Privacy Policy

Last updated: April 1, 2026

1. Introduction

Welcome to Ranked ("we," "us," "our"). Ranked is a mobile application that lets you rate, track, and discover movies, TV shows, games, and music. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data.

Data Controller: Daniel Schreiner, Rostocker Str. 39a, 49090 Osnabrueck, Germany. Contact: [email protected]

By using Ranked, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the app.

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address - used for authentication and account recovery
  • Username - your chosen display name, visible to other users
  • Password - stored securely via Supabase Auth (we never have access to your plaintext password)

2.2 Profile Information

You may optionally provide:

  • Bio - a short text description on your profile
  • Profile picture (avatar) - uploaded to our storage service
  • Social links - handles or URLs for Instagram, Twitter/X, TikTok, YouTube, or a personal website
  • Country - ISO country code, used for the World Taste Map feature
  • Preferred language - your chosen display language within the app
  • Accent color / theme - your visual customization preferences

2.3 Ratings and Reviews

When you use the app's core features, we collect:

  • Star ratings - 0.5 to 5.0 stars on movies, TV shows, games, and music
  • Attribute ratings - optional sub-ratings (e.g., story, acting, gameplay) on individual items
  • Text reviews - optional short reviews (up to 280 characters)
  • List entries - items you add to your Watchlist, Watching, Completed, or Dropped lists
  • Ranked lists - custom ordered lists you create, including collaborative lists
  • Favorites - up to 4 items you pin to your profile

2.4 Social Data

  • Follows - which users you follow and who follows you
  • Challenges - rating challenges sent to or received from other users
  • Group Swipe sessions - participation in group recommendation sessions
  • Rating likes - likes you give to other users' ratings

2.5 Connected Account Data

You may optionally connect external accounts:

  • Spotify - via OAuth authentication. We store your Spotify access token, refresh token, display name, and Spotify user ID in order to import your listening history. Imported data includes recently played tracks, top tracks, top artists, saved tracks, and audio features (energy, danceability, etc.). You can disconnect at any time, which removes the stored tokens.
  • Steam - via Steam64 ID or vanity URL input. We use this to import your game library through the RAWG API. No Steam authentication tokens are stored.
  • Netflix - via CSV file upload. You upload your Netflix viewing history file, and we parse it locally to match titles against our database. No Netflix credentials are stored.
  • Letterboxd - via CSV file upload. You upload your Letterboxd ratings or watched history file, and we parse it locally to match titles. No Letterboxd credentials are stored.

For all connected services, we store an import record (timestamp and item count) so you can see when you last synced.

2.6 Automatically Collected Data

  • Authentication session data - managed by Supabase Auth
  • Timestamps - when you created your account, made ratings, or performed actions
  • Achievement data - which milestones you have unlocked

We do not collect location data (beyond the optional country you set) or use analytics telemetry via first-party tracking SDKs.

2.7 Advertising Data

If you are a free-tier user and have consented to personalized advertising:

  • Device advertising identifier - your device's Advertising ID (IDFA on iOS, GAID on Android), used by our ad partners to serve relevant ads. This identifier is only accessed after you grant permission via the App Tracking Transparency prompt (iOS) or GDPR consent dialog.
  • Ad interaction data - whether you viewed, clicked, or dismissed an ad within the app. This data is shared with our advertising partners to measure ad performance.
  • Non-personalized ads - if you decline ad tracking consent, we serve non-personalized ads that do not use your device identifier or behavioral data. Non-personalized ads are based on contextual signals only (e.g., app category, country).

Ranked+ (premium) subscribers do not see ads and no advertising data is collected from them.

3. How We Use Your Data

We use your data to:

  • Provide the service - display your ratings, lists, and profile to you and (where applicable) other users
  • Power social features - show activity feeds, enable follows, challenges, and taste matching
  • Generate insights - compute your Taste DNA, Weekly Wrapped, Year in Review, streak statistics, and taste match scores
  • Provide AI-powered features - generate quiz results, search recommendations, and predicted ratings (see Section 4)
  • Process payments - manage premium subscriptions via RevenueCat
  • Improve the app - understand usage patterns to fix bugs and build new features
  • Communicate with you - in-app notifications (new followers, challenge updates, list invites)

We do not sell, rent, or trade your personal data to third parties. If you are a free-tier user, we display ads from third-party advertising partners (see Section 5A). We share limited data with ad networks only as described in that section and only with your consent.

4. AI Features and Data Processing

Ranked uses AI-powered features through the Anthropic Claude API, accessed via Supabase Edge Functions. These features include:

  • DNA Quiz - generates personality-based quiz questions from your rating history
  • AI Search - provides personalized search recommendations
  • Predicted Ratings - estimates how you might rate an unrated item

How it works: When you use an AI feature, relevant portions of your rating data (titles, categories, genres, star ratings) are sent to the Anthropic Claude API in a single request. Anthropic processes this data to generate a response and does not store your data beyond the duration of the API call. Anthropic does not use your data to train its models. See Anthropic's Privacy Policy for details.

AI features have daily usage limits that apply to all users (tracked in-app). You can view your AI usage in Settings.

5. Third-Party Services

We use the following third-party services to operate Ranked:

Service | Purpose | Data Shared
Supabase (hosted on AWS) | Database, authentication, file storage | All account and app data
Anthropic (Claude API) | AI features | Rating data for individual AI requests (not stored)
RevenueCat | Subscription management | User ID, purchase status
TMDB (The Movie Database) | Movie and TV metadata | Search queries (no user data)
RAWG | Game metadata | Search queries (no user data)
Spotify | Music metadata and user library import | OAuth tokens (stored), search queries
Apple App Store / Google Play | App distribution and payments | Standard platform data per their policies

Each third-party service operates under its own privacy policy. We encourage you to review them.

5A. Advertising Partners

Free-tier users may see ads served by the following third-party advertising networks:

Partner | Purpose | Data Shared (with consent)
Google AdMob | Primary ad serving and mediation | Device advertising ID, ad interaction data, approximate location (country-level)
Meta Audience Network | Supplementary ad demand (via mediation) | Device advertising ID, ad interaction data
Unity Ads | Rewarded video ads (via mediation) | Device advertising ID, ad interaction data

What ad partners receive:

  • Your device's advertising identifier (IDFA/GAID) - only if you have granted tracking consent
  • Whether you viewed, clicked, or dismissed an ad
  • Country-level location (derived from IP by the ad network, not shared by Ranked)
  • App context (app name, screen placement) - no personal profile data, ratings, or username

What ad partners do NOT receive:

  • Your email, username, bio, ratings, reviews, lists, or any Ranked profile data
  • Your Spotify, Netflix, or Steam data
  • Your Taste DNA or any derived insights

Consent and control:

  • On iOS, the App Tracking Transparency (ATT) prompt is shown before any ad tracking begins. You can change this in iOS Settings > Privacy > Tracking at any time.
  • In the EU/EEA, a GDPR consent dialog is shown before personalized ad serving begins. You can withdraw consent at any time in Ranked Settings.
  • If you decline consent, you will see non-personalized (contextual) ads that do not use your device identifier.
  • Ranked+ premium subscribers see no ads at all, and no advertising data is collected.

5B. Affiliate Links

Ranked may earn a commission when you click through to a streaming service, digital store, or music platform from the Detail screen and make a purchase or start a subscription. Our affiliate partners include:

  • JustWatch - aggregated streaming provider links (movies/TV)
  • Apple Services Performance Partners - Apple TV+ and iTunes purchase/rental links
  • Amazon Associates - Prime Video links

How affiliate links work:

  • When you tap a streaming provider logo or "Where to Watch" link on a Detail screen, the URL includes an affiliate tracking parameter (a partner ID).
  • The streaming service records that the click came from Ranked.
  • If you make a qualifying purchase or start a subscription within a limited window (typically 24 hours), Ranked earns a small commission.
  • No personal data is shared with affiliate partners. The affiliate link contains only a partner ID and the destination URL. Your Ranked profile, ratings, and browsing history are never shared.
  • Affiliate links do not change the price you pay for any service.

Affiliate link placements are disclosed in-app with an informational tooltip near the "Where to Watch" section.

6. Data Storage and Security

  • All data is stored in a Supabase database hosted on Amazon Web Services (AWS) in the EU West (Ireland) region.
  • All database tables use Row Level Security (RLS), meaning users can only read, write, and delete their own data.
  • Passwords are handled entirely by Supabase Auth and are never stored in plaintext.
  • Spotify OAuth tokens are stored in a private table with RLS policies that prevent any user from accessing another user's tokens.
  • Avatar images are stored in Supabase Storage with RLS policies restricting uploads to the file owner.
  • All communication between the app and our servers uses HTTPS encryption.

7. Data Retention and Deletion

  • Active accounts: Your data is retained as long as your account is active.
  • Account deletion: You can delete your account at any time from Settings in the app. Account deletion is a full cascade delete that removes:
    • Your profile, ratings, reviews, list entries, favorites, and ranked lists
    • All social data (follows, challenges, notifications)
    • Connected account tokens
    • Achievement data and AI usage records
    • Avatar files from storage
    • Your authentication record

    This process is irreversible. The deletion is executed server-side via a secure database function.

  • Backup retention: Standard database backups maintained by Supabase may retain deleted data for a limited period per Supabase's data retention policy, after which it is permanently purged.

8. Your Rights (GDPR and Global Privacy Rights)

If you are located in the European Union, European Economic Area, United Kingdom, or another jurisdiction with applicable data protection laws, you have the following rights:

8.1 Right to Access

You can request a copy of all personal data we hold about you.

8.2 Right to Rectification

You can update your profile information (username, bio, avatar, social links) at any time in the app. For other data corrections, contact us.

8.3 Right to Erasure ("Right to Be Forgotten")

You can delete your account and all associated data through the in-app Delete Account feature (Settings). You may also contact us to request deletion.

8.4 Right to Data Portability

You can request an export of your data in a structured, machine-readable format. Contact us to make this request.

8.5 Right to Restrict Processing

You can request that we limit how we process your data in certain circumstances.

8.6 Right to Object

You can object to processing of your data where we rely on legitimate interests.

8.7 Right to Withdraw Consent

Where processing is based on consent (e.g., connecting Spotify, personalized advertising), you can withdraw consent at any time by disconnecting the service in Settings or changing your ad preferences.

8.8 Right to Opt Out of Personalized Advertising

You can opt out of personalized advertising at any time:

  • iOS: Go to Settings > Privacy & Security > Tracking, and disable tracking for Ranked. Alternatively, deny the App Tracking Transparency prompt when it appears.
  • Android: Go to Settings > Google > Ads > Delete advertising ID or opt out of Ads Personalization.
  • In-app (EU/EEA): Withdraw your GDPR consent for personalized ads in Ranked Settings.
  • Opting out does not remove ads - you will see non-personalized (contextual) ads instead. To remove ads entirely, upgrade to Ranked+.

8.9 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Legal Basis for Processing (EU/EEA Users)

  • Contract performance - processing necessary to provide the service you signed up for (account, ratings, lists, social features)
  • Consent - optional features like connecting Spotify, using AI features, or personalized advertising
  • Legitimate interest - improving the app, preventing abuse

9. Children's Privacy

Ranked is not intended for children under the age of 16.

We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

10. International Data Transfers

Your data is stored on servers located in the EU West (Ireland) region. If you access Ranked from outside this region, your data may be transferred internationally. We rely on Supabase's infrastructure and contractual safeguards to protect data during such transfers.

For EU/EEA users: where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top and, where appropriate, notify you in the app (e.g., via the What's New modal).

Your continued use of Ranked after changes are posted constitutes acceptance of the updated policy.

12. Contact and Supervisory Authority

If you have questions about this Privacy Policy or your personal data, contact us at:

Email: [email protected]

Mailing Address: Daniel Schreiner, Rostocker Str. 39a, 49090 Osnabrueck, Germany

If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. For users in Lower Saxony, Germany, the competent authority is:

Die Landesbeauftragte fuer den Datenschutz Niedersachsen

Prinzenstrasse 5, 30159 Hannover, Germany

Website: www.lfd.niedersachsen.de

This privacy policy applies to the Ranked mobile application available on the Apple App Store and Google Play Store.