Privacy Policy

This Privacy Policy explains what personal data Piece of Cake (the “App”) collects, how it is used, who it is shared with, how long it is kept, and the rights you have over it. The App is published by TritonApps (“we”, “us”), an indie studio based in the Republic of Ireland. We are the data controller for personal data processed through the App.

1. Who we are

The App is published by TritonApps, Republic of Ireland. For privacy matters please email privacy@tritonapps.com.

2. What we collect, when, and why

We try to collect as little as possible and only what we need to run the service. The categories below match our App Store privacy disclosure and the Google Play Data Safety form.

2.1 Account and profile data

• Email address — required to create an account and to send transactional emails (verify email, reset password, secure email change).
• Display name and avatar selection — optional. Shown to other players in tables you join.
• Authentication metadata — Supabase issues a JWT on sign-in; we keep last-sign-in timestamp for security.

2.2 Gameplay data

• Tables you create or join, the players in them, and per-game events (cards played, turns, results). Required to run real-time multiplayer.
• Stats — aggregated wins, losses, streaks. Used to show your stats in the App.

2.3 Subscription data

• Subscription status, plan, renewal date — received from RevenueCat (which receives it from Apple or Google). Used to gate Pro features and to honour your active entitlement.
• We do not receive your card details. Payment is handled by Apple App Store or Google Play.

2.4 Push tokens

• APNs / FCM device token — required to send turn alerts and other notifications you opt into. You can revoke at any time in your device settings.

2.5 Diagnostics

• Crash reports and error traces via Sentry. We strip personally-identifying values from event tags by default; only an opaque user-id is associated with traces.
• We do not use third-party analytics or advertising SDKs. We do not track you across apps or websites.

3. Sub-processors

We use the following sub-processors. Each is bound by a Data Processing Agreement (or equivalent) and processes data only to deliver the service.

• Supabase (auth, profile, Postgres database).
• RevenueCat (subscription state).
• Sentry (diagnostics — no PII linked to identity).
• Expo / EAS (build distribution, OTA updates, push token relay to APNs/FCM).
• Fly.io (API hosting; transit only, no analytics).
• Apple and Google (payment processors; subject to their own privacy policies).

4. How long we keep it

We keep your account data for as long as your account exists. When you delete your account (see Account deletion), we delete or anonymise your personal data within 30 days. Encrypted backups may take up to a further 30 days to roll over before the data is gone from cold storage. Apple and Google retain payment records under their own policies; we do not control those records.

Diagnostic events (Sentry) are retained for 90 days then deleted.

5. Your rights

If the GDPR or UK GDPR applies to you, you have the right to:

• access the personal data we hold about you,
• have inaccurate data rectified,
• have your data erased (“right to be forgotten”),
• restrict or object to certain processing,
• receive your data in a portable format, and
• lodge a complaint with your supervisory authority — for users in Ireland, the Data Protection Commission.

Other jurisdictions may give you similar rights (CCPA, LGPD, and others). We honour requests on the same basis regardless of where you are.

6. How to exercise your rights

The fastest path is in-app: Profile → Delete account. For other requests, email privacy@tritonapps.com from the address on your account. We respond within 30 days, in line with GDPR Article 12. We may need to verify your identity before processing a request.

7. Children’s data

Piece of Cake is rated 4+ on the App Store and PEGI 3 on Google Play, but it is not directed to children under 13 (or 16 in jurisdictions where GDPR Article 8 sets that as the threshold). We do not knowingly collect personal data from children below the applicable age. If you believe a child has created an account, please contact privacy@tritonapps.com and we will delete the data.

8. International transfers

Some of our sub-processors (Supabase, RevenueCat, Sentry, Fly.io) may process data outside the European Economic Area. Where they do, transfers rely on the European Commission’s Standard Contractual Clauses or an equivalent transfer mechanism. Your data continues to be protected to the standard required by the GDPR.

9. Changes to this policy

If we change this policy in a way that affects your rights, we will update the effective date above and notify you in-app or by email before the change takes effect. Older versions are kept on file and are available on request.

10. Contact

Questions, complaints, or requests under this policy:

• Email: privacy@tritonapps.com
• Postal address: available on request via the email above.

For cookies on this website, see the shared TritonApps Cookie Policy. Within the App itself we do not use cookies.