Privacy Policy / Datenschutzerklärung
Last updated: 30 June 2026
Language note: This Privacy Policy is provided in English. It is based on the EU General Data Protection Regulation (GDPR/DSGVO) and the Austrian Data Protection Act (Datenschutzgesetz, DSG). Where the Service is directed at Austrian or other German-speaking users, an authoritative German-language version (Datenschutzerklärung) may be published in addition.
Birb is an 18+ service: it is strictly for adults of legal drinking age and is not directed to children or minors. We do not knowingly collect personal data from anyone under 18.
1. Data controller
The controller responsible for the processing of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:
Robin Embacher
Muldenstraße 8, 4863 Seewalchen, Austria
Email: support@embxr.eu
Data Protection Officer: No data protection officer has been appointed, as the designation of one is not mandatory under Art. 37 GDPR and the Austrian Data Protection Act (DSG) for processing of this kind and scale by a sole proprietor. For any data-protection matters, please contact us at support@embxr.eu.
2. Scope
This policy explains how we handle personal data when you use the Birb mobile app and the related backend service ("the Service"). It applies to data processed through your account, gameplay, and our servers.
3. What data we collect and why
We collect only the data we need to run the Service. The tables below reflect what the app and server actually process.
3.1 Account data
| Data | Purpose |
|---|---|
| Username | Identifies your account and you to other players. |
| Password (stored only as a bcrypt hash — never in plain text) | Authenticating you securely. We cannot read your password. |
| Email address (optional) | Account recovery and, where applicable, service communications. Only collected if you choose to provide it. |
| Chosen avatar id | Your in-game profile picture selection. |
| Date of birth | Collected solely to verify you are 18 or older (age verification). We do not use your date of birth for any other purpose. |
| Country / flag / country name (derived from your username) | Display of your country flag in-game. |
| Google account id and/or Apple account id (only if you use social sign-in) | Linking your account to your chosen sign-in provider so you can log in. |
| Account creation and last-login timestamps | Account management, security and abuse prevention. |
3.2 Authentication data
| Data | Purpose |
|---|---|
| Bearer token (JWT, expiring after approximately 30 days), stored on your device | Keeping you signed in. The token is stored securely on your device using the iOS Keychain or Android EncryptedSharedPreferences. It is functional (it keeps you logged in) and is not used for advertising or cross-site tracking. |
3.3 Gameplay data
| Data | Purpose |
|---|---|
| Room / lobby membership | Running multiplayer games and showing who is in your room. |
| Game statistics: sips taken / given, full drinks, unlucky points, jokers used, reverses used, rooms played | Running the game and showing your history and stats. |
| House-rule text you write | Showing your custom rules to players in your room. Do not include personal or sensitive information in house-rule text, as other players will see it. |
| In-game events | Synchronising game state between players in real time. |
3.4 Technical and usage data
| Data | Purpose |
|---|---|
| IP address (in server request logs and for rate limiting) | Security, abuse and fraud prevention, rate limiting, and keeping the Service stable. |
| Request metadata (HTTP method, path, status code, timing) | Operating, debugging and securing the Service. |
| Presence timestamps | Showing whether players are online / active in a room. |
4. Legal bases for processing (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)): creating and managing your account, authentication, running rooms and gameplay, storing your statistics and house rules. Without this data we cannot provide the Service you ask for.
- Legitimate interests (Art. 6(1)(f)): security, anti-abuse, fraud prevention, rate limiting and server logging. Our legitimate interest is in keeping the Service secure, available and free from abuse. The retention of date of birth is also supported by our legitimate interest in, and legal need for, age verification of an alcohol-themed service.
- Consent (Art. 6(1)(a)): any advertising, marketing communications, or non-essential third-party SDKs (such as an ad network or analytics), where applicable. You can withdraw consent at any time with effect for the future.
- Legal obligation (Art. 6(1)(c)): where we must retain or disclose data to comply with applicable law.
5. Recipients and processors
We do not sell your personal data. We share data only with service providers who help us run the Service ("processors"), and only as needed. Depending on how you use the app and which features are enabled, recipients may include:
- Apple Inc. — "Sign in with Apple" (if you use it) and Apple account verification.
- Google LLC — Google Sign-In and Google token verification (if you use it).
- Apple App Store / Google Play — processing purchases and donations made through the stores. Payment details are handled by Apple/Google, not by us.
- Mobile ad network (e.g. Google AdMob) — only if enabled — serving ads; this typically involves device/advertising identifiers and is subject to your consent where required.
- Push-notification service — only if enabled — delivering push notifications to your device.
- Hosting / infrastructure provider — Hetzner Online GmbH, Germany, with the primary data centre located in Frankfurt am Main, Germany (EU). Your primary data is stored within the European Union.
Where these parties act as our processors, we put in place data-processing agreements as required by Art. 28 GDPR. We may also disclose data where required by law or to protect our rights.
6. International data transfers
Some recipients — notably Apple and Google — may process personal data outside the European Economic Area (for example, in the United States). Where data is transferred to a country without an EU adequacy decision, such transfers are safeguarded by appropriate measures such as the European Commission's Standard Contractual Clauses (SCCs) and/or applicable certification frameworks. You can request more information about these safeguards using the contact details below.
7. Data retention
- Account data, gameplay data, statistics and house rules: kept until you delete your account. When you delete your account, this data is deleted or anonymised, except where we must keep certain records to comply with legal obligations.
- Server logs (including IP address and request metadata): kept for 14 days, then deleted.
- Date of birth: retained for age-verification and abuse-prevention purposes for as long as the account exists.
- Purchase / donation records: retained as required by applicable Austrian tax and accounting law (generally 7 years under § 132 of the Austrian Federal Fiscal Code, Bundesabgabenordnung).
8. Security measures
- Passwords are stored only as bcrypt hashes; we never store or transmit your plain-text password.
- Network traffic is encrypted in transit using TLS / HTTPS.
- Authentication uses signed, time-limited JWT bearer tokens; tokens are stored in the device's secure storage (iOS Keychain / Android EncryptedSharedPreferences).
- Rate limiting and logging help us detect and prevent abuse.
No method of transmission or storage is 100% secure; we cannot guarantee absolute security but we work to protect your data using appropriate technical and organisational measures (Art. 32 GDPR).
9. Device / local storage
Your authentication token is stored locally on your device's secure storage to keep you signed in. This storage is functional — it is required for the app to work — and is not used for advertising, profiling or cross-app tracking.
10. Advertising and push notifications (only if enabled)
If advertising is enabled, we may use a mobile ad network such as Google AdMob. Ad networks may process device and advertising identifiers to show and measure ads. Where the law requires consent for advertising or tracking (for example, under the ePrivacy rules and GDPR), we will ask for your consent first and you can withdraw it at any time.
If push notifications are enabled, a push-notification service is used to deliver messages to your device. You can disable push notifications in your device settings at any time.
These features are not enabled by default. If and when a specific advertising or push-notification provider is introduced, this policy will be updated to name the provider and link to its privacy policy.
11. Children
The Service is strictly for adults (18+) and is not directed to children or minors. We do not knowingly collect personal data from anyone under 18. We use date of birth to prevent under-age use. If you believe a minor has provided us with personal data, please contact us and we will delete it.
12. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate or incomplete data (Art. 16).
- Erasure ("right to be forgotten") (Art. 17).
- Restriction of processing (Art. 18).
- Data portability — receive your data in a structured, machine-readable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).
- Lodge a complaint with a supervisory authority (Art. 77). Our competent supervisory authority is the Austrian Data Protection Authority: Österreichische Datenschutzbehörde (DSB), Barichgasse 40–42, 1030 Wien, Austria; email dsb@dsb.gv.at; www.dsb.gv.at. You may also lodge a complaint with the supervisory authority in your country of residence.
13. How to exercise your rights
To exercise any of these rights, contact us at support@embxr.eu. We will respond within the time limits set by the GDPR (generally one month under Art. 12(3), which may be extended in complex cases). We may need to verify your identity before acting on a request, so that we do not disclose or delete data at the request of someone other than the account holder. You can also delete your account from within the app, which deletes or anonymises the associated data as described in section 7.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here and change the "Last updated" date above. Where changes are significant, we will provide a more prominent notice as required by law.
15. Contact
Questions about this policy or your data? Contact us at support@embxr.eu or by post at Robin Embacher, Muldenstraße 8, 4863 Seewalchen, Austria. See also our Imprint / Impressum.