Privacy Policy

Last updated: April 20, 2026

Data Controller

SetSquad is operated by RNT Projects, De Nieuwe Erven 3, 5431 NV Cuijk, Netherlands. For privacy inquiries, contact privacy@setsquad.app.

Scope

This policy covers the SetSquad website (setsquad.app) and the SetSquad mobile app for iOS and Android. The app is not directed at children under 13 and we do not knowingly collect personal data from them.

What Data We Collect

Account data

  • Email address — from Sign in with Apple or Google. If you use Apple's “Hide My Email” we only receive the relay address.
  • Display name and avatar URL — optional, set by you in-app.
  • Username and bio — optional, public on your profile.
  • OAuth provider identifiers — opaque tokens from Apple/Google; we never receive your OAuth password.

App content

  • Your LEGO collection, build sessions, timer history, ratings, follow relationships, activity events and kudos.
  • Photos you upload — profile avatar and build photos, stored in Supabase Storage. You can delete these at any time.
  • Reports you submit about other users or content.

Device permissions (asked only when used)

  • Camera — to scan set barcodes and photograph finished builds.
  • Photo library — to pick a profile picture or a build photo, and to save build cards for sharing.
  • Microphone — only if you choose to record a video of your build.
  • Push notifications — optional, requested contextually (e.g. after completing a build).

Advertising and device identifiers

  • Advertising Identifier (IDFA on iOS, AAID on Android) — used by Google AdMob to show relevant ads. On iOS we ask for App Tracking Transparency consent first; on Android and in the EEA/UK we respect the IAB-TCF consent you set via the consent form. Declining → non-personalized ads.
  • Coarse device info — OS version, model, app version, locale. Used for crash diagnostics.

Third Parties We Use

Each of these is a data processor acting on our instructions.

  • Supabase (EU, Frankfurt) — authentication, Postgres database, storage of photos. Sub-processor: AWS eu-central.
  • Apple Sign in with Apple — identity verification for iOS users.
  • Google Sign-In — identity verification.
  • Google AdMob — advertising. Processes IDFA/AAID and coarse device data. See Google's privacy policy.
  • RevenueCat — subscription management. Receives an anonymous SetSquad user id and your purchase receipts. No email or name is shared.
  • Apple App Store / Google Play — process all in-app purchases and subscriptions. We never see your payment details.
  • Sentry — crash and error reporting. Receives stack traces, device model, OS version and your SetSquad user id for debugging. No photos, email or OAuth tokens are sent.
  • Expo / EAS Updates — delivers app bundle updates. Receives only the app version and runtime version.
  • Resend — transactional email delivery from the app (account confirmations, weekly digest, retirement alerts). Receives your email address and the message body only.
  • Brevo — waitlist email delivery from the marketing website only. Receives your email address if you join the waitlist.
  • Vercel Analytics & Speed Insights — aggregate, cookieless website analytics (no personal identifiers).
  • OpenAI — automated content moderation on the text and images you submit (bio, username, reviews, comments, build photos, user reports). We send only the specific piece of content being moderated. OpenAI retains this data for up to 30 days for abuse monitoring and does not use it to train their models.
  • Expo Push Notification Service — delivers push notifications. Receives your device push token and the notification payload.

Legal Basis (GDPR Article 6)

  • Performance of a contract — running your account, syncing your collection, delivering purchased subscriptions.
  • Consent — push notifications, personalized ads (IDFA), email marketing.
  • Legitimate interest — crash diagnostics, fraud prevention, content moderation.
  • Legal obligation — responding to lawful requests, tax record-keeping for purchases.

Data Retention

Account data is kept until you delete your account. Build photos and content you produce live as long as the account does. Crash reports are kept by Sentry for 90 days. Purchase records are kept for seven years to meet Dutch tax law.

Account and Data Deletion

In the app: Profile → Settings → Delete Account. This permanently erases your profile, collection, build sessions, ratings, follows, kudos, reports submitted by you, and your uploaded photos. Deletion is immediate on our servers; third-party processors erase within their own SLAs (Sentry 90 days, AdMob per Google's schedule).

Alternative route if you can't access the app: visit setsquad.app/delete-account or email privacy@setsquad.app. We respond within 30 days.

Your Rights (GDPR)

  • Access — request a copy of your data.
  • Rectification — request correction.
  • Deletion — request erasure.
  • Portability — receive a machine-readable export.
  • Objection / restriction — object to specific processing (e.g. ads).
  • Withdraw consent — turn off notifications, revoke tracking in system settings, unsubscribe from email.
  • Complaint — file with the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

Exercise any of these by emailing privacy@setsquad.app.

International Transfers

Our primary database is in the EU. Some processors (Google, Apple, Sentry, RevenueCat, OpenAI) transfer data to the US under the EU–US Data Privacy Framework or Standard Contractual Clauses.

Security

Data is encrypted in transit (HTTPS/TLS) and at rest. Authentication tokens are stored in iOS Keychain / Android Keystore. Offline app data in WatermelonDB lives only on your device.

Children

SetSquad is intended for users aged 13 and over. If you believe a child under 13 has created an account, contact privacy@setsquad.app and we will delete it.

Changes to This Policy

If we make significant changes we will update the "Last updated" date and — for changes that affect your rights — notify active users in-app or by email.

Contact

Privacy questions: privacy@setsquad.app. Legal: legal@setsquad.app.

LEGO Trademark Disclaimer

LEGO® is a trademark of the LEGO Group of companies which does not sponsor, authorize or endorse this application. SetSquad is not affiliated with, endorsed by, or sponsored by the LEGO Group.