Privacy Policy
This Privacy Policy explains how Gorgeous Orchids (“we”, “us”) collects, uses, and shares information when you use our mobile app and related services (the “Service”). It also describes your privacy rights and choices.
Who we are
For the purposes of applicable data protection laws (including the GDPR where it applies), Gorgeous Orchids is the data controller for personal information processed through the Service. You can contact us via our contact form.
Summary (high level)
- We use Apple Sign-In / Google Sign-In to create and authenticate your account.
- We store gameplay and account data needed to run features like collections, albums, and trading.
- If you enable push notifications, we store device push tokens and use Firebase Cloud Messaging to deliver notifications.
- If you make in-app purchases, we verify purchases with Apple/Google and store transaction metadata to prevent fraud.
- We do not sell your personal information.
Information we collect
The types of information we process depend on how you use the Service.
Account and profile data
- Platform account identifier (Apple or Google) used to create your account.
- Email address and display name (if provided by your sign-in provider or if you choose to provide them).
Gameplay and community features
- Collection and album progress, inventory, and other in-app state.
- Trading-related data (for example, trade offers, trade status, and timestamps).
- Information that may be visible to other users in the context of trading/search features (for example, your display name and collection stats as shown in the app).
Purchase and transaction data
- Product identifiers, platform (iOS/Android), and transaction identifiers for in-app purchases.
- Purchase verification data (iOS receipt base64 / Android purchase token) is used to verify purchases with Apple/Google.
Push notification data (if enabled)
- Firebase Cloud Messaging (FCM) device tokens used to deliver push notifications.
Technical and security data
- Basic operational logs and security-related data needed to run and protect the Service.
Admin portal data (administrators only)
- Admin account credentials and session data (including a secure, HTTP-only session cookie and session expiry).
- Session metadata such as IP address and user agent may be collected for security.
How we use information
We use information for the following purposes:
- Provide the Service (account access, gameplay features, trading, customer support).
- Security and fraud prevention (prevent abuse, verify purchases, protect accounts).
- Operations (maintain, troubleshoot, and improve performance and reliability).
- Compliance (respond to lawful requests and meet legal obligations).
Legal bases (GDPR/UK GDPR)
If you are located in the EEA/UK (or where similar laws apply), we rely on one or more of these legal bases:
- Contract – to provide the Service you request (for example, account and gameplay features).
- Legitimate interests – to operate, secure, and improve the Service (balanced against your rights).
- Legal obligation – to comply with applicable laws (for example, financial/accounting requirements).
- Consent – where required (for example, certain push notifications depending on your settings and local law).
Sharing and third parties
We share information only as needed to operate the Service, including with the following categories of recipients:
- Authentication providers: Apple and Google (to authenticate your account).
- Push notification delivery: Firebase Cloud Messaging (to send push notifications if enabled).
- In-app purchase verification: Apple and Google (to verify purchases and prevent fraud).
- Infrastructure providers: hosting, database, and storage providers used to run the Service (including object storage for app images).
We may also share information if we believe disclosure is necessary to comply with the law, enforce our terms, or protect the rights, property, or safety of users, the public, or the Service.
International transfers
Our service providers may process information outside your country of residence. Where the GDPR/UK GDPR applies and a transfer is considered international, we aim to rely on appropriate safeguards (such as standard contractual clauses) or other lawful transfer mechanisms.
Retention
We keep personal information only as long as necessary for the purposes described in this policy, including:
- Account and gameplay data: while your account is active and for a reasonable period after to handle support and fraud prevention.
- Purchase transaction metadata: as needed to prevent fraud and comply with legal/accounting requirements.
- Push tokens: until you disable notifications, uninstall the app, or we remove/replace outdated tokens.
- Admin sessions: expire automatically and can be deleted on logout.
Service Shutdown and Data Deletion
If we discontinue the Service (as described in our Terms of Use), we will:
- Provide at least 30 days' advance notice where reasonably practical
- Allow you to export or download your collection data if technically feasible
- Delete all user account data, gameplay data, and personal information within 90 days of the final shutdown date, except as required by law for accounting, fraud prevention, or legal compliance purposes
- Permanently delete all images, database records, and backup data
We reserve the right to retain aggregated, anonymized usage statistics that cannot identify individual users.
Security
We use reasonable technical and organizational measures designed to protect information. No system is 100% secure, and we cannot guarantee absolute security.
Your rights and choices
Depending on your location and the laws that apply, you may have rights such as access, correction, deletion, portability, restriction, and objection. You may also have the right to withdraw consent where processing is based on consent.
To exercise your rights, you can submit a request using the feedback form in the mobile app or on our website (select "Privacy/Data Request" category). We may need to verify your request.
Self-service account deletion: You can delete your account directly in the mobile app via Profile → Delete Account. Deletion is permanent and will remove your account and associated gameplay data, subject to limited exceptions where we are required or permitted to retain certain information (for example, for legal obligations, accounting, or fraud prevention).
Account deletion does not remove shared catalog image assets used by the Service. Those images are platform content generated and managed by administrators, not user-uploaded or user-generated personal content.
For California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:
Right to Know:
You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you. This includes:
- The categories and specific pieces of personal information we've collected
- The categories of sources from which we collected it
- Our business or commercial purpose for collecting it
- The categories of third parties with whom we share it
Right to Delete:
You have the right to request deletion of your personal information, subject to certain exceptions (e.g., to complete transactions, detect security incidents, comply with legal obligations, or enable internal uses reasonably aligned with your expectations).
You can also delete your account yourself in the mobile app via Profile → Delete Account.
Sale or Sharing of Personal Information:
We do NOT sell your personal information. We do NOT share your personal information with third parties for cross-context behavioral advertising or targeted advertising purposes.
Your data is used only to operate the Service (gameplay, collections, trading features). We only share data with service providers necessary to run the app (hosting, authentication, push notifications) under strict data processing agreements. If our practices ever change, we will update this policy and provide an opt-out mechanism as required by law.
Right to Correct:
You have the right to request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information:
We do not collect or use sensitive personal information beyond what is necessary to provide the Service.
Right to Non-Discrimination:
We will not discriminate against you for exercising your CCPA/CPRA rights (e.g., by denying goods or services, charging different prices, or providing a different level of service).
How to Exercise Your Rights:
To exercise your California privacy rights, you can:
- Submit a request using the feedback form in the mobile app or on our website (select "Privacy/Data Request" category)
- Submit via our contact form with "California Privacy Request" in the message
We will verify your identity before processing your request.
You may also designate an authorized agent to make requests on your behalf. We will require written proof of the agent's authority and may verify your identity directly.
Response Timing:
We will respond to verifiable requests within 45 days. If we need more time (up to 90 days total), we will notify you.
For European Economic Area (EEA), UK, and Swiss Residents (GDPR)
If you are located in the EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR) provides you with specific rights regarding your personal data:
Legal Basis for Processing:
We process your personal data based on the following legal grounds:
- Contract Performance: To provide the Service you've signed up for
- Legitimate Interests: To improve the Service, prevent fraud, and ensure security
- Consent: Where you've given explicit consent (e.g., marketing communications, push notifications)
- Legal Obligation: To comply with applicable laws and regulations
Your GDPR Rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances
- Right to Restriction: Request that we limit how we use your personal data
- Right to Data Portability: Receive your personal data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
To exercise your Right to Erasure, you can delete your account directly in the mobile app via Profile → Delete Account, or submit a request using the methods described below.
International Data Transfers:
If we transfer your personal data outside the EEA/UK/Switzerland, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or reliance on adequacy decisions.
Data Protection Officer:
For GDPR-related inquiries, you can:
- Submit a request using the feedback form in the mobile app or on our website (select "Privacy/Data Request" category)
- Submit via our contact form with "GDPR Request" in the message
Supervisory Authority:
You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws. In the UK, this is the Information Commissioner's Office (ICO). In the EEA, find your authority at edpb.europa.eu.
Response Timing:
We will respond to GDPR requests within one month. If the request is complex, we may extend this by two additional months and will notify you.
Children
The Service is not intended for children. If you believe a child has provided personal information, contact us and we will take appropriate steps.
Changes to this policy
We may update this Privacy Policy from time to time. We will update the effective date above and, where appropriate, provide additional notice in the Service.
Contact
Contact: contact form
Note: This policy is intended to describe the Service as currently implemented. Before store submission and release, have counsel review and finalize the policy text for your specific business and jurisdictions.