Effective date: June 20, 2026
This policy describes how personal data is processed when you use dopaminebuy.com and the DopamineBuy Android app.
DopamineBuy is the commercial name of the service. The data controller under the GDPR (Regulation (EU) 2016/679) is:
DopamineBuy is an entertainment experience: simulated shopping, virtual coins, parody listings, and fictional "deliveries". There are no real product purchases, payments, or physical shipments.
The table below states what we process, where it is stored, why, and the legal basis under Article 6 GDPR.
| Category | Where stored / sent | Purpose | Legal basis |
|---|---|---|---|
| Email, password (hashed), display name, avatar URL | Supabase Auth + profiles table | Create and manage your account and profile | Art. 6(1)(b) — performance of service |
| Product listings, favorites, seller stats | Supabase (products, favorites, etc.) | User-generated content and social features | Art. 6(1)(b) — performance of service |
| Cart, orders, coins, coupons, game progress | Browser/app local storage; synced to Supabase orders when signed in | Simulated checkout and gameplay | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interest (anti-abuse, service integrity) |
| Delivery address (name, street, city, postal code, country) and optional GPS-assisted fields | Stored in orders.shipping_address (JSON); address text sent to OpenStreetMap Nominatim for map coordinates | Fictional delivery map animation only — not used for real shipping. You may enter a real or fictional address; we treat it as personal data if it identifies a location. | Art. 6(1)(b) — performance of simulated checkout |
| Leaderboard and buyer rankings | Supabase (aggregated order/game data) | Public rankings and gamification | Art. 6(1)(b) — performance of service |
| In-app notifications | Supabase notifications + realtime | Order and activity alerts while using the app | Art. 6(1)(b) — performance of service |
| Web Push subscription (endpoint, encryption keys) | Supabase push_subscriptions | Optional alerts when the app is closed | Art. 6(1)(a) — consent (you enable in-app) |
| Usage analytics (page views, paths, device identifiers, identified user traits when logged in) | PostHog (EU cloud: eu.i.posthog.com when so configured) | Understand usage and improve the product | Art. 6(1)(a) consent for EEA/UK users (see §8); Art. 6(1)(f) elsewhere where permitted |
| Transactional email (order confirmations, shipping updates) | Email infrastructure via Supabase / Lovable | Communications about simulated orders | Art. 6(1)(b) — performance of service |
| Language preference | Browser local storage | Remember UI language | Art. 6(1)(f) — legitimate interest |
We do not sell your personal data.
We use the following service providers (processors or independent controllers where noted). Data may be processed outside the European Economic Area (EEA). Where required, transfers rely on the provider's Standard Contractual Clauses (SCCs) or equivalent safeguards.
VITE_POSTHOG_HOST points to eu.i.posthog.com.You may request deletion of your account and associated personal data by emailing privacy@dopaminebuy.com from the address linked to your account. We will respond within 30 days.
What we delete: profile, authentication record, orders, product listings, favorites, notifications, push subscriptions, and linked activity where technically feasible.
What we may retain: anonymised or aggregated statistics, and minimal logs required for security, fraud prevention, or legal obligations, for the retention periods above.
A dedicated in-app deletion flow and public deletion URL are planned for a future release to meet Google Play requirements.
If you are in the EEA, UK, or Switzerland, you have the right to: access your data; rectification; erasure; restriction of processing; data portability; object to processing based on legitimate interests; and withdraw consent at any time (without affecting prior lawful processing) for push notifications and analytics where consent applies.
To exercise these rights, contact privacy@dopaminebuy.com. You may also lodge a complaint with your supervisory authority. In Italy: Garante per la protezione dei dati personali.
We use PostHog, which may store cookies or similar identifiers in your browser and send usage events (pages viewed, interactions, and — when logged in — your user ID, email, and display name) to PostHog's EU servers when configured.
EEA/UK users: under GDPR, analytics that is not strictly necessary requires consent. We are implementing a consent banner so analytics will load only after you opt in. Until that banner is live, you may contact us to object to analytics processing or use browser privacy/blocking tools (with limited effect on app functionality).
Push notifications are optional and only activated after you tap "Enable alerts" and grant system permission. You can revoke consent in device settings or by disabling alerts in the app.
We apply appropriate technical and organisational measures, including: HTTPS/TLS encryption in transit; hashed passwords (never stored in plain text); row-level security on Supabase tables; restricted access to production systems; and data minimisation (we only collect what the simulated experience requires).
No method of transmission or storage is completely secure.
DopamineBuy is not directed at children. You must be at least 16 years old in the EEA (or 13 elsewhere, or the minimum age in your country) to create an account. We do not knowingly collect data from children. Contact us if you believe a child has provided personal data.
We may update this policy for legal, technical, or product reasons. We will update the effective date above. For material changes, we will provide notice in the app or by email where appropriate. Continued use after the effective date constitutes acceptance of the updated policy where permitted by law.
Data controller: Santiago Moran Labat, Via Quisisana 17, 90200 Alimena, Palermo, Italy.
Privacy requests and questions: privacy@dopaminebuy.com