Privacy Policy

Last updated: February 2, 2026

This Privacy Policy explains how B90-Industries (“we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you use the B90HQ mobile application and related services (together, the “Service”). We comply with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable laws.

1. Data Controller

Controller:
Fabian S. Klinke, Louis Köhler, Paul Vogler
BAUGRUPPE90 GbR
Uhlandstr. 171/172
10719 Berlin, Germany

Contact for privacy matters:
Email: privacy@b90-industries.com

2. What Data We Collect

We process only the data needed to deliver the Service. The categories below specify the data elements, purpose, and legal basis.

Account & Authentication

  • Email address, username, hashed password
  • Session tokens, access refresh tokens (Supabase), device identifiers needed for security
  • Purpose: Account creation, secure sign-in, fraud prevention
  • Legal basis: Performance of contract (Art. 6(1)(b) GDPR)

Profile & Location Preferences

  • City and country (mandatory)
  • Optional display name, avatar, tagline
  • Location selection (coordinates, accuracy level, timestamp), live-update radius, background location preference
  • Purpose: Personalize member cards, surface shows in your area, enable location-based notifications
  • Legal basis: Performance of contract; explicit consent for precise or background location (Art. 6(1)(a))

Community Interactions

  • Comments, reactions (including “screws”), XP totals, leaderboard position, show RSVPs, saved posts, post read status
  • Media you share (images, videos, links) and associated metadata
  • Purpose: Render the feed, award XP, operate leaderboards, manage RSVP lists
  • Legal basis: Performance of contract

Direct Messages & Conversations

  • Message content, attachments, timestamps, read receipts, participant IDs, conversation metadata, notification counts
  • Purpose: Provide real-time one-to-one messaging, sync unread badges, investigate abuse when reported
  • Legal basis: Performance of contract; legitimate interests for safety review (Art. 6(1)(f))

Mini Games & In-App Activities

  • ScrewdlJump runs (score, max height, band reached, items collected, duration, random seed)
  • XP granted for gameplay, leaderboard markers, anti-cheat flags
  • Purpose: Power mini games and virtual rewards, detect abusive gameplay patterns
  • Legal basis: Performance of contract; legitimate interests for integrity of competitions

Notifications & Preferences

  • Push notification token (APNs), notification category settings, mute status for games, opt-in/opt-out timestamps
  • Purpose: Deliver opt-in push notifications, respect your preferences, keep audit trails required by EU Digital Services Act (DSA)
  • Legal basis: Performance of contract; legitimate interests for compliance record keeping

Device, Usage & Diagnostics Data

  • Device model, OS/app version, IP address, timestamps, login events (device/app metadata), direct interaction events (posts, comments, screws, RSVPs, messages), online heartbeat events, crash traces, logs, and breadcrumbs (Sentry)
  • Purpose: Maintain stability, combat abuse, measure activity and reliability, keep online status accurate
  • Legal basis: Legitimate interests for service integrity and security; consent for crash diagnostics where required

Machine Learning & Safety Signals

  • Content, usage patterns, and safety signals (e.g., message frequency, report outcomes, interaction history)
  • Purpose: Train and improve spam detection, abuse prevention, and safety tooling
  • Legal basis: Legitimate interests (service integrity); consent where required

Support & Feedback

  • Messages submitted through in-app feedback, optional name/email, linked crash identifiers
  • Purpose: Resolve issues, respond to user support requests
  • Legal basis: Legitimate interests (service improvement)

We do not knowingly collect special category data (Art. 9 GDPR), government identifiers, or precise geolocation unless you turn on precise location. We do not buy personal data from third parties.

3. How We Use Data

We use the data described above to:

  • Deliver core features such as the artist feed, direct messages, mini games, shows calendar, and leaderboards
  • Tailor show listings and notifications to your selected city or precise location (if enabled)
  • Synchronize push notifications and unread counts across your devices
  • Moderate content, respond to notices under the DSA, and address reported abuse or legal obligations
  • Analyse activity and app reliability (first-party analytics) to guide product improvements
  • Maintain online status and active user counts based on heartbeat events
  • Detect and prevent spam, cheating, or security threats (e.g., unusual message patterns or game exploits)
  • Train and improve machine-learning models for spam detection, safety signals, and abuse prevention
  • Provide customer support and respond to rights requests

We do not use your personal data for third-party advertising, nor do we sell personal data.

4. Legal Bases for Processing

| Purpose | Legal Basis |
|---|---|
| Account registration, profile, feed, messaging, shows, mini games | Art. 6(1)(b) GDPR – performance of a contract |
| Push notifications, unread count syncing, moderation records | Art. 6(1)(b) & 6(1)(f) GDPR – contract & legitimate interests (safety/compliance) |
| Precise or background location, crash diagnostics (where required) | Art. 6(1)(a) GDPR – consent |
| Fraud prevention, abuse detection, record keeping, online status, first-party activity analytics, model training for safety | Art. 6(1)(c) & 6(1)(f) GDPR – legal obligation & legitimate interests |

You may withdraw consent at any time (e.g., disable crash reporting or precise location in settings). Withdrawal does not affect prior processing.

5. Sharing & Processors

We only share personal data with service providers under data processing agreements:

  • Supabase (EU region): Authentication, database, real-time messaging, file storage, serverless functions (hosts profiles, messages, mini game stats, notifications)
  • Sentry (EU region): Crash reporting, performance diagnostics, logs, breadcrumbs, in-app feedback
  • Vercel: Hosting and delivery of web content (including policy documents and marketing pages)
  • Amazon Web Services (AWS): Cloud infrastructure for backend services, storage, and delivery
  • Apple Inc. (APNs & MapKit): Delivers push notifications and location search results; subject to Apple’s privacy policies

Processors may access data only to provide contracted services. We do not allow onward transfer without appropriate safeguards.

We do not use third-party analytics providers. Activity analytics are collected first-party and stored in our own Supabase database.

We may disclose data to competent authorities when legally required (e.g., court order) or to enforce our Terms and Community Guidelines.

6. International Transfers

Supabase and Sentry process data in the European Union. Vercel and AWS may process data in regions we configure, which can include locations outside the EU/EEA. When we rely on providers hosted outside the EU (e.g., APNs routing or non-EU infrastructure), we use the European Commission’s Standard Contractual Clauses or equivalent safeguards to ensure GDPR-compliant protection.

7. Data Retention

We retain all personal data for as long as your account is active. We delete or anonymize personal data only after you delete your profile. Deletion occurs 30 days after your profile deletion request (cooling-off period). If we must keep specific data for legal obligations, we retain only what is required and only for the legally mandated period.

8. Your Rights

You have the following rights under GDPR:

  • Access, rectification, and erasure (including account deletion in-app)
  • Restriction of processing and objection (including opt-out from analytics or push notifications)
  • Data portability (export of profile, posts, messages, RSVPs, and game history upon request)
  • Withdrawal of consent at any time
  • Complaint to a supervisory authority (e.g., Berliner Beauftragte für Datenschutz und Informationsfreiheit)

To exercise any right, email privacy@b90-industries.com. We verify your identity and respond within one month.

9. Security Measures

We implement technical and organizational safeguards, including:

  • Encryption in transit (HTTPS/TLS) and at rest (Supabase, Sentry)
  • Role-based access controls, least privilege policies, and secure logging
  • Regular security reviews of third-party processors
  • Detection of anomalous activity (e.g., spam messaging, game cheating)

Despite these measures, no system is perfectly secure. We follow statutory breach-notification obligations if an incident occurs.

10. Children

The Service is not directed to individuals under 16 years of age. We delete personal data if we learn that someone under 16 has created an account without required consent.

11. Automated Decision-Making

We use automated signals, including machine-learning models, to detect spam and prioritize reports. These systems do not produce legal or similarly significant effects on you. Moderation decisions always involve human review.

11.1 Sentry Feedback & Identifiers

Sentry receives a user identifier so we can connect diagnostics to your account. Only B90HQ can resolve that identifier. If you opt in to sending personal information in the feedback screen, Sentry also receives your name and email with the feedback message.

12. Changes to this Policy

We may update this Privacy Policy to reflect product or legal changes. Material updates will be announced in-app at least seven (7) days before they take effect. Continued use after the effective date constitutes acceptance.

13. Contact Us

For privacy questions or complaints, contact privacy@b90-industries.com or write to the Controller at the address above.

You may also lodge a complaint with your local supervisory authority.