Privacy Policy

1. INTRODUCTION

BlyxoParty (hereinafter "BlyxoParty", "we", "our") is committed to protecting the privacy of its users.

This Privacy Policy describes how we collect, use, retain, and protect your personal data when using

the BlyxoParty mobile application and the blyxoparty.com website.

It is established in compliance with Regulation (EU) 2016/679 of the

European Parliament and of the Council of 27 April 2016 (GDPR) and French Law No. 78-17 of 6 January 1978

as amended (Data Protection Act).

2. DATA CONTROLLER

Data Controller: Arthur Vidal

Application / Website: BlyxoParty — blyxoparty.com

Contact: contact@blyxoparty.com

3. PERSONAL DATA COLLECTED

3.1 Identity and Account Data

• OAuth provider identifier (Google ID or Apple ID)
• Email address (provided by the OAuth provider upon login)
• Username (chosen during onboarding)
• Profile picture / avatar URL (provided by the OAuth provider or manually uploaded by the user)
• Pseudonymized public identifier (public_id)
• Friend code (randomly generated alphanumeric code allowing your contacts to find you)
• Account status (created / active)
• Age indicator (adult / minor / not provided)

3.2 Preference Data

• Preferred interface language (French / English)
• Newsletter email subscription preference (opt-in / opt-out)
• Social suggestion preference (do_not_suggest: prevents appearing in friend suggestions)

3.3 Technical Data

• JWT authentication token (stored locally on your device)
• Push notification token — Expo Push Token (stored on our servers for sending notifications)
• IP address (server logs, temporary retention)
• Connection timestamps (last_login_at, created_at, updated_at)

3.4 Gameplay and Social Activity Data

• Created and joined game sessions (game type, settings, session code)
• Votes, answers, and actions taken during games
• Game statistics (games played, wins, win streaks)
• Friends list, sent and received friend requests, session invitations

3.5 Support Data

• Content of support tickets opened via the application (subject, messages exchanged with the support team)

3.6 Optional Music Integrations (if activated by the user)

• Spotify: Spotify account identifier, Spotify email address, library data (playlists, liked tracks) necessary for the music mode to function
• Apple Music: Apple Music access token, music library, necessary for the music mode to function

This third-party service data is only collected if you choose to enable the corresponding integration. It is deleted when you revoke the integration or delete your account.

4. LEGAL BASES FOR PROCESSING

Each processing operation is based on one of the following legal bases:

• Contract performance (Art. 6.1.b GDPR): Account creation and management, game and service operation, sending transactional emails (welcome, confirmation).
• Legitimate interest (Art. 6.1.f GDPR): Security, fraud and abuse prevention, service improvement, analysis of anonymized usage statistics.
• Consent (Art. 6.1.a GDPR): Sending newsletters and marketing communications; activating Spotify and Apple Music integrations. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal obligation (Art. 6.1.c GDPR): Data retention required by applicable regulations (connection logs, accounting and tax obligations).

5. PURPOSES OF PROCESSING

Your personal data is processed for the following purposes:

• Create, secure, and manage your user account
• Enable OAuth authentication (Google Sign-In, Apple Sign In)
• Enable gameplay, real-time multiplayer sessions, and social features (friends, invitations)
• Send push notifications (game invitations, friend requests, support responses, session updates)
• Send transactional emails (welcome email)
• Send newsletters and updates, if you have consented
• Ensure platform security and prevent abusive or fraudulent use
• Manage support tickets and user requests
• Comply with our legal and regulatory obligations
• Improve the application, fix bugs, and develop new features

6. DATA RECIPIENTS

We do not sell or rent your personal data to third parties. Your data may be transferred to the following subcontractors and partners strictly within the framework of providing the services:

• Google LLC (Google Sign-In / OAuth authentication)
• Privacy Policy: https://policies.google.com/privacy
• Apple Inc. (Apple Sign In / OAuth authentication, Apple Music)
• Privacy Policy: https://www.apple.com/legal/privacy/en/
• Spotify AB (optional music integration)
• Privacy Policy: https://www.spotify.com/en/legal/privacy-policy/
• Expo / Expo Application Services — EAS (push notification service)
• Privacy Policy: https://expo.dev/privacy
• OVHcloud (SMTP hosting for transactional emails)
• Privacy Policy: https://www.ovhcloud.com/en/personal-data-management/

These providers act as data processors and are required to process your data solely according to our instructions, in compliance with the GDPR.

Data may also be disclosed to competent authorities upon judicial or legal request.

7. TRANSFERS OUTSIDE THE EUROPEAN UNION

Some of our subcontractors (Google, Apple, Spotify, Expo) are based in the United States and may store or process your data outside the European Union.

These transfers are governed by appropriate safeguards in accordance with Chapter V of the GDPR, including:

• Standard contractual clauses adopted by the European Commission
• The Trans-Atlantic Data Privacy Framework for certified companies

You may obtain information about the applicable safeguards by contacting us at contact@blyxoparty.com.

8. RETENTION PERIODS

• Account data (identity, preferences, gameplay data):
• Retained for the entire duration of the account's existence, then deleted within 30 days following a deletion request or account closure.
• Push notification token:
• Deleted upon logout or account deletion.
• Music integration data (Spotify, Apple Music):
• Deleted upon integration revocation or account deletion.
• Support tickets:
• Retained for 3 years from ticket closure, in accordance with legal retention obligations.
• Server logs (IP address, access logs):
• Retained for a maximum of 12 months, in compliance with legal obligations.
• Welcome and transactional emails:
• Traces retained for 3 years for evidentiary purposes.

9. YOUR RIGHTS

In accordance with the GDPR and French Data Protection Act, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): Obtain a copy of your data.
• Right to rectification (Art. 16 GDPR): Correct inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR): Request deletion of your data, subject to legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR): Request temporary suspension of processing your data.
• Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR): Object to processing based on legitimate interest or for direct marketing purposes.
• Right to withdraw consent: Withdraw your consent at any time for processing based on this basis.
• Right to set post-mortem directives: Define instructions regarding the fate of your data after your death.

To exercise any of these rights, contact us by one of the following means:

• By email: contact@blyxoparty.com
• Via support tickets available in the mobile application
• Via the "Delete my account" button in the application settings

We will respond within a maximum of 30 days. In the case of complex or numerous requests, this period may be extended by an additional 60 days, with prior notice.

10. DATA SECURITY

BlyxoParty implements the following technical and organizational measures to protect your data:

• All communications between the application/site and our servers are encrypted via HTTPS/TLS.
• Access to the MySQL database is strictly restricted and secured.
• Authentication tokens (JWT) have a limited validity period (90 days) and are invalidated upon logout.
• Sensitive identifiers and secrets are managed via server environment variables (not exposed in source code).
• Third-party service passwords are never stored by BlyxoParty.
• The WebSocket server (ws.blyxoparty.com) is secured by an internal secret and is not publicly accessible.

In the event of a personal data breach posing a high risk to your rights and freedoms, we undertake to inform you as soon as possible, in accordance with Article 34 of the GDPR.

11. CHANGES TO THE PRIVACY POLICY

BlyxoParty reserves the right to modify this policy at any time, particularly to take into account legal, regulatory, or technical developments, or changes in application features.

The last update date is indicated at the top of this document. In the event of a material change, you will be informed by appropriate means (in-app notification, email). Continued use of the services after notification constitutes acceptance of the updated policy.

12. CONTACT

For any questions regarding this Privacy Policy or to exercise your rights:

Email: contact@blyxoparty.com