Who we are
The data controller responsible for your information.
Smartass Facts is a gamified fact-guessing app operated by Smartass Facts Ltd. ("we", "us", "our"). When you use our website at smartassfacts.com or our mobile apps, you're sharing information with us, and this policy explains how we handle it.
Data Controller
Smartass Facts Ltd.
Registered in Ukraine
Company No. 12345678
Registered Address
Kyiv, Ukraine
privacy@smartassfacts.com
Data Protection Officer
Appointed in accordance with GDPR Art. 37
dpo@smartassfacts.com
EU Representative
For EEA-based data subjects with GDPR queries
eu@smartassfacts.com
Data we collect
We collect only what's necessary to provide, improve, and protect the service.
2.1 Data you give us directly
- Account registration β name, email address, username, and password (hashed) when you create an account.
- Profile information β optional avatar, display name, and bio you choose to add.
- User-submitted content β facts, ratings, comments, or reports you submit within the app.
- Support communications β messages you send to our support team, including any attachments.
- Payment data β billing name and address. Card numbers are processed directly by Stripe and never stored by us.
2.2 Data collected automatically
- Usage data β pages visited, features used, game sessions played, facts swiped, correct/incorrect answers, time spent in-app.
- Device & technical data β IP address, browser type and version, operating system, device identifiers, screen resolution, language settings.
- Log data β server logs including timestamps, error reports, referrer URLs, and HTTP response codes.
- Cookies & similar technologies β as described in our Cookie Policy.
2.3 Data from third parties
- Social login providers β if you sign in via Google or Apple, we receive your name, email, and profile picture from that provider.
- Analytics providers β aggregated, anonymised behavioural data from Google Analytics (with IP anonymisation enabled).
- Fraud prevention β risk signals from Stripe Radar to prevent fraudulent transactions.
We do not intentionally collect special category data (health, race, religion, biometrics, etc.). Please don't share this type of information in the app.
How we use your data
We use your information for specific, documented purposes only.
| Purpose | Data used | Legal basis |
|---|---|---|
| Create & manage your account | Name, email, password | Contract |
| Deliver the game experience | Usage data, game progress, preferences | Contract |
| Process payments & subscriptions | Billing name, address, Stripe tokens | Contract |
| Improve & personalise the app | Usage data, game history | Legitimate interest |
| Analytics & performance monitoring | Anonymised usage & device data | Consent |
| Send transactional emails | Email address | Contract |
| Send marketing & product updates | Email address, preferences | Consent |
| Fraud prevention & security | IP address, device data, Stripe signals | Legitimate interest |
| Comply with legal obligations | As required by applicable law | Legal obligation |
| Respond to support requests | Name, email, support messages | Contract |
We only send promotional emails with your explicit consent. You can unsubscribe at any time using the link in any email, or by updating your account preferences.
Legal basis for processing
Under GDPR, we must have a lawful reason to process your personal data. Here are the bases we rely on.
Contract (Art. 6(1)(b))
Processing necessary to provide the service you've signed up for β account creation, gameplay, and payment handling.
Legitimate Interest (Art. 6(1)(f))
Improving the app, preventing fraud, and ensuring security. We always balance this against your rights and freedoms.
Consent (Art. 6(1)(a))
Optional analytics, marketing emails, and non-essential cookies. You can withdraw consent at any time.
Legal Obligation (Art. 6(1)(c))
Compliance with tax law, law enforcement requests, and other applicable legal requirements.
Sharing & international transfers
We share data only with trusted partners who help us run the service, under strict data processing agreements.
5.1 Service providers we work with
| Provider | Role | Data shared | Location |
|---|---|---|---|
| Firebase (Google) | Authentication & database hosting | Account data, game data | EU & US |
| Google Analytics | Usage analytics (anonymised) | Anonymised usage data | US |
| Stripe | Payment processing | Billing info, device data | US & EU |
| SendGrid | Transactional & marketing emails | Email address, name | US |
| Sentry | Error tracking & monitoring | Anonymised error & device data | EU |
| Vercel | Web hosting & CDN | IP address, request logs | Global |
5.2 Other circumstances where we may share data
- Legal requirements β if required by a court order, government authority, or applicable law, we may disclose your data. We will notify you unless legally prohibited from doing so.
- Business transfers β in the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity under the same privacy protections.
- Protecting rights β to investigate, prevent, or act on suspected fraud, security incidents, or violations of our Terms of Service.
- With your consent β we may share data for other purposes if you've explicitly agreed.
5.3 International data transfers
Some of our service providers are based outside the EEA (primarily the US). Where this occurs, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding Corporate Rules for intra-group transfers
We do not sell, rent, or trade your personal information to any third party for their own commercial purposes. This is unconditional.
Data retention
We keep your data only as long as necessary for its original purpose, or as required by law.
| Data type | Retention period | Reason |
|---|---|---|
| Account & profile data | Duration of account + 30 days | Service delivery; deletion grace period |
| Game history & progress | Duration of account | Personalisation & leaderboards |
| Payment records | 7 years | Tax & accounting obligations |
| Support communications | 3 years | Dispute resolution & quality assurance |
| Server & access logs | 90 days | Security monitoring & debugging |
| Analytics data (anonymised) | 26 months (Google Analytics default) | Product improvement |
| Marketing consent records | Until consent withdrawn + 1 year | GDPR accountability |
| Deleted account data | 30-day recovery window, then purged | Accidental deletion recovery |
When data reaches the end of its retention period, it is either securely deleted or irreversibly anonymised. We conduct quarterly data audits to ensure compliance.
Your rights
You have meaningful control over your personal data. Here's what you can do and how to exercise each right.
Right to Access
Request a copy of all personal data we hold about you (a "Subject Access Request").
Right to Rectification
Ask us to correct any inaccurate or incomplete personal data we hold.
Right to Erasure
Request deletion of your data ("right to be forgotten") where no legal basis for retention exists.
Right to Restriction
Ask us to pause processing your data while a dispute about accuracy or lawfulness is resolved.
Right to Portability
Receive your data in a structured, machine-readable format (JSON/CSV) to transfer to another service.
Right to Object
Object to processing based on legitimate interest, including profiling and direct marketing.
Automated Decisions
Not be subject to decisions made solely by automated processing that significantly affect you.
Withdraw Consent
Withdraw any consent you've given (e.g. marketing emails, analytics) at any time without penalty.
Right to Complain
Lodge a complaint with your local data protection authority if you're unhappy with how we handle your data.
How to exercise your rights
- Email us at privacy@smartassfacts.com with "Privacy Request" in the subject line.
- Describe your request and include your registered email address so we can verify your identity.
- We will respond within 30 days (we usually respond within 48 hours).
- We may need to verify your identity before processing some requests β we'll let you know if so.
If you're in the EU/EEA and believe we've mishandled your data, you have the right to lodge a complaint with your national data protection authority. For example, in the EU you can contact the relevant national DPA β
Children's privacy
Smartass Facts is designed for adults and older teenagers. We take children's privacy seriously.
Smartass Facts is intended for users aged 13 and over (or 16+ in certain EU member states). We do not knowingly collect personal information from children under these ages.
- Our registration process requires users to confirm they meet the minimum age requirement.
- We do not direct marketing at users under 18.
- If we discover we have inadvertently collected data from a child under the applicable minimum age, we will delete it promptly.
- Parents or guardians who believe their child has provided us with personal data should contact us at privacy@smartassfacts.com.
If you believe your child under 13 has created an account without your knowledge, please email us at privacy@smartassfacts.com and we will delete the account and all associated data within 24 hours.
Security
We implement industry-standard technical and organisational measures to protect your data.
Technical safeguards
- Encryption in transit β all data transmitted between your device and our servers uses TLS 1.2+.
- Encryption at rest β stored data is encrypted using AES-256 on Firebase's infrastructure.
- Password hashing β passwords are hashed using bcrypt with per-user salts. We never store plaintext passwords.
- Two-factor authentication (2FA) β available and encouraged for all accounts.
- Access controls β internal access to production data is role-based, logged, and limited to essential personnel.
Organisational safeguards
- Annual security training for all staff with access to personal data.
- Signed data processing agreements with all third-party processors.
- Regular internal security reviews and third-party penetration testing.
- Documented incident response procedure for data breaches.
Data breach notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of discovery (GDPR Art. 33).
- Notify affected users without undue delay where the breach poses a high risk (GDPR Art. 34).
- Provide clear information on what happened, what data was affected, and steps you can take.
We take security reports seriously. Please email security@smartassfacts.com with details. We aim to acknowledge all reports within 24 hours.
Third-party links & services
Our app may contain links to external websites and integrate with third-party services we don't control.
Smartass Facts may contain links to third-party websites, social media platforms, or embedded content (e.g. TikTok, Instagram, YouTube). These services have their own privacy policies that govern how they handle your data, and we are not responsible for their practices.
When you interact with social login (Google, Apple), social sharing features, or click external links from within our app, the respective third party's privacy policy applies. We encourage you to review those policies.
Social media integrations
Policy changes
We keep this policy up to date. Here's how we notify you of changes.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we update the "Last updated" date at the top of this page.
For material changes β those that significantly affect how we use your data or your rights β we will notify you through:
- A prominent notice on the Smartass Facts website and in-app
- An email to your registered address (at least 30 days before changes take effect)
- A prompt to review and re-accept updated terms where required by law
Version history
Contact & Data Protection Officer
We're here to help with any privacy questions, requests, or concerns.
If you have any questions about this Privacy Policy, want to exercise your rights, or have a concern about how we handle your data, please get in touch. All privacy requests are handled by a real person β not a bot.
Privacy team & DPO π
For general queries, data requests (SAR, deletion, portability)
and GDPR / CCPA compliance matters.
We aim to acknowledge all privacy requests within 48 hours and resolve them within 30 days as required by GDPR. Complex requests may take longer β we'll keep you informed.