Privacy Policy

Last Updated: May 6, 2026

1. Introduction

This Privacy Policy describes how your personal information is collected, used, and shared when you use the Dartly application ("App"), available on Android, iOS, desktop, and web platforms.

Dartly is a darts scoring application developed by Fratres ("we", "us", or "our"), an informal development group based in the Czech Republic. On Apple platforms (iOS/iPadOS), the App is published by Osomahe o.s.

The App can be used in two modes:

• Offline mode (no account): All data stays on your device. This mode does not require registration or any personal information beyond what you voluntarily enter as player names.
• Online mode (with account): Optional features such as cloud synchronization across devices, server-side statistics, and premium subscriptions become available. These features require creating a user account and transmit data to our servers.

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the App.

2. Contact Information

Fratres
Email: fratresfun+dartly@gmail.com

For any questions or concerns regarding this Privacy Policy or your personal data, please contact us at the email address above.

3. Age Restrictions

Dartly is intended for users aged 13 and older. We do not knowingly collect personal information from children under the age of 13. If you are a parent or guardian and believe your child under 13 has provided us with personal data, please contact us at fratresfun+dartly@gmail.com, and we will take steps to delete such information.

In the European Economic Area (EEA), where local laws require a higher age of digital consent (up to 16 years in some Member States), users below the applicable age threshold should only use the App with the consent of a parent or legal guardian.

4. Information We Collect

4.1 Information You Provide

4.1.1 Game Content (always optional)

The App allows you to create player profiles and teams for the purpose of scorekeeping. This may include:

• Player names (first name, last name)
• Nicknames
• Team names
• Player photos (optional)

This information is entered voluntarily and may be fictional or pseudonymous. In offline mode it stays on your device. In online mode (with an account) it can be synchronized to our servers.

4.1.2 Account Data (only if you create an account)

If you decide to register a Dartly account, we collect:

• Email address — used as your unique login identifier and for transactional communication (verification, password reset).
• Password — never stored in plain text. We use industry-standard BCrypt password hashing to compute a one-way hash. We cannot recover the original password.
• Display name — shown in the app and shared games.
• Email verification token — a single-use random token used to confirm your email; expires after a short period.
• Social account identifiers — if you sign in with Google or Facebook, we receive a stable provider user ID (Google "sub" claim or Facebook user ID) and the email and display name your provider returns. Tokens are validated server-side; we do not receive your social account password.
• Subscription state — if you purchase a premium subscription, we store a reference to the platform receipt (Apple, Google Play, Stripe), the purchase status, current period end and a flag indicating whether your subscription is active.

4.2 Information Collected Automatically

When you use the App, certain information may be collected automatically through third-party services integrated into the App:

• Device information: device type, model, operating system and version, screen resolution, device language
• App usage data: features used, session duration, crash logs, performance data
• Advertising identifiers: such as Google Advertising ID (GAID) or Apple Identifier for Advertisers (IDFA), used to serve and measure advertisements
• Network information: IP address (which may be used to approximate general geographic location), connection type
• Analytics data: in-app events, navigation patterns, aggregated usage statistics

For account-related actions (registration, login, password reset, email verification), our backend additionally records:

• IP address and timestamps — logged in dedicated authentication-attempt records to detect abuse, brute-force login attempts and email enumeration. Records are retained briefly while the rate-limit window is in effect, then automatically deleted.
• Authentication tokens — we issue short-lived access tokens and longer-lived refresh tokens with optional extended persistence (controlled by the "remember me" choice at sign-in). Refresh tokens are stored only as a hash in our database and are revoked on logout, password change or account deletion.
• Client error reports — if the App crashes or hits an unexpected state, a description of the error and the screen where it occurred can be sent to our backend (rate-limited). We do not include the contents of your games or other personal data in these reports.

4.3 Information Stored Locally and Synchronized to the Cloud

Local storage (always): All game-related data — including player profiles, team information, game sessions, game history, scores, throws, statistics, and player photos — is stored on your device using an on-device database (Room on Android/iOS, IndexedDB in the browser). When you use the App without an account, this is the only place this data lives, and we have no access to it.

Optional cloud synchronization (only with an account): If you sign in and enable cloud sync, the following data is transmitted to and stored on our servers so it can be synchronized between your devices:

• Teams and players you create (names, nicknames, optional photos)
• Saved (in-progress) games and finished games
• Application settings linked to your account (e.g. preferred language)

Photo storage: Player photos follow a hybrid model. The base64 thumbnail used for display lives in the on-device database; when cloud sync is enabled, the full image is uploaded to an S3-compatible object storage provider in an EU region and referenced by a per-photo URL. Photos are deleted when you delete the player or your account.

Cloud sync is opt-in: it never starts automatically without an account, and you can sign out at any time to stop further synchronization. Data already synchronized stays on the server until you delete the account (see Section 11).

5. Third-Party Services

The App uses the following third-party services, each of which may collect information as described in their respective privacy policies:

5.1 Google Firebase

We use Firebase for analytics and crash reporting:

• Firebase Analytics — collects app usage data, session information, and device properties to help us understand how the App is used and to improve user experience.
• Firebase Crashlytics — collects crash reports, stack traces, and device state information to help us identify and fix technical issues.

Firebase Privacy Policy: https://firebase.google.com/support/privacy

5.2 Google AdMob

We use Google AdMob to display advertisements within the App. AdMob may collect and process data including device identifiers, IP addresses, and usage data to serve personalized or non-personalized ads.

Google AdMob Privacy Policy: https://policies.google.com/privacy

5.3 Google AdSense

We use Google AdSense for advertising on the web version of the App. AdSense may use cookies and similar technologies to serve ads based on your prior visits to our App or other websites.

Google AdSense Privacy Policy: https://policies.google.com/privacy

5.4 Google Analytics

We use Google Analytics to collect and analyze aggregated usage data for the web platform to improve the App experience.

Google Analytics Privacy Policy: https://policies.google.com/privacy

5.5 Microsoft Clarity

We use Microsoft Clarity (clarity.microsoft.com) to capture how users interact with the App through behavioral metrics, heatmaps, and session replay. Clarity collects information about device, IP address (truncated), pages visited, interactions (clicks, scrolls, taps), and approximate location. This helps us improve App usability and identify issues. Clarity respects user consent through the IAB TCF v2 framework on the web platform; on mobile, Clarity is initialized only after you grant consent. Personal information you enter into form fields is masked by default.

Microsoft Clarity Cookie and Consent Information: https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-cookie-consent
Microsoft Privacy Statement: https://privacy.microsoft.com/privacystatement

5.6 Google Sign-In and Facebook Login

If you choose to sign in with Google or Facebook, we receive your provider user ID, email and display name as confirmed by the provider. We never receive your social account password. Tokens are validated server-side against the provider's public endpoint before any account is created or linked.

Google Privacy Policy: https://policies.google.com/privacy
Facebook Data Policy: https://www.facebook.com/policy.php

5.7 Resend (Email Delivery)

We use Resend (resend.com) to deliver transactional emails such as account verification and password reset messages. Resend processes the recipient email address and the message content on our behalf. We do not send marketing emails.

Resend Privacy Policy: https://resend.com/legal/privacy-policy

5.8 Apple In-App Purchase (iOS subscriptions)

Subscriptions purchased on iOS are processed through Apple's In-App Purchase system. Apple is the merchant of record and handles your payment. We receive a transaction identifier and the subscription state from Apple, but we do not receive your full payment card details.

Apple Privacy Policy: https://www.apple.com/legal/privacy/en-ww/

5.9 Google Play Billing (Android subscriptions)

Subscriptions purchased on Android are processed through Google Play Billing. Google is the merchant of record. We receive a purchase token and the subscription state from Google, but we do not receive your full payment card details.

Google Play Privacy Policy: https://policies.google.com/privacy

5.10 Stripe (Web subscriptions)

Subscriptions purchased on the web are processed through Stripe (stripe.com). Stripe acts as the payment processor and the merchant of record where applicable. Stripe collects your payment information directly through their secure checkout; we receive only a customer reference, the subscription identifier and the subscription state.

Stripe Privacy Policy: https://stripe.com/privacy

5.11 Object Storage for Photos

Player photos uploaded with cloud sync enabled are stored in an EU-region S3-compatible object storage bucket. The provider acts as a sub-processor and only stores the binary file; access is controlled by short-lived authenticated URLs.

6. How We Use Your Information

We use the information collected for the following purposes:

• To provide and maintain the App: enabling core functionality such as game scoring, player management, and statistics tracking
• To operate user accounts: creating and authenticating accounts, verifying email addresses, resetting forgotten passwords, and securing accounts against abuse
• To synchronize your data: moving your players, teams, games, settings and photos between your devices when cloud sync is enabled
• To deliver transactional emails: sending verification, password reset and important service messages (we do not send marketing emails)
• To process subscriptions: verifying purchases with Apple, Google or Stripe, applying entitlements, and storing accounting records as required by law
• To improve the App: analyzing usage patterns, identifying bugs, and optimizing performance
• To serve advertisements: displaying ads within the App to support its free availability (free tier only)
• To ensure stability and security: monitoring crashes, technical issues and suspicious activity

We do not use your information for:

• Selling personal data to third parties
• Creating individual user profiles for marketing purposes
• Sending marketing or promotional emails (only transactional)

7. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

• Contract performance (Art. 6(1)(b) GDPR) — Providing the core functionality of the App; creating and operating your user account; cloud synchronization; processing premium subscriptions and providing the corresponding entitlements.
• Legitimate interest (Art. 6(1)(f) GDPR) — Analytics and crash reporting to improve the App and ensure its stability; security measures such as authentication-attempt logging, rate limiting and fraud prevention.
• Legal obligation (Art. 6(1)(c) GDPR) — Retention of accounting and tax records related to subscriptions, in accordance with Czech accounting law (§31 ZoÚ).
• Consent (Art. 6(1)(a) GDPR) — Serving personalized advertisements; use of non-essential cookies and tracking technologies; optional features that you explicitly enable.

Where we rely on consent, you may withdraw it at any time through your device settings or the consent management options within the App. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

8. Advertising and Your Choices

8.1 Personalized Advertising

By default, our advertising partners may serve personalized ads based on your interests. You can opt out of personalized advertising through:

• Android: Settings → Privacy → Ads → Delete advertising ID or Opt out of Ads Personalization
• iOS: Settings → Privacy & Security → Tracking → disable tracking for Dartly
• Web: Through the cookie consent banner or your browser settings

8.2 Non-Personalized Advertising

If you opt out of personalized advertising, you will still see ads, but they will not be tailored to your interests. Non-personalized ads may still use contextual information such as general geographic location or the content of the App.

9. Data Retention

• Locally stored data (player profiles, game history, statistics): retained on your device until you delete the App or clear the App's data manually. We have no access to this data and cannot delete it remotely.
• User account record (email, password hash, display name, social account links): retained until you delete your account, or up to 3 years after your last sign-in if the account becomes inactive (we may notify you before deletion).
• Refresh tokens: retained as a hash for the validity period (with optional extended persistence under "remember me"). Revoked immediately on logout, password change, or account deletion.
• Authentication attempt logs (IP address): retained briefly while the rate-limit window is in effect and then deleted automatically.
• Synchronized game content (teams, players, games, settings, photos): retained for the lifetime of your account, deleted on account deletion (subject to a short grace period — see Section 11).
• Subscription and billing records: retained for the duration of the subscription and for an additional period required by Czech accounting law (up to 10 years for tax records, §31 ZoÚ). Records are anonymized where possible after the account is deleted.
• Database backups: encrypted server backups are retained for a limited period and then permanently deleted. Account data may persist in backups for that period after deletion.
• Analytics data (Firebase Analytics, Google Analytics): retained according to Google's standard retention policies. We have configured our analytics to retain data for the minimum period necessary.
• Behavioral analytics data (Microsoft Clarity): retained according to Microsoft's standard retention period (currently approximately 1 year for session recordings).
• Crash reports (Firebase Crashlytics, our own backend client-error log): retained for up to 90 days.
• Advertising data: retained by Google in accordance with their privacy policies.

10. Data Sharing and Transfers

We do not sell, rent, or trade your personal information.

The processors we share data with, the type of data they receive and where they process it:

• Our backend (Fratres): hosted on a hardened cloud server in the European Union, running a managed relational database with regularly scheduled encrypted backups. Stores your account, synchronized content, subscription state and authentication logs.
• Google LLC (Firebase, AdMob, AdSense, Analytics, Sign-In, Play Billing): may process data in the United States or other countries outside the EEA.
• Microsoft Corporation (Clarity): may process behavioral analytics data (session recordings, heatmaps) in the United States or other countries outside the EEA.
• Apple Inc. (App Store, In-App Purchase): processes payment data and subscription records.
• Meta Platforms (Facebook Login): if you sign in with Facebook, processes the OAuth handshake.
• Stripe, Inc.: web payment processing.
• Resend: transactional email delivery.
• Object storage sub-processor (S3-compatible, EU region): stores player photos when cloud sync is enabled.

Where data is transferred outside the European Economic Area, transfers are safeguarded by appropriate mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, additional supplementary measures (encryption at rest and in transit).

11. Your Rights

11.1 Rights Under GDPR (EEA/UK Users)

If you are located in the EEA or UK, you have the following rights:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate data
• Right to erasure ("right to be forgotten"): request deletion of your personal data
• Right to restriction: request that we limit the processing of your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interest, including profiling for advertising
• Right to withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, please contact us at fratresfun+dartly@gmail.com. We will respond to your request within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority. In the Czech Republic, this is the Office for Personal Data Protection (UOOU): https://www.uoou.cz.

11.2 Rights Under CCPA (California Users)

If you are a California resident, you have the right to:

• Know what personal information is collected about you
• Request deletion of your personal information
• Opt out of the sale of your personal information (we do not sell personal information)
• Non-discrimination for exercising your privacy rights

11.3 Rights for All Users

Regardless of your location, you can:

• Delete local data: uninstall the App or clear its data through your device settings to remove all locally stored information
• Delete your account in-app: if you have a Dartly account, open the App and go to Settings → Account → Delete Account. After confirmation, your account, synchronized content (teams, players, games, photos) and authentication tokens are deleted from our database. Encrypted backups are purged within 30 days. Subscription and billing records are retained for the period required by accounting law as described in Section 9.
• Cancel your subscription before deletion: if you have an active premium subscription, cancel it first through the App Store, Google Play, or your in-app billing portal (Stripe). Deleting your Dartly account does not automatically cancel a subscription billed by Apple or Google.
• Request deletion by email: if you cannot access the App, write to fratresfun+dartly@gmail.com from the email associated with your account. We respond within 30 days.
• Export your data: contact us by email to request an export of the personal data we hold about you in a structured, machine-readable format.
• Opt out of personalized ads: adjust your device advertising settings as described in Section 8
• Disable analytics: where applicable, disable analytics collection through the App settings or your device settings

12. Data Security

We take reasonable measures to protect the information collected through the App:

• Encryption in transit: all communication between the App and our backend is protected by TLS (HTTPS).
• Password storage: passwords are stored only as industry-standard BCrypt hashes. We cannot read your password.
• Token storage on device: authentication tokens are stored using each platform's recommended secure-storage mechanism, with refresh tokens kept inaccessible to in-page scripts on the web.
• Rate limiting and abuse protection: registration, login and password-reset endpoints are rate-limited per IP and per account.
• Server hardening: our backend runs on a hardened cloud server with restricted administrative access, network firewalling, regular encrypted database backups and monitored health checks.
• Locally stored data resides on your device and is protected by your device's own security mechanisms (lock screen, full-disk encryption, etc.).

No method of electronic storage or transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

13. Cookies and Similar Technologies

The web version of the App may use cookies and similar tracking technologies for:

• Essential cookies: necessary for the App to function properly
• Analytics cookies: to understand how users interact with the App
• Advertising cookies: to serve relevant advertisements

You can manage your cookie preferences through the cookie consent banner displayed on first visit, or through your browser settings. Note that disabling certain cookies may affect the functionality of the App.

The mobile and desktop versions of the App do not use cookies but may use device-level identifiers for analytics and advertising purposes.

14. Links to Other Websites

The App may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy within the App
• Updating the "Last Updated" date at the top of this document
• Displaying an in-app notification for significant changes

We encourage you to review this Privacy Policy periodically. Changes are effective when they are posted.

16. Applicable Law

This Privacy Policy is governed by the laws of the Czech Republic and, where applicable, by the General Data Protection Regulation (EU) 2016/679. Any disputes arising from this Privacy Policy shall be subject to the jurisdiction of the courts of the Czech Republic, without prejudice to any mandatory consumer protection provisions of your country of residence.

17. Consent

By using the App, you consent to the processing of your information as described in this Privacy Policy. For users in the EEA, specific consents (such as for personalized advertising) are obtained separately through the App's consent management mechanisms.

Dartly — developed by Fratres | Published on Apple platforms by Osomahe o.s.

Contact: fratresfun+dartly@gmail.com