Privacy Policy

1. Who we are and how to reach our Privacy Officer

Perthro is operated by Rune Art ltd. ("Perthro", "we", "us", "our"), a corporation incorporated federally under the Canada Business Corporations Act and extra-provincially registered in Alberta. Our principal place of business is in Alberta, Canada. Perthro (the "Service") is a social gaming journal app available on the Apple App Store and at perthro.io.

We have designated a Privacy Officer who is accountable for compliance with this policy and with applicable privacy laws, including Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), Alberta's Personal Information Protection Act ("Alberta PIPA"), and Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25. You can reach the Privacy Officer at:

• Email: contact@rune.art (subject line "Privacy Officer")
• Post: Rune Art ltd., addressed to "Privacy Officer"

2. Scope of this policy

This policy applies to personal information that we collect when you use the Perthro mobile app, the perthro.io website, and any related services we operate. It does not apply to third-party services that you reach through Perthro (for example, Steam, PlayStation Network, Xbox Live, or IGDB), which are governed by their own privacy policies.

3. What we collect

3.1 Information you provide

• Account information. Email address, display name, and (optionally) profile photo and bio.
• Authentication. If you sign in with Sign in with Apple, we receive an Apple-issued identifier and the email address you choose to share (which may be a private relay address). We do not receive your full Apple ID.
• Content you create. Game sessions you log, ratings, reviews, lists, comments, votes, bookmarks, and follows.
• Connected platform data (optional). If you connect Steam, PlayStation Network, or Xbox Live, we receive your public profile and your library of owned games. You can disconnect at any time, which revokes our access tokens.
• Support correspondence. Messages you send to contact@rune.art, including any attachments.
• Payment information. If you subscribe to Perthro Pro, payment is handled by Apple. We receive a confirmation that you have an active subscription, but we do not see your payment card or billing address.

3.2 Information collected automatically

• Device and usage data. Device model, operating system version, app version, language, and basic interaction events (for example, screen views and feature usage). Used in aggregate to operate and improve the app.
• Crash reports. If the app crashes, we receive a stack trace, the iOS version, and minimal device context. Crash reports do not contain your reviews, your messages, or your library contents.
• Approximate region. Derived from the IP address used to connect. We do not collect precise GPS location.
• Log data. Server logs (IP address, request timestamps, error codes) retained briefly for security, abuse-detection, and debugging.

3.3 What we do not collect

• We do not collect precise GPS location.
• We do not access your contacts, photos, microphone, or camera unless you explicitly grant permission for a feature that needs it (for example, picking a profile photo from your library).
• We do not perform cross-site behavioural tracking, sell personal information to data brokers, or fingerprint your device or browser.
• We do not share your content with third-party AI training services or large-language-model providers.

3.4 Advertising and analytics on the free tier

The free tier of Perthro shows sponsored cards served by Google AdMob, and asks for App Tracking Transparency (ATT) permission so AdMob can deliver personalized ads using Apple's Identifier for Advertisers (IDFA). Decline the ATT prompt and you'll see only non-personalized ads. Perthro Pro and Perthro Hero subscribers see no ads at all — the ad SDK is not even initialized for them.

We use PostHog for in-app product analytics — screens viewed, features used, basic performance metrics — keyed to your Perthro account ID after sign-in (not to your real name or email). We use Apple AdServices (Apple Search Ads attribution) and SKAdNetwork to measure which marketing campaign drove your install. These Apple-mediated flows are designed to avoid cross-app identity linkage.

We don't currently offer an in-app toggle to disable PostHog analytics. If you want analytics disabled, contact our Privacy Officer and we'll exclude your account; we're also building this toggle into Settings.

4. Why we collect it, and our legal bases

We process personal information for the purposes below. Where the EU/UK General Data Protection Regulation (GDPR/UK GDPR) applies, the corresponding legal basis is shown in brackets.

• To operate the Service. Authenticating you, syncing your library across devices, delivering your feed, powering search, and processing subscriptions. [Legal basis: performance of a contract with you.]
• To keep the Service safe. Detecting abuse, spam, and violations of our Terms of Service and Community Guidelines. [Legal basis: legitimate interests in keeping the Service safe and lawful.]
• To improve the Service. Understanding which features are used and where users get stuck. After sign-in, analytics events are keyed to your Perthro account ID (not your real name or email) — see Section 3.4 for details. We don't currently offer an in-app toggle to disable analytics; if you want analytics disabled, email our Privacy Officer (see Section 1) and we'll exclude your account. We're also building this toggle into Settings. [Legal basis: legitimate interests in improving the Service.]
• To communicate with you. Sending you transactional notifications (for example, password resets, security alerts, important changes to the Service). We do not send marketing or promotional emails without your express opt-in, in accordance with Canada's Anti-Spam Legislation ("CASL"). [Legal basis: performance of a contract; consent for marketing emails.]
• To meet legal obligations. Responding to lawful requests from regulators, courts, and law enforcement. [Legal basis: legal obligation.]

You can withdraw your consent for any optional processing at any time. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal, and may limit your ability to use certain features.

5. Who we share it with

We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We share information only with the limited set of service providers we need to operate Perthro, each bound by a written data-processing agreement that requires a level of protection comparable to ours:

• Supabase for authentication, database, file storage, and backend hosting.
• Apple for TestFlight, App Store distribution, Sign in with Apple, push notifications, and subscription billing.
• IGDB (operated by Twitch Interactive) for game metadata. We send game IDs only; we do not send any user-identifying information.
• Sentry for crash and error reports. Stack traces include the iOS version and minimal device context; they do not contain your reviews, your messages, or your library contents.
• PostHog for in-app product analytics (screens viewed, features used, basic performance metrics). After sign-in, events are keyed to your Perthro account ID.
• Google AdMob for serving sponsored ad cards to Free-tier users only. With your ATT consent, AdMob receives Apple's Identifier for Advertisers (IDFA) for personalized ads; without ATT consent, ads are non-personalized. Pro and Hero subscribers do not load the ad SDK at all.
• Apple AdServices and SKAdNetwork for install-attribution measurement (Apple Search Ads and other ad networks). These flows are Apple-mediated and privacy-preserving by design.
• Resend (our email delivery provider) for transactional email (account verification, password resets, account-deletion confirmations, reauthentication codes).
• Steam (Valve), PlayStation Network (Sony), and Xbox Live (Microsoft) — only when you choose to connect those accounts in Settings. We exchange OAuth tokens, read your library, playtime, and achievements/trophies, and store the refresh tokens encrypted at rest using Supabase Vault. We never see or store your password for any of these services. The PlayStation connection uses APIs that Sony does not formally sanction; we maintain it on a best-effort basis and you may lose access if Sony changes endpoints.

We may also disclose personal information if required by valid legal process (for example, a subpoena, court order, or lawful production order), to enforce our Terms, to investigate suspected fraud or violations of our Community Guidelines, or to protect the rights, safety, and property of users or the public.

If we are ever involved in a merger, acquisition, financing, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you (and where required, obtain your consent) before your information becomes subject to a different privacy policy.

6. Where your data is stored and cross-border transfers

Some of our service providers store and process personal information outside Canada, primarily in the United States and the European Union. Specifically:

• Supabase projects can be hosted in regions including the United States, Canada, the European Union, and the United Kingdom. We host the Perthro project in a region selected for performance and regulatory fit.
• Sentry stores crash data in the United States or European Union depending on the data residency we have selected.
• PostHog (PostHog Inc.) hosts our analytics data in the United States.
• Google (AdMob, AdServices, SKAdNetwork postbacks) processes ad-request and attribution data on Google's and Apple's global infrastructure, primarily in the United States.
• Apple processes App Store, TestFlight, AdServices, and SKAdNetwork data on its global infrastructure.

When personal information is transferred outside of Canada, it remains subject to the laws of the country in which it is stored, including any laws permitting access by foreign government, law enforcement, or national security authorities. We use contractual safeguards (including, where applicable, the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum) to require comparable protection for transferred data, and we remain accountable to you for personal information processed on our behalf.

If you would like more detail about the specific countries where your data is processed, contact our Privacy Officer.

7. How long we keep it

We keep personal information only as long as we need it for the purposes set out in this policy, or as required by law. Specific retention windows:

• Account profile and content (reviews, ratings, sessions, lists, follows, bookmarks): kept while your account is active. Removed within 30 days after you delete your account, with limited backup copies purged within a further 60 days.
• Connected-platform tokens (Steam, PSN, Xbox): kept while connected. Revoked and deleted immediately on disconnect or account deletion.
• Server access logs: up to 30 days.
• Crash reports: up to 90 days.
• Support correspondence: up to 2 years after the matter is resolved.
• Records required for tax, accounting, or legal compliance: for the period required by applicable law (typically 6 to 7 years for Canadian tax records).
• Aggregate, anonymized metrics (for example, "X reviews were posted last month") may be retained indefinitely. These cannot be linked back to any individual.

8. How we protect it

We use technical and organizational safeguards appropriate to the sensitivity of the information, including:

• Encryption in transit (TLS 1.2 or higher) for all connections between the app, the website, and our servers.
• Encryption at rest for databases and file storage.
• Column-level encryption of sensitive credentials (connected-platform OAuth refresh tokens for PlayStation Network and Xbox Live) using Supabase Vault, on top of standard disk-level at-rest encryption.
• Reauthentication via a one-time email code for account deletion, so a stolen session token cannot be used to wipe an account.
• Access controls and audit logging for staff systems, with access granted on a need-to-know basis.
• Multi-factor authentication on administrative accounts.
• Regular review of our service providers' security posture.

No method of transmission or storage is 100% secure. If we become aware of a breach affecting your personal information, we will follow the breach-notification process described below.

9. Automated decisions, profiling, and AI

We do not use your personal information to make decisions about you that produce legal or similarly significant effects through fully automated means. We do not perform behavioural profiling for advertising. We do not train large-language models, image generators, or other AI systems on your reviews, lists, profile, or other content, and we do not provide your content to third parties for those purposes.

Some operational systems use rules and signals to surface possibly abusive content for human review (for example, automated spam detection). A human moderator reviews any consequential action.

10. Your rights

Depending on where you live, you have rights with respect to your personal information. We honour these rights for everyone, regardless of jurisdiction, where it is feasible to do so.

You may have the right to:

• Access the personal information we hold about you, and receive a copy in a portable format.
• Correct inaccurate or incomplete information.
• Delete your account and associated personal information ("right to be forgotten").
• Object to certain processing (for example, processing based on legitimate interests).
• Restrict certain processing while we look into a request.
• Withdraw consent for any optional data uses at any time.
• Receive a copy of your data in a structured, commonly used, machine-readable format ("data portability").
• Lodge a complaint with your local data-protection authority (see section 16).
• Not be subject to a fully automated decision that produces legal or similarly significant effects.

To exercise any of these rights, email our Privacy Officer at contact@rune.art from the email associated with your account, or use the in-app controls under Settings → Account. We will respond within 30 days of receiving a verifiable request, and may extend that period (with notice to you) where the request is complex.

We do not charge a fee for handling rights requests, except where a request is manifestly unfounded or excessive (for example, repetitive requests), in which case we may charge a reasonable fee or decline to act, and will explain why.

11. Deleting your account

You can delete your Perthro account at any time:

• Inside the app: Settings → Account → Delete account.
• On the web: visit perthro.io/delete-account.
• By email: write to contact@rune.art from the email address associated with your account.

Once requested, your profile, sessions, ratings, reviews, lists, comments, follows, bookmarks, and connected-platform tokens are removed from our active systems within 30 days. Backup copies are purged within a further 60 days. Anonymized aggregate metrics may persist (see section 7).

Deleting your Perthro account does not cancel any active Perthro Pro subscription; subscriptions are managed by Apple, see our Subscription Terms.

12. Children: minimum age 16

Perthro is not intended for, and may not be used by, anyone under 16 years of age, anywhere. We do not knowingly collect personal information from anyone under 16.

This single global threshold is set above the highest applicable age of consent we encountered (the GDPR's age of digital consent, which can be up to 16 in some EU member states), and well above the COPPA threshold of 13 (United States) and Quebec's Law 25 threshold of 14 for sensitive consents. It also avoids the regulatory complexity of operating a public social feed for minors.

If you are a parent or guardian and you believe a child under 16 has created a Perthro account, contact us at contact@rune.art and we will delete the account and any associated personal information promptly. If we discover an underage account ourselves, we will delete it without prior notice.

13. Data breach notification

If we suffer a breach of security safeguards involving your personal information, and the breach creates a real risk of significant harm to you, we will:

• Notify you directly without undue delay, by email and in-app notice.
• Report the breach to the Office of the Privacy Commissioner of Canada ("OPC") in accordance with PIPEDA.
• Where applicable, report the breach to the Commission d'accès à l'information du Québec ("CAI"), the UK Information Commissioner's Office ("ICO"), the relevant EU supervisory authority, or other competent regulators.
• Keep records of every breach involving personal information for at least 24 months, as required by PIPEDA.
• Notify other organizations or government institutions where doing so could reduce the risk of harm.

14. Region-specific notices

14.1 Canada (PIPEDA and Alberta PIPA)

If you live in Canada, your personal information is protected by PIPEDA (federal) and, where applicable, by the privacy law of your province. Because Rune Art ltd. has its principal place of business in Alberta, Alberta's Personal Information Protection Act (Alberta PIPA) applies to most of our day-to-day handling of personal information about Canadian residents, alongside PIPEDA for inter-provincial and international flows. Residents of Quebec are additionally protected by Quebec's Law 25; residents of British Columbia by BC's PIPA. You have the rights described in section 10. Our Privacy Officer is your first point of contact for any concern.

14.2 Quebec residents (Law 25)

If you reside in Quebec, you have additional rights under An Act respecting the protection of personal information in the private sector, as amended by Law 25, including the right to be informed of any use of your personal information for automated decision-making (we do not use it for this purpose, see section 9), the right to data portability, and specific protections for sensitive information. Communications can be in French on request.

14.3 European Union and United Kingdom (GDPR / UK GDPR)

If you are in the EU, EEA, or UK, the legal bases for our processing are described in section 4. International transfers are described in section 6. You may lodge a complaint with your national data-protection authority. We do not have a permanent establishment in the EU or UK, and we do not currently maintain an EU/UK Article 27 representative; we will appoint one if our user base in those regions reaches the threshold that requires it.

14.4 California (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the CPRA. We do not "sell" or "share" personal information as those terms are defined under the CCPA, including for cross-context behavioural advertising. We do not use sensitive personal information for purposes that require an opt-out under the CPRA. You can exercise your CCPA rights (to know, delete, correct, and limit) using the contacts in section 17.

14.5 Other regions

If you are in another region with applicable privacy law (for example, Brazil's LGPD, Australia's Privacy Act), we apply the protections in this policy and honour the rights in section 10 to the extent feasible.

15. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you in the app and by email, and update the "Last updated" date at the top of this page. Material changes that require your consent (for example, a new processing purpose) will not apply to you until you accept them. Your continued use of Perthro after a non-material change constitutes acceptance of the revised policy.

16. Complaints and contact

If you have questions, concerns, or a complaint about how we handle your personal information, please contact our Privacy Officer first at contact@rune.art. We take complaints seriously and will work to resolve them.

You also have the right to lodge a complaint with the appropriate regulator:

• Canada (federal): Office of the Privacy Commissioner of Canada, priv.gc.ca.
• Quebec: Commission d'accès à l'information du Québec, cai.gouv.qc.ca.
• Alberta: Office of the Information and Privacy Commissioner of Alberta, oipc.ab.ca.
• British Columbia: Office of the Information and Privacy Commissioner for British Columbia, oipc.bc.ca.
• United Kingdom: Information Commissioner's Office, ico.org.uk.
• European Union / EEA: the data-protection authority of your country of residence.
• California: California Privacy Protection Agency, cppa.ca.gov; or the California Attorney General.

Rune Art ltd. is the data controller (under GDPR/UK GDPR) and the organization accountable for personal information (under PIPEDA) for the purposes of this policy.