Privacy Policy – DropBeat

Last updated: 9 July 2026 — Controller: MLH Ventures GmbH, Stolberggasse 38/9, 1050 Vienna, Austria — Data protection requests: privacy@mlh-ventures.com
Imprint: mlh-ventures.com/imprint
Languages: Deutsch · English

This is a translation for your convenience. In the event of discrepancies, the German version is authoritative.

In this Privacy Policy we inform you about which personal data we process when you use the DropBeat app, for what purposes, on what legal basis and what rights you have.

1. Controller

MLH Ventures GmbH
Stolberggasse 38/9, 1050 Vienna, Austria
FN 614753 z, ATU80019338

General contact: office@mlh-ventures.com
Data protection requests: privacy@mlh-ventures.com
Phone: +43 670 605 1854

A data protection officer is not legally required.

2. Scope

This Privacy Policy applies to the processing of personal data in connection with the use of the mobile app DropBeat for iOS and Android and the associated online functions.

A separate privacy policy applies to our website (mlh-ventures.com) and other products.

Note on planned future features: We plan to expand DropBeat with features such as paid premium modes, hint packages or a global leaderboard. As soon as such a feature is introduced, we will update this Privacy Policy before activation and inform you about the specific data processing pursuant to Section 16.

3. Principles of our processing

We process your data only insofar as it is necessary for the operation of the App or you have expressly consented. We do not use any advertising, tracking or analytics tools from third parties (with the exception of error monitoring, see Section 9). We do not sell personal data.

4. Data processed, purposes and legal bases

4.1 At registration

DataPurposeLegal basis
Email address, verification statusAccount creation, login, recoveryArt. 6(1)(b) GDPR (performance of contract)
Password (stored encrypted) or third-party auth ID (Apple, Google)AuthenticationArt. 6(1)(b) GDPR
UsernameIdentification, friend search, game interactionArt. 6(1)(b) GDPR
Avatar colourProfile displayArt. 6(1)(b) GDPR
Age confirmation (minimum age 16)Compliance with legal requirementsArt. 6(1)(c) GDPR
Time of account creationContract administration, inactivity periodArt. 6(1)(b) and (f) GDPR

4.2 During use

DataPurposeLegal basis
Push token of your deviceSending transactional notificationsArt. 6(1)(b) GDPR
Push token for marketingSending product information, tips, updatesArt. 6(1)(a) GDPR (consent)
Time of last activityOnline status towards your friendsArt. 6(1)(f) GDPR (legitimate interest: game flow); opt-out by ending the friendship
Game statistics (games, wins, level, XP)Core function, profile displayArt. 6(1)(b) GDPR
Match history, moves, answersGame progress, asynchronous matchesArt. 6(1)(b) GDPR
Friend requests and friendshipsSocial functionArt. 6(1)(b) GDPR
Invitations, game participations, duelsCore multiplayer functionArt. 6(1)(b) GDPR
Reports of violationsContent moderation, legal obligations (DSA)Art. 6(1)(c) and (f) GDPR

4.3 Stored locally on your device

The following data is stored exclusively on your device and not transmitted to us:

  • Login token in secure device storage (iOS Keychain / Android Keystore)
  • Local cache of the song catalogue (contains no personal data)
  • App settings

4.4 Guest players in Hot-Seat mode

In local Hot-Seat mode, additional people can participate on your device by entering a nickname and an avatar colour. This information is processed locally only on the device, not transmitted to us and not stored.

5. Visibility of your data to other users

DataVisible to
Usernameall DropBeat users (publicly searchable)
Avatar coloureveryone
Game statistics, levelfriends
Online status (last activity)friends only
Email addressno one but you

6. Push notifications

We use two separate categories of push messages:

Transactional pushes: Game events such as “it’s your move”, a new invitation, a game result. We send these on the basis of our contract with you (Art. 6(1)(b) GDPR). You can disable these pushes via your device’s system settings or in the App.

Marketing and update pushes: Information about new features, tips or product notices. We send these only if you have expressly consented (Art. 6(1)(a) GDPR in conjunction with §174 TKG 2021). Consent is given by actively enabling it in the app settings (“Receive marketing messages”). You can withdraw it at any time in the settings without this affecting the transactional notifications.

7. Email communication

We send emails for the following purposes:

  • Transactional: email verification, password reset, deletion and security confirmations, advance warning of imminent inactivity deletion. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
  • Product updates and newsletter (future): Insofar as we offer such messages, they are sent exclusively after your express consent (Art. 6(1)(a) GDPR in conjunction with §174 TKG 2021). You can unsubscribe at any time via a link in each message.

8. Device permissions

DropBeat requests only the following permissions:

  • Notifications / push — for sending game notifications and (if desired) product updates

We request no permissions for camera, location, microphone, contacts or photo library.

9. Third-party providers and processors

To provide our service we use the following providers. Contracts pursuant to Art. 28 GDPR exist with all processors.

ProviderFunctionData processedRegionPrivacy policy
Supabase Inc.Backend platform (database, authentication, realtime functions)Account data, game content, social dataEU (Frankfurt / Ireland)supabase.com/privacy
Expo / 650 IndustriesApp build and Expo Push servicePush tokens and contentUSAexpo.dev/privacy
Apple Inc.Push delivery on iOS, Sign in with ApplePush token, auth identifierUSAapple.com/legal/privacy
Google LLCPush delivery on Android, Google sign-inPush token, auth identifierUSApolicies.google.com/privacy
Apple Inc. (iTunes Search API)Provision of 30-second song previews (default source)Direct retrieval from the device, transmitting your device’s IP address to Apple; no user identifiers are transmittedUSAapple.com/legal/privacy
Deezer S.A.Provision of 30-second song previews (fallback source)Direct retrieval from the device, transmitting your device’s IP address to DeezerFrance (EU)deezer.com/legal/personal-datas
Genius Media GroupProvision of cover imagesDirect retrieval from the device, transmitting your device’s IP address to GeniusUSAgenius.com/static/privacy_policy
Functional Software Inc. (Sentry)Crash and error monitoringTechnical error data, possibly account IDsEU (Germany)sentry.io/privacy

We use no advertising, tracking or analytics services from other providers and set no cookies or comparable technologies for marketing or analytics purposes.

10. Transfer to third countries

The central processing operations take place in the European Union. With some providers (Expo, Apple, Google, Genius) processing takes place in the USA. Transfers are carried out on the basis of the EU-US Data Privacy Framework or the standard contractual clauses of the EU Commission (Art. 46 GDPR). The respective safeguards ensure an adequate level of data protection.

11. Retention period

We store your data only as long as necessary for the stated purposes or as long as statutory retention obligations exist.

Data categoryRetention period
Active accountfor the duration of use
Account upon inactivity12 months after last login; then advance warning by email, deletion after a further 30 days
Self-initiated account deletionimmediate deletion of your personal data incl. game and social data
Expired or declined game duelsup to 90 days
Sentry error dataup to 90 days
Push tokensuntil account deletion or device sign-out
Consent records (marketing)until withdrawal plus statutory limitation periods

12. Security of processing

We implement technical and organizational measures to protect your data, in particular:

  • TLS encryption of all data transfers between app and server
  • encrypted storage of passwords using recognized hashing methods
  • secure storage of login tokens on your device (iOS Keychain or Android Keystore)
  • multi-factor authentication for administrative access to our backend systems
  • role-based access controls following the principle of least privilege
  • logging of administrative access
  • regular encrypted backups
  • automated security updates of the platforms used
  • separation between development, test and production environments
  • regular review and updating of these measures in line with the state of the art

13. Minimum age

DropBeat is intended for persons aged 16 and over. We knowingly do not process data of children under 16. If you become aware that a minor has transmitted data to us without the appropriate consent, please contact us at privacy@mlh-ventures.com.

14. Your rights

You have the following rights regarding your personal data:

  • Access to your stored data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR); can be carried out directly in the App via “Settings → Delete account”
  • Restriction of processing (Art. 18 GDPR)
  • Data portability in a structured, commonly used, machine-readable format (Art. 20 GDPR)
  • Objection to processing based on legitimate interests (Art. 21 GDPR)
  • Withdrawal of granted consent with effect for the future (Art. 7(3) GDPR)

Please address requests to privacy@mlh-ventures.com. We generally respond within 30 days.

15. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna
dsb@dsb.gv.at, dsb.gv.at

You may also contact the supervisory authority of your habitual residence or place of work.

16. Changes to this Privacy Policy

We may adapt this Privacy Policy where this becomes necessary due to new features, a changed legal situation or changed processing workflows. We will inform you of material changes in good time before they take effect, by email or directly in the App.