Privacy Policy

1. Data Controller

RankIt is operated by the publisher listed at playrankit.com (the « Controller »). Any question about how your personal data is handled can be sent to [email protected]. Last updated: 2026-06-15.

2. Data Collected

We collect only what the game needs to run:

• a random device identifier (deviceId) generated on first launch, with no link to your Apple or Google account;
• the free-text pseudo you set before each game;
• your language preference (fr / en) to serve the right content;
• the questions and scale labels you write in « My questions » and choose to inject into a game;
• your reports and blocks (always linked to your deviceId, never shown to other players);
• in-app purchase receipts forwarded by Apple/Google via RevenueCat (product id, status, expiry) — never your card number.
  We do not collect email, real name, phone number, address, GPS location, browsing history or advertising identifier.

3. Purposes of Processing

Your data is used solely to:

• run live games (sharing your pseudo and rankings with the other players in your room);
• store your personal questions between sessions and inject them with priority when you host;
• process in-app purchases and restore access to premium packs;
• moderate user content: automatic filter at creation, reports, blocks, automatic hide after enough concordant reports;
• secure the service against abuse (per-IP rate limiting, technical logs).

4. Legal Basis (GDPR)

Processing relies on:

• performance of the contract between you and the Controller (Art. 6.1.b GDPR) to run the game and your purchases;
• the Controller's legitimate interest (Art. 6.1.f GDPR) for security, UGC moderation and abuse prevention;
• your consent (Art. 6.1.a GDPR) for optional in-app purchases.
  You can withdraw your consent and delete your data at any time (see § 7).

5. Data Retention

• deviceId, pseudo, language, personal questions, blocks: kept while you use the app; deleted on request or automatically 24 months after the last session.
• Reports: kept 12 months for moderation, then purged.
• Game archive data (scores, duration, packs played): 24 months for aggregated statistics, then anonymised.
• Purchase data (RevenueCat / Apple / Google tokens): kept while the subscription is active, then 12 months for accounting obligations.

6. Sharing with Third Parties

We share the minimum data with:

• Apple App Store and Google Play, to process in-app purchases;
• RevenueCat (United States), purchase aggregation provider — Standard Contractual Clauses signed;
• our hosting provider, located in the European Union, which runs the web server and database;
• the other players in your room, who see your pseudo and the questions you choose to inject.
  We never sell your data. No data is shared for advertising purposes.

7. Your Rights

Under the GDPR you have the following rights:

• access to your data;
• rectification of inaccurate data;
• erasure (« right to be forgotten »);
• data portability;
• restriction and objection to processing;
• withdrawal of consent.
  To exercise these rights, email [email protected] with your deviceId (visible in Settings). We answer within 30 days. You can also delete every piece of data by uninstalling the app, then writing to us to purge the server side.

8. Cookies and Trackers

The mobile app uses no cookies, no advertising trackers and no third-party analytics SDK. It does not trigger the iOS App Tracking Transparency prompt because it does not track users across other apps or websites.

9. Security

All communication between the app and our servers goes over TLS (HTTPS / WSS). Internal endpoints between our services are signed with HMAC-SHA256 plus a timestamp anti-replay window. Writes against user data are per-IP rate-limited to contain abuse. Session tokens used to play a game are short-lived JWTs, never persisted in plain text.

10. Contact

For any question about your personal data or this policy, contact us at [email protected]. We have not appointed a Data Protection Officer (DPO) under Art. 37 GDPR because our processing remains limited; you may nevertheless use the same email address for any data-protection topic.

11. Complaint to the CNIL

If you believe your rights are not respected, you can lodge a complaint with the French data protection authority (CNIL): Commission Nationale de l'Informatique et des Libertés, 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France. www.cnil.fr. Residents of other EU countries may also contact their local supervisory authority.