Privacy Policy
Last updated: 22 September 2025
This Privacy Policy explains how B90-Industries (“we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you use the B90HQ mobile application and related services (together, the “Service”). We comply with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable laws.
1. Data Controller
Controller:
Fabian S. Klinke, Louis Köhler, Paul Vogler
BAUGRUPPE90 GbR
Uhlandstr. 171/172
10719 Berlin, Germany
Contact for privacy matters:
Email: privacy@b90-industries.com
2. What Data We Collect
We process only the data needed to deliver the Service. The categories below specify the data elements, purpose, and legal basis.
Account & Authentication
- Email address, username, hashed password
- Session tokens, access/refresh tokens (Supabase), device identifiers needed for security
- Purpose: Account creation, secure sign-in, fraud prevention
- Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
Profile & Location Preferences
- City and country (mandatory)
- Optional display name, avatar, tagline
- Location selection (coordinates, accuracy level, timestamp), live-update radius, background location preference
- Purpose: Personalize member cards, recommend shows in your area, enable location-based notifications
- Legal basis: Performance of contract; explicit consent for precise or background location (Art. 6(1)(a))
Community Interactions
- Comments, reactions (including “screws”), XP totals, leaderboard position, show RSVPs, saved posts, post read status
- Media you share (images, videos, links) and associated metadata
- Purpose: Render the feed, award XP, operate leaderboards, manage RSVP lists
- Legal basis: Performance of contract
Direct Messages & Conversations
- Message content, attachments, timestamps, read receipts, participant IDs, conversation metadata, notification counts
- Purpose: Provide real-time one-to-one messaging, sync unread badges, investigate abuse when reported
- Legal basis: Performance of contract; legitimate interests for safety review (Art. 6(1)(f))
Mini Games & In-App Activities
- ScrewdlJump runs (score, max height, band reached, items collected, duration, random seed)
- XP granted for gameplay, leaderboard markers, anti-cheat flags
- Purpose: Power mini games and virtual rewards, detect abusive gameplay patterns
- Legal basis: Performance of contract; legitimate interests for integrity of competitions
Notifications & Preferences
- Push notification token (APNs), notification category settings, mute status for games, opt-in/opt-out timestamps
- Purpose: Deliver opt-in push notifications, respect your preferences, keep audit trails required by EU Digital Services Act (DSA)
- Legal basis: Performance of contract; legitimate interests for compliance record keeping
Device, Usage & Diagnostics Data
- Device model, OS/app version, IP address, timestamps, screen interactions, feature usage (PostHog), crash traces and feedback (Sentry), marketing attribution (none)
- Purpose: Maintain stability, combat abuse, understand which features are used
- Legal basis: Consent for analytics and crash diagnostics where required; legitimate interests for security and fraud prevention
Support & Feedback
- Messages submitted through in-app feedback, optional name/email, linked crash identifiers
- Purpose: Resolve issues, respond to user support requests
- Legal basis: Legitimate interests (service improvement)
We do not knowingly collect special category data (Art. 9 GDPR), government identifiers, or precise geolocation unless you turn on precise location. We do not buy personal data from third parties.
3. How We Use Data
We use the data described above to:
- Deliver core features such as the artist feed, direct messages, mini games, shows calendar, and leaderboards
- Tailor show recommendations and notifications to your selected city or precise location (if enabled)
- Synchronize push notifications and unread counts across your devices
- Moderate content, respond to notices under the DSA, and address reported abuse or legal obligations
- Analyse feature adoption and app reliability (aggregated/consented analytics) to guide product improvements
- Detect and prevent spam, cheating, or security threats (e.g., unusual message patterns or game exploits)
- Provide customer support and respond to rights requests
We do not use your personal data for third-party advertising, nor do we sell personal data.
4. Legal Bases for Processing
| Purpose | Legal Basis |
|---------|-------------|
| Account registration, profile, feed, messaging, shows, mini games | Art. 6(1)(b) GDPR – performance of a contract |
| Push notifications, unread count syncing, moderation records | Art. 6(1)(b) & 6(1)(f) GDPR – contract & legitimate interests (safety/compliance) |
| Precise or background location, analytics events, crash diagnostics (where required) | Art. 6(1)(a) GDPR – consent |
| Fraud prevention, abuse detection, record keeping, legal compliance | Art. 6(1)(c) & 6(1)(f) GDPR – legal obligation & legitimate interests |
You may withdraw consent at any time (e.g., disable analytics or precise location in settings). Withdrawal does not affect prior processing.
5. Sharing & Processors
We only share personal data with service providers under data processing agreements:
- Supabase (EU region): Authentication, database, real-time messaging, file storage, serverless functions (hosts profiles, messages, mini game stats, notifications)
- PostHog Cloud EU (Frankfurt): Usage analytics for consented users, pseudonymous event data
- Sentry (EU region): Crash reporting, performance diagnostics, in-app feedback
- Apple Inc. (APNs & MapKit): Delivers push notifications and location search results; subject to Apple’s privacy policies
Processors may access data only to provide contracted services. We do not allow onward transfer without appropriate safeguards.
We may disclose data to competent authorities when legally required (e.g., court order) or to enforce our Terms and Community Guidelines.
6. International Transfers
Supabase, PostHog, and Sentry process data in the European Union. When we rely on Apple services hosted outside the EU (e.g., APNs routing), we use the European Commission’s Standard Contractual Clauses and Apple’s EU Data Boundary to ensure GDPR-compliant protection.
7. Data Retention
- Account and profile data: retained while your account is active; deleted within 30 days after account deletion from hot systems and within 90 days from backups
- Direct messages and conversation metadata: retained until you delete the conversation or your account; conversation tokens older than 18 months are archived and purged on a rolling basis
- Feed interactions (comments, reactions, screws, XP history): retained for the life of the content; removed when content is deleted or account is closed
- Show RSVPs: kept until the event ends plus 90 days for audit trail
- Mini game runs and leaderboards: high scores and aggregated stats retained for 24 months to maintain fairness; older raw runs anonymized
- Notification logs and moderation records: retained for 12 months unless a longer period is needed for an active investigation or legal obligation
- Analytics and crash diagnostics: raw events retained for up to 12 months, then deleted or aggregated
- Support tickets and feedback: stored for up to 24 months after resolution
If you delete your account, we anonymize or delete remaining personal data unless retention is required by law.
8. Your Rights
You have the following rights under GDPR:
- Access, rectification, and erasure (including account deletion in-app)
- Restriction of processing and objection (including opt-out from analytics or push notifications)
- Data portability (export of profile, posts, messages, RSVPs, and game history upon request)
- Withdrawal of consent at any time
- Complaint to a supervisory authority (e.g., Berliner Beauftragte für Datenschutz und Informationsfreiheit)
To exercise any right, email privacy@b90-industries.com. We verify your identity and respond within one month.
9. Security Measures
We implement technical and organizational safeguards, including:
- Encryption in transit (HTTPS/TLS) and at rest (Supabase, PostHog, Sentry)
- Role-based access controls, least privilege policies, and secure logging
- Regular security reviews of third-party processors
- Detection of anomalous activity (e.g., spam messaging, game cheating)
Despite these measures, no system is perfectly secure. We follow statutory breach-notification obligations if an incident occurs.
10. Children
The Service is not directed to individuals under 16 years of age. We delete personal data if we learn that someone under 16 has created an account without required consent.
11. Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects on you. Moderation decisions always involve human review.
12. Changes to this Policy
We may update this Privacy Policy to reflect product or legal changes. Material updates will be announced in-app at least seven (7) days before they take effect. Continued use after the effective date constitutes acceptance.
13. Contact Us
For privacy questions or complaints, contact privacy@b90-industries.com or write to the Controller at the address above.
You may also lodge a complaint with your local supervisory authority.