Mystery Live

Privacy Policy

Last updated: 2026-03-24

1. Data Controller

Mystery Live ("we", "us", "our") operates the website www.mystery-live.com. For any privacy-related inquiries, please contact us at info@mystery-live.com.

2. Data We Collect

2.1 Account Data

When you sign in with Google OAuth, we collect:

  • Display name
  • Email address
  • Profile picture URL
  • Google unique identifier (UID)

2.2 Platform Data

While using our platform, we store:

  • Decks and cards you create (names, images, rarity, prizes)
  • Extraction session history and results
  • Buyer names associated with card extractions
  • Achievements and leaderboard data
  • Audit logs of account actions

2.3 Payment Data

Subscription payments are processed by Stripe. We do not store your credit card details. Stripe receives your email, name, and billing information. See Stripe's Privacy Policy.

2.4 TikTok Shop Data

If you connect your TikTok Shop account, we collect and process:

  • Shop name, seller region, and shop identifier
  • OAuth access and refresh tokens (encrypted at rest with AES-256-GCM)
  • Order data (order ID, status, update timestamps)
  • Product data (title, status, pricing, stock, images)

3. Third-Party Services

We use the following third-party services that may process your data:

4. Legal Basis for Processing

We process your personal data based on:

  • Contract performance — to provide the platform service (account, decks, extractions)
  • Consent — for optional integrations (TikTok Shop connection)
  • Legitimate interest — for security, fraud prevention, and service improvement

5. Data Retention

Your account data and platform content are retained as long as your account is active. Upon account deletion or request, we will delete all personal data within 30 days. Anonymized analytics data may be retained for statistical purposes.

6. Data Security

We implement the following security measures:

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Firebase/Google Cloud encryption at rest for all stored data
  • TikTok Shop tokens encrypted with AES-256-GCM at rest
  • Firestore Security Rules enforcing per-user data isolation
  • HttpOnly, Secure session cookies
  • CSRF protection on OAuth flows

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Data portability — receive your data in a structured format
  • Objection — object to processing based on legitimate interest
  • Restriction — request restriction of processing
  • Withdraw consent — withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at info@mystery-live.com. We will respond within 30 days.

8. Cookies

We use strictly necessary cookies for authentication. For full details, see our Cookie Policy.

9. International Transfers

Your data may be processed in the United States (Google Cloud/Firebase) and within the European Union (Vercel edge network). All transfers are covered by appropriate safeguards including Standard Contractual Clauses.

10. Children's Privacy

Our service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us for deletion.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of significant changes via email. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy inquiries or to exercise your rights, contact us at: info@mystery-live.com