Privacy Policy

This Privacy Policy describes how Bregox AS ("Company," "we," "us," or "our") collects, uses, and shares information about you when you use our mobile applications and related services (collectively, the "Service").

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: When you create an account, we collect your name, email address, and password. This data is securely stored using our backend provider, Supabase, on servers located in Ireland.
• Profile Information: Any additional information you choose to add to your profile.
• Communications: When you contact us for support or feedback, we collect the information you provide.
• Guest Users: If you use a guest-enabled product, we do not collect account information, but you are still subject to device and usage data collection as outlined below.

1.2 Information Collected Automatically

When you use our Service, we automatically collect certain information, including:

• Device Information: Device type, operating system, unique device identifiers, and mobile network information.
• Usage Information: How you interact with the Service, including which decks (card sets) you open, which individual cards you view and for how long, and whether quiz answer buttons are pressed. This data is aggregated and anonymous — it is used solely to understand which decks are popular and to guide content decisions.
• Log Data: IP address, access times, app crashes, and system activity.
• Location Information: General location based on IP address (we do not collect precise GPS location).
• Local Preferences: We store certain preferences on your device (language selection, analytics consent choice, and saved decks for guest users) using local device storage. This data is not transmitted to our servers and is cleared when you uninstall the app.

Analytics and crash data collection is not enabled by default and requires your explicit consent. You can enable or disable it at any time in the app's Settings.

1.3 Information from Third Parties

If you choose to sign in using a third-party service (such as Apple or Google), we receive certain profile information from that service, such as your name, email address, and profile picture, in accordance with your privacy settings on that platform.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Create and manage your account
• Process transactions and send related information
• Send technical notices, updates, security alerts, and support messages
• Respond to your comments, questions, and requests
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent fraudulent transactions and abuse
• Personalize and improve your experience
• Comply with legal obligations

3. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom (UK), our legal basis for collecting and using your personal information depends on the specific information and context:

• Contract Performance: Processing necessary to provide the Service you requested.
• Legitimate Interests: Processing for our legitimate business interests, such as improving the Service, provided these interests are not overridden by your rights.
• Consent: Where you have given explicit consent for specific processing activities.
• Legal Compliance: Processing necessary to comply with legal obligations.

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

• Service Providers: With third-party vendors who perform services on our behalf (hosting, analytics, customer support).
• Legal Requirements: When required by law, regulation, legal process, or governmental request.
• Protection of Rights: To protect the rights, property, and safety of Bregox AS, our users, or others.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.
• With Your Consent: When you have given us permission to share your information.

5. Third-Party Services

Our Service integrates with third-party services to function effectively. We use the following providers:

• Cloud Infrastructure & Database: We use Supabase to securely store user accounts and app data. This data is hosted on servers located in Ireland (EEA) via Amazon Web Services.
• Authentication Providers: We offer sign-in functionality through Apple and Google.
• Analytics & Stability: We use Google Firebase Analytics and Crashlytics to monitor app stability, track crashes, and understand aggregate usage patterns (such as which decks are most played). Firebase Analytics does not use advertising identifiers (IDFA) and is not used for ad targeting or cross-app tracking. Analytics data is only collected with your in-app consent, which you can change anytime in Settings. Data processed by Firebase may be transferred to the United States.
• Subscription Management: We use RevenueCat to manage in-app subscriptions and process purchase receipts. RevenueCat receives subscription status and receipt data to validate and manage your premium access. Bregox AS does not store your payment card information — payment is processed by Apple or Google through their respective in-app purchase systems. RevenueCat's privacy policy is available at rev.cat/privacy.
• Transactional Email: We use Resend to send account-related emails such as authentication and password reset messages. Resend may process your email address and related metadata. Resend is based in the United States.

These third parties have their own privacy policies. Information shared with them is strictly limited to what is necessary for their specific function.

6. Data Retention

We retain your personal information for as long as necessary to:

• Provide the Service to you
• Comply with legal obligations
• Resolve disputes and enforce agreements
• Achieve the purposes described in this Privacy Policy

You can delete your account directly within the app's Settings. When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal purposes. Please note that deleting your account does not automatically cancel an active subscription — you must cancel your subscription separately through your App Store or Google Play account settings.

Transaction records and financial data necessary to comply with Norwegian accounting law (Bokføringsloven), VAT obligations, and other applicable legal requirements may be retained for the period required by law, regardless of account deletion.

Analytics and crash report data processed by Google Firebase is retained according to Google's own retention settings — typically up to 14 months for analytics events and 90 days for crash reports.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Secure authentication mechanisms
• Regular security assessments
• Access controls and monitoring

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. International Data Transfers

Bregox AS is based in Norway. Your primary account data is stored securely in Ireland (EEA) via our infrastructure provider. However, some usage data, crash reports, and analytics processed by providers like Google Firebase may be transferred to and stored in countries outside the EEA, including the United States.

When we transfer data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place. Our US-based providers include Google (Firebase Analytics and Crashlytics), RevenueCat (subscription management), and Resend (transactional email). We rely on the EU-US Data Privacy Framework where the provider is certified, and Standard Contractual Clauses approved by the European Commission as an additional or alternative safeguard.

9. Your Rights and Choices

9.1 All Users

You have the right to:

• Access your personal information
• Update or correct inaccurate information
• Delete your account and associated data (available in-app and upon request via privacy@bregox.com)
• Opt out of promotional communications
• Disable push notifications through device settings

9.2 EEA, UK, and Swiss Users (GDPR)

Under the General Data Protection Regulation, you have additional rights:

• Right of Access: Request a copy of your personal data.
• Right to Rectification: Request correction of inaccurate data.
• Right to Erasure: Request deletion of your data ("right to be forgotten").
• Right to Restriction: Request limited processing of your data.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
• Right to Lodge a Complaint: File a complaint with your local data protection authority.

To exercise any of these rights, contact privacy@bregox.com. We will respond to your request within one month. In complex or multiple requests, we may extend this period by up to two additional months and will notify you of any extension. To request a copy of your data in a portable format, include that in your email — portable data includes your account information and saved deck preferences.

9.3 California Residents (CCPA)

Although Bregox AS may not currently meet the applicability thresholds of the California Consumer Privacy Act, we extend the following rights to California residents as a matter of good practice:

• Know what personal information is collected and how it is used
• Request deletion of personal information
• Opt out of the sale of personal information (we do not sell personal information)
• Non-discrimination for exercising privacy rights

To exercise these rights, contact us using the information provided below.

10. Children's Privacy

Our Service is not directed to children. Age restrictions for accessing the app are set and enforced by the platform through which you download it (Apple App Store or Google Play) based on the app's content rating. In accordance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

If we discover that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly.

For users in the EEA, we comply with local laws regarding the age of consent for data processing, which may be higher than 13 in some countries.

11. Cookies and Tracking Technologies

Our mobile application may use local storage, analytics SDKs, and similar technologies to collect and store information. These technologies help us:

• Remember your preferences and settings
• Understand how you use the Service
• Improve performance and functionality
• Provide personalized content

You can manage certain tracking through your device settings.

Our website (pots.bregox.com) may use essential cookies for site functionality. We do not use advertising cookies or cross-site tracking on our website.

12. Do Not Track

Some browsers include a "Do Not Track" (DNT) feature. Because there is no accepted standard for how to respond to DNT signals, our Service does not currently respond to DNT browser signals.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy in the app
• Updating the "Last updated" date
• Sending you a notification (for significant changes)

Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy.

14. Privacy Contact

For questions about our data protection practices or to exercise your rights, you may contact our privacy team at:

Email: privacy@bregox.com

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Bregox AS
Solbergliveien 42, 0671 Oslo, Norway
Email: privacy@bregox.com

For general support inquiries: support@bregox.com

If you are located in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.