Privacy Policy
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is the operator named in the Legal Notice.
2. Data Collected
We collect and process the following categories of personal data:
2.1 Registration Data
| Data | Purpose | Legal Basis |
| --- | --- | --- |
| Name | Display in profile, identification in groups | Performance of contract (Art. 6(1)(b) GDPR) |
| Email address | Authentication, verification, communication | Performance of contract |
| Password | Authentication (stored hashed, no plaintext) | Performance of contract |
| Profile picture (optional) | Display in profile and groups | Consent (Art. 6(1)(a) GDPR) |
2.2 Location Data
| Data | Purpose | Legal Basis |
| --- | --- | --- |
| City / District | Regional statistics ("How did your city vote?") | Consent |
| State / Country | National and international statistics | Consent |
| Coordinates (one-time) | Automatic assignment to city/district during registration via GPS or manual selection | Consent |
Location data is collected once during registration – either via the device's GPS sensor or through a manual location search (Google Maps Places API). The coordinates are used to determine the city/district/state/country information and are stored with the user profile.
2.3 Phone Number and Contact Data
- Phone number: Optionally provided during registration and stored as a SHA-256 hash. The plaintext number is not permanently stored on our servers.
- Contact access: If the user grants permission, phone numbers and email addresses from the address book are hashed locally on the device (SHA-256) and compared with stored hashes. No contact data in plaintext is transmitted to our servers.
2.4 Usage Data
| Data | Purpose | Legal Basis |
| --- | --- | --- |
| Song ratings / Rankings | Core app functionality, statistics generation | Performance of contract |
| Song ratings (1–10) | Individual song rating | Performance of contract |
| Group memberships | Comparison with friends, group features | Performance of contract |
| Group messages | Communication in groups (chat) | Performance of contract |
| Invite codes / Referral code | Referral program, group joining | Performance of contract |
| Blocked users | User protection, moderation | Legitimate interest (Art. 6(1)(f) GDPR) |
2.5 Technical Data
| Data | Purpose | Legal Basis |
| --- | --- | --- |
| FCM token (push notifications) | Delivery of push notifications | Consent |
| App version | Compatibility checks, bug fixing | Legitimate interest |
| Device language setting | Automatic language selection in the app | Legitimate interest |
Additionally, the following data is stored locally on the user's device: app settings, cached song/artist data (Deezer), and ranking drafts. This local data is not transmitted to servers unless the user actively publishes their ranking.
3. Contact Matching (Find Friends)
Contact matching works as follows:
- The user explicitly grants permission to access their contacts.
- Phone numbers are normalized on the user's device (country codes removed) and hashed with SHA-256.
- Only the hash values are sent to the server and compared with stored hashes.
- It is not possible to reverse-engineer the original numbers from the hash values.
- Contact matching only occurs when the user actively triggers it.
- Contact data (phone numbers, email addresses) is not stored on our servers.
- The user IDs of found matches are stored in the user profile to display their published ratings in the activity feed.
- These stored IDs are updated upon subsequent contact matching and removed upon account deletion.
- Revoking the contact permission prevents further matching; existing connections remain until the user deletes their account.
4. Data Processing and Data Processors
To provide the app, we use the following services and data processors:
| Service | Provider | Purpose | Data Transmitted | Server Location |
| --- | --- | --- | --- | --- |
| Supabase | Supabase Inc. | Authentication, database, file storage (profile pictures), Edge Functions | Account data, rankings, groups, messages, profile pictures | EU (eu-west) |
| Amazon SES | Amazon Web Services Inc. | Sending verification emails and password resets | Email address | EU |
| RevenueCat | RevenueCat Inc. | Management of in-app purchases and premium subscriptions | Anonymous user ID, purchase/subscription status, transaction ID | USA (EU Standard Contractual Clauses) |
| Firebase Analytics | Google LLC | Anonymized app usage statistics (no ad tracking) | Anonymized usage events | USA (EU Standard Contractual Clauses) |
| Firebase Cloud Messaging | Google LLC | Delivery of push notifications | FCM token | USA (EU Standard Contractual Clauses) |
| Google Maps API | Google LLC | Location detection during registration (Places Autocomplete, Reverse Geocoding) | Coordinates or search query (one-time) | USA (EU Standard Contractual Clauses) |
| Deezer API | Deezer SA | 30-second song previews, artist images | No personal data (content queries only) | EU (France) |
| Google Fonts | Google LLC | Font rendering | IP address (when loading fonts) | USA (EU Standard Contractual Clauses) |
For services based in the USA, EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR serve as the basis for data transfers to third countries.
5. Data Sharing with Third Parties
Personal data is not sold, rented, or shared with third parties for advertising purposes.
Data is only shared with the data processors listed in Section 4, which are technically necessary for operating the app, as well as in the following cases:
- When legally required (e.g., by order of an authority or court)
- To enforce our Terms of Service
- To protect the rights, property, or safety of the operator or other users
6. Data Subject Rights (GDPR)
Every user has the following rights:
- Right of access (Art. 15 GDPR): Right to information about stored data.
- Right to rectification (Art. 16 GDPR): Correction of inaccurate data. Many data points can be edited directly in the app (name, location, profile picture).
- Right to erasure (Art. 17 GDPR): Deletion of all personal data. Can be exercised directly in the app (see Section 7).
- Right to restriction of processing (Art. 18 GDPR): Restriction of processing under certain conditions.
- Right to data portability (Art. 20 GDPR): Export of personal data in a structured, commonly used format.
- Right to object (Art. 21 GDPR): Objection to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): Consent may be withdrawn at any time with effect for the future.
- Right to lodge a complaint: Right to complain to the competent supervisory authority – Austrian Data Protection Authority (www.dsb.gv.at).
To exercise your rights, please use our support chat or contact us by email (see Section 1).
7. Account Deletion and Data Erasure
- The account can be deleted directly in the app (Settings → Delete Account). To confirm, "DELETE ACCOUNT" must be typed.
- Upon deletion, all personal data is removed: profile, ratings, rankings, group memberships, group messages, contact connections, referral data, support requests, and notifications.
- Anonymized, aggregated statistical data (e.g., country results) may remain, as no individual user can be identified from it.
- Complete deletion occurs within 30 days of confirmation.
- Note: An active premium subscription must be cancelled separately in the respective app store.
8. Cookies and Tracking
- The app uses no advertising trackers and sets no cookies for advertising purposes.
- Firebase Analytics: The app uses Firebase Analytics by Google for anonymized usage statistics (e.g., number of active users, most-used features). This is not advertising tracking.
- iOS: Analytics data is only collected after explicit user consent via the App Tracking Transparency (ATT) dialog.
- Android: Anonymized usage statistics are collected by default. The user can disable this in device settings.
- The website (eurovisionscore.com) does not use cookies.
9. Push Notifications
- The app may send push notifications to inform the user about relevant events.
- Types: Group messages, published ratings from contacts/group members, referral status, ESC event reminders, support responses, and administrative messages.
- Push notifications are only sent with the user's explicit consent (opt-in).
- Firebase Cloud Messaging (FCM) is used for delivery. A device-specific FCM token is stored on our servers.
- FCM tokens are removed upon logout and deleted upon account deletion.
- The user can disable push notifications at any time in device settings.
10. Group Chat
- Within groups, users can exchange text messages. Messages are only visible to members of the respective group.
- Messages are stored on our servers (Supabase, EU).
- The author can edit and delete their messages.
- Upon account deletion, all messages from the user are removed.
11. Referral Program
- Each user receives a unique referral code.
- When a new user registers with a referral code, the connection between the inviting and invited user is stored (user IDs).
- Stored data includes: referral code, number of successful invitations, who invited whom.
- This data is used to provide the referral program (premium access with 5+ invitations) and is removed upon account deletion.
- Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
12. Data Security
- All connections between app and server use HTTPS/TLS encryption.
- Passwords are stored hashed (Supabase Auth, bcrypt).
- Phone numbers are stored exclusively as SHA-256 hashes.
- Database access is controlled via Row Level Security (RLS) – each user can only access their own data.
- Profile pictures are served via HTTPS from Supabase Storage.
- We take appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or misuse.
13. Minors
The app is not specifically targeted at children under 16 years of age. Use by persons under 16 requires the consent of a legal guardian. Should we become aware that personal data of a child under 16 has been collected without parental consent, it will be deleted immediately.
14. Changes to this Privacy Policy
We reserve the right to update this privacy policy as needed – for example, due to changes in legislation, new features, or modified data processing procedures. Significant changes will be communicated via email or in-app notification. The current version is always available at eurovisionscore.com/privacy.
15. Contact
For questions about data protection, please use our support chat.
Legal Notice / Impressum
Eurovision Score
Josef David Pucher
Ljuba-Welitsch-Promenade 12/44
1030 Vienna
Austria
VAT ID: ATU68336222
Email: contact@eurovisionscore.com
(This email address is equipped with an automatic response service. For inquiries, please use the support chat.)
Responsible for content pursuant to § 55(2) RStV:
Josef David Pucher, address as above