
Privacy Policy

Effective Date: February 6, 2026

1. Introduction

This Privacy Policy describes how AllFacts.app x DA (“Company,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information obtained through the AllFacts application (“Service”) accessible at allfacts.app and any associated Progressive Web Application installs.

By using the Service you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use immediately.

2. Information We Collect

2.1 Information You Provide Directly

Account Data. When you create an account we collect your email address and password for authentication powered by Supabase Auth. Your password is securely hashed by Supabase and is never stored in plain text.

Profile Data. You may optionally provide a display name. If you authenticate through a third-party OAuth provider (e.g., Google), we receive the email address and profile picture URL that you authorized the provider to share.

2.2 Information Collected Automatically

Usage Data. We log interactions with the Service including facts viewed, quiz answers submitted, favorites saved, XP earned, streaks achieved, and achievement milestones. This data is tied to your authenticated user ID and is stored in our Supabase-managed PostgreSQL database with Row Level Security (RLS) enforcement.

Device & Technical Data. Our hosting provider (Vercel) and database provider (Supabase) automatically collect standard server logs that may include IP address, browser user-agent, referring URL, and request timestamps. We do not augment these logs with fingerprinting, canvas tracking, or any advanced identification technique.

Local Storage & Cookies. The Service stores authentication session tokens in browser cookies managed by the Supabase Auth SDK. The PWA service worker caches static assets for offline use. We do not deploy advertising cookies, analytics pixels, or third-party tracking scripts.

3. How We Use Your Information

We process your data exclusively for the following purposes:

(a) To authenticate your identity and maintain your session; (b) to persist progress, favorites, and quiz scores; (c) to power gamification features such as streaks, XP, levels, and achievements; (d) to sync data across devices you own; (e) to improve, debug, and secure the Service; (f) to comply with legal obligations.

We do not use your data for advertising, profiling-for-sale, or automated decision-making that produces legal effects.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases under Articles 6 and 9 of the General Data Protection Regulation:

Contractual Necessity — processing required to deliver the Service you requested (account management, progress sync).

Legitimate Interest — processing for security, fraud prevention, and product improvement where your rights do not override our interests.

Consent — where explicitly given (e.g., optional analytics in future releases). You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, each contractually bound to process data solely on our behalf:

Supabase, Inc. — authentication, database, and row-level-security enforcement. Data is stored in Supabase-managed PostgreSQL with AES-256 encryption at rest and TLS 1.3 in transit.

Vercel, Inc. — hosting, edge network, and CDN. Server logs are retained per Vercel's data processing agreement.

Google LLC — font delivery (Google Fonts) and, if enabled, OAuth identity provider. Subject to Google's Privacy Policy.

We may also disclose data if required by law, regulation, legal process, or enforceable governmental request.

6. Your Rights

6.1 Rights Under GDPR (EEA / UK / Switzerland)

You have the right to: access your data; rectify inaccuracies; erase your data (“right to be forgotten”); restrict processing; data portability; object to processing; and lodge a complaint with your local supervisory authority.

6.2 Rights Under CCPA / CPRA (California Residents)

California residents have the right to: know what personal information is collected; request deletion of personal information; opt out of the sale or sharing of personal information (we do not sell your data); and non-discrimination for exercising these rights.

6.3 Other Jurisdictions

If you are subject to LGPD (Brazil), POPIA (South Africa), PIPEDA (Canada), or other applicable data-protection frameworks, you may have additional rights. We will honor valid requests consistent with those laws.

To exercise any right, contact legal@allfacts.app. We will acknowledge your request within five (5) business days and resolve it within thirty (30) calendar days.

7. Data Retention

We retain your account data for as long as your account remains active. Usage logs and activity records are retained for a maximum of twenty-four (24) months, after which they are automatically purged or anonymized. If you delete your account, we will erase all personally identifiable data within thirty (30) days, except where retention is required by law.

8. Security

We employ industry-standard safeguards including: TLS 1.3 encryption for all data in transit; AES-256 encryption at rest via Supabase; Row Level Security (RLS) policies ensuring users can only access their own records; server-side JWT validation via getUser() to prevent token tampering; and regular dependency auditing. No system is 100% secure; if you discover a vulnerability, please report it to support@allfacts.app immediately.

9. Children's Privacy

AllFacts is an educational service suitable for general audiences. We do not knowingly collect personal information from children under the age of 13 (or under 16 in the EEA) without verifiable parental consent as required by COPPA and GDPR. If you believe we have inadvertently collected such data, contact legal@allfacts.app and we will promptly delete it.

10. International Data Transfers

Your data may be processed in the United States where our infrastructure providers operate. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or equivalent safeguards to ensure an adequate level of data protection for cross-border transfers.

11. Do Not Track & Global Privacy Control

The Service does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) signals. We honor Global Privacy Control (GPC) signals as a valid opt-out request under applicable law.

12. Changes to This Policy

We may revise this Privacy Policy from time to time. Material changes will be communicated by updating the “Effective Date” above and, where practicable, through in-app notification. Continued use after publication constitutes acceptance.

13. Contact

AllFacts.app x DA

Privacy & Legal: legal@allfacts.app

General Support: support@allfacts.app

Copyright © 2026 AllFacts.app x DA. ALL RIGHTS RESERVED.