Privacy Policy

1. Controller and contact

The controller responsible for data processing in connection with this Platform (within the meaning of the EU General Data Protection Regulation – GDPR) is:
Zanarkand Dev
Lindenstr. 50
44577 Castrop-Rauxel
Germany

Email: sendhelpbro@prank-your-friends.com
If you have any questions about this Privacy Policy or how we process your data, you can contact us using the above details.

2. Categories of data we process

We process different types of personal data depending on how you use the Platform. In particular:

• Account data: email address, password hash or login tokens, basic profile information, referral code, XP and level information.
• Usage data: sessions, generation jobs, room photo analysis results, feature usage events, referral events, error logs.
• Media data: room photos you upload, prank outputs associated with your account, and optional submissions (for example for TikTok or featured galleries).
• Payment data: high‑level payment and credit usage information (such as payment status, amount, currency, credit packs purchased). Full payment details (for example card numbers) are processed by our payment provider, not by us directly.
• Technical data: IP address, browser/user‑agent information, basic device information and log data generated when interacting with our web app and APIs.

3. Purposes and legal bases

We process personal data for the following purposes and on the following legal bases:

• Providing the Platform, including authentication, credit accounting, XP/level system and prank generation – Art. 6(1)(b) GDPR (performance of a contract).
• Processing payments via external payment providers and allocating purchased credits – Art. 6(1)(b) and (f) GDPR (contract performance and legitimate interest in secure payment processing).
• Security and abuse prevention: detecting misuse, fraud and technical issues – Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation).
• Referral and XP features: tracking referral events and XP‑related actions in order to award credits or XP – Art. 6(1)(b) GDPR where necessary to fulfil the feature rules, otherwise Art. 6(1)(f) GDPR.
• Voluntary submissions (for example TikTok or featured‑prank submissions) – based on your consent (Art. 6(1)(a) GDPR) and our legitimate interest in promoting the Platform (Art. 6(1)(f) GDPR).

4. Recipients and third‑party services

We use several infrastructure and service providers to operate the Platform. Depending on your use, personal data may be processed by the following categories of recipients:

• Hosting and database providers (for example Supabase) for authentication, storage and data persistence.
• Payment providers (for example Stripe) for handling payments and credit packs.
• AI infrastructure providers used to run image generation and analysis.
• Analytics and logging services to understand performance and errors and improve the Platform.

Where required by law, we conclude data processing agreements and – for international transfers – appropriate safeguards such as Standard Contractual Clauses.

5. Storage periods

We store personal data only for as long as necessary to fulfil the above purposes or as required by statutory retention obligations. In particular:

• Account data is kept for the lifetime of your account and then deleted or anonymised, unless legal retention periods apply.
• Payment‑related records may be stored for up to ten years under commercial and tax law.
• Log and diagnostic data is usually kept only as long as necessary to analyse issues and maintain security.

6. Your rights under the GDPR

As a data subject you have, under the conditions of the GDPR, the following rights:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing based on Art. 6(1)(e) or (f) GDPR (Art. 21 GDPR)
• Where processing is based on consent: the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR).

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement.

7. Updates to this Privacy Policy

We may update this Privacy Policy from time to time, for example if we introduce new features or if legal requirements change. We will indicate the date of the last update at the top of this page and, where appropriate, inform registered users via the Platform.