Privacy Policy

This Privacy Policy explains what personal data Stobi collects, how we use it, with whom we share it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018). We aim to be plain-spoken, not lawyerly, while staying complete.

1. Data controller

The controller of your personal data is:

• Violetta Suokas (sole trader), based in Helsinki, Finland
• Contact for privacy matters: hello@stobi.app

No Data Protection Officer has been appointed; Stobi does not meet the criteria set out in Art. 37 GDPR. Please send all data-protection requests to the email above.

2. What data we collect

• Account data — email address, username, optional avatar photo, optional character name, year of birth (for age verification).
• Authentication data — if you sign in with Apple or Google, we receive a stable user identifier and (optionally) a relay email. We do not see your password.
• Location — precise GPS coordinates while you hide or find a stone, used to verify proximity. Stones on the public map are shown with a randomized offset so other users cannot see exact coordinates.
• Photos — pictures you upload of stones you paint, hide, or find, and any photos you share in chat. EXIF metadata (including GPS) is stripped on upload.
• Activity — stones hidden, stones found, comments, likes, reports, achievements, diamond balance, in-app purchases, and Premium subscription state.
• Chat content — messages you send in community chat and conversations with the Stobi AI companion.
• Device data — device model, OS version, app version, and a push-notification token (if you opt in).
• Crash & usage analytics — error stack traces, performance metrics, and product events (e.g. "opened map", "completed onboarding") linked to your account ID. We do not use any advertising identifier (no IDFA, no GAID), and analytics are not shared with ad networks.

3. Why we use it, and the legal basis

We process personal data on the following legal bases under Art. 6 GDPR:

• Performance of a contract (Art. 6(1)(b)) — creating and operating your account, showing stones on the map, verifying finds, processing in-app purchases and subscriptions, delivering chat.
• Legal obligation (Art. 6(1)(c)) — keeping minimum financial records of purchases, responding to law-enforcement requests where legally required, and honoring your GDPR rights.
• Legitimate interest (Art. 6(1)(f)) — fraud prevention, abuse detection, AI-based photo verification of stone matches, NSFW moderation, crash diagnostics, product analytics, and protecting the safety of our community. You can object at any time (see § 8).
• Consent (Art. 6(1)(a)) — sending push notifications, accessing precise location, and accessing your photo library. You can withdraw consent any time in your device settings; withdrawal does not affect prior processing.

4. Automated processing

Two automated steps run on user-submitted content:

• Find verification — when you photograph a stone you claim to have found, an image-similarity model (CLIP-based) compares it to the stone's published photos and either auto-confirms the find or asks the original author to confirm manually.
• NSFW & safety moderation — every uploaded photo is scored by AWS Rekognition for explicit, violent, or unsafe content. Photos that fail moderation are blocked from upload; no human reviewer sees them.

These checks have legal effect only on the specific upload; they do not profile you. You have the right to request human review of any automated decision that affects you (Art. 22 GDPR) — email hello@stobi.app.

5. Sub-processors and sharing

We share personal data only with the service providers needed to run Stobi. Each acts as our processor under a written Data Processing Agreement (DPA).

• Supabase, Inc. — database, authentication, file storage, and edge functions. Servers in the EU (Frankfurt, eu-central-1). Receives all account, activity, photo, and chat data.
• Apple Inc. — Sign in with Apple, App Store In-App Purchases, push notifications via APNs. Receives the data Apple requires to process those services.
• Google LLC — Google Sign-In and Google Play In-App Billing (Android). Push notifications via Firebase Cloud Messaging. Receives the data Google requires to process those services.
• RevenueCat, Inc. — subscription state management. Receives a pseudonymous UUID and purchase events; never your email or username.
• Amazon Web Services, Inc. — AWS Rekognition runs automated NSFW moderation on uploaded photos. Images are sent for analysis and are not stored by AWS.
• Anthropic PBC — when you chat with the Stobi AI companion, the conversation is sent to Anthropic's Claude API to generate replies. Anthropic does not use Stobi conversations to train its models.
• Mapbox, Inc. — basemap rendering and geocoding. Receives map tile requests with approximate location.
• Sentry, Inc. (Functional Software) — crash and error telemetry. Receives stack traces and a pseudonymous user UUID only — never your email or username.
• Expo / EAS — over-the-air update delivery. Receives device model, OS, and app version when checking for updates.
• Other users of Stobi — your username, avatar, stones, comments, likes, and public chat messages are visible to the community by design.

We do not sell personal data and we do not share it with advertising networks.

6. International transfers

Some sub-processors (Apple, Google, RevenueCat, AWS, Anthropic, Mapbox, Sentry, Expo) are based in the United States. Transfers outside the EEA are protected under the EU–US Data Privacy Framework where the provider is certified, and otherwise under the EU Standard Contractual Clauses (Commission Decision 2021/914) together with supplementary measures (encryption in transit and at rest, pseudonymization where feasible). A copy of the relevant transfer mechanism is available on request.

7. How long we keep your data

• Account, profile, stones, comments, chat — for as long as your account exists.
• After account deletion — your profile, photos, comments, and chat are removed within 30 days. A minimal anonymized record of past purchases (transaction ID, date, amount) is retained for up to 6 years to meet Finnish bookkeeping obligations (Kirjanpitolaki 1336/1997).
• Crash & analytics events — 90 days, then aggregated.
• Push tokens — until you revoke notification permission or delete the app.
• Moderation flags & safety logs — up to 12 months to identify repeat offenders.

8. Your rights

Under the GDPR you have the right to:

• Access — request a copy of the personal data we hold about you (Art. 15).
• Rectification — correct inaccurate data (Art. 16). Most fields are editable in-app.
• Erasure — delete your account and associated data via Settings → Delete account, or by emailing us. Effective within 30 days (Art. 17).
• Restriction — ask us to limit processing while a dispute is resolved (Art. 18).
• Portability — receive your data in a machine-readable format (JSON), or have it transmitted to another controller where technically feasible (Art. 20).
• Object — object to processing based on legitimate interest, including analytics and automated moderation (Art. 21).
• Withdraw consent — for processing based on consent (push, precise location, photo library). Withdrawal does not affect prior processing (Art. 7).
• Not be subject to solely automated decisions — including the right to human review of find verification or moderation outcomes (Art. 22).

To exercise any of these rights, email hello@stobi.app. We will respond within 30 days. If you believe we have mishandled your data you may lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, Lintulahdenkuja 4, 00530 Helsinki, tietosuoja.fi) or with the supervisory authority in your country of residence.

9. Children

Stobi is for users aged 13 and over. We collect year of birth at sign-up and block accounts that report an age below 13 (the digital-services age of consent set by Finland under Art. 8 GDPR). If you believe a child under 13 has created an account, email hello@stobi.app and we will delete it. Stobi is not directed to children under 13 within the meaning of the U.S. Children's Online Privacy Protection Act (COPPA).

10. Security

We use HTTPS in transit and AES-256 encryption at rest on Supabase storage. Passwords are hashed; we never store them. Access to production data is restricted to the controller and is logged. We will notify affected users and the Tietosuojavaltuutettu of a personal-data breach within 72 hours where required by Art. 33 GDPR.

11. Cookies and tracking

The Stobi mobile app does not use cookies. The Stobi website (stobi.app) does not set tracking or analytics cookies; only essential cookies for language preference may be used. We do not use any third-party advertising or cross-site tracking.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will change, and material changes will be announced in the app at least 14 days before they take effect. Continuing to use Stobi after a change means you accept the updated policy.

13. Contact

Privacy questions, data-subject requests, or other concerns: hello@stobi.app.