age-gating feature in the MVP)
- Precise geolocation
- Payment card details (no real-money transactions)
- Biometric data
Phone number is optional and collected only when provided voluntarily.
4. Processors and transfers
Your data is hosted by Supabase Inc. (PostgreSQL database, authentication, real-time) and [hosting provider — LEGAL REVIEW REQUIRED]. Both processors operate data-processing agreements (DPA) and comply with applicable data-protection frameworks. [LEGAL REVIEW REQUIRED: international transfer mechanisms e.g. SCCs if data leaves the EEA]
5. Your rights
Depending on your jurisdiction, you may have the following rights:
- Access: download a copy of your data via Settings → Download my data.
- Rectification: update your profile in Settings.
- Erasure (right to be forgotten): delete your account in Settings. Your profile is anonymised in place; financial records are retained for 7 years as required by accounting law.
- Restriction / objection: contact us at privacy@bunnycatch.example.
- Portability: your data export (Settings → Download my data) is provided in machine-readable JSON format.
- Consent withdrawal: toggle marketing consent off in Settings at any time.
6. Cookies and tracking
Bunny Catch uses session cookies set by Supabase Auth for authentication only. No third-party advertising or analytics cookies are used. [LEGAL REVIEW REQUIRED: cookie banner requirement under ePrivacy Directive / local law]
7. Security
We implement technical measures including TLS in transit, RLS-enforced database access controls, and server-side validation for all mutations. Passwords are never stored in plain text (managed by Supabase Auth with bcrypt hashing).
8. Contact
Privacy enquiries: privacy@bunnycatch.example.
[LEGAL REVIEW REQUIRED: supervisory authority contact and complaint procedure]