Privacy Policy - BedrockConnect

1. Introduction

This Privacy Policy explains how GKM Interactive UG (haftungsbeschränkt) ("Company", "we", "us", "our"), registered at Amtsgericht Göttingen (HRB 207239), collects, uses, discloses, and protects your information when you use our mobile application BedrockConnect ("App").

By downloading, installing, or using the App, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your information as described herein.

If you are under 16 years of age, your parent or legal guardian must review and agree to this Privacy Policy on your behalf.

2. Information We Collect

2.1 Information You Provide

2.2 Information Collected Automatically

Device and Technical Information

• Device model and operating system version
• App version and build number
• Language and locale settings
• General network information (connection type)

Usage Data

• App features accessed and interactions
• Server connection attempts and outcomes
• Session duration and frequency
• Error logs and crash data

Player Information (Listed Servers Only)

When you connect to partner or featured servers listed in our App, our server infrastructure processes:

• Xbox User ID (XUID): Your Xbox Live numeric identifier, used to establish the server connection
• Player Name: Your Xbox/Minecraft gamertag, used for session management
• Connection Timestamp: When the connection was initiated

Important clarifications:

• This data is processed for the technical purpose of facilitating your server connection
• We do not link your XUID or player name to any real-world identity information (such as your real name, email, address, or phone number)
• We do not create user profiles based on this data
• We do not use this data for advertising purposes
• This data is not collected when connecting to custom servers you add yourself

2.3 Information Collected by Third-Party Services

Advertising (Free Tier Only)

Our advertising partner Google AdMob and its mediation partners may collect:

• Advertising identifiers (IDFA on iOS, GAID on Android)
• General location (country/region level, derived from IP address)
• Device characteristics for ad targeting
• Ad interaction data (impressions, clicks)

Device Access Consent (§ 25 TTDSG / ePrivacy): Access to advertising identifiers and other information stored on your device requires your prior consent under § 25 TTDSG (Germany) and equivalent ePrivacy regulations in other EU/EEA member states. We obtain this consent through an in-app consent dialog before any advertising SDKs or tracking technologies access your device. If you decline, you will still be able to use the App; advertisements (if shown) will be limited to purely contextual delivery without accessing device identifiers.

We work with advertising mediation partners through Google AdMob. A full list of potential ad partners is available in Google's mediation partner documentation.

Premium subscribers do not receive advertisements and no advertising data is collected for them.

Analytics and Stability

• Firebase Crashlytics: Crash reports, stack traces, device state at time of crash
• RevenueCat: Subscription status, purchase receipts (no payment card details)

3. How We Use Your Information

3.1 App Functionality (Contract Performance)

• Facilitate connections between your console and Minecraft servers
• Process and apply custom texture packs
• Manage your Premium subscription status
• Restore purchases across devices

3.2 Stability and Improvement (Legitimate Interest)

• Identify and fix crashes and bugs
• Monitor app performance and reliability
• Understand feature usage to prioritize development

3.3 Advertising (Consent / Legitimate Interest)

• Display advertisements to non-Premium users
• Personalize ads based on your interests (with consent)
• Measure advertising effectiveness

Note: Accessing device identifiers (IDFA/GAID) for advertising purposes requires your prior consent under § 25 TTDSG / ePrivacy (device access layer). The subsequent processing of data for personalized advertising additionally requires consent under GDPR Art. 6(1)(a). Non-personalized, purely contextual advertising without device identifier access may be based on legitimate interest under GDPR Art. 6(1)(f).

3.4 Legal Compliance

• Respond to legal requests and prevent abuse
• Enforce our Terms of Service
• Comply with applicable laws and regulations

4. Legal Basis for Processing (EEA/UK/Swiss Users)

Under the General Data Protection Regulation (GDPR) and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TTDSG), we process your data based on the following legal grounds:

GDPR Legal Basis (Data Processing):

§ 25 TTDSG / ePrivacy (Device Access):

Important: The TTDSG/ePrivacy consent requirement for device access is separate from and in addition to the GDPR legal basis for subsequent data processing. Even where GDPR permits processing based on legitimate interest, accessing information stored on your device (such as advertising identifiers) requires your prior consent unless strictly necessary for the service.

Legitimate interest assessments: We have conducted balancing tests for all processing based on legitimate interest. Our legitimate interests include maintaining app stability, preventing abuse, and sustaining our free-tier service through contextual advertising. These interests do not override your fundamental rights.

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

Infrastructure Providers

App-Level Service Providers

Texture Pack Service

We operate a dedicated backend service that downloads and caches texture packs from Minecraft servers to deliver them to our users. This service:

• Connects to Minecraft servers using our own service credentials (not your personal credentials)
• Downloads and stores texture pack files for distribution via our CDN
• Does not process or store any user personal data
• Operates on dedicated servers in the USA

All providers are bound by Data Processing Agreements (DPAs) where applicable and process data only as necessary for the described purposes.

5.2 Server Connection Data

When you connect through our infrastructure to listed (partner/featured) servers:

• We share your XUID, player name, and connection timestamp with the respective server operator for the purpose of server management and analytics
• Server operators are independent data controllers for the data they receive. They process this data under their own responsibility and pursuant to their own privacy policies
• Server operators are contractually obligated to handle this data in accordance with applicable data protection laws
• This data sharing is necessary for the performance of the service and the partnership agreement
• You can find the privacy policy of each server operator through their respective server listing or community pages

5.3 Legal Disclosure

We may disclose your information if required to:

• Comply with applicable law, regulation, or legal process
• Respond to lawful requests from public authorities
• Protect the rights, safety, or property of GKM Interactive, our users, or the public
• Enforce our Terms of Service

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such change.

5.5 No Sale of Personal Data

We do not sell your personal information to third parties. For purposes of the California Consumer Privacy Act (CCPA), we do not "sell" or "share" personal information as defined under that law.

6. Data Retention

We conduct annual reviews of stored server connection data to verify that retention remains necessary for the stated purposes. After the retention period expires, data is automatically deleted or anonymized. You may request earlier deletion of your personal data at any time (see Section 7).

7. Your Privacy Rights

7.1 Rights for All Users

Regardless of your location, you may:

• Access: Request information about what data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data
• Opt-Out of Personalized Ads: Adjust your device advertising settings

7.2 Additional Rights for EEA/UK Users (GDPR)

• Data Portability: Receive your data in a structured, machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interest
• Withdraw Consent: Withdraw previously given consent at any time (without affecting the lawfulness of prior processing)
• Supervisory Authority: Lodge a complaint with your local data protection authority

Your relevant supervisory authority is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover, Germany
https://www.lfd.niedersachsen.de

7.3 Additional Rights for California Users (CCPA/CPRA)

• Right to Know: What personal information is collected, used, and disclosed
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of sale/sharing of personal information (we do not sell data)
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

7.4 How to Exercise Your Rights

Contact us at: contact@gkminteractive.com

Please include:

• Your request type (access, deletion, correction, etc.)
• Sufficient information to identify your data (e.g., your XUID if you know it, or device information)

We will respond within 30 days (GDPR) or 45 days (CCPA). We may request additional information to verify your identity before processing your request.

8. Children's Privacy

8.1 Age Policy

Our App is rated 9+ on the Apple App Store and Google Play Store. The App's core functionality (server connections, texture packs) is available to users of all ages without consent-based data processing.

Parental consent is required for users under 16 where we rely on consent as the legal basis for processing — specifically for personalized advertising and tracking (Art. 8 GDPR, § 25 TTDSG). For processing based on contract performance or legitimate interest, parental consent under Art. 8 GDPR is not required.

8.2 COPPA Compliance (United States)

We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we become aware that we have collected data from a child under 13 without appropriate consent, we will take steps to delete that information promptly.

8.3 Child-Directed Ad Settings

Because our App relates to Minecraft, which is popular with younger audiences:

• Users who indicate they are under 16 do not receive personalized advertisements and no advertising identifiers are accessed from their device
• We apply Google AdMob's child-directed treatment (COPPA tag) for users under 13
• We do not use behavioral advertising or tracking for identified minors
• Non-personalized, contextual advertisements (without device identifier access) may still be displayed

8.4 Parental Controls

Parents or guardians may:

• Contact us to review, correct, or delete their child's data
• Request that we cease collection of their child's data
• Withdraw consent for advertising-related processing at any time
• Manage advertising settings on their child's device

Contact: help@bedrockconnect.app

9. Advertising and Tracking

9.1 Types of Advertising

• Contextual ads (without device identifier access): Displayed based on app content only; no device identifiers are accessed. No consent required.
• Non-personalized ads (with device identifier access): May access advertising identifiers for frequency capping and basic measurement. Requires device access consent (§ 25 TTDSG).
• Personalized ads: Displayed based on your interests and usage patterns. Requires both device access consent (§ 25 TTDSG) and GDPR consent (Art. 6(1)(a)).

9.2 Opting Out of Personalized Advertising

iOS: Settings > Privacy & Security > Tracking > Disable tracking for BedrockConnect

Android: Settings > Google > Ads > Opt out of Ads Personalization

9.3 App Tracking Transparency (iOS 14.5+)

We comply with Apple's App Tracking Transparency framework. We will request your permission before tracking your activity across other companies' apps and websites. You can change this at any time in Settings > Privacy & Security > Tracking.

9.4 Premium Ad-Free Experience

Premium subscribers do not see advertisements. When you subscribe to Premium:

• No advertising data is collected
• No ad identifiers are transmitted to ad networks
• Third-party advertising SDKs are not initialized

10. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. Specifically:

• Google Cloud Platform: USA
• Cloudflare: USA/EU
• Sentry: USA
• RevenueCat: USA
• Firebase/AdMob: USA

We ensure adequate protection for EU/EEA user data through:

• Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with all US-based processors
• Data Processing Agreements (DPAs): Binding agreements with all service providers
• EU-U.S. Data Privacy Framework (DPF): Where providers are certified under the DPF

You may request a copy of the applicable Standard Contractual Clauses or information about the DPF certification status of our processors by contacting us at contact@gkminteractive.com (Art. 13 Abs. 1 f GDPR).

11. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• TLS/HTTPS encryption for all data transmitted between the App and our servers
• Secure API authentication mechanisms
• Database access controls and encryption at rest
• Regular review of data handling practices
• Principle of least privilege for data access

Despite these measures, no method of electronic storage or transmission is 100% secure. In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours where required under Art. 33 GDPR, and will inform affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).

12. Pseudonymous Data and Identity

We want to be transparent about how data relates to your identity:

Data we do NOT collect:

• Real name
• Email address
• Phone number
• Physical address
• Social media profiles
• Photos or biometric data

Identifiers we process (pseudonymous personal data):

• XUID (Xbox User ID): A persistent numeric identifier assigned by Microsoft. Under the GDPR, XUID constitutes pseudonymous personal data (Art. 4 Nr. 5 GDPR) because it can be attributed to a specific person by Microsoft. However, we do not have access to and cannot determine your real-world identity from the XUID alone. We have no access to the name, email, or other personal information associated with your Microsoft account.
• Player Name (Gamertag): Your publicly visible Xbox/Minecraft username. This is also pseudonymous personal data.
• Device advertising ID: Used solely for ad delivery (with consent). You can reset or disable this at the device level.

Our processing approach: The pseudonymous data we process (XUID, player name) is used exclusively for providing the App's core server connection functionality and partner server analytics. We do not combine this data with other sources to re-identify you, create behavioral profiles, or track you across apps or websites. Despite being personal data in the legal sense, we treat it with appropriate safeguards and do not attempt to link it to your real-world identity.

13. Third-Party Links and Services

The App may contain links to third-party websites, services, or content (e.g., server Discord communities, partner websites). We are not responsible for the privacy practices or content of these third parties. We encourage you to review their privacy policies before providing any personal information.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Updating the "Last Updated" date at the top of this Policy
• Posting a notice within the App for significant changes
• Where required by law, seeking your renewed consent

Your continued use of the App after changes become effective constitutes acceptance of the updated Privacy Policy.

15. Contact Information

GKM Interactive UG (haftungsbeschränkt)

• Managing Director: Davin Gindorf
• Registered: Amtsgericht Göttingen, HRB 207239
• VAT ID: DE364802252

• Privacy Inquiries: contact@gkminteractive.com
• Support: help@bedrockconnect.app
• Address: Wasserstraße 5, D-37186 Moringen, Germany

16. Additional Disclosures

16.1 Do Not Track

Our App does not respond to browser "Do Not Track" signals, as there is no industry-wide standard for mobile apps.

16.2 EU Online Dispute Resolution

EU consumers may use the European Commission's Online Dispute Resolution platform: https://ec.europa.eu/consumers/odr/

16.3 Data Protection Supervisory Authority

For EEA users, you have the right to lodge a complaint with your local supervisory authority. For users in Lower Saxony (Niedersachsen), Germany, this is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover
https://www.lfd.niedersachsen.de

Appendix: Apple App Privacy Label Summary

The following summarizes data collection for Apple's App Privacy disclosure:

Data Used to Track You

• None (we do not track users across apps/websites owned by other companies)

Data Linked to You

• Identifiers: Device ID (advertising), XUID (app functionality)
• Purchases: Purchase history (subscription management)

Data Not Linked to You

• Diagnostics: Crash data, performance data
• Usage Data: App interactions (aggregated)

Appendix: Third-Party Service Privacy Policies