Privacy Policy
Last updated: 7 May 2026
This English text is a convenience translation. The binding version is the Italian Privacy Policy; in case of any discrepancy, the Italian version prevails.
This policy describes how the AxoBeat mobile application (the "Service") collects and processes users' personal data, in compliance with EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Privacy Code).
1. Data controller
Gabor Adorni, as data controller (sole proprietorship).
Registered office: Via Caduti di Via Fani 9, 40060 Dozza (BO), Italy
Tax code: DRNGBR90A10L826I
VAT number: 04109601205
Email: privacy@axobeat.com
2. Categories of data collected
2.1 Registration and authentication data
To access the Service we collect, depending on the chosen sign-in provider:
- Email address (always, including with Apple's "Hide My Email", which still provides a working relay alias)
- Name (optional, provided by Google or Apple Sign In)
- Unique user identifier (Firebase UID)
- Profile photo URL (if provided by the provider or uploaded by the user)
The supported authentication providers are:
- Email and password: the password is managed and, where applicable, hashed by Firebase Authentication, and is never seen or stored by us in plaintext
- Sign in with Google
- Sign in with Apple, compatible with "Hide My Email"
2.2 User profile and generated content
- Username chosen by the user, publicly visible in the leaderboards
- Profile photo uploaded by the user, publicly visible in the leaderboards and profile
- Game preferences: countries, music genres, decades
The profile photo can be selected from the device gallery or taken with the camera. The app requests the relevant system permissions only at the moment of selection; granting them is optional (users who do not want a profile photo need not grant them).
2.3 Game data
- Game sessions (date, mode, score, answers given, response time, applied filters)
- Available energy, daily streak, cumulative XP, last access date
- Aggregated statistics for the public leaderboards
2.4 User reports
When a user reports an issue with a track (broken audio, wrong metadata, etc.) we collect:
- The reported track and the selected reasons (predefined categories)
- An optional free-text note of up to 2000 characters written by the user
- A reference to the user submitting the report (automatically removed if the user deletes their account, so that the report remains useful as catalog feedback but is no longer linked to a person)
2.5 Technical data
- Push notification token (Firebase Cloud Messaging)
- IP address, collected by Firebase servers for security purposes
- Timestamps of application events
2.6 Optional telemetry (with explicit consent)
Only with explicit consent given at the first launch of the app:
- Aggregated analytics (Firebase Analytics): usage patterns, screens visited, game events. These do not contain direct identifying data.
- Crash and performance diagnostics (Firebase Crashlytics): technical information about the device and the crash stack, for bug diagnosis and resolution.
Consent can be withdrawn at any time from the app settings. Without consent, this collection is disabled.
2.7 Data local to the device
The following data is stored exclusively on the user's device and is not transmitted:
- Interface preferences and consent status (SharedPreferences)
- Audio cache of the samples downloaded during gameplay (automatically deleted at the end of each match)
2.8 Opening external apps
From the results screen the user can open a track in Spotify, Apple Music or YouTube Music. This action merely launches a link to the external app containing only the title and artist of the track: no personal data of the AxoBeat user is transmitted to these services. Any processing on their part is governed by their respective privacy policies.
2.9 What we do NOT collect
- The user's geographic location (precise or approximate)
- Advertising identifiers, tracking cookies, marketing profiling
- Biometric data, health data, contacts, calendar, microphone audio
- Web browsing history, SMS, or files other than the chosen profile photo
The app does not integrate advertising networks and does not share data with third parties for advertising or profiling purposes.
3. Purposes and legal bases of processing
| Purpose | Data involved | Legal basis |
|---|---|---|
| Account creation and management | Email, UID, username | Performance of the contract (Art. 6.1.b GDPR) |
| Game delivery and leaderboards | Profile, game data | Performance of the contract |
| Handling of track reports | Reported track, reasons, free-text note, user reference | Performance of the contract and legitimate interest in keeping the catalog accurate |
| Service push notifications | FCM token | Performance of the contract |
| Security, abuse prevention and anti-cheat | IP, access logs | Legitimate interest (Art. 6.1.f GDPR) |
| Product improvement via analytics | Aggregated behavioral data | Consent (Art. 6.1.a GDPR) |
| Crash and performance diagnostics | Device technical data, stack trace | Consent (Art. 6.1.a GDPR) |
4. Minimum age
The Service is reserved for those who are at least 14 years old, pursuant to Art. 2-quinquies of Italian Legislative Decree 196/2003 (Privacy Code) as amended by Legislative Decree 101/2018. Should we become aware that a child under 14 has created an account without the consent of a parent or guardian, the account will be deleted.
5. Retention periods
Personal data is retained for the duration of the user account. When the user deletes their account from the app:
- Profile, game sessions, answers, profile photo: deleted immediately from the active systems
- Any track reports submitted by the user: the reference to the user is removed, while the content of the report (reasons and note) may remain for the benefit of the catalog, in anonymous form
- Technical backups and system snapshots held by the providers: removed within a maximum of 30 days according to the retention periods declared by the providers themselves
- Application logs (for security purposes): retained for up to 90 days after deletion, then erased
6. Data recipients (data processors)
To deliver the Service we rely on the following providers, which act as data processors pursuant to Art. 28 GDPR:
- Google Ireland Limited: Firebase Authentication, Firebase Data Connect (Cloud SQL PostgreSQL), Cloud Storage, Cloud Functions, Cloud Messaging, Remote Config, Hosting, Analytics, Crashlytics (see the Firebase privacy policy)
- Google LLC: Sign in with Google (see the Google privacy policy)
- Apple Distribution International Limited: Sign in with Apple, App Store, TestFlight, iOS distribution (see the Apple privacy policy)
The main Firebase servers for AxoBeat are in the europe-west1 region (Belgium).
7. Data transfers outside the EU
Some services (in particular Firebase Analytics) may involve the transfer of data to the United States. Such transfers take place on the basis of:
- Standard Contractual Clauses (SCC) approved by the EU Commission
- The EU-US Data Privacy Framework (DPF), to which Google and Apple adhere
8. Rights of the data subject
Pursuant to Articles 15-22 GDPR the user has the right to:
- Access: obtain a copy of the personal data processed
- Rectification: correct inaccurate data (editable directly in the app)
- Erasure: delete their data (the "Delete account" function is available in the app)
- Restriction: restrict processing in specific cases
- Objection: object to processing based on legitimate interest
- Portability: receive their data in a structured, machine-readable format
- Withdrawal of consent: for processing based on consent, at any time
- Complaint: lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it)
To exercise these rights, write to privacy@axobeat.com. We respond within 30 days of receiving the request.
Users in the EU/EEA or the United Kingdom. In addition to the Italian Garante mentioned above, you may lodge a complaint with the supervisory authority of your own country — for example your national data protection authority in the EU/EEA, or the UK Information Commissioner's Office (ico.org.uk). The data controller is established in the European Union and applies the GDPR standard of protection to all users, regardless of the country from which they access the Service.
California residents. Under the CCPA/CPRA you have the right to know, access, delete and correct the personal information we hold about you, and the right not to be discriminated against for exercising these rights. AxoBeat does not "sell" or "share" your personal information for cross-context behavioral advertising, and does not use it for targeted advertising. To exercise these rights, contact privacy@axobeat.com.
9. Cookies and website
The axobeat.com website hosts exclusively static informational pages (this privacy policy, the terms of service, a landing page). It does not use cookies, advertising identifiers, tracking tools, web analytics or profiling. Hosting is provided by Firebase Hosting which, for technical reasons related to the operation of the CDN, may record the visitor's IP address and user-agent in its logs in accordance with the Firebase privacy policy.
10. Changes to this policy
Any updates will be published on this page together with the date of the latest revision. Substantial changes will be notified via email or through the app.
11. Contact
Email: privacy@axobeat.com