Rich Score is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and your rights as a user — including your rights under the EU General Data Protection Regulation (GDPR).
1. Who We Are
Rich Score ("we", "us", "our") is the data controller responsible for your personal data. Rich Score is operated by Hoovus Kinnisvara OÜ (registry code 16775200), Estonia.
Contact: support@listoflegacy.com
2. What Data We Collect
Account Data
- Email address (from registration or Google Sign-In)
- Display name and username
- Google account ID (if you sign in with Google)
- Apple ID (if you sign in with Apple)
- Email verification status
Profile Data (optional, provided by you)
- Profile photo and cover photo
- Bio and social links
- Country and company name
- Privacy setting (public / private profile)
Subscription and Financial Data
- Subscription tier and status
- Subscription start and end dates
- Contribution history (amounts, dates, types)
- Stripe customer ID (payment processing handled entirely by Stripe — we never store card details)
App Activity Data
- Leaderboard rank and Rich Score
- Followers and following list
- Activity events (contributions, rank changes)
- In-app notifications
3. Why We Collect It (Legal Basis)
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account | Contract performance |
| Processing subscriptions and payments | Contract performance |
| Displaying your profile and rank publicly | Consent (you choose to join) |
| Sending transactional emails (verification, cancellation) | Contract performance |
| Improving the service and fixing bugs | Legitimate interest |
| Complying with financial record-keeping obligations | Legal obligation |
4. Who We Share Data With
We do not sell your data. We share data only with the third-party processors necessary to operate the service:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription management | Ireland (EU) |
| Cloudinary | Profile photo and cover photo storage and delivery | USA (SCCs) |
| Google (OAuth) | Authentication via Google Sign-In | Ireland (EU) |
| Railway | Backend server and database hosting | USA (SCCs) |
| Resend | Transactional email delivery | USA (SCCs) |
Transfers to the USA are covered by Standard Contractual Clauses (SCCs) as required by GDPR Chapter V.
5. How Long We Keep Your Data
- Active accounts: for as long as your account is active.
- Deleted accounts: account data is removed within 30 days of a deletion request. Contribution history may be retained in anonymised form for the integrity of the public leaderboard record.
- Financial records: subscription and payment records are retained for 7 years as required by Estonian accounting law.
6. Your Rights Under GDPR
As an EU resident, you have the following rights:
- Right of Access: request a copy of all personal data we hold about you.
- Right to Rectification: correct inaccurate data directly in the app, or by contacting us.
- Right to Erasure: request deletion of your account and personal data.
- Right to Data Portability: receive your data in a structured, machine-readable format.
- Right to Object: object to processing based on legitimate interest.
- Right to Withdraw Consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email support@listoflegacy.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.
7. Cookies and Tracking
The Rich Score website (this page) does not use tracking cookies or third-party analytics. The mobile app uses no advertising trackers. We may use anonymous crash reporting to improve app stability.
8. Children's Privacy
Rich Score is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9. Security
We use industry-standard measures to protect your data: HTTPS encryption in transit, hashed passwords (bcrypt), JWT-based authentication, and access-controlled database hosting. Payment data is handled entirely by Stripe and never touches our servers.
10. Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for significant changes, notify you via email or in-app notification.
11. Contact
For any privacy-related questions or requests:
Email: support@listoflegacy.com