Privacy Policy

Effective date: April 25, 2026

Last updated: April 25, 2026

Table of Contents

  1. Data Controller
  2. What Data We Collect
  3. Legal Basis for Processing
  4. Where Your Data Lives
  5. Third-Party Services
  6. Data Processing Agreement (DPA)
  7. International Data Transfers
  8. Who Can See Your Data
  9. Data Retention
  10. Security Measures
  11. Cookies & Tracking
  12. Your Rights (GDPR/CCPA)
  13. How to Delete Your Data
  14. Children's Privacy
  15. Data Breach Notification
  16. Automated Decision-Making
  17. Changes to This Policy
  18. Contact Us

This Privacy Policy explains how LevelUp Life ("we", "us", or "our") collects, stores, uses, and protects your personal data. We believe in transparency and keeping things simple. This policy applies to the LevelUp Life web application and all related services.

1. Data Controller

The data controller responsible for your personal data is:

LevelUp Life

Email: samauskasnojus@gmail.com

If you have questions about how we process your data, contact us at the email above. We will respond within 30 days.

2. What Data We Collect

Account Information (Optional)

If you choose to create an account and sign in:

  • Email address (used solely for authentication and account recovery)
  • Password (hashed with bcrypt by Supabase; we never see or store the plaintext)

Game Progress Data

Your journey data is stored to provide and improve the service:

  • Your display name and avatar (as you set them — not your real name)
  • Level, XP, streaks, and stats
  • Completed missions, achievements, and challenge history
  • Inventory, gold, and equipped items
  • Habit tracking data and preferences
  • App settings and notification preferences
  • Assessment answers (used to personalize your experience)

Subscription & Payment Data (Optional)

If you upgrade to LevelUp Life Pro:

  • Subscription tier and status (free/pro)
  • Upgrade date and expiration date
  • Payment method details are handled by the payment provider — we do not store your credit card number or banking details

Social Features (Optional)

If you opt in to social features:

  • Your public profile (username, avatar, level)
  • Friends list and friend challenge data
  • Leaderboard entries

Usage Data (Automatically Collected)

When you use the app, we automatically collect:

  • Browser type and version
  • Device type (desktop/mobile)
  • Pages/views accessed within the app
  • Date and time of interactions

This data is stored only on your device (localStorage) and synced to Supabase only if you sign in. We also store anonymous first-party marketing events locally (e.g. button clicks, onboarding completion) to improve the product — never sold or used for ads.

Data we do NOT collect:

  • Real name, phone number, or physical address
  • GPS or precise location data
  • Photos, camera, or microphone access
  • Contacts or address book
  • Credit card numbers or banking details (processed by payment providers only)
  • Sensitive personal data (health, ethnicity, religion, etc.)

4. Where Your Data Lives

On Your Device

By default, all your data is stored locally in your browser (localStorage and IndexedDB). This means your progress is private to your device and browser. Clearing your browser data will remove this information.

In the Cloud (If You Sign In)

If you create an account and sign in, your data syncs to Supabase (a secure cloud database hosted on AWS). This lets you access your progress across devices. See Section 5 for details.

5. Third-Party Services

We use the following third-party processors who may have access to your data:

Supabase Inc.

Data Processor

Purpose: Authentication, cloud database storage, and data sync

Data accessed: Email, password (hashed), game progress, social data

Location: AWS EU-West (Ireland) by default

Compliance: GDPR-compliant, SOC 2 Type II certified. Data processed under a Data Processing Agreement (DPA).

Privacy policy: supabase.com/privacy

CDN Providers (unpkg, cdnjs)

Service Provider

Purpose: Delivering open-source JavaScript libraries (Tailwind CSS, Lucide Icons)

Data accessed: IP address may be logged transiently for CDN delivery. No personal data is shared.

We do not share your personal data with any other third parties. We never sell your data.

5b. Data Processing Agreement (DPA)

Under GDPR Article 28, when a data controller (LevelUp Life) uses a data processor (Supabase Inc.) to handle personal data on its behalf, a Data Processing Agreement (DPA) must be in place.

Our DPA with Supabase

  • Status: Supabase Inc. acts as a data processor under GDPR Article 28. A DPA is established through Supabase's Terms of Service and Privacy Policy, which include data processing obligations.
  • Scope: Processing is limited to authentication, database storage, and data sync as described in Section 5.
  • Sub-processors: Supabase uses AWS (Amazon Web Services) for hosting. See supabase.com/privacy for the full sub-processor list.
  • Compliance: Supabase is SOC 2 Type II certified and GDPR-compliant. Data is hosted in the EU (AWS eu-west-1, Ireland) by default.
  • Data deletion: Upon account deletion, we instruct Supabase to remove all associated data within 30 days.

If you require a copy of the DPA or have questions about data processing arrangements, contact us at samauskasnojus@gmail.com. EU users can also request Supabase's DPA directly at supabase.com/contact.

6. International Data Transfers

If you use the app from outside the European Economic Area (EEA), your data may be transferred to and processed in the EU (Ireland) where our Supabase instance is hosted.

If you are an EEA resident, your data stays within the EEA by default (Supabase EU-West region). No data is transferred to countries without adequate data protection.

For users in jurisdictions with data localization requirements, we recommend using the app without signing in (local-only mode) to keep data on your device.

7. Who Can See Your Data

  • Your game progress: Only you
  • Your email address: Only you
  • Your assessment answers: Only you
  • Public profile (if you opt in): Friends you add
  • Leaderboard entries (if you opt in): Other players

We never sell, rent, or share your data with third parties for their own purposes. We don't use your data for advertising. We only access your data when you request support or when required by law.

8. Data Retention

Retention period by data type:

  • Account data (email, auth): Until you delete your account
  • Game progress & stats: Until you delete your account or clear local data
  • Subscription data (tier, dates): Until you delete your account or subscription expires
  • Social data (friends, leaderboards): Until you delete your account or opt out of social features
  • Local-only data (no account): Until you clear browser data or use "Clear All Data"
  • Data after account deletion: Deleted within 30 days from all systems

We do not retain your personal data longer than necessary. Once you delete your account, all associated data is permanently removed within 30 days.

9. Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit: All data is transmitted over HTTPS (TLS 1.2+)
  • Encryption at rest: Supabase/AWS encrypts all stored data (AES-256)
  • Password security: Passwords are hashed with bcrypt by Supabase — we never store or see plaintext passwords
  • Row-Level Security (RLS): Supabase RLS policies ensure users can only access their own data
  • Input sanitization: All user inputs are sanitized to prevent XSS and injection attacks
  • Minimal data collection: We only collect data necessary to provide the service

While we strive to protect your data, no system is 100% secure. We recommend using a strong, unique password for your account.

10. Cookies & Tracking

  • Authentication cookies. Purpose: Maintain your signed-in session (Supabase Auth). Duration: Session / 7 days
  • localStorage data. Purpose: Store game progress and preferences locally. Duration: Until manually cleared

We use no tracking cookies, no analytics cookies, and no advertising cookies. We do not use Google Analytics, Facebook Pixel, or similar ad-tracking services.

We may use optional, privacy-friendly analytics (such as Plausible) or first-party event counts stored in your browser to measure which features and pages are used — without building an advertising profile. If enabled, this collects only aggregated page views and custom events (e.g. "started app", "opened upgrade screen"), not your mission content or personal stats.

11. Your Rights (GDPR/CCPA)

Depending on your location, you have the following rights:

GDPR Rights (EEA Residents)

  • Right of Access (Art. 15): Get a copy of all data we hold about you
  • Right to Rectification (Art. 16): Correct inaccurate data
  • Right to Erasure (Art. 17): Delete your account and all associated data
  • Right to Data Portability (Art. 20): Export your data in a machine-readable format (Settings → Export Data)
  • Right to Restrict Processing (Art. 18): Limit how we use your data
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent (Art. 7): Withdraw consent for optional features at any time in Settings

CCPA Rights (California Residents)

  • Right to Know: Know what personal data we collect and how it's used
  • Right to Delete: Request deletion of your personal data
  • Right to Opt Out: Opt out of the sale of personal data — we never sell your data, so no action is needed
  • Right to Non-Discrimination: Exercising your rights will not result in discriminatory treatment

Right to Lodge a Complaint: If you believe we have mishandled your data, you have the right to complain to your local supervisory authority. EEA residents can find their authority at edpb.europa.eu. California residents can contact the California Attorney General.

To exercise any of these rights, use the in-app settings or contact us at samauskasnojus@gmail.com. We will respond within 30 days (or 45 days for CCPA requests).

12. How to Delete Your Data

Clear Local Data (No Account)

Open the app → Settings → scroll down → tap "Clear All Data". This removes everything from your device immediately.

Delete Account (Signed In Users)

To delete your account and all cloud data:

  1. Sign in to the app
  2. Go to Settings
  3. Tap "Delete Account" at the bottom
  4. Confirm deletion

Or email us at samauskasnojus@gmail.com with "Delete My Account" and your account email. We will process the request within 30 days.

Export Before Deleting

Before deletion, you can export your data via Settings → Export Data. This gives you a JSON file with all your progress, stats, and history.

Important: Account deletion is permanent and irreversible. All game progress, achievements, and social connections will be permanently removed within 30 days. We cannot recover your data once deleted.

13. Children's Privacy

LevelUp Life is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13.

Under GDPR (Article 8), children aged 13–15 in the EEA may use the service with parental consent. Under COPPA (US), we do not collect personal information from children under 13.

If we discover that we have collected personal data from a child under 13, we will delete it immediately. If you believe a child under 13 has provided us with personal data, please contact us at samauskasnojus@gmail.com.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33)
  • We will notify affected users without undue delay when the breach is likely to result in a high risk to your rights (GDPR Article 34)
  • Notifications will be sent via email to the address associated with your account

For local-only users (no account), a breach of cloud data would not affect you since your data never leaves your device.

15. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you.

The app uses algorithmic features (adaptive difficulty, mission recommendations, AI coaching tips) to personalize your experience. These are purely for game enjoyment and do not make decisions that affect your legal rights, credit, employment, or similar matters. You can disable these features in Settings at any time.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

  • Minor changes: Updated without notice. Check the "Last updated" date at the top.
  • Material changes: We will notify you via in-app notification at least 14 days before the change takes effect. Continued use after the effective date constitutes acceptance.

Previous versions of this policy are available upon request by emailing samauskasnojus@gmail.com.

17. Contact Us

Questions, concerns, or data requests? Reach out:

We will respond to all data subject requests within 30 days (GDPR) or 45 days (CCPA). For verification, we may ask you to confirm your identity before processing your request.

LevelUp Life is committed to protecting your privacy and data rights.

This policy is effective as of April 25, 2026.