1. Who we are
"Hard Rock Collector" (the "App") is an independent, non-commercial fan project published by the project contributors. It is not affiliated with, endorsed by, or sponsored by Hard Rock International. This policy explains what data we collect when you use the App, why, and what you can do about it.
For any privacy question or request, email support@itropical-live-solutions.com.
2. What data we collect
We deliberately collect as little data as possible. We do not collect your name, email address, payment information, advertising identifiers, contacts, photos, browsing history, or device fingerprints. We do not embed any third-party analytics, advertising, or tracking SDK.
The data we do collect, all tied to your account on our backend:
- Apple user identifier (the opaque "sub" returned by Sign in with Apple). This is how we recognize your account across devices.
- Display name - the handle you choose; user-editable. Visible to friends and on leaderboards.
- Check-in records - café identifier, timestamp, the coordinates you submitted at check-in, and the GPS accuracy reading at that moment.
- Achievement progress, XP, streak data - derived from your check-ins.
- Friendships - the user IDs of accounts you've added as friends.
- APNs device token, if you grant push notification permission, so we can deliver notifications you've opted in to.
- Subscription status - whether you have an active "Collector Plus" subscription. Apple handles all payment; we only see "active / not active".
We also keep minimal server access logs (request method, route, status code, truncated IP, timestamp) for a short period to detect abuse and debug outages. Logs are not used for analytics or profiling.
3. Why we collect it (legal basis)
For users in the EU/EEA and UK, the lawful basis under GDPR Article 6:
- Account & check-in data - necessary to perform the contract you entered when you signed in (Art. 6(1)(b)). Without it, the App cannot function.
- Anti-abuse logging & rate limiting - our legitimate interest in keeping the service available and fair (Art. 6(1)(f)).
- Push notifications - your explicit consent, given when you grant permission in iOS (Art. 6(1)(a)). You can revoke it any time in iOS Settings.
For users in California (CCPA/CPRA): we do not "sell" or "share" your personal information as those terms are defined under CCPA.
4. Location data
The App requests "When In Use" location access. Your location is read on your device only at the moment you tap the check-in button - never in the background, never continuously. The reading is sent to our server so we can verify you are physically at the café (Haversine distance + GPS accuracy ceiling). The server stores the coordinates and accuracy reading as part of the check-in record so the visit can be proven later; we do not build a movement profile, location history, or heat map.
You can revoke location permission any time in iOS Settings → Privacy & Security → Location Services → Hard Rock Collector. Without it, you can browse the catalog but cannot check in.
5. Third parties & processors
We rely on a small number of third parties - none of them receive marketing data or user profiles:
- Apple Inc. - Sign in with Apple (authentication), APNs (push delivery), App Store (subscription billing). Governed by Apple's privacy policy.
- Railway Corp. - our hosting provider in the United States. They run the Vapor server and the managed Postgres database; they are a data processor under our instructions.
We do not use Google Analytics, Facebook Pixel, Mixpanel, Segment, Firebase, AppsFlyer, Crashlytics, or any comparable SDK.
6. How long we keep your data
Your account data is kept for as long as your account exists. When you delete your account in Profile → Settings → Delete Account, your check-ins, achievements, friendships, profile, display name, and APNs token are deleted from our database immediately. There is no soft-delete and no recovery window. Server access logs are rotated and purged within 30 days.
7. Your rights
Wherever you are in the world, you can:
- Access the data we hold about you (most of it is visible inside the App on your profile).
- Correct your display name in the App.
- Delete your account and all associated data via Settings → Delete Account.
- Withdraw push consent in iOS Settings.
If you are in the EU/EEA or UK, you additionally have GDPR rights to portability, restriction, objection, and to lodge a complaint with your local supervisory authority. Email support@itropical-live-solutions.com for any data request - we respond within 30 days.
8. Children
The App is not directed to children under 13. Sign in with Apple itself requires you to be at least 13 in most regions (older in some). If you believe a child under the applicable minimum age has created an account, email us and we will delete it.
9. International transfers
Our servers are hosted by Railway in the United States. If you use the App from the EU/EEA or UK, your data will be transferred to the US for processing. We rely on the relevant Standard Contractual Clauses with our processor where required by law.
10. Security
Traffic between the App and our server is encrypted with HTTPS/TLS. Your session is bound to a short-lived token verified server-side. We never see or store your Apple password. We use only operating-system-provided cryptography (TLS, Sign in with Apple, CryptoKit SHA-256, Keychain, JWT HS256) - no custom crypto.
No system is perfectly secure. If we discover a breach that affects you, we will notify affected users and relevant authorities as required by law.
11. Changes to this policy
We may update this policy as the App evolves. Material changes will be announced in-app and the "Effective date" below will be updated. Continued use of the App after an update means you accept the revised policy.
12. Contact
Questions, complaints, or data requests: support@itropical-live-solutions.com.
Effective date: 2026-05-28