Logo

Privacy Policy

Last updated: May 28, 2026

This Privacy Policy explains how personal data is processed when you use the binked website and apps (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR / DSGVO), the German Federal Data Protection Act (BDSG) and the German Telecommunications-Digital Services Data Protection Act (TDDDG).

1. Controller

Controller within the meaning of Art. 4 No. 7 GDPR is:
Kevin Schmidt
Zugmantelstr. 34b, 65510 Idstein, Germany
Email: contact@binked.app

A Data Protection Officer is not appointed because the legal requirements under Art. 37 GDPR / § 38 BDSG are not met.

2. Scope

This policy covers personal data processed via the binked website (binked.app), the binked mobile applications and any related services. By using the Service you acknowledge this policy; it does not, however, replace any consent we are required to obtain separately.

3. Categories of data, purposes and legal bases

3.1 Server log data

When you visit the Service, our hosting provider automatically processes technical information (IP address, date and time of the request, referrer, user agent, requested resource). This data is used to deliver the Service, ensure stability and detect attacks.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, functional service).
Retention: typically up to 14 days, longer only if needed to investigate a specific incident.

3.2 Account data (Firebase Authentication)

When you create an account, we process your email address, a username, an authentication identifier and the sign-in method (email/password, Google, Apple). Authentication is provided by Firebase Authentication (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; processing may also take place in the USA via Google LLC).
Purpose: account creation, login, security and operation of the Service.
Legal basis: Art. 6(1)(b) GDPR (performance of the user contract).
Retention: for the lifetime of your account. After deletion, residual data is removed within 30 days, unless statutory retention periods require longer storage.

3.3 User-generated content

Replays, avatars, display names, comments and other content you create or upload are processed and stored to provide the Service. Such content is public by default and may be viewed, embedded or indexed by anyone.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and, where applicable, Art. 6(1)(a) GDPR (consent for publication).
Retention: until you delete the content or your account.

3.4 Payments

If you purchase digital goods (e.g. editing rights, table designs, custom avatars), the payment is processed by external payment service providers (e.g. app store operators, Stripe). We receive only the data needed to confirm and fulfil the order; full payment details are processed by the payment provider under their own privacy policy.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) GDPR (compliance with tax and accounting obligations).
Retention: invoice-relevant data is kept for up to 10 years in line with §§ 147 AO, 257 HGB.

3.5 Analytics (Google Analytics and Firebase Analytics)

Website (Google Analytics 4). With your consent we use Google Analytics 4, provided by Google Ireland Limited, to analyse usage of the binked website. Google Analytics processes a pseudonymised user identifier, the truncated/anonymised IP address, device and browser data, approximate location (country/region), pages visited and interactions. IP-anonymisation is enabled.

Mobile apps (Firebase Analytics). With your consent we use Firebase Analytics, provided by Google Ireland Limited, in the binked iOS and Android apps to understand how the apps are used. Firebase Analytics processes a Firebase-generated pseudonymous app instance identifier (stored on your device, reset on reinstall), app and device metadata (model, OS version, app version, language) and approximate region. The app does not use the iOS IDFA, IDFV or the Android Advertising ID, and advertising features (ad personalization, ad storage, ad user data) are disabled. Until you consent, analytics collection in the app is switched off at the SDK level — no first_open or session_start event is sent. Consent is collected via the in-app consent banner the first time you open the app.

Purpose: reach measurement, product improvement.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent via the cookie banner on the web or the in-app consent banner in the apps). You can withdraw consent at any time with effect for the future via the "Manage cookie settings" link in Section 4; in the apps this also resets the on-device app instance identifier.
Retention: up to 14 months at Google.

3.6 Hosting and infrastructure

The Service is hosted on Google Cloud / Firebase (Google Ireland Limited and Google LLC). Account data, content and metadata are stored on their infrastructure.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR. A data processing agreement under Art. 28 GDPR is in place with Google.

3.7 Contact requests

If you contact us by email, we process the data you provide to answer your request.
Legal basis: Art. 6(1)(b) GDPR if your request relates to a contract, otherwise Art. 6(1)(f) GDPR (legitimate interest in answering enquiries).
Retention: until the request is resolved and any related follow-up obligations have lapsed (typically up to 3 years).

3.8 Content reporting (DSA Article 16)

When you submit a report via the in-app report form (available on every hand page; no account is required), we process the data you provide — your name or pseudonym, contact email, report category and free-text description — together with a SHA-256 hash of your IP address and your browser's user-agent string. The IP hash is salted with a server-side secret, is not reversible, and is used only to enforce rate limits and prevent abuse of the form.
Purpose: operating the "Notice and Action" mechanism required by Article 16 of the EU Digital Services Act (Regulation (EU) 2022/2065), reviewing reports of illegal or policy-violating content, contacting you for clarification or to notify you of the outcome, and preventing abuse of the report form.
Legal basis: Art. 6(1)(c) GDPR (legal obligation under the DSA) and Art. 6(1)(f) GDPR (legitimate interest in moderation and abuse prevention).
Recipients / processors: the report and the two resulting emails (confirmation to you, notification to our moderation team) are delivered by Twilio SendGrid. The form is protected by Cloudflare Turnstile, a bot-detection service that receives your IP address.
Retention: report records are kept as long as necessary for our moderation audit trail and to defend against legal claims — generally for the lifetime of the reported content and a reasonable period thereafter.

3.9 Blocking creators

Signed-in users can block individual hand creators from the actions menu on any hand page. We store the blocked creator's user identifier and the time of the block in your private user document. The list is not shared with anyone, including the blocked creator, and is used only to hide that creator's hands from your own view of the Service.
Purpose: providing the user-control mechanism expected by Google Play's User-Generated Content policy and operating the feature on your behalf.
Legal basis: Art. 6(1)(b) GDPR (performance of the user contract).
Retention: your block list is deleted together with your account (see Section 9).

3.10 Newsletter and marketing emails

If you sign up for the binked newsletter or otherwise opt in to receive marketing emails, we process your email address — and, where you provide it, your display name — to send you product updates, content recommendations, partner or sponsored content and other promotional messages relating to binked. We use a double opt-in procedure: after you submit your address you receive a confirmation email and are only added to the list once you confirm. The time and IP address of your sign-up and confirmation are logged so we can demonstrate that consent was given.
Purpose: sending the newsletter and other marketing communications you have asked to receive.
Legal basis: Art. 6(1)(a) GDPR and § 7(2) Nr. 3 UWG (your consent).
Recipients / processors: Twilio SendGrid (see Section 6) delivers the emails and provides delivery and engagement metrics (whether a message was delivered, opened or clicked) which we use to operate the list and measure performance. We do not sell your email address or share it with third parties for their own marketing.
Retention: until you withdraw your consent. You can unsubscribe at any time using the unsubscribe link at the foot of every marketing email or by writing to contact@binked.app. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. After you unsubscribe we keep a minimal suppression record (your email address on a do-not-contact list) so that we do not email you again by mistake.

4. Cookies and similar technologies

We use cookies on the website and comparable on-device storage in our mobile apps (e.g. the Firebase Analytics app instance identifier) on the basis of § 25 TDDDG:

  • Strictly necessary (e.g. session, authentication, consent settings) – stored without consent based on § 25(2) TDDDG and Art. 6(1)(f) GDPR.
  • Analytics / non-essential (e.g. Google Analytics on the web, Firebase Analytics in the apps) – set or activated only after you give consent via the cookie banner (web) or the in-app consent banner (apps). Consent can be withdrawn at any time via the link below, the in-app banner, or your browser.

You can also block or delete cookies in your browser settings.

You can change or withdraw your consent at any time: . The banner will reappear so you can update your choice.

5. International data transfers

Some of our processors (in particular Google) may process data in countries outside the European Economic Area, including the USA. For these transfers we rely on:

  • Adequacy decisions under Art. 45 GDPR (EU–US Data Privacy Framework, where the recipient is certified), and
  • Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR with additional technical and organisational measures where required.

You can request a copy of the relevant safeguards via contact@binked.app.

6. Recipients

We share personal data only with:

  • Google (hosting, authentication, analytics) as a processor under Art. 28 GDPR;
  • Twilio SendGrid (Twilio Inc., USA) as a processor for email delivery — including account-related transactional messages, content-report confirmations sent to reporters, content-report notifications sent to our moderation team, and the binked newsletter and other marketing emails sent to recipients who have opted in;
  • Cloudflare, Inc. (USA) for bot and abuse detection on the content-report form (Cloudflare Turnstile), which processes your IP address for that purpose;
  • Payment service providers and the operators of the Apple App Store and Google Play, where you make a purchase;
  • Tax advisers and authorities, where required by law;
  • Public authorities and courts, where we are legally obliged to disclose data.

We do not sell personal data.

7. Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure / "to be forgotten" (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on Art. 6(1)(f) GDPR, including profiling, on grounds relating to your particular situation (Art. 21 GDPR).
  • Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR), without affecting the lawfulness of processing carried out before withdrawal.

To exercise these rights, contact us at contact@binked.app.

8. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement. The authority responsible for the controller is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163, 65021 Wiesbaden, Germany
https://datenschutz.hessen.de

9. Account deletion and data retention

You can delete your account at any time from within the app or by writing to contact@binked.app. After deletion we remove personal data without undue delay, unless statutory retention obligations (e.g. tax law) or legitimate interests (e.g. defence against legal claims) require longer storage. In such cases the data will be restricted from further processing.

10. Age restrictions

The Service contains simulated-gambling content and is intended for adults only. It is not directed at, and may not be used by, persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe that a person under 18 has provided us with personal data, please contact us so we can delete it.

11. Automated decision-making

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal or similarly significant effects on you. The content-report form uses Cloudflare Turnstile to automatically distinguish human submissions from bot traffic; submissions that fail this check are silently rejected, but this does not affect any other use of the Service and does not produce legal effects on you.

12. Security

We use industry-standard technical and organisational measures, including encryption in transit (TLS) and access controls on the Google Cloud / Firebase infrastructure, to protect personal data. No online service can, however, guarantee absolute security.

13. Changes to this policy

We may update this Privacy Policy to reflect changes in the Service, in our processing activities or in applicable law. The "Last updated" date at the top shows when the latest version took effect. Continued use of the Service after changes means you have read the updated policy.

14. Contact

Questions about this policy or your data:
Email: contact@binked.app
Address: Zugmantelstr. 34b, 65510 Idstein, Germany

Back to home