Navicore

Privacy Policy

Effective date: 10 May 2026 · Last updated: 10 May 2026

This Privacy Policy describes how Navicore (“we”, “us”, “the App”, the “Operator” / “Data Controller”) collects, uses, stores and shares information about you when you use our mobile application. Navicore is an independent project based in Ukraine. If you have any questions about this Policy, contact us at privacy@navicoreapp.com.

Summary in plain language. We collect the minimum data we need to run the App: your email and name, your in-app progress (XP, ranks, test results), and — if you grant permission — an advertising identifier so we can show personalized ads. We don't sell your data, we don't track you across other apps, and you can delete your account from inside the App at any time.

1. What information we collect

1.1 Account information

Email address — used as your account identifier and for password resets / magic-link sign-in.
Display name and optional country — shown to other users on leaderboards and in chat.
Avatar image (Premium feature only) — uploaded by you and stored in our object storage.
Authentication provider identifiers if you sign in with Apple or Google (subject identifier, name, email — whatever the provider releases to us).

1.2 In-app activity

Test results, completed question packs, mistakes, exam passes, daily challenges.
Earned XP, current rank, branch (deck / engine / etc.), streak count.
Subscription status (free / Pro) and expiration date.
Chat messages you post (visible to other users in the same rank-based channel).
Reactions, replies, reports, moderation actions.

1.3 Technical and security data

Device-attestation tokens from Apple App Attest (iOS) or Google Play Integrity (Android). These are short-lived cryptographic tokens that prove the App is genuine and unmodified. They contain no personal data about you.
Crash reports via Sentry — automatically captured stack traces, device model, OS version, and a randomly generated installation ID. We strip personally identifiable strings before storage where possible.
Server logs for security audit (rate-limit triggers, suspicious activity, ad-reward verification).

1.4 Advertising identifier (only if you opt in)

On iOS we use App Tracking Transparency: the first time you watch a rewarded ad we show the system prompt asking permission to use your device’s advertising identifier (IDFA). If you allow: Google AdMob may use the IDFA to show personalized ads. If you deny: only non-personalized ads are shown. You can change this choice at any time in iOS Settings → Privacy & Security → Tracking.

1.5 What we DO NOT collect

Location (GPS, IP-based geolocation, or any other).
Contacts, calendar, photos library (other than the single image you choose as avatar).
Microphone, camera, health data, or motion sensors.
Browsing history outside the App.

2. Why we use the data (legal basis under GDPR)

Purpose	Categories used	Legal basis (GDPR)
Provide core App functionality (sign-in, progress, leaderboard, chat)	Account info, in-app activity	Performance of contract (Art. 6(1)(b))
Process subscription payments	Account ID, subscription status	Performance of contract (Art. 6(1)(b))
Detect fraud, abuse, automated bots	Attestation tokens, server logs	Legitimate interest (Art. 6(1)(f))
Show personalized ads	Advertising identifier	Consent (Art. 6(1)(a)) — granted via ATT prompt
Show non-personalized ads	Limited ad metadata, no IDFA	Legitimate interest (Art. 6(1)(f))
Diagnose crashes and improve stability	Crash reports	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations	Whatever is required by law	Legal obligation (Art. 6(1)(c))

3. Third-party services we share data with

We use a small number of trusted third-party services to operate the App. We share with each of them only the minimum data they need to perform their function. None of them sell your data.

Service	Purpose	Data shared	Region
Supabase Inc.	Authentication, database, file storage, serverless functions	All account and in-app data	EU (Frankfurt, Germany)
RevenueCat Inc.	Subscription management and validation	App user ID, subscription receipts	USA
Apple Inc.	In-App Purchase, Sign in with Apple, App Attest, Push Notifications	Subscription receipts, attestation tokens, anonymous push token	USA / Ireland
Google LLC (AdMob)	Rewarded advertising, server-side reward verification	Advertising identifier (only with ATT consent), ad-view metadata	USA / EU
Google LLC (Play Integrity, OAuth)	Anti-fraud (Android), Sign in with Google	Integrity verdict tokens, OAuth profile	USA / EU
Functional Software, Inc. (Sentry)	Crash and error reporting	Stack traces, device model, anonymous installation ID	USA / EU (configurable)
Cloudflare, Inc.	Domain DNS, email forwarding, static-page hosting	Email message metadata when you contact us	USA / Global
Resend, Inc. (transactional email)	Outgoing emails (sign-in links, account notifications)	Your email address, message content	USA

For transfers outside the European Economic Area we rely on the Standard Contractual Clauses approved by the European Commission and additional safeguards each provider has in place.

4. How long we keep the data

Account data — until you delete your account, then permanently erased within 30 days (some encrypted backups may persist for an additional 30 days).
Chat messages — kept while your account exists; admins may delete individual messages for moderation.
Server security logs — automatically purged: ad-reward log 180 days, RevenueCat webhook log 90 days, attestation audit log 90 days, attestation challenges 1 day after expiry.
Crash reports — retained 90 days by Sentry.
Anonymous analytics aggregates (counts, daily-active stats) — retained indefinitely; do not contain personal data.

5. Your rights (GDPR Articles 15–22)

If you are a resident of the European Economic Area, the United Kingdom, Switzerland or Ukraine, you have the following rights:

Right to access (Art. 15) — request a copy of all personal data we hold about you. The App provides this directly: Profile → Settings → Export my data.
Right to rectification (Art. 16) — correct inaccurate data. Most fields are editable in Profile → Edit profile; for the rest contact us.
Right to erasure (Art. 17) — delete your account and all associated data. Use Profile → Settings → Delete account, or email privacy@navicoreapp.com.
Right to data portability (Art. 20) — receive your data in a machine-readable JSON format (provided by the same Export function).
Right to restrict processing (Art. 18) and right to object (Art. 21) — contact us.
Right to withdraw consent — you can revoke ATT permission in iOS Settings or remove notification permission at any time.
Right to lodge a complaint with a supervisory authority. In Ukraine: the Verkhovna Rada Commissioner for Human Rights. In the EU: the data-protection authority of your country of residence.

We respond to verified rights requests within 30 days, free of charge.

6. Children

The App is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has created an account, please contact us at privacy@navicoreapp.com and we will delete the account promptly.

7. Subscriptions

Premium subscriptions ($4.99 / month or $39.99 / year, with a 7-day free trial on the annual plan, prices may vary by region) are auto-renewable. They are billed by Apple to the payment method on your Apple ID. Manage or cancel at any time through iOS Settings → Apple ID → Subscriptions. Cancellation must be made at least 24 hours before the renewal date. Refunds are handled by Apple under their refund policy (support.apple.com/HT204084); we do not have direct access to your billing data.

8. Security

Data in transit is encrypted with TLS 1.2+. At-rest encryption is provided by our hosting providers. Passwords are never stored — authentication is handled by Supabase using salted hashes (bcrypt / argon2) or by Apple/Google's OAuth flows. Server-side row-level security ensures users can only read and modify their own records. Despite these measures, no system is 100% secure; if we discover a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33.

9. Changes to this Policy

If we change this Policy in a way that materially affects your rights, we will notify you in the App (release notes, in-app banner) and, if you have given permission, by push notification. The effective date at the top of this page will be updated. Continuing to use the App after the update means you accept the revised Policy.

10. Contact

Email: privacy@navicoreapp.com (privacy and data-protection requests).
Support: support@navicoreapp.com (general questions).
Operator details available on request.