Privacy Policy

Last updated: 4 July 2026

This Privacy Policy describes how Riplay (riplay.app), published by Lorenzer, collects, uses, and protects your personal data, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act of January 6, 1978, as amended.

1. Data Controller

  • Publisher: Lorenzer
  • Status: Non-commercial personal project
  • Email: contact@riplay.app

2. Data Collected

Riplay collects the following categories of data:

Registration Data

  • Email address
  • Password (stored in hashed form, never in plain text)
  • Profile picture / avatar (optional)
  • Terms of Use consent (date and time)

Google OAuth Data

  • Google account email address
  • Display name
  • Google profile picture

Collection Data

  • Games, consoles, and accessories added to the collection
  • Declared purchase prices and shipping costs
  • Condition, completeness, region, personal notes
  • Purchase and sale dates
  • Sale prices (sold items)

Preference Data

  • Selected market (EUR / USD / GBP)
  • Preferred language (FR / EN)
  • Profile visibility settings

Technical Data

  • IP address (stored for rate limiting, abuse prevention, and service security)
  • Session data (JWT token in an httpOnly cookie)

3. Purposes and Legal Basis

Purpose | Legal Basis
Account creation and management | Performance of contract (Terms)
Collection management and dashboard | Performance of contract
Community price calculation (anonymized data) | Legitimate interest
Suspect price detection and moderation | Legitimate interest
Service security (rate limiting, anti-spam) | Legitimate interest
Two-factor authentication (2FA) | Legitimate interest (security)

4. Data Retention

  • Account data: retained while the account is active. Deleted within 30 days of account deletion request.
  • Collection data: retained while the account is active. Deleted with the account, except for purchase prices which are anonymized and retained for community price calculations (dissociated from any personal data).
  • IP addresses: retained for a maximum of 1 year, in compliance with LCEN obligations regarding connection data.
  • Contact messages: retained for 3 years then deleted.

5. Recipients and Processors

Your personal data may be shared with the following processors:

Processor | Service | Location
OVHcloud (OVH SAS) | Server hosting (VPS), database | France (Strasbourg)
IONOS SE | Domain name registration and management | Germany
Google LLC | OAuth authentication | United States
Stripe Inc. | Payments (currently disabled) | United States

Riplay never sells, rents, or shares your personal data with third parties for commercial or advertising purposes.

6. International Transfers

Riplay's primary hosting is provided by OVHcloud in France (Strasbourg datacenter). The domain name is managed by IONOS in Germany. Your data therefore remains within the European Union.

Some of our processors (Google, Stripe) are located in the United States. These transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF), ensuring an adequate level of data protection.

7. Cookies

Riplay only uses cookies strictly necessary for the service to function:

Cookie | Purpose | Duration
authjs.session-token | Authentication and user session (JWT) | Session / 30 days
authjs.csrf-token | CSRF attack protection | Session
authjs.callback-url | Post-authentication redirect | Session
riplay_2fa | Two-factor authentication verification | 24 hours

Riplay uses no advertising, analytics, or tracking cookies. No third-party cookies are set for ad targeting purposes. As these cookies are strictly necessary for the service, they do not require prior consent (CNIL exemption).

8. Data Security

Riplay implements the following security measures:

  • Encrypted communications (HTTPS / TLS)
  • Passwords hashed with bcrypt (never stored in plain text)
  • TOTP secrets encrypted with AES-256-GCM
  • 2FA backup codes hashed with SHA-256
  • httpOnly and signed session cookies (HMAC)
  • Rate limiting against brute force attacks
  • Suspect price detection system

9. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: obtain a copy of your personal data
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"): request deletion of your data and account
  • Right to data portability: receive your data in a structured format (CSV/PDF export available in the app)
  • Right to object: object to the processing of your data on legitimate grounds
  • Right to restriction: request restriction of processing in certain circumstances
  • Withdrawal of consent: withdraw your consent at any time when processing is based on it

To exercise these rights, contact us at: contact@riplay.app

We commit to responding within 30 days.

If you believe that the processing of your data does not comply with regulations, you have the right to lodge a complaint with the CNIL — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — cnil.fr

10. Minors

Riplay is not intended for children under the age of 15. In accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act, consent to the processing of the data of a minor under 15 must be given by the holder of parental authority.

If we learn that a user under 15 has registered without parental consent, we will delete their account and data as soon as possible.

11. Changes

This Privacy Policy may be updated at any time. Users will be notified of any substantial changes via in-app notification. The last update date is shown at the top of this page.

12. Contact

For any questions about the protection of your personal data, contact us at: contact@riplay.app