Privacy Policy
DropStreak is a stock-tracking app for trading-card-game drops at Norwegian retailers, operated by the publisher of the DropStreak Apple App Store and Google Play Store listings (the "Publisher"). This document describes what data the app and its backend collect, how it is used, who it is shared with, and how you can exercise your rights over it.
What data we collect
DropStreak collects the minimum needed to deliver the service. We do not sell personal data, run advertising, or build user profiles for any purpose other than operating the app.
When you sign in
- Email address — provided by Apple ("Sign in with Apple") or Google ("Sign in with Google"). If you opt into Apple's hide-my-email relay, only the relay address is stored.
- Display name — only if your sign-in provider hands one over.
- A randomly-generated user ID — primary key in our database.
When you use the app
- Watchlist ("Catching list") items — the EANs you've tagged, so we can notify you when they restock.
- Subscription state (tier: Free or Pro) — if you start a Pro subscription, status info is received from RevenueCat to gate Pro features.
- A push-notification token (FCM) — issued by Firebase Cloud Messaging on your device so we can deliver restock notifications. The token rotates and we evict dead ones automatically.
- Notification permission status — whether your device has granted permission to receive notifications.
- In-app feedback reports — when you submit a report via "Report an issue" or by shaking your device, the message text is stored along with app version, platform, OS version, device model, the current screen, and a small triage context snapshot (sign-in state, subscription tier, watchlist count, filter state). Submission is optional.
Automatically, for debugging and analytics
- Crash and error reports — captured by Sentry. Includes the stack trace, the screen you were on, and the same triage context bag as feedback reports. No screen contents, photos, location, or contacts are captured.
- Anonymous request logs — backend access logs (URL, method, status, duration). Retained briefly for operations and discarded.
What we do not collect
- We do not collect or use your precise location.
- We do not access your photos, contacts, calendar, microphone, or camera.
- We do not run third-party advertising SDKs.
- We do not sell or rent personal data to anyone.
How we use this data
- Identify you across sessions so your Catching list persists.
- Send push notifications when products you're watching come back in stock.
- Bill and entitle your subscription (Pro tier) via Apple/Google billing and RevenueCat.
- Investigate bugs and improve the app via Sentry crash reports and your feedback submissions.
- Operate and maintain the service (backups, capacity planning, incident response).
Third parties we share data with
| Service | What is shared | Purpose |
|---|---|---|
| Apple ("Sign in with Apple") | Email (or relay address), Apple user ID | Authentication |
| Google ("Sign in with Google", FCM) | Email, Google user ID, FCM token | Authentication, push notifications |
| Firebase Cloud Messaging | FCM token, notification payload (product name + retailer link) | Push delivery |
| Sentry | Crash stack traces, triage context | Bug diagnosis |
| RevenueCat (when Pro is wired) | App user ID, store transaction ID | Subscription state management |
| Neon (Postgres host) | All stored data above | Database hosting (data resides in the EU) |
| Fly.io | All in-flight traffic | Application hosting |
All third parties listed are under contractual data-processing terms appropriate for their roles. Data is encrypted in transit (HTTPS / TLS) and at rest where the third party offers it.
Retention
- Account + watchlist data — kept while your account exists; deleted on request (see below) or when you delete the account from within the app.
- Push tokens — rotated automatically; permanent-failure tokens are evicted from our store.
- Feedback reports — kept for triage; we may delete or anonymize old reports periodically.
- Sentry crash reports — retained per Sentry's free-tier defaults (typically 30 days), then deleted automatically.
Your rights
Wherever you live, but especially under the EU GDPR and Norwegian Personal Data Act:
- Access — you can request a copy of the personal data we hold about you.
- Rectification — you can ask us to correct inaccurate data.
- Erasure — you can ask us to delete your account and associated data ("right to be forgotten").
- Portability — you can request your data in a machine-readable format.
- Object — you can object to specific processing; in practice, deleting your account is the cleanest way to stop all processing.
- Complain — to Datatilsynet (Norway's data protection authority) at datatilsynet.no, or to the equivalent in your country.
To exercise any of these rights, email the contact address below.
Children
DropStreak is not directed at children under 13 (or under 16 in EU/EEA jurisdictions where the local law sets that floor). We do not knowingly collect data from such children. If you believe a child has used the app, contact us and we will delete the associated data.
Changes to this policy
We will update this page when our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced in-app or via email.
Contact
For privacy questions or to exercise your data rights:
Email: privacy@dropstreak.app
The data controller is the Publisher of the DropStreak app on the Apple App Store and Google Play.
© 2026 DropStreak.