Privacy Policy: Heimdall HQ

Last Updated: 2026-02-19

This Privacy Policy describes how Heimdall HQ (hereinafter "the Application"), operated by Philip Grefe (hereinafter "the Controller" or "Service Provider"), collects, processes, and protects personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller Information

The responsible party (Controller) for data processing within the meaning of Art. 4 No. 7 GDPR is:

Philip Grefe

Email: p.grefe@gmail.com

2. Scope and Purpose of Data Processing

The Application processes personal data to provide its services. The processing is conducted based on the following legal grounds:

Art. 6(1)(a) GDPR (Consent): For processing such as background location tracking or marketing.
Art. 6(1)(b) GDPR (Performance of Contract): For processing required to provide the core app functionality (e.g., account management and real-time gameplay location features).
Art. 6(1)(f) GDPR (Legitimate Interests): For technical logs and security purposes.

A. Location Data (High-Precision & Background)

The Application utilizes background location tracking to share positions during gameplay.

Purpose: Real-time location sharing with other players of the same game.
Legal Basis: Location data is processed to provide the core functionality of real-time gameplay (Art. 6(1)(b) GDPR). Where required, additional extended/background tracking is based on user consent (Art. 6(1)(a) GDPR).
Permission Flow: On iOS and Android, location permissions are requested through the native system prompt. If access is denied, users may later enable permission in system settings.

B. Motion, Camera, and Microphone

Motion Detection: Used to distinguish between walking, cycling, or driving to improve location quality and battery efficiency.
Camera Access: Used solely to scan invitation QR codes.
Microphone: Used for voice-to-text input features if enabled by the user.

C. Authentication and Identity

When you use Google Sign-In or Apple Authentication, we process your Email Address and Full Name to create and maintain your user profile.

D. Diagnostic Data

We collect diagnostic data (e.g., crash logs via Sentry) to improve app stability.

3. Third-Party Services and International Data Transfer

To provide the service, data may be transmitted to third-party providers. Some providers may be located outside the EU/EEA. Where required, transfers rely on safeguards such as Standard Contractual Clauses (SCCs) and/or adequacy mechanisms.

We do not sell personal data to third parties.

Provider	Purpose	Data Privacy Information
Supabase	Backend Database & Auth	https://supabase.com/privacy
PowerSync	Offline-First Sync	https://www.powersync.com/privacy-policy
Mapbox	Map Rendering	https://www.mapbox.com/legal/privacy
Transistor Soft	Geolocation Services	https://www.transistorsoft.com/privacy_policy
Google	Auth & Play Services	https://policies.google.com/privacy
Apple	Auth & iOS Services	https://www.apple.com/legal/privacy/

4. Your Rights (Data Subject Rights)

Under the GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15 GDPR)
Right to Rectification (Art. 16 GDPR)
Right to Erasure (Art. 17 GDPR)
Right to Restriction (Art. 18 GDPR)
Right to Data Portability (Art. 20 GDPR)
Right to Object (Art. 21 GDPR)
Right to Withdraw Consent (Art. 7(3) GDPR)

To exercise these rights, contact us at p.grefe@gmail.com.

5. Right to Lodge a Complaint

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence.

6. Data Retention and Deletion

Personal data is stored only as long as necessary for the purposes described in this policy, unless longer retention is required by law.

Account-related data is deleted after a valid account deletion request is completed.
Location data and gameplay-related data are retained only as needed for service operation and then removed according to operational retention periods.
Certain minimal records may be retained where legally required (for example, security or legal compliance records).

7. Data Security

We implement appropriate technical and organizational measures, including encryption in transit (TLS) and access controls.