Privacy Policy
How we collect, use, and protect your information
Last Updated: 13 August 2025
At IconicBound ("we", "us"), we respect your privacy and comply with applicable data protection laws, including the EU/UK GDPR where relevant. This policy explains what we collect, how we use it, the legal bases we rely on, and your rights. It covers our website, our business platform IconicLoop, and our game project IconicQuest.
Who is the Controller
IconicBound (Portugal). For privacy queries, contact privacy@iconicbound.com.
Supervisory authority: Comissão Nacional de Proteção de Dados (CNPD), Portugal. You have the right to lodge a complaint with the CNPD or your local authority.
1. Information We Collect
1.1 Personal Information
We may collect the following types of personal information:
- Contact information (name, email address, shipping address, phone number)
- Payment information (processed securely through our payment processors)
- Account information when you create an IconicQuest account
- Information you provide when contacting customer support
- User-generated content you provide through the IconicQuest application
1.2 Fitness/Health Data (IconicQuest, optional)
If you choose to connect Apple Health or Google Fit, we may receive step counts, workout sessions, distance, and active minutes. We do not access raw medical records. This integration is optional and used only to generate in-game, non-medical bonuses. You can disconnect at any time in your device settings or in-app.
1.3 Waitlist & Community
We collect the email and preference data you submit (e.g., via the /iconicquest waitlist). We store timestamps and source to understand sign-up channels.
1.4 Automatically Collected Information
When you visit our website or use the IconicQuest application, we automatically collect certain information about your device and usage, including:
- IP address and geographic location
- Browser and device information
- Website usage data (pages visited, time spent, referral sources)
- App usage data (features used, workout data, progress statistics)
2. How We Use Your Information
Legal Bases (GDPR)
We process data under:
- Contract – to provide services you request (orders, accounts, access).
- Legitimate Interests – to secure our services, prevent abuse, and improve features (balanced against your rights).
- Consent – for marketing emails and any fitness/health data integration (you can withdraw at any time).
- Legal Obligation – to comply with tax, accounting, and regulatory duties.
We use your personal information for the following purposes:
- Process and fulfill your orders
- Create and manage your IconicQuest account
- Provide customer support
- Send transactional emails and order updates
- Send marketing communications (with your consent)
- Improve our website, products, and services
- Track and analyze application usage and performance
- Detect and prevent fraudulent activities
- Provide optional fitness-powered game features (with your consent)
- Send service notifications (e.g., waitlist confirmations, transactional updates)
- Prevent fraud and abuse (rate limiting, anomaly detection, anti-cheat for IconicQuest)
3. How We Share Your Information
We may share your personal information with:
- Service providers who help us operate our business (payment processors, shipping companies, hosting providers)
- Professional advisors (lawyers, accountants, insurers)
- Government authorities when required by law
- Business partners with your explicit consent
Service Providers (Processors)
We use trusted vendors under data processing agreements, including:
- Supabase (database, authentication, hosting, Edge Functions)
- Stripe (payments—card data handled by Stripe, not stored by us)
- Resend (transactional email notifications)
- Apple Health / Google Fit (at your direction, as data sources)
- Hosting/CDN and analytics providers as needed
We only share what's necessary to run the service, and vendors are contractually bound to protect your data.
We do not sell your personal information to third parties.
4. Data Security
We protect data with encryption in transit (HTTPS/TLS) and at rest (provider default), strict access controls (least-privilege), and Row Level Security (RLS) on our databases where applicable. Sensitive operations (e.g., waitlist notifications) use signed requests and secret headers. While no system is perfectly secure, we continuously review access, rotate keys, and log critical events. If we become aware of a data breach affecting you, we'll notify you and the relevant authority when required by law.
5. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Request deletion of your personal information
- Object to or restrict certain processing activities
- Data portability (receiving your data in a structured, machine-readable format)
- Withdraw consent at any time (where processing is based on consent)
To exercise your rights, email privacy@iconicbound.com from the address you used with us. We'll respond within one month (GDPR).
You can unsubscribe from marketing emails at any time via the link in the message or by contacting us. Service emails (e.g., receipts, policy updates) are not marketing and may still be sent.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect information about your browsing activities and to remember your preferences. You can manage your cookie preferences through your browser settings. For more information, please see our Cookie Policy.
Where required, we present a cookie consent banner so you can accept, reject, or customize non-essential cookies (e.g., analytics). You can change your preferences at any time via your browser or our cookie settings.
7. Children's Privacy
IconicBound services are not directed to children under 16 in the EU/UK (or the age of digital consent in your country). If you believe a child provided data to us, contact privacy@iconicbound.com and we will delete it.
8. International Data Transfers
We may transfer data outside your country (e.g., to the U.S. or EEA). Where we do, we rely on appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms. Copies of relevant safeguards are available on request where legally permissible.
9. Data Retention
- Orders/Payments: kept as required by tax/accounting law (typically 10 years in the EU).
- Waitlist: email retained until launch or until you unsubscribe or request deletion; we periodically prune bounced/invalid addresses.
- Support tickets: up to 24 months after resolution, unless we need to keep them longer for legal or security reasons.
- Fitness data (IconicQuest): stored only as needed to provide in-game boosts; deleted when you disconnect Apple Health/Google Fit or on deletion request. Aggregated, non-identifiable stats may be kept for analytics.
10. Automated Decisions / Profiling
We do not make decisions with legal or similarly significant effects based solely on automated processing. We may use basic profiling (e.g., anti-cheat risk scores, gameplay segmentation) to protect the service and improve features.
11. Changes to This Privacy Policy
We may update this policy periodically. If changes are material, we'll notify you via email or a prominent notice on the site before they take effect. The "Last Updated" date will reflect the latest version.
12. Contact Us
If you have any questions about this privacy policy or our privacy practices, please contact us through our Contact page or by email at privacy@iconicbound.com.
Appendix — Data Sources & Vendors
- Apple Health (user-authorized; steps/workouts)
- Google Fit (user-authorized; steps/workouts)
- Supabase (database, auth, hosting, Edge Functions)
- Resend (email delivery)
- Stripe (payments)
- Analytics/CDN providers as listed on our site or in product docs