Privacy Policy

Effective date: March 18, 2026 · Last updated: March 18, 2026

This Privacy Policy explains how Rumbla ("we", "our", or "us") collects, uses, and protects your personal data when you use the Rumbla mobile application and website at rumbla.app. Rumbla is operated by Francisco Pizzuto, based in Copenhagen, Denmark.

We are subject to the General Data Protection Regulation (GDPR) as a data controller operating within the European Union.

1. Data We Collect

1.1 Account data

When you create an account, we collect your name, email address, and profile photo (optional). If you sign in with Apple, we receive a unique identifier and optionally your name and email.

1.2 Location data (GPS)

Rumbla requires access to your device's GPS to function. During an active run, we collect your precise GPS coordinates in real time to calculate which H3 hexagonal cells you have traversed. Location tracking is only active during an active run session — we do not track your location in the background when you are not running.

1.3 Territory and gameplay data

We store the H3 hexagon identifiers (not raw GPS coordinates) that represent your conquered territory, including timestamps of conquest and previous ownership.

1.4 Activity and run data

We store metadata about your runs: distance, duration, pace, and hexagons conquered or stolen during each session.

1.5 Social data

If you connect with other users, we store your social graph, posts, reactions, and comments.

1.6 Device and technical data

We collect device type, OS version, app version, and crash/error logs for stability and debugging. We do not use this data for advertising.

1.7 Communications

If you join our waitlist or contact us, we store your email address and message content.

2. How We Use Your Data

Purpose	Legal basis
Provide and operate the Rumbla service	Performance of contract (Art. 6(1)(b) GDPR)
Real-time territory tracking during runs	Performance of contract
Send notifications about stolen zones, friend activity, streak reminders	Performance of contract + Legitimate interest
Send transactional emails	Performance of contract
Improve the app and fix bugs	Legitimate interest (Art. 6(1)(f) GDPR)
Comply with legal obligations	Legal obligation (Art. 6(1)(c) GDPR)

We never sell your data. We never use your data for advertising.

3. Data Storage and Processors

Provider	Role	Location
Supabase	Database, authentication, real-time infrastructure	EU (Ireland / eu-west-1)
Resend	Transactional email delivery	EU (Ireland / eu-west-1)
Netlify	Website hosting (rumbla.app)	Global CDN
Mapbox	Map rendering	Global CDN
Apple	Sign in with Apple authentication	Global

4. Data Retention

• Account data: Active account lifetime + 30 days post-deletion.
• Run and territory data: Active account lifetime.
• Waitlist data: Until app launch or deletion request.
• Crash logs: 90 days.
• Email communications: 12 months.

5. Your Rights Under GDPR

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Correct inaccurate data in the app or by contacting us.
• Right to erasure: Delete your account from Settings → Delete Account. Processed within 30 days.
• Right to data portability: Export your data from Settings → Export Data.
• Right to restriction and objection: Contact us at any time.
• Right to withdraw consent: Where processing is consent-based, you can withdraw at any time.

Contact us at info@rumbla.app. We respond within 30 days.

You also have the right to lodge a complaint with: datatilsynet.dk

6. Cookies

See our Cookie Policy. The Rumbla mobile app does not use cookies.

7. Children

Rumbla is not directed at children under 13. Contact us to delete any such data.

8. Changes to This Policy

We will notify you of material changes at least 14 days before they take effect.

9. Contact

Data controller: Francisco Pizzuto · Copenhagen, Denmark
info@rumbla.app · rumbla.app