Privacy Policy
Last updated: 24 May 2026
1. Who we are (the controller)
BLACKLYNX BV, registered in Belgium under company number 0667.606.458, with registered office at Broekkantstraat 28 box A, 9051 Gent. For any privacy question or request, write to hello@odinsjourney.app.
2. What we collect, and why
| Data | Why |
|---|---|
| Email address | To create your account, log you in, send receipts and password resets |
| Password (hashed) | To verify it's you — we never see the original |
| Progress data (which requirements you've checked off) | The whole point of the product — tracking your journey across devices |
| Billing name, address, and (optional) VAT number | Collected by Stripe at checkout for tax compliance and invoicing |
| Payment status (paid / not paid, paid date, Stripe customer ID) | To unlock the app for paid users — we do not store your card details, Stripe does |
| Server logs (IP address, browser type, timestamp of requests) | Standard hosting logs from Vercel, retained for ~30 days for abuse detection and debugging |
We do not run third-party tracking, analytics, behavioral advertising, or fingerprinting. There are no Google Analytics, Meta Pixel, or similar trackers on the site.
3. Legal basis for processing (GDPR)
- Contract: We need your email, password, payment status, and progress data to provide the service you bought. (GDPR Art. 6(1)(b))
- Legal obligation: We retain invoices and tax records for the period required by Belgian tax law. (GDPR Art. 6(1)(c))
- Legitimate interest: Standard server logs for security and abuse detection. (GDPR Art. 6(1)(f))
4. Who else can see your data (sub-processors)
We run on a small, deliberately chosen stack. Your data passes through these processors, each under their own GDPR safeguards (Standard Contractual Clauses where data leaves the EU):
- Supabase (database + authentication). Hosted in the United States (us-east-1). Receives: your email, hashed password, progress data, paid status.
- Stripe (payments and invoicing). Hosted in the US and Ireland. Receives: your billing name, address, card details, optional VAT number.
- Vercel (web hosting). Edge-served globally, with origin in the US. Receives: your IP address and request metadata via server logs.
- Cloudflare (email forwarding for hello@odinsjourney.app, if you contact us). Receives: the content of any email you send us.
We do not sell or rent your personal data to anyone. We do not share it for advertising. The only times we share data are with the sub-processors above, when legally required (court order), or in the event of a business transfer (we'd notify you).
5. How long we keep your data
- Account data (email, password hash, progress): for as long as your account is active, plus up to 30 days after deletion request to handle reversals.
- Invoices and payment records: 7 years, as required by Belgian tax law.
- Server logs: ~30 days, automatically deleted by Vercel.
6. Your rights under GDPR
If you are in the EU, UK, or another jurisdiction with similar rights, you can:
- Access a copy of the personal data we hold about you
- Correct any inaccurate data
- Delete your data ("right to be forgotten")
- Port your data to another service in a machine-readable format
- Restrict or object to certain processing
- Withdraw consent where processing is based on consent
- Complain to your local data protection authority. In Belgium that is the Gegevensbeschermingsautoriteit / Autorité de protection des données.
To exercise any of these rights, email hello@odinsjourney.app. We will respond within 30 days.
7. Cookies
We use only essential cookies — an authentication session cookie set by Supabase when you log in, and a payment session cookie set by Stripe during checkout. Both are strictly necessary to operate the service and do not require consent under EU law.
We do not use any tracking, analytics, advertising, or behavioral cookies.
8. International data transfers
As noted in section 4, some of our sub-processors are located in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where appropriate by the EU-US Data Privacy Framework adherence of those providers.
9. Children
Odin's Journey is not directed at anyone under 16. We do not knowingly collect data from minors. If you are a parent and believe your child has created an account, contact us and we will delete it.
10. Changes to this policy
Material changes will be communicated by email to the address on your account at least 14 days before taking effect. The "last updated" date at the top of this page always reflects the current version.
11. Contact
For any privacy question, request, or complaint: hello@odinsjourney.app.