Privacy Policy – DropBeat
Last updated: 9 July 2026 — Controller: MLH Ventures GmbH, Stolberggasse 38/9, 1050 Vienna, Austria — Data protection requests: privacy@mlh-ventures.com
Imprint: mlh-ventures.com/imprint
Languages: Deutsch · English
This is a translation for your convenience. In the event of discrepancies, the German version is authoritative.
In this Privacy Policy we inform you about which personal data we process when you use the DropBeat app, for what purposes, on what legal basis and what rights you have.
1. Controller
MLH Ventures GmbH
Stolberggasse 38/9, 1050 Vienna, Austria
FN 614753 z, ATU80019338
General contact: office@mlh-ventures.com
Data protection requests: privacy@mlh-ventures.com
Phone: +43 670 605 1854
A data protection officer is not legally required.
2. Scope
This Privacy Policy applies to the processing of personal data in connection with the use of the mobile app DropBeat for iOS and Android and the associated online functions.
A separate privacy policy applies to our website (mlh-ventures.com) and other products.
Note on planned future features: We plan to expand DropBeat with features such as paid premium modes, hint packages or a global leaderboard. As soon as such a feature is introduced, we will update this Privacy Policy before activation and inform you about the specific data processing pursuant to Section 16.
3. Principles of our processing
We process your data only insofar as it is necessary for the operation of the App or you have expressly consented. We do not use any advertising, tracking or analytics tools from third parties (with the exception of error monitoring, see Section 9). We do not sell personal data.
4. Data processed, purposes and legal bases
4.1 At registration
| Data | Purpose | Legal basis |
|---|---|---|
| Email address, verification status | Account creation, login, recovery | Art. 6(1)(b) GDPR (performance of contract) |
| Password (stored encrypted) or third-party auth ID (Apple, Google) | Authentication | Art. 6(1)(b) GDPR |
| Username | Identification, friend search, game interaction | Art. 6(1)(b) GDPR |
| Avatar colour | Profile display | Art. 6(1)(b) GDPR |
| Age confirmation (minimum age 16) | Compliance with legal requirements | Art. 6(1)(c) GDPR |
| Time of account creation | Contract administration, inactivity period | Art. 6(1)(b) and (f) GDPR |
4.2 During use
| Data | Purpose | Legal basis |
|---|---|---|
| Push token of your device | Sending transactional notifications | Art. 6(1)(b) GDPR |
| Push token for marketing | Sending product information, tips, updates | Art. 6(1)(a) GDPR (consent) |
| Time of last activity | Online status towards your friends | Art. 6(1)(f) GDPR (legitimate interest: game flow); opt-out by ending the friendship |
| Game statistics (games, wins, level, XP) | Core function, profile display | Art. 6(1)(b) GDPR |
| Match history, moves, answers | Game progress, asynchronous matches | Art. 6(1)(b) GDPR |
| Friend requests and friendships | Social function | Art. 6(1)(b) GDPR |
| Invitations, game participations, duels | Core multiplayer function | Art. 6(1)(b) GDPR |
| Reports of violations | Content moderation, legal obligations (DSA) | Art. 6(1)(c) and (f) GDPR |
4.3 Stored locally on your device
The following data is stored exclusively on your device and not transmitted to us:
- Login token in secure device storage (iOS Keychain / Android Keystore)
- Local cache of the song catalogue (contains no personal data)
- App settings
4.4 Guest players in Hot-Seat mode
In local Hot-Seat mode, additional people can participate on your device by entering a nickname and an avatar colour. This information is processed locally only on the device, not transmitted to us and not stored.
5. Visibility of your data to other users
| Data | Visible to |
|---|---|
| Username | all DropBeat users (publicly searchable) |
| Avatar colour | everyone |
| Game statistics, level | friends |
| Online status (last activity) | friends only |
| Email address | no one but you |
6. Push notifications
We use two separate categories of push messages:
Transactional pushes: Game events such as “it’s your move”, a new invitation, a game result. We send these on the basis of our contract with you (Art. 6(1)(b) GDPR). You can disable these pushes via your device’s system settings or in the App.
Marketing and update pushes: Information about new features, tips or product notices. We send these only if you have expressly consented (Art. 6(1)(a) GDPR in conjunction with §174 TKG 2021). Consent is given by actively enabling it in the app settings (“Receive marketing messages”). You can withdraw it at any time in the settings without this affecting the transactional notifications.
7. Email communication
We send emails for the following purposes:
- Transactional: email verification, password reset, deletion and security confirmations, advance warning of imminent inactivity deletion. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
- Product updates and newsletter (future): Insofar as we offer such messages, they are sent exclusively after your express consent (Art. 6(1)(a) GDPR in conjunction with §174 TKG 2021). You can unsubscribe at any time via a link in each message.
8. Device permissions
DropBeat requests only the following permissions:
- Notifications / push — for sending game notifications and (if desired) product updates
We request no permissions for camera, location, microphone, contacts or photo library.
9. Third-party providers and processors
To provide our service we use the following providers. Contracts pursuant to Art. 28 GDPR exist with all processors.
| Provider | Function | Data processed | Region | Privacy policy |
|---|---|---|---|---|
| Supabase Inc. | Backend platform (database, authentication, realtime functions) | Account data, game content, social data | EU (Frankfurt / Ireland) | supabase.com/privacy |
| Expo / 650 Industries | App build and Expo Push service | Push tokens and content | USA | expo.dev/privacy |
| Apple Inc. | Push delivery on iOS, Sign in with Apple | Push token, auth identifier | USA | apple.com/legal/privacy |
| Google LLC | Push delivery on Android, Google sign-in | Push token, auth identifier | USA | policies.google.com/privacy |
| Apple Inc. (iTunes Search API) | Provision of 30-second song previews (default source) | Direct retrieval from the device, transmitting your device’s IP address to Apple; no user identifiers are transmitted | USA | apple.com/legal/privacy |
| Deezer S.A. | Provision of 30-second song previews (fallback source) | Direct retrieval from the device, transmitting your device’s IP address to Deezer | France (EU) | deezer.com/legal/personal-datas |
| Genius Media Group | Provision of cover images | Direct retrieval from the device, transmitting your device’s IP address to Genius | USA | genius.com/static/privacy_policy |
| Functional Software Inc. (Sentry) | Crash and error monitoring | Technical error data, possibly account IDs | EU (Germany) | sentry.io/privacy |
We use no advertising, tracking or analytics services from other providers and set no cookies or comparable technologies for marketing or analytics purposes.
10. Transfer to third countries
The central processing operations take place in the European Union. With some providers (Expo, Apple, Google, Genius) processing takes place in the USA. Transfers are carried out on the basis of the EU-US Data Privacy Framework or the standard contractual clauses of the EU Commission (Art. 46 GDPR). The respective safeguards ensure an adequate level of data protection.
11. Retention period
We store your data only as long as necessary for the stated purposes or as long as statutory retention obligations exist.
| Data category | Retention period |
|---|---|
| Active account | for the duration of use |
| Account upon inactivity | 12 months after last login; then advance warning by email, deletion after a further 30 days |
| Self-initiated account deletion | immediate deletion of your personal data incl. game and social data |
| Expired or declined game duels | up to 90 days |
| Sentry error data | up to 90 days |
| Push tokens | until account deletion or device sign-out |
| Consent records (marketing) | until withdrawal plus statutory limitation periods |
12. Security of processing
We implement technical and organizational measures to protect your data, in particular:
- TLS encryption of all data transfers between app and server
- encrypted storage of passwords using recognized hashing methods
- secure storage of login tokens on your device (iOS Keychain or Android Keystore)
- multi-factor authentication for administrative access to our backend systems
- role-based access controls following the principle of least privilege
- logging of administrative access
- regular encrypted backups
- automated security updates of the platforms used
- separation between development, test and production environments
- regular review and updating of these measures in line with the state of the art
13. Minimum age
DropBeat is intended for persons aged 16 and over. We knowingly do not process data of children under 16. If you become aware that a minor has transmitted data to us without the appropriate consent, please contact us at privacy@mlh-ventures.com.
14. Your rights
You have the following rights regarding your personal data:
- Access to your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR); can be carried out directly in the App via “Settings → Delete account”
- Restriction of processing (Art. 18 GDPR)
- Data portability in a structured, commonly used, machine-readable format (Art. 20 GDPR)
- Objection to processing based on legitimate interests (Art. 21 GDPR)
- Withdrawal of granted consent with effect for the future (Art. 7(3) GDPR)
Please address requests to privacy@mlh-ventures.com. We generally respond within 30 days.
15. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular the Austrian Data Protection Authority:
Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna
dsb@dsb.gv.at, dsb.gv.at
You may also contact the supervisory authority of your habitual residence or place of work.
16. Changes to this Privacy Policy
We may adapt this Privacy Policy where this becomes necessary due to new features, a changed legal situation or changed processing workflows. We will inform you of material changes in good time before they take effect, by email or directly in the App.