Legal · Transparency

Your data, your game.

Tier is built for gamers who want to track their backlog, write reviews and connect with friends — not for advertisers. This page explains exactly what we collect, why we collect it, and what control you have. Plain language, no dark patterns.

Effective 2026-05-11 · GDPR · CCPA · Apple & Google compliant · No ads · No tracking SDKs

01 Who we are

Tier is a video-game tracking and social journal application published by Why Not Studio (the "Publisher", "we", "us"). The mobile app is distributed through the Apple App Store and Google Play under the bundle identifier com.yourtier.tier; the backend runs at tier.app.

For any privacy-related request, write to contact@yourtier.com. We respond within 30 days, as required by GDPR Article 12.

02 What we collect

Only what's needed to make the app work. Grouped by purpose:

Account & identity

  • Email address (Required): For account recovery and security alerts. Hashed password — never stored in clear text.
  • Apple / Google identifier (OAuth): Opaque token if you sign in with Apple or Google. Apple relay emails honored as-is.
  • Gamertag (Public): Your in-app pseudonym, separate from your legal name.

Profile (all optional)

  • Bio, pronouns, "gamer since" year
  • Date of birth — used only to compute your displayed age and to gate PEGI-rated content. The raw date is never shown publicly.
  • Favorite genres and platforms
  • Avatar and profile banner images
  • Social handles you type in: Twitter/X, Discord, Twitch, YouTube, Steam, Xbox Live, PSN, Nintendo. We store the handles you typed — we do not call those platforms' APIs on your behalf.
  • Profile visibility: public, following only, or private.

Activity & content

Your journal entries, reviews, ratings, lists, follows, blocks, likes, comments and gamification stats (XP, level, streaks).

To do Playing Completed Abandoned

Device & technical

  • Push-notification preferences and email digest opt-in (toggles in Settings).
  • App preferences (theme, reduce-motion).
  • Authentication attempts (IP, user agent, outcome) — anti brute-force.
  • Rate-limit counters — per user / per IP, short windows.
  • Standard Expo / native crash logs, unless you've opted out at the OS level.

We do NOT collect: precise GPS or location, your contacts, calendar, SMS or call logs, microphone or camera streams (the camera is only opened when you tap "take a new profile picture"), health or biometric data, financial data, or your browsing activity outside Tier.

03 Legal basis (GDPR Art. 6)

Purpose | Basis
Creating and operating your account | Contract — Art. 6(1)(b)
Authentication, anti-fraud, rate limiting | Legitimate interest — Art. 6(1)(f)
Push notifications (friends, social, releases) | Consent — Art. 6(1)(a) · per-channel toggle
Weekly email digest | Consent — opt-out anytime
Public profile / reviews / lists | Contract + your visibility choice
Moderation, DMCA, court orders | Legal obligation — Art. 6(1)(c)
Aggregated, anonymous product analytics | Legitimate interest — Art. 6(1)(f)

You can withdraw consent at any time without affecting the lawfulness of prior processing.

04 How we use your data

  1. Provide the core service — show your profile, journal, reviews and lists, and let you follow other gamers.
  2. Authenticate you — via email/password, Sign in with Apple, or Sign in with Google. OAuth audience checks are enforced backend-side.
  3. Personalize content — recommend games based on your favorites, history and trending scores.
  4. Send the notifications you opted into — never others.
  5. Moderate the community — handle blocks, reports and rule violations.
  6. Protect the service — rate-limit abuse, detect credential stuffing.
  7. Comply with the law — respond to lawful requests, keep deletion audit trails.

We do not sell your personal data. We do not feed it to third-party AI training pipelines. Period.

05 Third parties & data sharing

Authentication providers

  • Apple — Sign in with Apple. We receive an opaque identifier, optionally your name and a (real or relay) email.
  • Google — OAuth. We receive your sub, verified email and basic profile claims.

Game catalog providers

We call these from our backend with our own API keys. Your identity is never forwarded.

  • IGDB (Catalog): Game metadata.
  • RAWG (Catalog): Game metadata, cover art.
  • Steam (Catalog): Releases & platform info.
  • HowLongToBeat (Stats): Completion-time estimates.

Infrastructure

  • Expo / EAS — OTA updates and build pipeline. Anonymized channel pings only.
  • Apple App Store and Google Play — distribution.
  • Our own backend (Odoo 19 + PostgreSQL, hosted in the EU) — primary data store.

No ad SDKs. No cross-app tracking SDKs. We don't request the iOS tracking permission because we have nothing to track you with. We may use aggregated, non-identifying product analytics — never on a per-user basis.

06 International transfers

The primary database lives in the European Union. When third parties (Apple, Google, Expo) process data outside the EU, transfers rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

07 Retention

Data | Retention
Account profile | Until you delete your account.
Reviews, lists, journal, social graph | Until you delete the item or your account.
Authentication attempts | 90 days, then deleted.
Rate-limit counters | Rolling window — minutes to hours.
Account-deletion audit log | Retained indefinitely, anonymized (only a short SHA-256 prefix of the former login is stored as proof a deletion happened).
Moderation cases | For the limitation period applicable to the offense.
Crash logs | 30 days.

08 Your content & visibility

You control who can see your profile and content via the visibility setting:

  • Public — anyone, including signed-out visitors, can view your profile, reviews and public lists.
  • Following only — visible only to users you follow.
  • Private — visible only to you.

Heads up: anything you publish as Public can be cached, screenshotted or quoted by other users. We cannot retroactively erase content that's been copied off-platform.

09 Your rights

Under GDPR (and equivalents under CCPA / CPRA, UK GDPR, LGPD…), you can:

Access

Request a copy of the personal data we hold on you.

Rectify

Correct anything inaccurate — most fields are editable in Profile & Settings.

Erase

Delete your account in-app (Settings → Account → Delete account).

Portability

Get an export in machine-readable JSON.

Restrict

Ask us to pause processing while a dispute is resolved.

Object

Object to processing based on legitimate interests.

Withdraw consent

Toggle push, email digest and any optional feature off.

Complain

Lodge a complaint with your supervisory authority (e.g., the CNIL in France).

To exercise these rights, email contact@yourtier.com from the address linked to your account. We may ask you to verify your identity before acting.

10 Children's privacy

Tier is not directed at children under 13 (or under 16 in EU jurisdictions where local law sets a higher digital-consent age). We do not knowingly collect data from them. If you believe a child has signed up, email contact@yourtier.com and we'll delete the account.

Some catalog games carry PEGI / ESRB age ratings. The date-of-birth field is used to gate display of higher-rated content; it is never displayed publicly.

11 Security

  • Passwords — salted, slow KDF. Never stored or transmitted in clear text.
  • HTTPS / TLS — enforced everywhere.
  • Tiered API access — public / app-user (portal) / internal / admin, with per-endpoint allowlists.
  • Anti brute-force — auth-attempt log and rate-limit counters.
  • Row-level security via Odoo ir.rule constraints — portal users can only read whitelisted fields on other users.
  • OAuth audience verification backend-side — client identifiers are public by design, the security boundary is the audience check.
  • Account-deletion cooldowns to prevent accidental or coerced deletions.

If a personal-data breach affects you, we'll notify you and the competent supervisory authority within 72 hours, as required by GDPR Article 33.

12 Cookies & local storage

  • Secure storage (Keychain / Keystore via expo-secure-store) for authentication tokens.
  • Async storage for non-sensitive preferences (theme, last-viewed tab).
  • No third-party advertising cookies in the app.
  • On tier.app, only strictly necessary first-party cookies are set for session management.

13 Push & email

Push notifications are sent only when you've enabled the matching toggle (friends activity, social, releases). You can revoke notification permission at the OS level any time (iOS Settings → Notifications → Tier; Android App info → Notifications).

The weekly email digest is opt-in. Toggle it off in Settings, or use the unsubscribe link in every digest email.

14 Account deletion — what happens

  1. Your res.users record is archived; identifying fields on res.partner (email, gamertag, bio, avatars, banner, social handles, date of birth, pronouns) are nulled or replaced with placeholders.
  2. A short SHA-256 prefix of your former login is written to the deletion audit log as proof the request was honored. The original email is not stored.
  3. All active sessions are revoked.
  4. Your reviews and lists are either deleted or anonymized so other users' interactions are not orphaned.

Account deletion is irreversible. We will not be able to recover your data afterwards.

15 Changes to this policy

Material changes are announced in-app and by email at least 30 days before they take effect. The "Effective" date at the top of this page always reflects the current version.

16 Contact

Publisher: Why Not Studio
Privacy contact: contact@yourtier.com
Postal mail: to be filled in for the public-facing release

If you believe your rights have not been respected, you can complain to your local data-protection authority. EU residents may contact the CNIL at www.cnil.fr.

Have a question we didn't answer?

The privacy team reads every email. Reach out — we'll get back within 30 days, usually much faster.