Privacy Policy

Controller and contact

The controller is the SideMissions operator. Controller legal name, postal address, and privacy contact must be completed before production release.

Privacy requests should be sent to the privacy contact shown by the app operator once production contact details are configured.

Data we process

SideMissions processes the name or alias you enter, journey names and settings, participant lists, invite codes, challenge text, proof descriptions, uploaded or selected proof media, journey pictures, progress, phase status, language and appearance settings, device session identifiers, install identifiers, request metadata, and operational logs.

The app does not require precise location data. If you include locations, faces, names, or other personal information in journey text, pictures, videos, or proof descriptions, that content may become personal data shared with the journey members.

Why we use data

We use data to create and manage journeys, let invited members join, show challenges and recap material to journey members, protect host and participant permissions, operate the backend, prevent misuse, debug problems, and improve reliability.

SideMissions does not sell personal data and does not use third-party advertising tracking.

Legal basis

Where GDPR applies, the main legal bases are performance of a contract or requested service for the core app flow, legitimate interests for security, fraud prevention, operations, and service improvement, and consent or device permission where you choose to access photos, videos, camera, or notifications.

Sharing and hosting

Journey content is shared with the host and members of the same journey. Backend hosting and infrastructure providers process data only to operate SideMissions.

The planned production backend is hosted on DigitalOcean. The exact server region, subprocessors, and any transfer safeguards must be documented before public release.

Media

Pictures and videos can contain sensitive information about you or other people. Upload or share media only when you have the right to do so and when the people shown are comfortable with that use.

Production media uses private storage with backend-issued short-lived upload and read URLs. Development builds may use local signed storage for emulator testing.

Retention and deletion

Journey data is kept while needed to provide the journey, recap, security, troubleshooting, and backup functions. Hosts can delete journeys, and participants can leave journeys from the app.

Production retention periods for accounts, journeys, proofs, backups, logs, deleted data, and inactive journeys must be finalized and documented before public release.

Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, object to processing, receive a portable copy of your data, withdraw consent where processing is based on consent, and lodge a complaint with a data protection authority.

Requests will be handled through the configured privacy contact. GDPR requests should generally receive a response within one month.

Security

Production traffic should use HTTPS. The backend enforces membership and host permissions, media uploads use signed URLs, and the app stores session material using device secure storage where available.

No system is perfectly secure. Please avoid uploading content that would create serious harm if seen by the wrong person until retention controls, monitoring, and incident-response procedures are complete.

Children

SideMissions is not designed for children below the digital consent age that applies in their country. Parents or guardians should supervise any use by minors.

Automated decisions and AI

SideMissions does not make legally significant automated decisions about users. Current challenge suggestions are template-based. If AI suggestions are added later, the privacy policy and product documentation must explain the provider, data use, and safeguards.

Changes

We may update this policy when the product, backend, hosting, media storage, notifications, or legal requirements change. The app should show the latest effective date.