This policy explains what personal data Skadi collects, why, and what rights you have under
the EU General Data Protection Regulation (GDPR) and equivalent laws.
1. Who we are
Skadi is operated by Maksym Myronov as an individual.
For any data-protection question, contact info@skadi.rocks.
We are the data controller for the personal data described below.
2. What data we collect
Account data (collected when you sign in)
Email address — provided by your sign-in provider (Google or Apple). If you use Sign in with Apple's "Hide My Email" feature, we receive only Apple's relay address.
Full name — provided by your sign-in provider, or entered by you during profile setup.
Gamer tag — a public display name you choose.
A unique account identifier — assigned by our authentication backend (Supabase).
Profile data (entered or chosen by you)
Avatar — a character tile you select from the in-app picker. Stored as an identifier; no image files are uploaded.
Equipment description — an optional free-text field (e.g. your board setup).
Primary riding location — an optional free-text field (e.g. your home resort).
Units preference — whether you have chosen metric (km / km/h) or imperial (mi / mph) display.
Location and ride data (collected during ride tracking)
When you start a ride session, the app requests permission to access your device's GPS.
We collect:
Precise GPS coordinates — recorded continuously while a session is active, including when the screen is locked (background location). Used to calculate speed, distance, and route.
Speed — derived from GPS and stored as your peak and average speed for each session.
Distance — total distance covered during a session.
Session duration and timestamps — when a ride started and ended.
GPS data is processed on-device to produce the metrics above. Raw coordinate tracks are not permanently stored on our servers beyond what is needed to display your ride history.
You are in control: location permission is only requested when you start tracking. You can revoke it at any time in your device settings. No location data is collected while the app is not in active use (i.e. outside an open ride session).
Activity data (generated as you use the app)
Ladders you join or create, your rank and score within those ladders.
Achievements you claim, including the date of each claim.
Invites you send to others.
Push notification tokens
When you grant notification permission, we store a push notification token
for your device. This is a platform-assigned identifier (issued by Apple APNs or Google FCM)
that lets us deliver notifications such as squad invites or achievement alerts. It contains no
personal information about you beyond identifying your device.
Tokens for uninstalled apps are pruned automatically.
Analytics and session replay
We use PostHog to collect anonymised analytics and session replays. This includes
which screens you visit, which features you interact with, and recordings of in-app interactions
(session replay). Session replays may capture on-screen content such as your gamer tag or ride
statistics, but are used solely to improve the product and diagnose usability issues.
PostHog data is associated with a randomly generated identifier, not your email address.
Analytics collection is enabled by default. If you wish to opt out, contact
info@skadi.rocks.
Crash reports and diagnostics
We use Bugsnag to capture crash reports and performance diagnostics. When the app
crashes or encounters an unexpected error, Bugsnag automatically sends us a report containing the
error type, a stack trace, your device model, OS version, and app version. Your account identifier
may be attached to help us reproduce and fix the issue. No ride data or precise location coordinates
are included in crash reports.
Subscription and purchase data
Skadi offers optional paid features via in-app subscriptions. Payments are processed entirely by
Apple App Store or Google Play — we never receive your payment card details. We do receive your
subscription status (active, expired, or cancelled) and a platform-assigned purchase identifier
so we can unlock the features you paid for.
Data about other people you invite
When you send a friend invite or a private-ladder invite, you provide us with the
name and contact (email or phone) of the person you are inviting.
We store this so the invite can be processed and so you can see invites you have sent.
What we do not collect
We do not show advertising and do not share data with ad networks.
We do not access your contacts list, photos, microphone, or camera.
We do not use cookies on the marketing website beyond strictly-necessary ones (currently none).
3. Why we use your data (purposes & legal basis)
Under GDPR Article 6 we rely on the following lawful bases:
Performance of a contract (Art. 6(1)(b)) — to create and manage your account,
show you ladders and achievements, record and display your ride statistics, deliver invites you
initiate, unlock subscription features you have purchased, and let you delete your account.
Legitimate interests (Art. 6(1)(f)) — to keep the service operational and secure
(rate limiting, abuse prevention, error diagnostics via crash reports and server logs) and to
improve the product through analytics and session replay.
Consent (Art. 6(1)(a)) — for location access during ride tracking (you grant
this via the OS permission dialog) and for push notifications (you grant this via the OS
permission dialog). You may withdraw either consent at any time in your device settings.
Also applies when you actively send an invite — you are providing contact details of the invitee
under your responsibility.
4. Who processes your data on our behalf
We use the following sub-processors. Each handles data only as instructed by us:
Supabase Inc. — database, authentication, server logs. Data is stored in the EU (Ireland AWS region). Privacy policy.
PostHog Inc. — product analytics and session replay. PostHog receives anonymised usage events and in-app session recordings. Data is stored in the EU. Privacy policy.
Bugsnag (SmartBear Software Inc.) — crash reporting and error diagnostics. Bugsnag receives crash logs and device metadata when the app encounters an error. Privacy policy.
Expo (Expo Inc.) — push notification delivery pipeline. Expo receives push tokens and notification payloads in order to route notifications to Apple APNs and Google FCM. Privacy policy.
Apple Inc. — Sign in with Apple (iOS), Apple Push Notification service (APNs), and App Store payment processing. Apple sees that you are signing into Skadi but does not receive your activity or ride data. Privacy policy.
Google LLC — sign-in via Google OAuth, Firebase Cloud Messaging (FCM) for delivering notifications to Android devices, and Google Play payment processing. Google sees that you are signing into Skadi but does not receive your activity or ride data. Privacy policy.
Resend Inc. — transactional email delivery (e.g. squad invite emails to non-registered contacts, account deletion confirmation). Privacy policy.
Cloudflare, Inc. — hosting of the marketing website (skadi.rocks) and DNS. Privacy policy.
5. International data transfers
Your account and activity data is stored in the European Union (Ireland).
Some of our sub-processors (Google, Apple, Cloudflare, Expo, Resend, PostHog, Bugsnag) are
headquartered in the United States and may process limited operational data outside the EU.
Where this happens, transfers are protected by Standard Contractual Clauses as adopted by the
European Commission.
6. How long we keep your data
Account, profile & ride data: kept while your account exists. When you delete your account, all your personal data is removed from our database immediately. Cached copies in encrypted backups are purged within 30 days.
Analytics data (PostHog): session replays and events are retained for 1 year, then automatically deleted.
Crash reports (Bugsnag): retained for 1 year or until the underlying issue is resolved, then deleted.
Invites you have sent: deleted together with your account, or removed earlier on request.
Push notification tokens: kept until you uninstall the app, revoke notification permission, or delete your account. Tokens reported as invalid by Apple/Google are pruned automatically.
Server logs: kept for up to 30 days for security and debugging, then deleted.
7. Your rights under GDPR
You have the right to:
Access the personal data we hold about you.
Correct inaccurate data (you can edit your full name and gamer tag in the My Account screen).
Delete your account and all associated data — use the Delete account button in the My Account screen, or visit skadi.rocks/delete-my-account. You can also email us and we will delete it for you.
Export a copy of your data in a machine-readable format. Email us to request this.
Object to processing based on legitimate interests, or restrict processing.
Withdraw consent at any time — revoke location permission in device settings (stops location collection immediately), revoke notification permission in device settings (disables future pushes), or email us to opt out of analytics.
Lodge a complaint with your local data-protection authority. In Germany this is the supervisory authority of your federal state; for non-residents, the Irish Data Protection Commission is competent because our data is hosted in Ireland.
To exercise any of these rights, email info@skadi.rocks. We will respond within 30 days.
8. Children's privacy
Skadi is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect
personal data from children. If you believe a child has provided us with their data, please
contact info@skadi.rocks and we will delete it promptly.
9. If you were invited by someone else
If someone has invited you to join Skadi using your email or phone, your contact information is held
in our database as part of that invite. You can request removal at any time by emailing
info@skadi.rocks — no Skadi account required.
10. Security
All data is transmitted over TLS (HTTPS). Database access is restricted by row-level security so
accounts cannot read each other's private data. Authentication tokens are stored on the device using
the operating system's secure storage. Location data is collected only within an active ride session
and is not accessible to other apps.
11. Changes to this policy
If we materially change how data is collected or used, we will update the "Last updated" date above
and, where appropriate, notify users in the app. Continued use of Skadi after a change indicates
acceptance of the updated policy.