Privacy Policy
Last updated: 4 July 2026
This Privacy Policy describes how Riplay (riplay.app), published by Lorenzer, collects, uses, and protects your personal data, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act of January 6, 1978, as amended.
1. Data Controller
- Publisher: Lorenzer
- Status: Non-commercial personal project
- Email: contact@riplay.app
2. Data Collected
Riplay collects the following categories of data:
Registration Data
- Email address
- Password (stored in hashed form, never in plain text)
- Profile picture / avatar (optional)
- Terms of Use consent (date and time)
Google OAuth Data
- Google account email address
- Display name
- Google profile picture
Collection Data
- Games, consoles, and accessories added to the collection
- Declared purchase prices and shipping costs
- Condition, completeness, region, personal notes
- Purchase and sale dates
- Sale prices (sold items)
Preference Data
- Selected market (EUR / USD / GBP)
- Preferred language (FR / EN)
- Profile visibility settings
Technical Data
- IP address (stored for rate limiting, abuse prevention, and service security)
- Session data (JWT token in an httpOnly cookie)
3. Purposes and Legal Basis
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract (Terms) |
| Collection management and dashboard | Performance of contract |
| Community price calculation (anonymized data) | Legitimate interest |
| Suspect price detection and moderation | Legitimate interest |
| Service security (rate limiting, anti-spam) | Legitimate interest |
| Two-factor authentication (2FA) | Legitimate interest (security) |
4. Data Retention
- Account data: retained while the account is active. Deleted within 30 days of an account deletion request.
- Collection data: retained while the account is active. Deleted with the account, except for purchase prices which are anonymized and retained for community price calculations (dissociated from any personal data).
- IP addresses: retained for a maximum of 1 year, in compliance with LCEN obligations regarding connection data.
- Contact messages: retained for 3 years then deleted.
5. Recipients and Processors
Your personal data may be shared with the following processors:
| Processor | Service | Location |
|---|---|---|
| OVHcloud (OVH SAS) | Server hosting (VPS), database | France (Strasbourg) |
| IONOS SE | Domain name registration and management | Germany |
| Google LLC | OAuth authentication | United States |
| Stripe Inc. | Payments (currently disabled) | United States |
Riplay never sells, rents, or shares your personal data with third parties for commercial or advertising purposes.
6. International Transfers
Riplay's primary hosting is provided by OVHcloud in France (Strasbourg datacenter). The domain name is managed by IONOS in Germany. Your data therefore remains within the European Union.
Some of our processors (Google, Stripe) are located in the United States. These transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF), ensuring an adequate level of data protection.
7. Cookies
Riplay only uses cookies strictly necessary for the service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | Authentication and user session (JWT) | Session / 30 days |
| authjs.csrf-token | CSRF attack protection | Session |
| authjs.callback-url | Post-authentication redirect | Session |
| riplay_2fa | Two-factor authentication verification | 24 hours |
Riplay uses no advertising, analytics, or tracking cookies. No third-party cookies are set for ad targeting purposes. As these cookies are strictly necessary for the service, they do not require prior consent (CNIL exemption).
8. Data Security
Riplay implements the following security measures:
- Encrypted communications (HTTPS / TLS)
- Passwords hashed with bcrypt (never stored in plain text)
- TOTP secrets encrypted with AES-256-GCM
- 2FA backup codes hashed with SHA-256
- httpOnly and signed session cookies (HMAC)
- Rate limiting against brute force attacks
- Suspect price detection system
9. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: obtain a copy of your personal data
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): request deletion of your data and account
- Right to data portability: receive your data in a structured format (CSV/PDF export available in the app)
- Right to object: object to the processing of your data on legitimate grounds
- Right to restriction: request restriction of processing in certain circumstances
- Withdrawal of consent: withdraw your consent at any time when processing is based on it
To exercise these rights, contact us at: contact@riplay.app
We commit to responding within 30 days.
If you believe that the processing of your data does not comply with regulations, you have the right to lodge a complaint with the CNIL — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — cnil.fr
10. Minors
Riplay is not intended for children under the age of 15. In accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act, consent to the processing of the data of a minor under 15 must be given by the holder of parental authority.
If we learn that a user under 15 has registered without parental consent, we will delete their account and data as soon as possible.
11. Changes
This Privacy Policy may be updated at any time. Users will be notified of any substantial changes via in-app notification. The last update date is shown at the top of this page.
12. Contact
For any questions about the protection of your personal data, contact us at: contact@riplay.app