Privacy Policy
Last updated May 9, 2026
Controller: CLTR DMG AB, registered office at Gustav III:s Boulevard, 169 74 Solna, Sweden, corporate ID [ORG.NR]. Contact for privacy matters: privacy@superstarlegacy.com
This Privacy Policy explains what personal data we collect when you use the Superstar Legacy mobile app (the "App") and the marketing site at superstarlegacy.com (the "Site", together with the App, the "Service"), why we collect it, who we share it with, and the rights you have over it.
The legal framework below is GDPR-first; equivalent rights under the UK GDPR, Swiss FADP, California CCPA/CPRA, and other regimes are honoured as described in Section 11.
1. Quick summary
- We are the controller of the personal data we collect through the Service.
- What we collect: a small profile (artist name, character choice, in-game stats), the songs you create (metadata + the AI-generated cover/audio), basic device info, and — if you opt in — crash reports and product analytics.
- Why: to run the game, sync progress across your devices, generate AI cover art and music when you ask us to, fix crashes, and (with consent) understand how the app is used.
- Where data lives: in the EU. Firebase Firestore is in Stockholm (europe-north2); Cloud Functions in Belgium (europe-west1). Some processors (AI generation, push delivery) are in the US under SCCs / DPF; we use EU regions wherever offered.
- Your rights: access, rectification, deletion, portability, restriction, objection, withdrawal of consent — see Section 9.
- No sale, no ads, no tracking: we do not sell your personal data, we do not show ads, and we do not track you across other apps or sites. We do not request Apple's App Tracking Transparency prompt because we do not track.
- Children: minimum age 16 in the EEA / UK, 13 elsewhere.
2. Personal data we collect
2.1 Data you give us directly
| Category | Examples | When |
|---|---|---|
| Account identifier | Apple sub, Google account ID, or Spotify user ID — depending on which provider you sign in with. The email on the platform account, if the platform shares it. | Sign-in |
| Profile | Artist name, character template choice, manager personality choice, avatar customisation | Onboarding, edits |
| User-generated content | Song title, mood/feeling tags, lyric text (where applicable), prompts for AI cover and music | When you create a song |
| Settings | Sound, haptics, theme, language, graphics quality preference | Settings screen |
| Support correspondence | What you write to us by email or through in-app / platform feedback tools | When you contact us |
| Marketing consent (opt-in) | Email + the fact that you opted in to product updates | When you tick the box on the Site |
| Spotify connection (optional) | If you connect Spotify, the data Spotify returns under the scopes we request: profile (display name, country), public top artists / top tracks / followed artists. We do not request listening history or playlist contents unless you grant the corresponding scope. | When you connect Spotify |
2.2 Data created by your use of the Service
| Category | Examples | Why |
|---|---|---|
| Game state | Tier, fans, coins, action points, skill XP, achievements, training history, performance history, ledger of in-game purchases, daily streak | To run the game and sync across devices |
| Social graph (current scope) | Manager affinity, NPC interaction state | Game mechanics |
| Content metadata | Song id, cover URL, audio URL, tags, creation timestamp | To list and play your library |
| AI-generated outputs | Cover image file, music audio file, generated lyrics where applicable | The result of what you asked us to create |
| Push token | Apple APNs or Firebase Cloud Messaging token | To send the notifications you opted in to |
2.3 Data we collect automatically about your device
| Category | Examples | Why |
|---|---|---|
| Device & app | Device model, OS version, app version, build channel, locale, timezone | Compatibility, debugging, language defaults |
| Diagnostics (only with consent) | Crash stack traces, breadcrumbs of in-app navigation, device performance metrics — sent to Firebase Crashlytics (Google sub-processor in §4.1) | Diagnose crashes |
| Product analytics (only with consent) | Pseudonymous events (e.g., "song_created", "screen_visited") — sent to Firebase Analytics (Google sub-processor in §4.1) | Understand which features are used and where players struggle |
| Push delivery receipts | Whether a push was delivered/opened — via Expo Push and APNs/FCM | Improve notification reliability |
| Standard web logs (Site only) | IP, user-agent, referrer, requested path, timestamp | Operate and secure the marketing site |
2.4 What we don't collect
- We do not collect precise location (no expo-location, no CLLocationManager).
- We do not access contacts, calendar, photos, or microphone unless you explicitly take an action that uses them (and as of today, no such surface exists).
- We do not request Apple's App Tracking Transparency permission. We do not track you across apps or websites.
- We do not knowingly collect data from anyone below the age threshold in Section 8.
3. Why we collect it (purposes and legal bases)
We rely on the following lawful bases under the EU and UK GDPR:
| Purpose | Data used | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Create and operate your Account | Account identifier, profile | (b) performance of contract |
| Save and sync your game progress | Game state, content metadata, content files | (b) performance of contract |
| Generate AI cover art / music when you request it | Inputs you provided + minimal context (mood, title) — sent to upstream providers | (b) performance of contract |
| Personalise the Service when you connect Spotify | Profile, top artists / top tracks (if scope granted) | (a) consent — you opt in by connecting Spotify |
| Process purchases and entitlements | Platform Store transaction id, subscription state | (b) performance of contract |
| Send transactional notifications (purchase receipts, security alerts, material ToS changes) | Email, push token | (b) performance of contract; (c) legal obligation for some |
| Send marketing emails | Email, marketing-consent flag | (a) consent — opt-in only |
| Diagnose crashes (Firebase Crashlytics) | Diagnostics from Section 2.3 | (a) consent in EEA / UK; (f) legitimate interest elsewhere |
| Understand product usage (Firebase Analytics) | Pseudonymous events | (a) consent — opt-in only in EEA / UK |
| Detect fraud, abuse, cheating | Anti-cheat signals, App Check / App Attest tokens, server-side rate limits | (f) legitimate interest in protecting the Service and other users |
| Enforce these Terms and respond to legal claims | Whatever is relevant | (f) legitimate interest, (c) legal obligation |
| Comply with accounting / tax law (purchase records) | Receipts, transaction ids | (c) legal obligation (Bokföringslagen — 7 years in Sweden) |
3.1 Why we believe legitimate-interest processing is balanced
For each (f) basis above, we have run a balancing test and concluded that our interest does not override your fundamental rights, taking into account: (i) the limited data used; (ii) the fact that you are a customer who has chosen to use our Service; (iii) industry-standard expectations for crash diagnostics and anti-fraud; (iv) the safeguards in Section 7. You can object at any time — see Section 9.6.
4. Who we share your personal data with
We share personal data only with the categories of recipients below, and only as needed for the purposes in Section 3.
4.1 Processors (acting on our instructions)
| Processor | Function | Data they see | Region | Transfer mechanism |
|---|---|---|---|---|
| Google (Firebase / Google Cloud) | Auth, Firestore (database), Cloud Functions (server logic), Cloud Storage (cover/audio files), Cloud Messaging (push routing), Crashlytics (crash reporting), Analytics (product analytics) | Account, profile, game state, content, push token, pseudonymous diagnostics and event data | Firestore in Stockholm (europe-north2), Functions in Belgium (europe-west1), Storage in EU multi-region, Crashlytics and Analytics in Google global infrastructure. One v1 auth-trigger Function is region-locked to us-central1 by Google. | EU residency for primary data. SCCs + EU–US Data Privacy Framework cover the residual US transfer for Crashlytics, Analytics, and the auth-trigger Function. |
| Apple | Sign in with Apple, App Store payments, push delivery via APNs | Apple ID identifier, transaction id, push token | EU + global Apple infrastructure | Apple's own framework; Apple is also an independent controller for App Store data |
| Google (separately, when implemented) | Sign in with Google | Google account id | Global | SCCs + DPF; Google is also an independent controller for the OAuth identity flow |
| Spotify AB | Sign in with Spotify and the optional Spotify connection (top artists / top tracks) | Spotify user ID, profile, public listening data per granted scope | Spotify EU / global infrastructure (Spotify AB is established in Stockholm, Sweden) | EU residency primary; Spotify is also an independent controller for the OAuth identity flow |
| Expo (650 Industries, Inc.) | App build pipeline, OTA JS updates, Expo Push relay | Update channel, runtime version, push token, basic device info | USA (CDN global) | SCCs + DPF |
| OpenRouter | LLM gateway used to generate the image prompt for cover art | Short text fragments (song title, mood) — no identifiers | USA | SCCs |
| fal.ai | Image generation (Flux Schnell) | The text prompt produced upstream — no identifiers | USA | SCCs |
| ElevenLabs (planned) | Music generation | The music-generation prompt and any lyrics you provided — no identifiers | USA | SCCs |
| RevenueCat (planned) | Subscription entitlement abstraction | Platform transaction id, subscription state | USA | SCCs + DPF |
| Specific.dev | Marketing site host | Standard web logs, waitlist email | EU | N/A (EU residency) |
| Cloudflare | DNS for superstarlegacy.com (proxy off — Cloudflare does not see HTTP traffic for this zone) | DNS query metadata only | Anycast (global) | SCCs + DPF |
| Resend | Transactional / waitlist email | Email address, message content, basic delivery metadata | USA | SCCs |
| One.com | Mail hosting for @superstarlegacy.com aliases (support, privacy, dmca, legal) and the underlying mailboxes | Sender/recipient, message body of mail you send to those addresses | EU (Denmark) | EU residency |
4.2 Third parties acting as independent controllers
- Apple for App Store account, billing, and App Store Connect analytics.
- Google for OAuth identity and (when launched) Play Store billing.
- Spotify for the OAuth identity flow when you sign in with or connect Spotify, and for any data you also have stored with Spotify directly.
- Authorities and courts where we are legally required to disclose data.
- Acquirers in the event of a merger, acquisition, or asset sale — disclosure limited to what is necessary to evaluate or carry out the transaction, with confidentiality protections; you will be notified of any change of controller.
4.3 What we do not do
- We do not sell your personal data (under any definition, including the CCPA's "sale" and "share").
- We do not allow our processors to use your data for their own marketing or model training. For AI providers (OpenRouter, fal.ai, ElevenLabs), we configure API keys to disable training-on-prompts wherever the provider exposes that toggle.
- We do not run advertising on the Service, do not embed advertising SDKs, and do not target users for advertising on or off our Service.
5. International transfers
EU storage is the default. Where data must leave the EEA (e.g., US-based AI providers, Expo OTA delivery, Firebase Crashlytics and Analytics), we rely on:
- the EU–US Data Privacy Framework, where the recipient is certified, and
- the 2021 Standard Contractual Clauses in the form approved by the European Commission, with supplementary technical and organisational measures (encryption in transit and at rest, pseudonymisation where possible, access logging, vendor security review).
A copy of the relevant SCCs is available on request from privacy@superstarlegacy.com (with commercial terms redacted).
6. Retention
| Category | Retention |
|---|---|
| Account, profile, game state, content metadata | While your Account is active, plus 30 days after deletion request, after which we delete or anonymise |
| AI-generated cover/audio files | Same as above |
| Backups containing the above | Rolling cycle, fully overwritten within 90 days |
| Diagnostics (Firebase Crashlytics) | 90 days (provider default) |
| Analytics events (Firebase Analytics) | 14 months max (provider default; configurable down to 2 months) |
| Push tokens | While the Account is active and the device is registered |
| Purchase records (transaction ids, receipts) | 7 years from end of the relevant accounting year (Swedish Bokföringslagen) |
| Marketing list | Until you unsubscribe, plus 30 days |
| Support correspondence | 24 months from last interaction |
| Legal-claim records | While the claim is live, plus the limitation period |
7. How we protect personal data
- Encryption in transit (TLS 1.2+) for all client-server traffic, including AI-provider calls.
- Encryption at rest as provided by Google Cloud (AES-256) for Firestore, Storage, and Functions.
- Server-side authorisation on every economy-altering operation via Cloud Functions; clients cannot directly mutate fan counts, ledgers, or purchases.
- Firestore and Storage security rules version-controlled in the repository.
- App Check using Apple App Attest and Google Play Integrity to confirm that requests come from a genuine, unmodified install.
- Least-privilege access to production: service-account keys are stored in infrastructure, not in the client bundle.
- Vendor security review before adopting a new processor.
- No collection of biometric or special-category data — we do not process Art. 9 GDPR data.
7.1 Data breach notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours where required, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
8. Children
The Service is not intended for children under 16 in the EEA / UK and not intended for children under 13 elsewhere. We do not knowingly collect personal data from anyone below those ages. If you are a parent and believe your child has used the Service in violation of this rule, contact privacy@superstarlegacy.com and we will delete the Account within 7 days of verifying the request.
We rely on the platform's parental controls (Apple "Ask to Buy", Google "Family Library") to enforce purchase consent for minors. We do not implement an additional age-verification mechanism beyond a self-declared age gate at sign-up.
9. Your rights
Under the GDPR and UK GDPR, you have the rights below. We do not charge for the first request in any 12-month period, and we respond within 30 days (extendable by 60 days for complex requests, with notice to you).
9.1 Access (Art. 15)
You can request a copy of your personal data. Where the App offers a self-service export, you'll find it in Settings → Privacy. Otherwise email privacy@superstarlegacy.com and we will fulfil within 30 days.
9.2 Rectification (Art. 16)
You can correct your profile in-app. For data not exposed in the UI, email privacy@superstarlegacy.com.
9.3 Erasure / right to be forgotten (Art. 17)
You can delete your Account from Settings → Account → Delete Account, which triggers deletion of your Account data within 30 days. Some categories must be retained for the periods in Section 6 (e.g., purchase records for tax law).
9.4 Restriction of processing (Art. 18)
You can ask us to restrict processing while a dispute is being resolved. Email privacy@superstarlegacy.com.
9.5 Portability (Art. 20)
The export from Section 9.1 is structured JSON; you can use it to move to another service.
9.6 Objection (Art. 21)
You can object to processing based on legitimate interest (Section 3, basis (f)) at any time. For analytics and crash reporting, you can also withdraw consent under Section 9.7 below.
9.7 Withdrawal of consent (Art. 7(3))
Where we rely on consent, you can withdraw it at any time. Where the App offers in-app consent toggles, you'll find them in Settings → Privacy. Otherwise email privacy@superstarlegacy.com. Withdrawal does not affect the lawfulness of processing before withdrawal.
9.8 Automated decision-making (Art. 22)
We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects. The AI generation features are user-initiated creative tools, not decisions about you.
9.9 Right to complain
You have the right to lodge a complaint with a supervisory authority. The lead authority for us is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten / "IMY"), imy.se. EU residents may also complain to their local DPA; UK residents to the ICO (ico.org.uk).
9.10 How to exercise rights
Email privacy@superstarlegacy.com from the email address on your Account, or use the in-app flow where available. We may need to verify your identity, especially where the request is destructive or involves data export.
10. Cookies and similar technologies
10.1 In the App
The App does not use cookies (it's a native mobile app). We use device-local storage (AsyncStorage, the Firebase SDK cache) for performance and offline resilience.
10.2 On the Site
The Site currently uses only strictly necessary cookies / local storage entries (session, CSRF, theme preference). It does not set analytics, advertising, or social-tracking cookies as of the date above. If we add any in the future, we will present a consent banner before they are set.
11. Regional supplements
11.1 California (CCPA / CPRA) residents
- Categories of personal information collected: identifiers, customer records (artist name, settings), commercial information (purchases), Internet activity (in-app events), inferences (skill level), audio/visual (AI-generated cover/audio).
- Sources: you, your device, our processors.
- Purposes: described in Section 3.
- Sale or sharing: we do not sell or share personal information as those terms are defined in the CCPA / CPRA.
- Sensitive personal information: we do not knowingly collect SPI; sign-in identifiers are not used to infer characteristics.
- Rights under California law: know, delete, correct, opt out of sale/share (none to opt out of), limit use of SPI (none collected), non-discrimination. Use the same channels as Section 9.10. Authorised agents may submit requests on your behalf with proof of authorisation.
11.2 United Kingdom
The UK GDPR applies. Our UK representative under Art. 27 UK GDPR will be appointed if/when we have UK users at scale. The ICO is the relevant regulator (ico.org.uk).
11.3 Switzerland
The revised FADP applies to Swiss residents on substantively the same terms as GDPR. The Swiss FDPIC is the relevant regulator (edoeb.admin.ch).
11.4 Brazil (LGPD), Quebec (Law 25), Australia (Privacy Act)
We honour equivalent rights (access, correction, deletion, portability, withdrawal of consent) for residents of these jurisdictions through the same channels. Contact privacy@superstarlegacy.com.
11.5 Other jurisdictions
If we have users in a jurisdiction with mandatory privacy law not specifically addressed here, we will honour the rights granted by that law.
12. AI-specific disclosures
The Service uses AI to generate cover art and, in future, music tracks. Our use of AI is subject to the EU AI Act and to upstream providers' policies.
- Risk classification: the AI we use (image generation, music generation, content prompting LLMs) is general-purpose and is not used for any prohibited or high-risk use case under the EU AI Act.
- Transparency: AI-generated outputs are clearly marked in the App (e.g., the cover art is presented as a generated cover for an in-game song). Where a provider's terms require us to mark outputs as AI-generated outside the App (e.g., when you export them), we will surface that requirement at the export point.
- No training on you: we do not allow our AI providers to use your prompts or outputs to train their models, where the provider exposes that toggle. We will update this section if any provider's defaults change.
- Profiling: we do not use AI to make decisions about you. AI is a creative tool you operate.
- Opt-out: the AI features are opt-in by virtue of being explicit user actions (you press "Create"). If you never use those features, no prompts are sent to AI providers.
13. Changes to this Privacy Policy
We may update this Policy when our processing changes or when the law requires it. Material changes are notified by an in-app notice and (where we have your email) by email. The "Last updated" date above always reflects the current version. We keep prior versions on request.
14. Contact
| Topic | Address |
|---|---|
| Privacy / data subject requests | privacy@superstarlegacy.com |
| General support | support@superstarlegacy.com |
| Copyright / DMCA | dmca@superstarlegacy.com |
| Legal notices | legal@superstarlegacy.com |
| DPO | We have not appointed a Data Protection Officer because none of the GDPR Art. 37 triggers apply (no public authority, no large-scale systematic monitoring, no large-scale Art. 9 / 10 processing). If that changes we will appoint one and update this section. |
| Postal | CLTR DMG AB, Gustav III:s Boulevard, 169 74 Solna, Sweden |
| Supervisory authority | Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, Sweden, imy.se |
End of Privacy Policy.