This Privacy Policy explains how Sidestory ("we", "our", or "the app") collects, uses, and protects your personal data when you use the mobile application Sidestory.
01 General Information
- App name: Sidestory
- Provider: Michael Zauner
- Contact email: sidestep@mzappworks.dev
We take the protection of your personal data seriously and process it in accordance with applicable data protection laws, in particular the General Data Protection Regulation (GDPR).
02 Data We Collect
We collect and process the following data depending on how you use the app:
2.1 Authentication Data
When you sign in with Google or Apple, we receive and store:
- Your name (as provided by your Google or Apple account)
- Your email address
- A unique user ID issued by Firebase Authentication
This data is used solely to identify your account and enable access to the app.
2.2 User-Generated Content
The app collects and stores the following data associated with your account:
- Quest progress and completion history
- Sidestories, journal entries, and mood ratings ("memories")
- Photos you choose to attach to completed quests
- Personal preferences (language, theme, interests, personal place)
This data is synced to and stored on our backend infrastructure hosted by Supabase (see Section 4) in the European Union. A local copy may be cached on your device for offline access.
2.3 Location Data
The app may request access to your device's location to personalize certain quest suggestions (e.g. your "personal place"). Location data is processed on-device. Only derived information you explicitly save (e.g. a chosen "personal place") is transmitted to our backend.
2.4 Technical and Usage Data
To ensure stable operation and improve the app, the following technical and usage data may be processed via Firebase Analytics and Firebase Crashlytics:
- Device information (operating system, device model, language)
- App version and installation ID
- Crash and error details
- App usage events (e.g. screens viewed, quests started or completed) in aggregated, pseudonymized form
Advertising identifiers (IDFA / Android Advertising ID) are disabled. We do not use this data for advertising or cross-app tracking.
03 How We Use Your Data
We use collected data to:
- Provide and operate the app
- Authenticate and manage user accounts
- Improve app functionality and user experience
- Detect, analyze, and fix technical issues
- Ensure app security and stability
04 Third-Party Services (Data Processors)
The app relies on the following third-party services, which act as data processors on our behalf and may process your data in accordance with their own privacy policies:
- Firebase Authentication (Google Ireland Ltd. / Google LLC) – user sign-in and account management
- Firebase Analytics & Crashlytics (Google Ireland Ltd. / Google LLC) – aggregated usage analytics and crash reporting (advertising IDs disabled)
- Google Sign-In (Google LLC) – OAuth authentication via Google
- Sign in with Apple (Apple Inc.) – OAuth authentication via Apple
- Supabase (Supabase Inc.) – backend database and file storage for your account, quest data, sidestories, memories, and photos. Our Supabase project is hosted in the European Union.
- Resend (Resend, Inc.) – transactional email delivery, used to send account verification emails and magic sign-in links
Firebase, Google, Apple, and Resend services may process data outside the European Union (including in the United States). These providers participate in the EU-U.S. Data Privacy Framework and/or rely on Standard Contractual Clauses to provide appropriate safeguards in accordance with GDPR (Art. 44–49). Supabase data for this app is stored in the EU.
For more information, see:
- Firebase Privacy Policy
- Google Privacy Policy
- Apple Privacy Policy
- Supabase Privacy Policy
- Resend Privacy Policy
05 Data Storage and Security
We apply appropriate technical and organizational measures to protect your data against unauthorized access, loss, or misuse.
- Authentication data is stored securely via Firebase Authentication.
- Account data, quest progress, sidestories, memories, journal entries, photos, and preferences are stored on our Supabase backend, hosted in the European Union. Transport is encrypted via TLS, and database access is restricted via row-level security policies tied to your authenticated user ID.
- A local copy of your content may be cached on your device for offline use.
- Verification emails and magic links are delivered via Resend; email metadata may be retained by Resend for delivery diagnostics in line with their privacy policy.
- Data is retained only as long as necessary for the purposes described in this policy or until you delete your account.
06 Your Rights (GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Request deletion of your data
- Restrict or object to data processing
- Request data portability
- Lodge a complaint with a supervisory authority (in Austria: Datenschutzbehörde)
To exercise your rights, please contact us at sidestep@mzappworks.dev.
07 Account and Data Deletion
You may request the deletion of your account and associated personal data at any time by contacting us at sidestep@mzappworks.dev. Upon deletion, we will remove your authentication record, account profile, sidestories, memories, journal entries, photos, and quest history from our Supabase backend within 30 days, except where retention is required by law.
Locally cached data on your device can additionally be removed by uninstalling the app. Note that uninstalling the app alone does not delete data stored on our backend — please submit a deletion request to remove server-side data.
08 Age Restriction
Sidestory is intended for users aged 16 and older. We do not knowingly collect personal data from individuals under the age of 16. If you believe a person under 16 has provided us with personal data, please contact us and we will delete it promptly.
09 Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be published on this page with an updated "Last updated" date and are effective immediately upon publication. We recommend checking this page periodically.
10 Contact
If you have any questions about this Privacy Policy or data protection, please contact: