Game of Chores

Privacy Policy

Effective date: 29 May 2026 Last updated: 4 June 2026

This Privacy Policy explains how Game of Chores (“the App,” “we,” “us”) collects, uses, shares, and protects personal data when you use the App, our website at gameofchores.me, or any related service.

We are committed to processing your data lawfully, transparently, and only for the purposes described below.

1. Who we are

The data controller for Game of Chores is:

Umut Aktaş (natural person, sole controller)
Utrecht, the Netherlands
Contact: privacy@gameofchores.me

The App is distributed via the Apple App Store and Google Play Store under developer accounts registered in Turkey. The data controller is Umut Aktaş personally; the store accounts are distribution channels and do not create a separate legal controller.

If you are a user in the European Economic Area, your rights under the General Data Protection Regulation (GDPR) apply. If you are a user in Turkey, additional rights under the Personal Data Protection Law (KVKK) apply — see Section 13.

2. What we collect

We collect only what is needed to operate the App. Categories below map to GDPR Article 13 and 14 transparency requirements.

2.1 Account data

Collected at sign-in via Sign in with Apple or Sign in with Google:

  • Email address (or Apple’s private relay address, if you choose to hide your email)
  • Display name (as provided by Apple/Google or chosen by you)
  • Profile photo (optional, from your Apple/Google account or uploaded by you)
  • A unique account identifier provided by Apple or Google

Account data is received from Apple Inc. and Google LLC acting as identity providers. The data we receive is limited to the fields you authorize at sign-in; we do not query Apple or Google for additional information beyond what is needed to complete sign-in. (Source-of-data disclosure under GDPR Art. 14(2)(f).)

2.2 Profile data

  • Display name and avatar (visible to other users)
  • Play-style label (for example “Speed Cleaner”) — derived from your activity
  • Badges, XP, level, streaks — derived from your activity
  • Age band — derived from the age gate at first launch. The four bands are under-13 (blocked), 13–15 (restricted minor), 16–17 (standard minor), and 18+ (adult). We do not store your full date of birth beyond what is needed to compute the band and to auto-transition you between bands on your 16th and 18th birthdays.

2.3 User-generated content

  • Chore data (titles, categories, optional AI-suggested breakdowns)
  • Battle data (format, opponents, duration, side-bets, status, results)
  • Proof photos (before / after images uploaded to verify completion)
  • Taunts and battle log entries
  • Side-bet items (emoji or custom text)

Proof photos are stored at two resolutions: a compressed thumbnail used in feeds and previews, and a higher-resolution version retained for the proof detail view. We strip EXIF metadata from proof photos before they are stored — location coordinates, capture timestamps, device information, and other camera metadata do not travel with the photo. Battle proofs are stripped twice (during client-side compression and again on the server during resize); Daily Arena proofs are stripped on the server during preprocessing.

2.4 Social-graph data

  • Rivalry records (persistent head-to-head between any two users who have battled, e.g. “Me 14 — Mike 9”)
  • House (team) membership and House War history
  • Friend connections, if you choose to invite or accept friends

Contacts handling (planned feature — not yet available). A contacts-based friend finder is planned but has not yet shipped; the App does not currently read your device contacts. When this feature becomes available, it will work as follows: if you grant the contacts permission (we will ask via a priming screen before the OS dialog), the App will read your device contacts to help you find friends who already use the App. Your contacts will be processed entirely on your device — they will never be uploaded to our servers, never hashed and sent to a matching service, and never retained after the screen closes. The only data that would leave your device from this flow is the unique identifier of the friend you select. If you decline the priming prompt, the App will not trigger the native dialog and will not read your contacts. When the feature ships, users in the 13–15 band will not be able to enable the contacts permission and the priming screen will not be shown to them. We will update this Privacy Policy and notify users via the change-notification channel in Section 11 before this feature goes live.

2.5 Device and technical data

  • Device model, OS version, app version
  • A vendor-scoped device identifier (Identifier for Vendor on iOS / Firebase Installation ID on Android), used to keep your session on a device and to detect abusive multi-account patterns. We do not collect the Android Advertising ID (AD_ID) or any other cross-app tracking identifier.
  • IP address (used transiently for authentication and session security; retained in Firebase Authentication logs per Google Cloud’s published default — see §6)
  • Language and region settings

2.6 Usage and analytics data

  • Events you trigger in the App (screen views, battle creates, proof submits, share actions, and similar) via Firebase Analytics.
  • Native crash reporting: native iOS and Android crash signals are captured by Sentry. We do not use Firebase Crashlytics.
  • Application errors, error logs, and performance traces via Sentry. Sentry receives the error message, stack trace, and breadcrumbs leading up to the error, plus a screenshot and view-hierarchy snapshot of the App at the moment of the error. The Sentry Flutter SDK applies content masking by default: text widgets and image widgets are automatically redacted in the captured screenshot before transmission, so the visible content of the screen at the moment of the error is not transmitted in legible form. Sentry data is stored in Sentry’s EU data center in Frankfurt, Germany.
  • We do not use advertising identifiers, third-party advertising trackers, or attribution SDKs. We do not request the Android AD_ID permission. We do not show ads.

2.7 Notifications data

  • Firebase Cloud Messaging (FCM) push token, if you grant notification permission
  • Notification interaction events (delivered, opened, dismissed)

Users in the 13–15 band cannot enable push notifications: the priming screen is not shown to them, no FCM token is registered, and the restriction is enforced server-side.

2.8 AI processing data

When you use AI-assisted features, we send the relevant content to one of four service providers for processing.

  • AI task breakdown (when creating a battle): the chore title is sent to Google Cloud’s Gemini 2.5 Flash model on Vertex AI, pinned to the europe-west4 region (the Netherlands). Anthropic’s Claude (United States) is a fallback if Gemini is unavailable. The provider returns suggested sub-chores.
  • AI Referee proof verification (opt-in for 1v1 battles; mandatory for Daily Arena and House Wars): a resized version of the proof photo (1024 pixels long edge, re-encoded for transit — not the original camera-resolution file) and the chore description are sent to Gemini 2.5 Flash on Vertex AI in the europe-west4 region (the Netherlands), with Anthropic Claude (United States) as fallback. The provider returns an approval-or-challenge verdict and a short reasoning, both of which are stored with your battle.
  • Safety preprocessing for Daily Arena proofs: Google Cloud Vision runs image-safety classification and limited text detection on the Arena proof image to flag content unsafe for the public leaderboard. Cloud Vision processing region follows Google’s default project configuration. (A follow-up migration to an EU-pinnable surface is tracked in the backlog.)
  • Free-text moderation: OpenAI’s Moderation API classifies user-typed text (chore titles, side-bet terms, AI-emitted sub-chore titles) against safety policies before the text is stored. Our customer counterparty is OpenAI Ireland Limited (Ireland); OpenAI OpCo, LLC (United States) acts as a sub-processor for technical service delivery. OpenAI retains API inputs for up to 30 days for abuse-monitoring purposes, then deletes them; OpenAI does not use API content to train its models by default.

Your account identifier is not transmitted to any external AI provider — only the content needed for the task (image bytes or short text) and a system rubric.

AI Referee verdicts are not cached or reused. Each proof submission triggers a fresh API call to the provider so that your verdict is contemporaneous with the specific proof you submitted. We retain a per-submission idempotency marker (the path of the proof object in our storage) only to prevent duplicate scoring of the same proof; we do not cache the verdict content itself.

We cache AI task-breakdown results in our own database to reduce calls to AI providers. The cache is keyed by the chore’s catalog ID for built-in chores, or by a SHA-256 hash of the normalized chore title for user-typed chores. The cache stores only the AI-generated sub-chore steps and a generation timestamp; the original chore title text is not stored in the cache record. The cache is shared across users by design: if you create a battle for the same chore another user has already requested, your request is served from the cache without a new AI call. Cache entries do not contain your account identifier or your original title text; they are de-identified and are not personal data under GDPR Art. 4(1). They are therefore not subject to access or erasure requests under Arts. 15–17.

AI Act Article 50(1) — interaction with AI. Game of Chores deploys general-purpose AI systems (Google Gemini, Anthropic Claude, OpenAI Moderation) to support battle creation, proof verification, and free-text safety. Under EU AI Act Article 50(1), we inform you that you are interacting with an artificial intelligence system whenever you use AI task breakdown, AI Referee, or any feature whose name starts with AI. The in-App user interface labels these features as AI at the point of interaction.

AI Act Article 50(4) — AI-generated content. Sub-chores suggested by AI task breakdown, and the verdict and reasoning text produced by AI Referee, are AI-generated content. They are displayed in the App with an AI label and a short tooltip explaining how the suggestion or verdict was reached. We do not represent AI-generated text as human-authored in any App surface, share card, or notification.

AI Act deployer obligations. We act as a deployer of AI systems under EU Regulation 2024/1689 (the AI Act). Our deployer obligations — including AI literacy under Article 4, compliance with provider instructions, and transparency under Article 50 (applicable from 2 August 2026) — are supervised by the Autoriteit Persoonsgegevens, our existing supervisory authority for GDPR matters, in coordination with other Dutch AI supervisors. The AI systems we deploy (Gemini, Claude, OpenAI Moderation) are classified as minimal-to-limited risk under the Act’s risk tiers; AI Referee is not used for employment, credit, biometric identification, critical infrastructure, or any Annex III high-risk use case.

2.9 Share cards

When you share a battle outcome, before/after proof comparison, streak milestone, or other achievement from the App, the share image is generated entirely on your device. The image is rendered locally, written to a temporary file, and handed to your operating system’s share sheet. The share image is not uploaded to our servers and is not retained after you share it. A share image contains your display name and avatar, the opponent’s display name and avatar (for battle cards), the chore title, the outcome and XP earned, your head-to-head record, your side-bet description (if any), and an invite link footer with a short code that allows the recipient to challenge you back. Your account identifier is not embedded in share images.

2.10 Invite links

Invite links are short URLs on gameofchores.me that drop the recipient into a pre-filled challenge against you. We do not use third-party deep-link providers, attribution SDKs, UTM parameters, or referrer tracking on invite links: there is no Firebase Dynamic Links integration, no Branch SDK, and no analytics fan-out when a recipient opens an invite link. The only data we store is the invite-code record itself, containing the code, your account identifier, the battle parameters you pre-filled, an expiration date (7 days after creation), and, if the link is redeemed, the redeemer’s account identifier and timestamp. Firestore’s built-in time-to-live mechanism deletes records whose expiration timestamp has passed, typically within 24 hours of expiration; this applies to both unused and redeemed records.

2.11 Block and Report

If you use the App’s Block tool to block another user, we store a record of the block (your account identifier, the blocked user’s account identifier, a timestamp) so that we can enforce it. Blocked users cannot challenge you, taunt you, or appear in your discovery surfaces; pending challenges between you are auto-declined; and the blocked user is removed from your rivalries list. You can unblock anyone you have blocked from Settings → Privacy → Blocked users.

If you use the App’s Report tool to report content (a proof photo, comment, profile, battle, rivalry record, or activity item), we store a report record containing your account identifier, the reported user’s account identifier, a structured reference to the reported content, a report category (selected from child safety, spam, harassment, hate speech, nudity or sexual content, graphic violence, impersonation, threats of violence, or self-harm), an optional short description, and a timestamp. Reports are visible only to the App’s moderation operator; the reported user is not notified that you submitted the report. We review all reports within 24 hours. We may act on a report by warning the reported user, removing the reported content, restricting interactions between the involved users, or removing the reported user’s account. A plain-language summary of these community standards and how report review works is published in our Community Guidelines.

3. Why we collect it (purposes and legal bases)

The table below maps each processing purpose to the data categories used and to the GDPR Article 6 lawful basis we rely on. The “Why we are allowed to do it” column rephrases the legal basis in plain language for users including 13–15 minors.

Purpose Data categories Why we are allowed to do it Legal basis
Create and operate your account Account data, profile data Because we need it to give you the App you signed up for. Contract — Art. 6(1)(b)
Run battles, leaderboards, Houses, Daily Arena User-generated content, social-graph data Because we need it to give you the App you signed up for. Contract — Art. 6(1)(b)
AI task breakdown and AI Referee UGC sent to AI provider Because we need it to give you the App you signed up for. Contract — Art. 6(1)(b)
Maintain invite-link records Invite-code records Because we need it to give you the App you signed up for. Contract — Art. 6(1)(b)
Operate the Block tool Block records Because we need it to give you the App you signed up for. Contract — Art. 6(1)(b)
Send push notifications (16+) FCM token, notification events Because you gave us permission. You can withdraw permission at any time. Consent — Art. 6(1)(a)
Friend discovery via contacts (planned — 16+, on-device only, not yet available) Device contacts (will never be uploaded) When available: because you will have given us permission. You will be able to withdraw permission at any time. Consent — Art. 6(1)(a)
Analytics Usage events, app version, device model Because we have a legitimate reason (to fix bugs and improve the App) and weighed it against your rights. Legitimate interest — Art. 6(1)(f)
Crash + error reporting Sentry error data, breadcrumbs, masked screenshots Because we have a legitimate reason (to keep the App stable) and weighed it against your rights. Legitimate interest — Art. 6(1)(f)
Abuse prevention, moderation, security All categories as needed Because we have a legitimate reason (to keep the community safe) and weighed it against your rights. Legitimate interest — Art. 6(1)(f)
Operate the Report tool Report records Because we have a legitimate reason (community safety) and weighed it against your rights. Legitimate interest — Art. 6(1)(f)
Generate share cards locally UGC rendered on device only We do not process anything on our servers for this; the image is made on your phone. Not applicable — no controller processing
Age-gate compliance Age band derived from date of birth Because we have a legitimate reason (running an App safely for minors) and weighed it against your rights. Legitimate interest — Art. 6(1)(f)

Legitimate interests assessment (GDPR Art. 6(1)(f) processing)

For each purpose relying on legitimate interest, we have considered (i) the interest itself, (ii) why processing is necessary to achieve it, and (iii) whether the user’s rights override it. Summary:

  • Analytics — interest: fixing bugs and improving the App. Necessity: aggregated event counts are the minimum needed to identify broken screens; we do not use advertising identifiers or attribution SDKs. Balance: data is minimized to event names + app version + device model, no identifier-level profiling for marketing; user rights are not overridden.
  • Crash + error reporting (Sentry) — interest: keeping the App stable. Necessity: stack traces and breadcrumbs are needed to diagnose the failure; the masked screenshot is needed to capture UI state. Balance: SDK default masking redacts text + image widget contents before transmission, and data is stored in the EU (Frankfurt); user rights are not overridden.
  • Abuse prevention, moderation, security — interest: keeping the community and the App safe. Necessity: read access to the categories involved in the incident is required to act. Balance: scope is incident-driven, not bulk surveillance; user rights are not overridden because the community safety interest is concrete and immediate.
  • Report tool — interest: community safety. Necessity: the report record is the minimum needed to act on a report. Balance: reporter identity is not surfaced to the reported user; user rights are not overridden.
  • Age-gate compliance — interest: running an App safely for minors and complying with GDPR Art. 8. Necessity: an age band derived from declared date of birth is the minimum needed. Balance: full DOB is not stored beyond what is needed to compute the band and auto-transition; user rights are not overridden.

Our legitimate-interests assessments are conducted in accordance with EDPB Guidelines 1/2024 on processing of personal data based on legitimate interests (adopted 8 October 2024), the WP29 Opinion 06/2014 it updates, and the Court of Justice ruling in Case C-621/22 confirming that commercial interests may qualify as legitimate where the three-step balancing test is satisfied.

You may object to any processing based on legitimate interest under GDPR Art. 21 by emailing privacy@gameofchores.me; we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Consequences of refusing to provide data (GDPR Art. 13(2)(e))

Account data, profile data, and core user-generated content (battles, chores, proof photos) are required to use the App. If you refuse to provide them, we cannot create an account for you and you cannot use the App. Analytics, push notifications, and contacts (when the contacts feature becomes available) are optional and processed on legitimate interest or consent as set out above: refusing them disables the relevant feature only and does not affect access to the App.

You may withdraw consent at any time for consent-based processing (notifications, contacts) via your device settings or in-App settings, without affecting the lawfulness of earlier processing. The 16+ restriction on notification consent is enforced (see §9).

4. Who we share data with (sub-processors)

We do not sell your personal data. We share data only with the service providers below.

  • Google LLC — authentication (Firebase Auth), database (Cloud Firestore, eur3 multi-region), file storage (Cloud Storage, EU multi-region), serverless backend (Cloud Functions, europe-west1 in Belgium), push notifications (Firebase Cloud Messaging), analytics (Firebase Analytics), and AI processing (Vertex AI in the europe-west4 region (the Netherlands) for Gemini 2.5 Flash; Cloud Vision for Arena image-safety preprocessing). Gemini processing occurs within the EU. Cloud Vision routing follows Google’s default project configuration. Google is certified under the EU-U.S. Data Privacy Framework, with Standard Contractual Clauses as a fallback transfer safeguard.
  • Apple Distribution International Limited (Ireland), with Apple Inc. (United States) as the storage destination — Sign in with Apple (authentication only). For users in the European Economic Area and Switzerland, Apple’s controller is Apple Distribution International Limited; the onward transfer to Apple Inc. is governed by Standard Contractual Clauses per Apple’s published privacy policy at apple.com/legal/privacy.
  • Anthropic, PBC (United States) — Claude AI as a fallback provider for AI task breakdown and AI Referee. Transfer to the United States is covered by Anthropic’s Commercial Terms Data Processing Addendum, which incorporates the European Commission’s Standard Contractual Clauses (Module 2, Controller-to-Processor). Anthropic’s published certifications include ISO/IEC 27001:2022, ISO/IEC 42001:2023, and SOC 2 Type I & II.
  • OpenAI Ireland Limited (Ireland), with OpenAI OpCo, LLC (United States) as sub-processor for technical service delivery — Moderation API for free-text safety classification. Transfer to the United States is covered by Standard Contractual Clauses per the OpenAI Data Processing Addendum §4.1. OpenAI retains API inputs for up to 30 days for abuse-monitoring purposes then deletes them; OpenAI does not use API content to train its models by default.
  • Sentry GmbH (Frankfurt, Germany) — error reporting and performance monitoring with EU data residency. Sentry’s group also self-certifies under the EU-U.S. Data Privacy Framework for any transfers to the United States, with Standard Contractual Clauses as a fallback transfer safeguard.
  • DiceBear (Florian Körner, Germany) and Bunny.net (its CDN provider) — generate anonymous avatar SVGs from a seed string transmitted in the request URL. The seed we send is a user identifier; DiceBear and Bunny.net observe this identifier together with the request’s IP address as part of normal HTTP request logging. We send no other personal data.

Other users of the App can see information you make visible by using the App: your display name, avatar, play-style label, badges, battle results in shared battles, rivalry records with users you have battled, leaderboard rankings, and content you submit to public surfaces such as the Daily Arena. Users in the 13–15 band cannot enter the Daily Arena and therefore do not appear on its public leaderboards. In addition, profiles of users in the 13–15 band default to non-public (visible to friends only) and cannot be set to public visibility.

We may disclose data to law enforcement or competent authorities where required by applicable law, court order, or to protect the rights, safety, or property of users or the public.

Online-platform status under the Digital Services Act. Game of Chores is an online platform under EU Regulation 2022/2065 (the Digital Services Act). The App qualifies as a micro enterprise and is therefore exempt from most online-platform-specific obligations under DSA Article 19, but remains subject to baseline intermediary obligations: a single point of contact for authorities (privacy@gameofchores.me); a notice-and-action mechanism for illegal content (the in-App Report tool — see Section 2.11); a statement-of-reasons obligation for content-moderation decisions (delivered via the affected user’s in-App activity feed); and the prohibition on targeted advertising to minors (the App shows no advertising, targeted or otherwise).

We will notify users in advance of material sub-processor changes via the change-notification channel described in Section 11.

5. International data transfers

Your primary data is stored and processed on Google Cloud infrastructure in the European Economic Area:

  • Cloud Firestore: eur3 multi-region (Belgium and the Netherlands)
  • Cloud Storage: EU multi-region
  • Cloud Functions: europe-west1 (Belgium)
  • Vertex AI for Gemini: europe-west4 (the Netherlands)
  • Sentry error reporting: EU data residency (Frankfurt, Germany)

Four categories of processing occur outside the European Economic Area today, each with a documented safeguard:

  • Anthropic Claude (United States, AI fallback provider): covered by Standard Contractual Clauses (Module 2) under Anthropic’s Commercial Terms DPA.
  • OpenAI Moderation: customer counterparty is OpenAI Ireland Limited; the onward transfer from OpenAI Ireland to OpenAI OpCo LLC (United States) for technical service delivery is covered by Standard Contractual Clauses per the OpenAI DPA §4.1.
  • Apple Sign in: for EEA and Swiss users, Apple’s controller is Apple Distribution International Limited (Ireland); the onward transfer to Apple Inc. (United States) for storage is governed by Standard Contractual Clauses per Apple’s published privacy policy.
  • Google Cloud Vision (used only for Daily Arena image-safety preprocessing): runs at Google’s default region for our project and may operate outside the European Economic Area. Google is certified under the EU-U.S. Data Privacy Framework, with Standard Contractual Clauses as a fallback transfer safeguard. A migration to an EU-pinnable surface is on our roadmap.

As the user base grows, we expect to add a United States storage region for users outside Europe. We will notify users of material changes to storage regions in advance via the change-notification channel in Section 11.

6. How long we keep it

  • Active account data: retained while your account exists.
  • Battle and Daily Arena records, including proof photos, AI verification verdicts, and side-bet outcomes: retained while your account exists. When you delete your account, your proof photos are hard-deleted; the battle and Arena records themselves are retained for the other participants with your display name and avatar replaced as described below.
  • Text moderation cache (short-term cache of approved text-content classifications): automatically deleted 7 days after approval.
  • AI task-breakdown cache: shared across users, keyed by chore-title hash or catalog ID, retained indefinitely while the App operates. The original title text is not stored.
  • Invite-link records: each record carries an expiration timestamp set to 7 days after creation; Firestore’s time-to-live mechanism deletes the record within ~24 hours of expiration (applies to both unused and redeemed records).
  • Sign-in logs (IP address, device metadata, sign-in events) in Firebase Authentication: retained per Google Cloud’s published Firebase Auth default.
  • Aggregated and anonymized analytics: retained indefinitely.
  • Other logs and security records: retained as needed for fraud prevention and security investigations, typically no longer than 90 days.

Account deletion: when you delete your account (Settings → Delete account; three-step confirmation requiring you to type “delete my account”), we purge your personal data from our database within 7 days:

  • Your account record, profile data, FCM push tokens, side-bet records, and activity feed entries are hard-deleted.
  • Your proof photos (battle and Daily Arena) are hard-deleted from Cloud Storage. Other participants in your past battles will see a “[proof deleted]” placeholder where your photo used to appear.
  • Your display name and avatar are replaced with “Deleted User” and a default avatar everywhere they appear in other users’ app state — rivalry records, activity feed entries, Daily Arena Weekly Champion records, and House War Champion records.
  • Your Firebase Authentication record is deleted last, irrevocably ending the sign-in chain.

If you do not delete your account, we may delete inactive accounts after a long period of inactivity, with notice where reasonable.

7. Your rights under GDPR

If GDPR applies to you, you have the right to:

  • Access the personal data we hold about you (Art. 15)
  • Rectify inaccurate or incomplete data (Art. 16)
  • Erase your data, the “right to be forgotten” (Art. 17) — also available in-App via Settings → Delete account
  • Restrict processing in certain circumstances (Art. 18)
  • Data portability — receive your data in a structured, machine-readable format (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time for consent-based processing (Art. 7(3))
  • Not be subject to a decision based solely on automated processing where it produces legal or similarly significant effects (Art. 22) — see below
  • Lodge a complaint with a supervisory authority (Art. 77)

Automated decision-making and profiling (GDPR Art. 22 and Art. 13(2)(f))

The AI Referee feature, when enabled for a battle or required by the format (Daily Arena, House Wars), reaches an approval-or-challenge verdict on your proof photo without human intervention. This verdict affects whether the battle counts toward XP, streaks, and your head-to-head record. You have the right not to be subject to that decision under Art. 22, exercised through the following safeguards:

  • Human review: if you disagree with an AI Referee verdict, you can challenge it via the Activity feed. Your rival is asked to review the proof and confirm or overturn the verdict. For Daily Arena and House Wars (where rival review does not apply), you can email privacy@gameofchores.me to escalate; we will review the verdict manually and reverse it if the rubric was misapplied.
  • Opt-out for 1v1 battles: AI Referee is an opt-in toggle for 1v1 battles; if you turn it off, every proof submitted in your 1v1 battles is reviewed by your rival, not by the AI.
  • Logic: the AI is asked to judge whether the proof photo matches the chore description against a safety-and-completeness rubric. The verdict and a short reasoning string are stored with the battle so you can see why a verdict was reached.

The play-style label we display on your profile (for example “Speed Cleaner”) is derived from the categories and timings of your completed battles. This is profiling under GDPR Art. 4(4); however it does not produce legal or similarly significant effects and is not subject to Art. 22. You can request that the label not be displayed by emailing privacy@gameofchores.me.

To make a request

Email privacy@gameofchores.me with: the email address you used at sign-up; the right you are exercising (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, or Art. 22 contestation); and any clarification we may need to act on the request (for portability, your preferred format). We respond within 30 days as required by GDPR Art. 12(3); for complex requests we may extend by up to 60 days and we will notify you of the extension within the first 30 days. We may ask you to verify your identity before acting on a request.

8. Supervisory authority

The lead supervisory authority for the controller is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Postbus 93374, 2509 AJ Den Haag, Netherlands
autoriteitpersoonsgegevens.nl

You may also lodge a complaint with the supervisory authority in your country of residence. The Autoriteit Persoonsgegevens coordinates with other EU and EEA authorities via the one-stop-shop mechanism set out in GDPR Articles 56 and 60.

9. Children

The App is intended for users aged 13 and over. We enforce this with an age gate at first launch, which produces one of four age bands:

  • Under 13 — blocked from creating an account.
  • 13–15 — restricted minor. The Netherlands implements GDPR Art. 8 with a digital-consent age of 16, and several other EU jurisdictions also set an age higher than 13 (Germany 16, France 15, Italy 14, Spain 14, Croatia 16, Hungary 16, Slovakia 16, Slovenia 15, Lithuania 14, Austria 14). Users in this band cannot legally provide the consent needed for notifications and contacts processing without parental authorization, which the App does not collect. For users in this band we enforce, both in-app and on the server: push notifications cannot be enabled (the priming screen is not shown and no FCM token is registered); the Daily Arena cannot be entered, so 13–15 users do not appear on its public leaderboards; and the profile defaults to non-public (visible to friends only) and cannot be set to public. When the contacts-based friend finder becomes available, the contacts permission will likewise be unavailable to this band; that restriction is not yet in effect because the feature has not shipped.
  • 16–17 — standard minor. Notifications, contacts, and other permission flows behave as for adults.
  • 18+ — adult. Full access.

Auto-transition: the age band is computed from your declared date of birth each time the App opens. On your 16th birthday the App moves you from the 13–15 band to the 16–17 band and the previously-restricted permissions become available (still default-OFF until you opt in). On your 18th birthday the App moves you to the 18+ band.

We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, email privacy@gameofchores.me and we will delete it.

10. Security

We protect your data with technical and organizational measures appropriate to the risk under GDPR Art. 32:

  • Transport security: TLS 1.2 or higher for all client-to-server and server-to-sub-processor traffic.
  • Encryption at rest: Cloud Firestore and Cloud Storage use Google-managed KMS-backed encryption keys for data at rest.
  • Access control: Firestore security rules enforce that users can only read and write data they are authorized to access; the rules are tested against an access-control rubric before each release.
  • Server-side validation: moderation results and the battle-complete transaction are validated on Cloud Functions before any client-supplied write is committed.
  • Least privilege: service-account permissions on Cloud Functions and provider integrations are scoped to the minimum needed for the function; secrets (API keys, sub-processor credentials) are stored in Google Cloud Secret Manager and not in source control.
  • Resilience and recovery: Cloud Firestore and Cloud Storage data are replicated across multiple availability zones within the eur3 multi-region (Belgium and the Netherlands) and the EU multi-region respectively, with point-in-time recovery available for Firestore. We test recovery procedures periodically and target a recovery-time objective of 24 hours for non-catastrophic incidents.
  • Breach notification: in the event of a personal-data breach, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of it as required by GDPR Art. 33, and we will notify affected users without undue delay where Art. 34 applies.

No system is perfectly secure. We will continue to harden our measures as the App scales and as risks evolve.

11. Changes to this policy

We may update this Privacy Policy from time to time.

Material changes — including the addition of a new sub-processor, a new data category, a change of controller, or a material change to a retention period — are notified by an in-app banner on the next App open and a “Last updated” badge displayed in Settings for 30 days. We update the “Last updated” date at the top of this page in every case. Minor changes (typo fixes, clarifications, formatting) update the “Last updated” date only.

If you object to a material change before it takes effect, you can delete your account from Settings → Delete account; continued use of the App after the change takes effect constitutes acknowledgement of the updated policy.

The information disclosed in this Privacy Policy is consistent with the Privacy Nutrition Label entered in Apple App Store Connect and the Data Safety section entered in Google Play Console for the App. If we update one, we update the others to match.

12. Contact

For privacy questions, requests, or complaints:

privacy@gameofchores.me

13. Additional information for users in Turkey (KVKK)

If you are located in Turkey, the Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu — Law No. 6698, “KVKK”) applies to our processing of your data, in addition to GDPR. This Section discharges our transparency obligation under KVKK Art. 10 (Aydınlatma Yükümlülüğü).

Data controller (Veri Sorumlusu): Umut Aktaş, Utrecht, the Netherlands. Contact: privacy@gameofchores.me.

Lawful grounds (KVKK Art. 5 and Art. 6): we process personal data of Turkish users on the same grounds as set out in Section 3 for GDPR, mapped to KVKK equivalents — contract necessity (Art. 5(2)(c)), legitimate interests (Art. 5(2)(f)), legal obligation (Art. 5(2)(ç)), and explicit consent (Art. 5(1)) for notifications and contacts processing. Special-category data (Art. 6) is not knowingly processed; if proof photos or other UGC incidentally contain special-category content, we rely on explicit consent under Art. 6(2) by virtue of the user voluntarily uploading the content for the App’s intended purpose, and we do not use such content for any purpose beyond the App’s core functionality.

Your KVKK rights (Art. 11) mirror your GDPR rights above: information about processing, access, correction, erasure or destruction, notification of correction or erasure to third parties, objection to results of automated processing, and compensation for damages from unlawful processing.

Supervisory authority: Kişisel Verilerin Korunması Kurulu (KVKK Kurulu), Ankara, Turkey — kvkk.gov.tr.

Cross-border transfers under KVKK. Amendments to KVKK Article 9 effective 1 June 2024 (Law No. 7499 of March 2024) and the Cross-Border Transfer Regulation effective 1 September 2024 changed the framework for transfers of personal data of Turkish users abroad. For the App’s regular and systematic transfers — authentication, AI processing, error reporting (as set out in Section 5) — we rely on the same Standard Contractual Clauses already used for GDPR transfers (Anthropic Commercial Terms DPA SCCs Module 2; OpenAI DPA §4.1 SCCs); for incidental transfers we may also rely on explicit consent under Article 9(6). Turkish SCC notification to the Personal Data Protection Authority is pending as a known V1 pre-launch compliance task; we are tracking this separately and will update Turkish users when the notification has been filed.

Veri Sorumlusu Temsilcisi (Turkish controller representative) and VERBİS registration. At V1 launch, the controller falls below the VERBİS registration thresholds published by the Turkish Personal Data Protection Authority based on annual employee count and turnover. We re-evaluate this status at the close of each financial year and will appoint a Turkish data controller representative and complete VERBİS registration before exceeding the thresholds. Until then, KVKK rights and contact requests can be exercised directly via privacy@gameofchores.me.


This Privacy Policy is governed by the laws of the Netherlands. Any disputes are subject to the exclusive jurisdiction of the courts of Utrecht, the Netherlands, without prejudice to (a) mandatory provisions of Turkish law for users resident in Turkey, and (b) mandatory consumer-protection law in your country of residence that grants you the right to bring proceedings in your local courts.