Privacy Policy — Loremax Mobile Application
Last updated: 12 June 2026
Version: 1.1
---
1. Introduction
This Privacy Policy describes how Loremax (“we”, “us”, “our”) collects, uses, stores, shares, and protects your personal data when you use the Loremax mobile application for iOS and Android (the “App”) and related services at loremax.hu.
We process personal data in accordance with:
- Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR)
- Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Hungary — Infotv.)
- Applicable app-store policies (Apple App Store, Google Play)
Data controller:
- Selmeczi Vilmos Vazul, 2051 Biatorbágy, Szabadság út 48., Hungary
- Email: selmeczi.vilmos.vazul@gmail.com
- Website: https://loremax.hu
Data Protection Officer / privacy contact: selmeczi.vilmos.vazul@gmail.com
Supervisory authority (Hungary): NAIH — National Authority for Data Protection and Freedom of Information
- Website: https://www.naih.hu
- Complaints: https://www.naih.hu/panasz
---
2. Scope and minimum age
This policy applies to users of the Loremax App who create an account or otherwise use our services.
The App is a social “daily quest” application: users complete quests, upload photo proof, connect with friends, and receive notifications.
Minimum age: The App is not directed at children under 13. You must be at least 13 years old to use the App (or 16 in EU member states where that is the age of digital consent). Before sign-in, you must confirm that you meet this requirement. We do not knowingly collect personal data from children under 13. If you believe we have, contact selmeczi.vilmos.vazul@gmail.com and we will delete it promptly.
---
3. Personal data we collect
3.1 Account and identity
| Data | How collected | Purpose |
|---|---|---|
| Email address | Sign in with Apple/Google, or manual entry during onboarding | Account, authentication, support, legal notices |
| User ID (UUID) | Generated at registration | Internal identification |
| Username | You choose during onboarding | Public handle, friend requests, invite links |
| Display name | From username or OAuth provider | Shown to other users |
| OAuth name fields | Apple/Google sign-in | Profile setup |
We do not collect phone numbers.
3.2 Profile and social data
| Data | Purpose |
|---|---|
| Profile photo (avatar) | Public profile |
| XP / level | Gamification |
| Friend connections | Social features |
| Quest history and daily quest state | Quest completion, daily quest assignment |
| Privacy setting: past quests visible to friends | Controls friend visibility on your profile (default: on) |
| Privacy setting: push notifications enabled | Your in-app push preference |
| Analytics consent choice | Records your opt-in/opt-out for product analytics |
3.3 User-generated content
| Data | Purpose |
|---|---|
| Quest proof photos | Evidence of completed quests |
| Captions / experience text (max ~280 characters) | Optional post description |
| Comments (max 500 characters) | Social interaction |
| Content reports | Moderation |
3.4 Location (optional — opt-in only)
If you actively enable location on a quest upload:
- GPS coordinates (latitude, longitude, accuracy)
- Reverse-geocoded city, country, ISO country code
- Timestamp
Default: we do not collect location. Location is never collected without your explicit per-upload consent.
3.5 Device and technical data
| Data | Where stored | Purpose |
|---|---|---|
| Authentication session tokens | Your device (AsyncStorage) | Keep you signed in |
| App language (HU/EN) | Your device | UI preference |
| Pending invite username | Your device | Process friend invites after sign-up |
| Platform (iOS/Android) | Server / analytics | Compatibility |
| App version | Analytics (if consented) | Product improvement |
| Expo push token | Server | Push notifications (if enabled) |
| Analytics distinct ID (Supabase user ID) | Device + PostHog EU (if consented) | Product analytics |
3.6 What we do NOT send to analytics
When analytics is enabled, we send only pseudonymous product events. We do not send: email, username, invite URLs, GPS coordinates, captions, quest text, or image URLs to PostHog.
---
4. Legal bases for processing (GDPR Article 6)
| Activity | Legal basis |
|---|---|
| Account, quests, friends, feed | Art. 6(1)(b) — performance of contract |
| Push notifications | Art. 6(1)(a) — consent (OS permission + in-app toggle) |
| Optional upload location | Art. 6(1)(a) — consent (per-upload checkbox) |
| Product analytics (PostHog) | Art. 6(1)(a) — consent (first-use modal + Settings toggle; default off until you accept) |
| Security, abuse prevention, rate limits | Art. 6(1)(f) — legitimate interests |
| Legal compliance | Art. 6(1)(c) — legal obligation |
| Account deletion / erasure requests | Art. 6(1)(b) and Art. 17 |
---
5. Where data is stored
5.1 Cloud — Supabase (processor)
Region: EU (Zurich)
PostgreSQL stores account, profile, friendships, quest runs, comments, notifications, push tokens, and related data.
Storage bucket `quest-proof`: avatars and quest photos. This bucket is public: anyone with the direct URL may access an image. URLs may be shared among friends and quest participants.
5.2 Your device
Session data and preferences are stored in AsyncStorage on your device.
5.3 Third-party processors
| Processor | Role | Data | Location |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage, edge functions | App data | EU (Zurich) |
| Apple Inc. | Sign in with Apple (iOS) | Identity token, optional name/email | Global |
| Google LLC | Sign in with Google | OAuth identity, email, name | Global |
| Expo / EAS | Push delivery | Push tokens, notification payloads | USA |
| PostHog Inc. | Product analytics (only if you consent) | User ID, event names, app version, platform | EU (eu.i.posthog.com) |
We use data processing agreements with processors as required by GDPR Article 28.
International transfers: Where data is transferred outside the EEA, we rely on Standard Contractual Clauses and/or adequacy decisions as applicable.
---
6. How we use your data
- Operate the App (quests, friends, feed, XP)
- Authenticate you and maintain your session
- Send push notifications when you have enabled them and granted OS permission: friend requests, quest approvals, and occasional external quest reminders (on average every 2–3 days) — no streak or in-app daily quest reminders
- Show your content to friends and quest participants per access rules
- Moderate reported content
- Improve the App through analytics only with your consent
- Prevent abuse (rate limits)
- Comply with law and enforce our Terms of Use
We do not sell your personal data. We do not use your data for third-party advertising.
---
7. Who can see your data
| Data | Visible to |
|---|---|
| | Only you (and authorized administrators for internal admin tasks) |
| Username, display name, avatar, XP | Any signed-in Loremax user viewing your profile |
| Quest posts (photo, caption, optional location) | You, your friends, and quest participants |
| Past quests on profile | Friends only, if your setting is on (default on) |
| Comments | Post owner and participants |
| Invite links | Username only — `https://loremax.hu/i?u={username}` |
---
8. Device permissions
| Permission | When | Purpose |
|---|---|---|
| Camera | Quest upload, avatar, QR scan | Photos |
| Photo library | Quest upload, avatar | Select/save images |
| Location (when in use) | Only if you enable on upload | Attach location to post |
| Notifications | After sign-in (if enabled) | Server-delivered push notifications |
| Apple Sign In | iOS login | Authentication |
Denying permissions limits related features.
---
9. Retention
| Category | Retention |
|---|---|
| Account and profile | Until you delete your account, or as required by law |
| Quest posts, comments, photos | Until account deletion |
| Push tokens | Until account deletion or you disable push |
| Analytics (PostHog) | Up to 12 months, then deleted or anonymized; erased on account deletion when configured |
| Rate-limit logs | Rolling 24 hours |
| Encrypted backups | Up to 30 days, then rotated |
We delete production data without undue delay after a valid erasure request, and within one month at the latest (GDPR Art. 17).
---
10. Your rights
Under GDPR (Articles 15–22) and applicable law, you may:
- Access your personal data
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Restrict processing in certain cases
- Data portability — receive your data in machine-readable form
- Object to processing based on legitimate interest
- Withdraw consent at any time (analytics, location, push)
- Lodge a complaint with NAIH or your local EU authority
How to exercise your rights
| Right | Method |
|---|---|
| Delete account | App → Settings → Delete profile → confirm |
| Delete account (web) | https://loremax.hu/app/account-deletion |
| Download your data | App → Settings → Download my data (JSON) |
| Analytics opt-out | App → Settings → turn off Allow product analytics; or decline the first-use prompt |
| Push opt-out | App → Settings → turn off Push notifications; or revoke OS permission |
| Past quests visibility | App → Settings → toggle Friends can see my past quests |
| Location | Do not enable location on upload |
| Other requests | Email selmeczi.vilmos.vazul@gmail.com — we respond within one month |
We may verify your identity before fulfilling requests.
---
11. Account deletion
When you delete your account:
- All files in your cloud storage folder are removed (paginated cleanup)
- Your database records are deleted (cascade: profile, friendships, quests, comments, tokens, etc.)
- Your Supabase Auth account is deleted
- We attempt to delete analytics data tied to your user ID when server-side integration is configured
- You are removed from other users’ quest participant lists
May persist: encrypted backups until rotation; content saved by others outside the App; processor logs per their policies.
---
12. Security
We use HTTPS/TLS, Row Level Security, server-side rate limiting, input validation, and server-only secrets for sensitive operations. No method is 100% secure. Report concerns to selmeczi.vilmos.vazul@gmail.com.
---
13. Data breaches
If a breach is likely to affect your rights, we will notify NAIH within 72 hours (GDPR Art. 33) and affected users where required (Art. 34).
---
14. California residents (CCPA/CPRA)
If you are a California resident and we meet applicable thresholds:
- Right to know — this policy describes collection and use
- Right to delete — in-app deletion or email selmeczi.vilmos.vazul@gmail.com
- Right to correct — contact selmeczi.vilmos.vazul@gmail.com
- Right to opt out of sale/share — we do not sell or share personal information for cross-context behavioral advertising
We will not discriminate against you for exercising these rights.
---
15. Changes
We may update this policy. Material changes will be communicated in the App or by email. The “Last updated” date will change.
---
16. Contact
Selmeczi Vilmos Vazul, 2051 Biatorbágy, Szabadság út 48.
- Email: selmeczi.vilmos.vazul@gmail.com
- Support: •••••••••••••••••••••••••••••••