
Privacy Policy

Effective date: June 20, 2026

This policy describes how personal data is processed when you use dopaminebuy.com and the DopamineBuy Android app.

1. Data controller

DopamineBuy is the commercial name of the service. The data controller under the GDPR (Regulation (EU) 2016/679) is:

  • Santiago Moran Labat — individual entrepreneur / ditta individuale
  • Address: Via Quisisana 17, 90200 Alimena, Palermo, Italy
  • Privacy contact: privacy@dopaminebuy.com

2. Nature of the service

DopamineBuy is an entertainment experience: simulated shopping, virtual coins, parody listings, and fictional "deliveries". There are no real product purchases, payments, or physical shipments.

3. Personal data we process

The table below states what we process, where it is stored, why, and the legal basis under Article 6 GDPR.

| Category | Where stored / sent | Purpose | Legal basis |
|---|---|---|---|
| Email, password (hashed), display name, avatar URL | Supabase Auth + profiles table | Create and manage your account and profile | Art. 6(1)(b) — performance of service |
| Product listings, favorites, seller stats | Supabase (products, favorites, etc.) | User-generated content and social features | Art. 6(1)(b) — performance of service |
| Cart, orders, coins, coupons, game progress | Browser/app local storage; synced to Supabase orders when signed in | Simulated checkout and gameplay | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interest (anti-abuse, service integrity) |
| Delivery address (name, street, city, postal code, country) and optional GPS-assisted fields | Stored in orders.shipping_address (JSON); address text sent to OpenStreetMap Nominatim for map coordinates | Fictional delivery map animation only — not used for real shipping. You may enter a real or fictional address; we treat it as personal data if it identifies a location. | Art. 6(1)(b) — performance of simulated checkout |
| Leaderboard and buyer rankings | Supabase (aggregated order/game data) | Public rankings and gamification | Art. 6(1)(b) — performance of service |
| In-app notifications | Supabase notifications + realtime | Order and activity alerts while using the app | Art. 6(1)(b) — performance of service |
| Web Push subscription (endpoint, encryption keys) | Supabase push_subscriptions | Optional alerts when the app is closed | Art. 6(1)(a) — consent (you enable in-app) |
| Usage analytics (page views, paths, device identifiers, identified user traits when logged in) | PostHog (EU cloud: eu.i.posthog.com when so configured) | Understand usage and improve the product | Art. 6(1)(a) consent for EEA/UK users (see §8); Art. 6(1)(f) elsewhere where permitted |
| Transactional email (order confirmations, shipping updates) | Email infrastructure via Supabase / Lovable | Communications about simulated orders | Art. 6(1)(b) — performance of service |
| Language preference | Browser local storage | Remember UI language | Art. 6(1)(f) — legitimate interest |

We do not sell your personal data.

4. Processors, recipients, and international transfers

We use the following service providers (processors or independent controllers where noted). Data may be processed outside the European Economic Area (EEA). Where required, transfers rely on the provider's Standard Contractual Clauses (SCCs) or equivalent safeguards.

  • Supabase Inc. — database, authentication, storage, edge functions, realtime. Project region: EU (Frankfurt). Privacy: supabase.com/privacy
  • PostHog Inc. — product analytics. Data hosted in the EU when VITE_POSTHOG_HOST points to eu.i.posthog.com.
  • Google LLC — optional Sign in with Google (OAuth). Processing may occur in the United States under Google's terms and SCCs.
  • Google Firebase (FCM) — delivery of optional Web Push notifications. Processing may occur in the United States.
  • OpenStreetMap Foundation / Nominatim — geocoding: checkout address text is sent to public geocoding servers to obtain coordinates for the map animation.
  • Cloudflare, Inc. — CDN, security, and edge hosting for the website.
  • Lovable (GPT Engineer, Inc.) — application hosting, deployment, and OAuth broker for Google sign-in in some environments.

5. Retention

  • Account and profile: retained while your account is active; deleted within 30 days after a confirmed deletion request (see §6).
  • Orders and delivery addresses: retained while your account is active or until you request deletion; not used for marketing.
  • Push subscriptions: deleted when you revoke permission, disable alerts, or delete your account.
  • Analytics events: retained according to PostHog project settings (typically up to 12 months — confirm in your PostHog dashboard).
  • Local storage (cart, guest orders): remains on your device until you clear site data or uninstall the app.
  • Backups: encrypted provider backups may persist for up to 90 days after deletion before automatic rotation.

6. Account and data deletion

You may request deletion of your account and associated personal data by emailing privacy@dopaminebuy.com from the address linked to your account. We will respond within 30 days.

What we delete: profile, authentication record, orders, product listings, favorites, notifications, push subscriptions, and linked activity where technically feasible.

What we may retain: anonymised or aggregated statistics, and minimal logs required for security, fraud prevention, or legal obligations, for the retention periods above.

A dedicated in-app deletion flow and public deletion URL are planned for a future release to meet Google Play requirements.

7. Your rights (GDPR)

If you are in the EEA, UK, or Switzerland, you have the right to: access your data; rectification; erasure; restriction of processing; data portability; object to processing based on legitimate interests; and withdraw consent at any time (without affecting prior lawful processing) for push notifications and analytics where consent applies.

To exercise these rights, contact privacy@dopaminebuy.com. You may also lodge a complaint with your supervisory authority. In Italy: Garante per la protezione dei dati personali.

8. Analytics, cookies, and similar technologies

We use PostHog, which may store cookies or similar identifiers in your browser and send usage events (pages viewed, interactions, and — when logged in — your user ID, email, and display name) to PostHog's EU servers when configured.

EEA/UK users: under GDPR, analytics that is not strictly necessary requires consent. We are implementing a consent banner so analytics will load only after you opt in. Until that banner is live, you may contact us to object to analytics processing or use browser privacy/blocking tools (with limited effect on app functionality).

Push notifications are optional and only activated after you tap "Enable alerts" and grant system permission. You can revoke consent in device settings or by disabling alerts in the app.

9. Security

We apply appropriate technical and organisational measures, including: HTTPS/TLS encryption in transit; hashed passwords (never stored in plain text); row-level security on Supabase tables; restricted access to production systems; and data minimisation (we only collect what the simulated experience requires).

No method of transmission or storage is completely secure.

10. Children

DopamineBuy is not directed at children. You must be at least 16 years old in the EEA (or 13 elsewhere, or the minimum age in your country) to create an account. We do not knowingly collect data from children. Contact us if you believe a child has provided personal data.

11. Changes to this policy

We may update this policy for legal, technical, or product reasons. We will update the effective date above. For material changes, we will provide notice in the app or by email where appropriate. Continued use after the effective date constitutes acceptance of the updated policy where permitted by law.

12. Contact

Data controller: Santiago Moran Labat, Via Quisisana 17, 90200 Alimena, Palermo, Italy.

Privacy requests and questions: privacy@dopaminebuy.com