This policy explains what personal data Skadi collects, why, and what rights you have under
the EU General Data Protection Regulation (GDPR) and equivalent laws.
1. Who we are
Skadi is operated by Maksym Myronov as an individual.
For any data-protection question, contact maksym@myronov.de.
We are the data controller for the personal data described below.
2. What data we collect
Account data (collected when you sign in)
Email address — provided by your sign-in provider (Google or Apple). If you use Sign in with Apple's "Hide My Email" feature, we receive only Apple's relay address.
Full name — provided by your sign-in provider, or entered by you during profile setup.
Gamer tag — a public display name you choose.
A unique account identifier — assigned by our authentication backend (Supabase).
Activity data (generated as you use the app)
Ladders you join or create, your rank and score within those ladders.
Achievements you claim, including the date of each claim.
Invites you send to others.
Data about other people you invite
When you send a friend invite or a private-ladder invite, you provide us with the
name and contact (email or phone) of the person you are inviting.
We store this so the invite can be processed and so you can see invites you have sent.
What we do not collect
We do not show advertising and do not share data with ad networks.
We do not use third-party analytics or behavioural tracking.
We do not collect location data, contacts, photos, or other on-device data.
We do not use cookies on the marketing website beyond strictly necessary ones (currently none).
3. Why we use your data (purposes & legal basis)
Under GDPR Article 6 we rely on the following lawful bases:
Performance of a contract (Art. 6(1)(b)) — to create and manage your account,
show you ladders and achievements, deliver invites you initiate, and let you delete your account.
Legitimate interests (Art. 6(1)(f)) — to keep the service operational and secure
(e.g. rate limiting, abuse prevention, error diagnostics from server logs).
Consent (Art. 6(1)(a)) — when you actively send an invite, you are providing the
contact details of the invitee under your responsibility; you should only invite people who are
expecting to hear from you.
4. Who processes your data on our behalf
We use the following sub-processors. Each handles data only as instructed by us:
Supabase Inc. — database, authentication, server logs. Data is stored in the EU (Ireland AWS region).
Google LLC — sign-in via Google OAuth. Google sees that you are signing into Skadi but does not receive your activity data.
Apple Inc. — Sign in with Apple. Apple sees that you are signing into Skadi but does not receive your activity data.
Cloudflare, Inc. — hosting of the marketing website (skadi.rocks) and DNS.
5. International data transfers
Your account and activity data is stored in the European Union (Ireland).
Some of our sub-processors (Google, Apple, Cloudflare) are headquartered in the United States and
may process limited operational data outside the EU. Where this happens, transfers are protected
by Standard Contractual Clauses as adopted by the European Commission.
6. How long we keep your data
Account & activity data: kept while your account exists. When you delete your account from the My Account screen, all your personal data is removed from our database immediately. Cached copies in encrypted backups are purged within 30 days.
Invites you have sent: deleted together with your account, or removed earlier on request.
Server logs: kept for up to 30 days for security and debugging, then deleted.
7. Your rights under GDPR
You have the right to:
Access the personal data we hold about you.
Correct inaccurate data (you can edit your full name and gamer tag in the My Account screen).
Delete your account and all associated data — use the Delete account button in the My Account screen, or email us and we will delete it for you.
Export a copy of your data in a machine-readable format. Email us to request this.
Object to processing based on legitimate interests, or restrict processing.
Withdraw consent at any time where processing is based on consent.
Lodge a complaint with your local data-protection authority. In Germany this is the supervisory authority of your federal state; for non-residents, the Irish Data Protection Commission is competent because our data is hosted in Ireland.
To exercise any of these rights, email maksym@myronov.de. We will respond within 30 days.
8. If you were invited by someone else
If someone has invited you to join Skadi using your email or phone, your contact information is held
in our database as part of that invite. You can request removal at any time by emailing
maksym@myronov.de — no Skadi account required.
9. Security
Data is transmitted over TLS. Database access is restricted by row-level security so accounts cannot
read each other's private data. Authentication tokens are stored on the device using the operating
system's secure storage.
10. Changes to this policy
If we materially change how data is collected or used, we will update the "Last updated" date above
and, where appropriate, notify users in the app. Continued use of Skadi after a change indicates
acceptance of the updated policy.