Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• Waitlist Information: When you join our pre-launch waitlist, we collect your first name and email address. This information is used solely to notify you when MingleTrivia becomes available and to send you product updates you've opted into.
• Account Information: When you create a MingleTrivia account (upon app launch), we collect your name, email address, and a password or authentication token. You may optionally provide a display name or avatar used within the game.
• Document Uploads: If you use the Doc-to-Trivia feature, you may upload PDF or DOCX files. We extract the text content of these documents to generate trivia questions using AI. Uploaded document content is processed transiently and is not stored permanently on our servers after trivia generation is complete.
• Support Communications: If you contact us for support, we collect the information you provide in your message, including your email address and any details about your issue.
• In-App Purchases: Payments for premium packs, subscriptions, and AI credits are processed entirely by Apple through StoreKit 2. We do not collect or store your payment card details. We receive only a transaction receipt from Apple confirming purchase status.

1.2 Information Collected Automatically

• Usage Analytics: We use Firebase Analytics to collect anonymized data about how you interact with MingleTrivia, including which features you use, session duration, game modes played, and navigation paths. This data helps us understand aggregate usage patterns and improve the app.
• Device Information: We collect information about the device you use to access MingleTrivia, including device model, operating system version, unique device identifiers (such as vendor ID), and app version.
• Log Data: Our servers automatically collect log data when you use certain features, including your IP address (used for rate limiting and security, then discarded), timestamps, error reports, and crash diagnostics via Firebase Crashlytics.
• Performance Data: Firebase Performance Monitoring may collect anonymized performance metrics such as app start time, network request latency, and rendering performance to help us identify and resolve performance bottlenecks.

1.3 AR and Device Data

• Multiplayer Networking (MultipeerConnectivity): Gameplay between devices uses Apple's MultipeerConnectivity framework for peer-to-peer (P2P) networking over Bluetooth and local Wi-Fi. Game state, player nicknames, question data, and score information are transmitted directly between players' devices. This data travels only between devices on the local network and is never relayed through or stored on our servers. No internet connection is required for P2P gameplay.
• QR Code Scanning: The QR codes used during gameplay are generated and scanned on-device. They contain only encoded game data (player IDs, answer tokens) and do not contain personal information. QR scan events are not transmitted or logged.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Delivering Game Services: To create and manage your account, authenticate you, sync game state via Firebase where applicable, and provide the core MingleTrivia gameplay experience.
• Processing Waitlist Signups: To add you to our pre-launch waitlist and send you a confirmation email and launch notification. We use Brevo (formerly Sendinblue) to manage and deliver these emails.
• AI Trivia Pack Generation: To process your document uploads and generate trivia question sets using our AI backend powered by AWS (Anthropic Claude via Amazon Bedrock). Document text is sent to our AI service, trivia is generated, and the source text is discarded.
• App Improvements and Analytics: To analyze how players use MingleTrivia in aggregate, identify popular features, diagnose crashes, and make data-driven decisions about product improvements.
• Communications: To send you transactional emails (account verification, purchase receipts, password reset), service announcements, and, with your consent, marketing updates about new packs, features, and promotions. You can opt out of marketing communications at any time.
• Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, abuse, cheating, or other fraudulent activity that could harm MingleTrivia or its users.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including tax obligations related to in-app purchases.
• Enforcing Our Terms: To enforce our Terms of Service and protect the rights, property, and safety of MingleTrivia, our users, and the public.

3. Data Sharing and Disclosure

3.1 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. Period.

3.2 Service Providers

We share data with trusted service providers who perform functions on our behalf, under strict contractual data processing agreements. These providers are permitted to use your data only to provide services to us and are not authorized to use it for their own independent purposes:

• Amazon Web Services (AWS): Cloud hosting for our API server (mingletrivia.com), AI trivia generation via Amazon Bedrock, and secure data storage. Data is hosted in US East (Northern Virginia) regions. AWS participates in the AWS Data Processing Addendum covering EU standard contractual clauses.
• Brevo (formerly Sendinblue): Email delivery service for waitlist confirmations, launch notifications, and transactional emails. We share your name and email address with Brevo for this purpose.
• Google Firebase (Google LLC): Provides Firebase Analytics (usage data), Firebase Crashlytics (crash reports), Firebase Authentication (account management), and Firebase Performance Monitoring. Google's data processing terms apply. Analytics data is anonymized before transmission where possible. You can opt out of Firebase Analytics data collection via device settings.
• Apple Inc.: Processes all in-app purchases and subscriptions through StoreKit 2. Apple's privacy practices govern payment processing. We receive only transaction receipt data (purchase status and entitlements) — no payment card or banking information.

3.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change via email or a prominent notice on our website, and your continued use of MingleTrivia after the transfer constitutes acceptance of the successor's privacy practices (which must be materially equivalent to or better than this policy).

3.4 Legal Requirements

We may disclose your information if required to do so by law or in good faith that such action is necessary to: (a) comply with a legal obligation, subpoena, court order, or legal process; (b) protect and defend the rights or property of MingleTrivia; (c) prevent or investigate possible wrongdoing in connection with the service; (d) protect the personal safety of users of MingleTrivia or the public; or (e) protect against legal liability.

3.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data — information that cannot reasonably identify you — with partners, researchers, or the public for purposes such as demonstrating product usage trends, publishing research, or improving the broader ecosystem. This data is not linked to any individual user.

4. Data Storage and Retention

4.1 Where Your Data is Stored

Your personal data is stored on servers located in the United States, hosted on Amazon Web Services infrastructure in the US East (Northern Virginia) region. Firebase services (Google LLC) store data primarily in US-based Google data centers, with replication per Google's standard architecture.

4.2 Security in Transit and at Rest

All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. Data stored on our servers is encrypted at rest using AES-256 encryption. Our AI backend authenticates requests using HMAC-SHA256 signatures to prevent unauthorized API access. P2P game data transmitted via MultipeerConnectivity uses Apple's built-in encryption for that framework.

4.3 Retention Periods

• Waitlist Information: Retained until you request removal or until MingleTrivia has launched and the waitlist is closed, whichever comes first. After launch, waitlist-only records are deleted within 90 days unless converted to an account.
• Account Information: Retained while your account is active. If you delete your account, your profile data is deleted within 30 days, except where we are required to retain it for legal or compliance reasons (e.g., financial records of in-app purchases may be retained for up to 7 years for tax purposes).
• Document Upload Content: Uploaded document text is processed transiently for AI trivia generation and is not retained on our servers after the generation job completes. Generated trivia packs (the output) may be saved to your account if you choose to save them.
• Usage and Analytics Data: Anonymized analytics data is retained for up to 24 months to support trend analysis and product planning, after which it is aggregated or deleted.
• Crash and Log Data: Crash reports and server logs are retained for up to 90 days for debugging purposes, then deleted.
• Communications: Email records are retained for up to 3 years for customer support purposes.

4.4 Deletion Requests

You may request deletion of your personal data at any time by emailing privacy@mingletrivia.com. We will process verified deletion requests within 30 days, subject to any legal obligations to retain certain data.

5. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal information:

• Access: You have the right to request a copy of the personal information we hold about you, including what categories of data we have collected and how it has been used.
• Correction: You have the right to request that we correct inaccurate or incomplete personal information about you.
• Deletion: You have the right to request that we delete your personal information, subject to certain exceptions (e.g., legal compliance obligations, active contractual relationships).
• Portability: You have the right to request a machine-readable copy of personal information you have provided to us, where technically feasible.
• Opt-Out of Marketing: You can unsubscribe from marketing emails at any time by clicking "unsubscribe" in any marketing email or emailing us at privacy@mingletrivia.com. Opting out of marketing does not affect transactional communications (e.g., purchase confirmations, security alerts).
• Object to Processing: Where we rely on legitimate interests as a legal basis for processing, you have the right to object to that processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Restrict Processing: In certain circumstances, you may have the right to request that we restrict the processing of your personal data while a dispute is being resolved.
• Cookie Preferences: You can manage your cookie and analytics preferences via the cookie consent banner displayed on our website, or by adjusting your browser's cookie settings. Note that disabling certain cookies may affect website functionality.
• Analytics Opt-Out (App): On iOS, you can limit ad tracking and analytics data collection via Settings > Privacy & Security > Tracking. Firebase Analytics also respects Apple's App Tracking Transparency framework.

To exercise any of these rights, please contact us at privacy@mingletrivia.com. We will respond to verified requests within 30 days (or 45 days where permitted by law for complex requests). We may need to verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.

6. Cookies and Tracking Technologies

6.1 Our Website (mingletrivia.com)

Our website uses cookies and similar technologies (such as localStorage and sessionStorage) to operate, remember your preferences, and analyze site usage. When you first visit our website, we display a cookie consent banner where you can choose which categories of cookies to accept.

6.2 Cookie Categories

• Strictly Necessary Cookies: These cookies are required for the website to function and cannot be disabled. They include session management, CSRF protection, and our cookie consent preference record (stored in localStorage). No personal data is shared with third parties as a result of these cookies.
• Analytics Cookies: These are optional cookies used to understand how visitors interact with our website. We may use Firebase Analytics or similar tools to collect anonymized data such as page views, referral sources, and session duration. You can decline these by selecting "Reject Optional" on our cookie banner.
• Marketing Cookies: If we run digital advertising campaigns in the future, marketing cookies may be used to measure the effectiveness of ads and avoid showing you the same ad repeatedly. These are optional and disabled by default. You can opt out via the cookie banner.

6.3 Managing Cookies

Your cookie consent preferences are stored in your browser's localStorage under the key cookieConsent. You can change your preferences at any time by clearing your browser's localStorage or by contacting us to reset your consent record. Most browsers also allow you to view, manage, and delete cookies via browser settings.

6.4 Do Not Track

Some browsers include a "Do Not Track" (DNT) signal. Our website does not currently respond to DNT signals in a standardized way. However, if you decline analytics cookies via our cookie banner, we will not place analytics tracking cookies on your device.

6.5 The MingleTrivia iOS App

The MingleTrivia iOS app does not use browser cookies. Analytics within the app are handled by Firebase Analytics SDK, which collects anonymized usage events. Apple's App Tracking Transparency framework governs any cross-app tracking, and we request user permission before tracking across apps if applicable.

7. Children's Privacy

We do not knowingly collect personal information from children under 13 years of age. In compliance with the Children's Online Privacy Protection Act (COPPA) in the United States, and similar laws in other jurisdictions, we do not solicit or intentionally receive personal information from children under 13.

If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete that information from our records. If you believe we may have collected information from a child under 13, please contact us immediately at privacy@mingletrivia.com.

For users between the ages of 13 and 17 (or the applicable age of majority in their jurisdiction), we encourage parents and guardians to review this Privacy Policy with their child and to supervise their use of the app. In-app purchases require Apple ID authorization, which provides a parental control layer via Family Sharing and "Ask to Buy" functionality.

8. Security Measures

We take the security of your personal information seriously and implement a range of technical and organizational measures to protect it:

• Encryption in Transit: All communications between the MingleTrivia app and our servers use TLS 1.2 or higher. Our AI API backend enforces HMAC-SHA256 request signing to authenticate all API calls, preventing unauthorized or replayed requests.
• Encryption at Rest: User data stored on AWS is encrypted at rest using AES-256 encryption. Firebase also encrypts stored data per Google's platform security standards.
• Access Controls: Access to production systems and user data is restricted to authorized personnel on a need-to-know basis. We use role-based access controls and audit logging for administrative access.
• Rate Limiting: Our API enforces rate limits (10 requests per hour per user for AI generation) to protect against abuse and denial-of-service attacks.
• On-Device AR Processing: AR face tracking data never leaves your device, eliminating the associated transmission and storage security risks entirely.
• P2P Encryption: MultipeerConnectivity P2P sessions use Apple's built-in encryption (required encryption mode), ensuring game data between devices is protected.
• Security Audits: We conduct periodic security reviews of our codebase, dependencies, and infrastructure to identify and remediate vulnerabilities.
• Dependency Management: We monitor our third-party dependencies for known vulnerabilities and apply security updates promptly.

While we implement these safeguards, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and we encourage you to use strong, unique passwords and to keep your device software up to date.

Vulnerability Disclosure: If you discover a security vulnerability in MingleTrivia, please report it responsibly to security@mingletrivia.com. We appreciate responsible disclosure and will acknowledge your report within 72 hours.

9. International Data Transfers

MingleTrivia is operated by Kyle Borg, based in the United States. Our servers and infrastructure are hosted in the United States (AWS US East region). If you are located outside the United States — including in the European Economic Area (EEA), the United Kingdom, or other countries — your personal information will be transferred to and processed in the United States.

The United States may not provide the same level of data protection as the laws in your country. We take the following measures to ensure that your personal data receives adequate protection when transferred internationally:

• Standard Contractual Clauses (SCCs): We rely on European Commission-approved Standard Contractual Clauses with our service providers (including AWS and Google Firebase) that process data on our behalf in the US, ensuring an adequate level of protection for EEA personal data transferred internationally.
• UK International Data Transfer Agreements: For transfers of UK personal data, we use the UK International Data Transfer Agreement (IDTA) or UK addendum to EU SCCs as appropriate.
• Adequacy Decisions: Where the European Commission has issued an adequacy decision for a recipient country, we rely on that decision for transfers to that country.

By using MingleTrivia and providing us with your personal information, you acknowledge that your data may be transferred to and processed in the United States in accordance with this Privacy Policy and the safeguards described above.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information. This section describes those rights and how to exercise them.

10.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information from California consumers:

• Identifiers: Name, email address, device identifiers (vendor ID), IP address (transient)
• Internet or Other Electronic Network Activity: App usage data, feature interactions, crash reports
• Commercial Information: In-app purchase transaction receipts (purchase status only, no payment details)
• Inferences: Derived preferences based on trivia pack usage patterns (for personalization, in aggregate)

10.2 Your California Privacy Rights

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which personal information is collected, the business purposes for collecting personal information, and the categories of third parties with whom we share personal information.
• Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions permitted by the CCPA (e.g., completing a transaction, security purposes, legal obligations).
• Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: We do not sell personal information and do not share personal information with third parties for cross-context behavioral advertising. Therefore, there is no need to opt out of these practices. If this changes, we will update this policy and provide an opt-out mechanism.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. We will not deny you goods or services, charge different prices, provide a different level of service quality, or suggest that you may receive a different price or level of service because you exercised your privacy rights.
• Right to Limit Use of Sensitive Personal Information: To the extent we collect sensitive personal information (which we limit to account credentials and the transient AR data processed on-device), you have the right to direct us to limit its use to what is necessary to perform the services you requested.

10.3 How to Submit a California Privacy Request

To exercise your California privacy rights, please email us at privacy@mingletrivia.com with "California Privacy Request" in the subject line, specifying the right(s) you wish to exercise. We will verify your identity before processing your request and will respond within 45 days (with a possible 45-day extension for complex requests, with notice to you).

You may designate an authorized agent to make a request on your behalf by providing a signed written authorization or a power of attorney.

11. European Economic Area & UK Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR respectively provide you with comprehensive rights regarding your personal data. This section describes our obligations and your rights under these frameworks.

11.1 Data Controller

The data controller for personal data processed by MingleTrivia is:

• MingleTrivia / Kyle Borg
• Email: privacy@mingletrivia.com

11.2 Legal Bases for Processing

We process your personal data under the following legal bases:

• Consent (Article 6(1)(a) GDPR): We process your name and email address to add you to our waitlist and send you marketing communications based on your explicit consent. You may withdraw this consent at any time without affecting the lawfulness of prior processing.
• Contract (Article 6(1)(b) GDPR): When you create an account and use the MingleTrivia app, we process your account information and usage data as necessary to provide the services you have contracted for, including gameplay, AI pack generation, and in-app purchases.
• Legitimate Interests (Article 6(1)(f) GDPR): We process anonymized analytics data, crash reports, and security-related data based on our legitimate interests in improving the app, ensuring its security, and preventing fraud. We have assessed that these interests do not override your fundamental rights and freedoms.
• Legal Obligation (Article 6(1)(c) GDPR): We may process your data to comply with applicable legal obligations, such as retaining financial transaction records for tax purposes.

11.3 Your Rights Under GDPR

• Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data and information about how it is processed.
• Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete personal data completed without undue delay.
• Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent and there is no other legal basis for processing, or where you object and there are no overriding legitimate grounds for processing.
• Right to Data Portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
• Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or have objected to processing pending verification of legitimate grounds.
• Right to Object (Article 21): You have the right to object at any time to processing of your personal data that is based on our legitimate interests, including profiling based on those interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.
• Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.
• Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. MingleTrivia does not make such automated decisions about you.

11.4 Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. In the EU, this is typically the data protection authority (DPA) in your country of residence or place of work. In the UK, this is the Information Commissioner's Office (ICO). We encourage you to contact us first at privacy@mingletrivia.com so we can address your concerns directly.

11.5 Exercising Your GDPR Rights

To exercise any of your GDPR rights, please email privacy@mingletrivia.com with "GDPR Data Request" in the subject line. We will respond within one month of receiving your verified request. For complex or multiple requests, we may extend this period by a further two months, and we will notify you of any such extension within one month.

12. Third-Party Links and Services

MingleTrivia may contain links to third-party websites, services, or resources (for example, links to the App Store, social media profiles, or support documentation). This Privacy Policy applies only to MingleTrivia's own data practices and does not extend to any third-party websites or services.

When you click on a third-party link, you leave MingleTrivia's services and are subject to that third party's privacy policy and terms. We are not responsible for the content, privacy practices, or data handling of any third-party websites or services, even if we link to them. We encourage you to review the privacy policies of any third-party services you visit.

Similarly, our app integrates with third-party SDKs and frameworks (Firebase, ARKit, StoreKit, MultipeerConnectivity). While we have described their data practices in this policy, each third party's data use is ultimately governed by their own privacy policies:

• Google Firebase / Google LLC: policies.google.com/privacy
• Apple Inc. (ARKit, StoreKit, MultipeerConnectivity): apple.com/privacy
• Amazon Web Services: aws.amazon.com/privacy
• Brevo: brevo.com/legal/privacypolicy

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the "Last Updated" date at the top of this page.

For material changes — those that significantly affect how we collect, use, or share your personal information, or that reduce your rights under this policy — we will provide at least 14 days' advance notice via one or more of the following methods:

• Email notification to the address associated with your account or waitlist signup
• A prominent notice on the MingleTrivia website (mingletrivia.com)
• An in-app notification banner when you open the app

For non-material changes (such as clarifications, corrections, or additions of examples), we may update the policy without advance notice beyond updating the "Last Updated" date.

Your continued use of MingleTrivia after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with any changes, you should stop using MingleTrivia and may request deletion of your account and personal data as described in Section 4 and Section 5.

We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us. We take privacy inquiries seriously and will respond promptly.

• Privacy Requests & General Inquiries:
  privacy@mingletrivia.com
  Use this address for: data access requests, deletion requests, corrections, portability requests, opt-out requests, GDPR rights, CCPA rights, and general privacy questions.
• Security Vulnerabilities:
  security@mingletrivia.com
  Use this address to report security vulnerabilities or suspected breaches. We follow responsible disclosure practices and will acknowledge reports within 72 hours.
• General Support:
  support@mingletrivia.com
  Use this address for app support, bug reports, and general customer service inquiries.

When contacting us about a privacy request, please include:

• Your name and email address associated with your account or waitlist signup
• The specific right(s) you wish to exercise or the nature of your inquiry
• For California residents: include "California Privacy Request" in the subject line
• For EEA/UK residents: include "GDPR Data Request" in the subject line

We will respond to all privacy-related inquiries within 30 days (or within the timeframes required by applicable law, as described in Sections 10 and 11).

MingleTrivia is developed and operated by Kyle Borg. This policy is governed by and construed in accordance with the laws of the United States, with specific provisions applicable to residents of California (CCPA/CPRA) and the European Economic Area and United Kingdom (GDPR/UK GDPR) as described herein.