Privacy Policy

1. Introduction

This Privacy Policy describes how LaunchRank ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use our Service.

We are a sole proprietorship registered in Hungary, and we are committed to protecting your privacy in accordance with:

• EU General Data Protection Regulation (GDPR)
• Hungarian data protection laws
• Other applicable privacy regulations

2. Data Controller Information

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Email address: For account identification, authentication, and communication
• Username: For your public profile and app submissions
• Full name: For personalization and invoicing purposes
• Password: Securely hashed using bcrypt (we never store plain-text passwords)
• Profile information: Bio, ssocial media links (Twitter/X, GitHub, Website)
• Account status: Whether your account is active or disabled
• Registration date: When you created your account

3.2 Billing and Payment Information

When you make a purchase, we collect:

• Billing address: Street address, city, state/province, postal code, and country
• Payment transaction data: Amount, currency, payment status, transaction IDs (processed by Stripe)
• Stripe identifiers: Session ID, payment intent ID, customer ID
• Billingo partner ID: For Hungarian invoice generation

Important: We do NOT store your credit card details. All payment card information is processed and stored securely by Stripe, our PCI-DSS compliant payment processor.

3.3 Content Data

We store the apps, profiles, and user-generated content you create, including:

• App submissions: App names, descriptions, short descriptions, URLs, logos, product features, and tags
• User profiles: Bio, social media links (Twitter/X, GitHub, Website), username
• Engagement data: Upvotes, comments, follows, and social interactions
• Backlink exchange data: Anchor texts, link URLs, verification status, exchange requests
• Metadata: Launch schedules, app categories, view counts, feature flags (Founder Badge status, private follow settings)
• Timestamps: Creation and last modification dates
• Deletion status: Soft-delete flags for recovery purposes

3.4 Usage and Technical Data

We automatically collect:

• Authentication data: JWT tokens stored in secure, HTTP-only cookies
• Rate limiting data: Request counts to prevent abuse (stored in Redis)
• Session data: Temporary purchase intent data (stored in browser sessionStorage)
• App view tracking: Counts of how many times each app has been viewed
• Analytics data (optional): We may use analytics tools to understand how users interact with our Service, including page views, feature usage, and performance metrics. This helps us improve the Service and user experience.

Note: We do not use advertising trackers or sell your data to third parties. We do not track your browsing behavior outside our Service.

3.5 Email Communication Data

We process email addresses for:

• Transactional emails: Password resets, welcome emails, refund confirmations
• Invoices: Electronic invoices sent via Billingo
• Customer support: Responses to your inquiries

4. How We Use Your Information

4.1 Service Provision

• Create and maintain your account
• Authenticate your identity and secure your account
• Display your submitted apps on the leaderboard
• Track upvotes, comments, and app views
• Facilitate backlink exchanges between users
• Manage Hypeboard promotions and visibility features
• Enable social features (following, profile customization)
• Verify backlinks and monitor link status
• Provide technical support and customer service

4.2 Payment Processing

• Process one-time payments through Stripe for Hypeboard promotions and Founder Badges
• Generate electronic invoices through Billingo (Hungarian tax compliance)
• Handle refund requests and process refunds
• Apply discount codes when applicable
• Maintain payment records for accounting and tax purposes

4.3 Communication

• Send password reset emails with time-limited tokens
• Send welcome emails to new users
• Send refund confirmation emails
• Send invoices/receipts for purchases
• Respond to support inquiries

4.4 Security and Fraud Prevention

• Rate limiting to prevent abuse
• Detect and prevent fraudulent transactions
• Monitor for suspicious account activity
• Enforce password requirements (8+ chars, mixed case, numbers, special characters)

4.5 Legal Compliance

• Comply with GDPR, Hungarian, and EU data protection laws
• Comply with Hungarian tax and invoicing regulations
• Respond to legal requests and court orders
• Enforce our Terms of Service

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

6. Data Sharing and Third-Party Services

We share your data with the following trusted third-party service providers who help us operate the Service:

Important: We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

7. Data Retention

7.1 Active Accounts

We retain your personal data for as long as your account is active and you continue to use the Service. Since LaunchRank offers lifetime access to purchased features, your data is retained indefinitely unless you request deletion.

7.2 Deleted Content

• Soft-deleted apps: Marked as deleted but may be recoverable for a limited time
• Permanent deletion: Content may be permanently deleted after a reasonable period

7.3 Closed Accounts

After you close your account or request deletion:

• We will delete your personal data within 30 days
• Some data may be retained for legal or regulatory purposes (e.g., payment records for tax compliance)
• Anonymized usage data may be retained for analytics and service improvement

7.4 Legal Retention Requirements

Certain data must be retained to comply with legal obligations:

• Payment and invoice records: Retained for 8 years (Hungarian tax law requirement)
• Fraud prevention records: Retained as necessary to prevent future fraudulent activity

8. Cookies and Tracking Technologies

8.1 Analytics Cookies (Optional)

We may use analytics tools (such as Google Analytics or similar services) to understand how users interact with our Service. These tools may use cookies to collect:

• Page views and navigation patterns
• Feature usage statistics
• Time spent on pages
• Device and browser information
• General geographic location (country/city level)

Note: Analytics data is used solely to improve our Service and is typically anonymized or aggregated. You can opt-out of analytics tracking through your browser settings or by using browser extensions that block analytics cookies.

8.2 What We DON'T Use

We do NOT use:

• Advertising or marketing cookies for targeted ads
• Social media tracking pixels for advertising purposes
• Cross-site tracking technologies for ad networks
• Behavioral advertising networks
• Data brokers or third-party data selling

9. Data Security

We implement industry-standard security measures to protect your data:

9.1 Encryption

• In transit: All data transmitted over HTTPS/TLS encryption
• At rest: Database encryption provided by MongoDB Atlas
• Passwords: Hashed with bcrypt (10+ salt rounds, irreversible)

9.2 Access Controls

• Role-based access control (user/admin)
• JWT-based authentication with secure, HTTP-only cookies
• Rate limiting on all API endpoints
• Password reset tokens expire after 1 hour
• Purchase intent tokens expire after 5 minutes

9.3 Infrastructure Security

• Database hosted on secure MongoDB Atlas infrastructure
• Redis rate limiting via Upstash (cloud-based, encrypted)
• Payment processing via PCI-DSS compliant Stripe
• Regular security updates and patches

9.4 Fraud Prevention

• Stripe fraud detection and prevention
• Rate limiting to prevent brute-force attacks
• Webhook signature verification
• Account monitoring for suspicious activity

Note: While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your password and reporting any unauthorized access immediately.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

To exercise your rights, please contact us at hello@usegrand.app. We will respond to your request within 30 days as required by GDPR.

11. International Data Transfers

We are based in Hungary (EU), but some of our service providers are located outside the EU:

• Stripe (USA): Covered by Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework
• Resend (USA): GDPR-compliant data processing agreement

We ensure that all international data transfers comply with GDPR requirements through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions for certain countries
• Data processing agreements with GDPR compliance guarantees

12. Children's Privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at hello@usegrand.app. We will delete such information from our records.

13. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours (GDPR requirement)
• Notify affected users without undue delay if the breach poses a high risk
• Provide information about the nature of the breach and remedial actions taken
• Take immediate steps to contain and remediate the breach

14. Automated Decision-Making

We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

The only automated processes we use are:

• Rate limiting: Automatic blocking of excessive requests (abuse prevention)
• Fraud detection: Stripe's automated fraud screening (payment security)
• Backlink verification: Automatic verification of backlinks in the exchange system

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we do:

• We will update the "Last Updated" date at the top of this page
• We will notify you of material changes via email or through the Service
• We will provide a prominent notice on our website
• For significant changes, we may require your renewed consent

Your continued use of the Service after changes indicates your acceptance of the updated Privacy Policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

We will respond to your inquiry within 30 days as required by GDPR.