This Privacy Policy explains how GoStox ("we", "us", "our", "the App") collects, uses, discloses, and safeguards your personal data when you use the mobile application. We are committed to complying with the EU General Data Protection Regulation (GDPR) and applicable national privacy laws.
Controller of your personal data:
Thomas Zenkner
Bergweg 20b
61440 Oberursel
Germany
Contact for privacy matters:
We have not appointed a Data Protection Officer (DPO) because we do not meet the statutory thresholds of Article 37 GDPR.
This policy applies to the GoStox mobile application on iOS and Android. It covers all personal data we process when you install, register for, use, or contact us about the App.
GoStox is a gamified financial-literacy simulation. We do not offer investment advice, brokerage services, or real-money trading. All in-app stocks, portfolios, and rankings are simulated.
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Email address (for email sign-in or Apple Sign-In) | Account creation, authentication, service communication | 6(1)(b) — contract |
| Username / display name | In-app identification, leaderboards, social features | 6(1)(b) — contract |
| Password (hashed; we never see plaintext) | Account authentication | 6(1)(b) — contract |
| Apple ID / Google ID token | Single sign-on authentication | 6(1)(b) — contract |

| Data | Purpose | Legal basis |
|---|---|---|
| Virtual portfolio, watchlists, game history, match records, friend relationships, badges, learning progress, leaderboard position, settings | Deliver core App functionality | 6(1)(b) — contract |
| Crash diagnostics, performance metrics, anonymised usage events | Improve stability, identify bugs, measure feature adoption | 6(1)(f) — legitimate interest in reliable service |
| Device identifier, operating system version, app version, language, country | Localisation, compatibility checks, fraud prevention | 6(1)(f) — legitimate interest |
We use the following third-party services to deliver GoStox. Each is a separate data processor bound by a Data Processing Agreement (DPA) with us, and each has its own privacy policy linked below.
| Firebase service | What it does | Data involved |
|---|---|---|
| Firebase Authentication | Account sign-in (email, Google, Apple, anonymous) | Email, auth tokens, user UID |
| Realtime Database | Stores your profile, portfolio, game state, friends, rankings | Everything you generate in-app |
| Cloud Functions | Executes server-side logic (price lookups, matchmaking, leaderboard updates) | Inbound requests + server-side processing |
| Cloud Storage | Stores user assets (e.g. avatars, if any) | User-uploaded images |
| Analytics for Firebase | Aggregated usage metrics (anonymised) | Pseudonymous user ID, screen views, feature events |
| Crashlytics | Crash and non-fatal error reports | Device model, OS, stack traces, pseudonymous user ID |
Provider: Google Ireland Limited (EU-based for European users; SCC + adequacy decision apply for any US transfers)
Privacy policy: policies.google.com/privacy
DPA: cloud.google.com/terms/data-processing-addendum
Data region: europe-west1 (Belgium) for Cloud Functions; global for Analytics & Crashlytics
When you purchase a subscription:
GoStox uses EOD Historical Data (EODHD) for stock prices, fundamentals, and market indicators. This data is requested server-side by our Cloud Functions — your personal data is never sent to EODHD. The provider sees only server-to-server traffic from our infrastructure.
| Data category | Retention |
|---|---|
| Account profile, portfolio, game history, friends | For as long as your account exists, until you delete it |
| Analytics events (Firebase Analytics) | Up to 14 months (Google default), aggregated |
| Crash reports | Up to 90 days |
| Subscription records (RevenueCat) | Duration of subscription + as long as required for consumer protection / tax law (up to 10 years under German Handelsgesetzbuch) |
| Backups | Rolling backups may retain data for up to 35 days after deletion |
Deletion rights — you may delete your account in-app at any time (feature available from version 1.x onward, per GDPR Article 17). Upon deletion, we cascade-remove your personal data from our systems within 30 days, except where we are legally required to retain specific records (e.g., tax records for subscription transactions).
| Right | How to exercise |
|---|---|
| Access (Art. 15) — get a copy of what we hold about you | Email privacy@gostox.app |
| Rectification (Art. 16) — correct inaccurate data | In-app Settings, or email us |
| Erasure / "right to be forgotten" (Art. 17) | In-app: Settings → Account → Delete Account (launching in v1.x). Also via email. |
| Restriction (Art. 18) — limit how we use your data | Email us |
| Portability (Art. 20) — receive your data in a structured, machine-readable format | Email us |
| Objection (Art. 21) — object to processing based on legitimate interest | Email us |
| Withdraw consent (Art. 7) — for ads / consent-based processing | Device ad tracking settings + in-app consent prompt |
| Complain to a supervisory authority (Art. 77) | See Section 10 below |
We will respond to any rights request within one month (extendable by two months for complex requests per Art. 12(3)).
Some of our processors are based outside the EU/EEA (notably RevenueCat in the USA). For any such transfer we rely on one or more of the following legal bases:
Google Ireland Limited handles the majority of our processing within the EU and has its own SCC and adequacy-based mechanisms for any onward transfers to Google LLC (USA).
GoStox is intended for users 16 years or older. This is the age of digital consent in Germany under § 8 BDSG (equivalent to the GDPR Article 8 default threshold).
We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child under 16 has provided us with personal data, please contact us at privacy@gostox.app — we will delete the data promptly.
We implement technical and organisational measures to protect your data, including:
Despite these measures, no system is 100% secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify you and the competent supervisory authority within 72 hours (GDPR Article 33).
You have the right to lodge a complaint with a data protection supervisory authority if you believe we have processed your data unlawfully.
Competent authority for GoStox (controller based in Hesse, Germany):
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany
Website: datenschutz.hessen.de
If you reside in another EU member state, you may also contact your local data-protection authority — the full EDPB directory is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
If you visit gostox.app (our website), we may use strictly necessary cookies for functionality. We do not use analytics or advertising cookies on the website itself. The mobile app does not use web cookies.
We may update this policy from time to time to reflect changes to our services or applicable law. The "Last updated" date at the top of this policy always shows when it was most recently revised.
For material changes, we will notify you via an in-app prompt or by email before the changes take effect. Continued use of the App after the effective date constitutes acceptance of the updated policy.
GoStox does not make any automated decisions with legal or similarly significant effects on you (GDPR Article 22). Our ranking and matchmaking algorithms operate on in-app simulated data and do not affect your legal status, credit, or real-world circumstances.
For any question, concern, or rights request regarding this policy: