Privacy Policy

1. The Controller

• Controller: Remény Farm Kft. ("Remény Farm", "we", "us", "our")
• Form: Hungarian limited-liability company
• Tax number: 26667089-2-10
• Company registry number: 10-09-037306
• Managing director: David Goldmann <!-- TODO: confirm the legal-name spelling that appears on the company filing -->
• General contact email: hello@remenyfarm.hu <!-- TODO: confirm this is the address we want listed as the primary controller contact -->
• Data-protection contact: <!-- TODO: confirm whether we will use a dedicated mailbox (e.g. `privacy@remenyfarm.hu`) or route data-protection requests through `hello@remenyfarm.hu` -->
• Data Protection Officer (DPO): <!-- TODO: not currently appointed; we are not statutorily required to appoint a DPO under GDPR Article 37, but if we do, the contact will be listed here -->

Remény Farm Kft. is a Hungarian limited-liability company with its registered seat in Hungary. Our full corporate identification — including the registered seat, the name of the company-registry court, and the statutory accounting identifier — is available in our Hungarian-language Impressum, which is the authoritative public record.

2. Scope of this Policy

This Privacy Policy describes how Remény Farm Kft. processes personal data in connection with Chirp Coop, our mobile and web game, including:

• the public web surface at chirpcoop.com;
• the Chirp Coop mobile applications for iOS and Android (current and future);
• supporting infrastructure used by the game (push notifications, analytics, AI generation, in-app purchases).

Chirp Coop is the game side of our business — a virtual world of named queens, daily chronicles, and egg-draw collection discovery. Our parallel real-world service, the real-chicken patronage service at tyuk.remeny.farm, is operated by the same company under its own Hungarian-language privacy notice. This Policy does not govern that service.

This Policy is based on Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and Act CXII of 2011 of Hungary on the right of informational self-determination and freedom of information ("Infotv.").

3. Principles of Processing

We process personal data in accordance with Article 5 of the GDPR. Specifically, we commit to:

• lawfulness, fairness, and transparency — processing only with a clear legal basis and in a manner explained to you in plain language;
• purpose limitation — using personal data only for the purposes described in this Policy;
• data minimisation — limiting collection to what is necessary;
• accuracy — correcting inaccurate data on request without undue delay;
• storage limitation — retaining personal data only as long as needed for the stated purpose or required by law;
• integrity and confidentiality — applying appropriate technical and organisational security measures;
• accountability — being able to demonstrate compliance with the above.

We do not sell personal data. We do not use personal data for behavioural advertising. We do not engage in automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 of the GDPR.

4. Categories of Personal Data We Process

The following sub-sections list, for each category, the data processed, the purpose, the legal basis under Article 6 GDPR, and the retention period.

4.1 Account registration data

• Data: your email address; a Supabase-generated unique user identifier; an optional display name you choose for yourself.
• Purpose: to identify you, secure your account, and deliver the game.
• Legal basis: GDPR Article 6(1)(b) — performance of the contract you enter into when you create a Chirp Coop account.
• Retention: for the lifetime of your active account. After account deletion, identifying fields linked to public artifacts (see § 7) are pseudonymised rather than removed.

4.2 Game-state data

• Data: the name you give to your virtual queen; her current mood and progression state; gameplay events (logins, taps, ritual completions); egg draws and their outcomes; clan membership and inter-player relationships within the game.
• Purpose: to run the game — persist your progress between sessions, render leaderboards and public profiles, enable social features.
• Legal basis: GDPR Article 6(1)(b) — performance of the contract.
• Retention: for the lifetime of the queen's profile. As described in § 7, a queen's public profile and chronicle history persist beyond the lifetime of your account.

4.3 AI prompt and output data

This category is summarised here and described in full in § 6.

• Data sent to the model: the queen's name; her mood (derived from aggregate gameplay signals); current weather at the simulated farm region; a short summary of the last 24–48 hours of gameplay events relevant to her story.
• Data received from the model: a 2–3 sentence English-language Morning Chronicle entry.
• Purpose: to generate the daily Morning Chronicle that is part of the core gameplay loop.
• Legal basis: GDPR Article 6(1)(b) — performance of the contract.
• Retention: the generated Chronicle entries are retained on the queen's public profile as part of her permanent record (see § 7). Prompt content sent to Anthropic is handled according to the Anthropic service terms and Trust Center configuration we have selected; we configure the integration so that prompt content is not used to train Anthropic's models, and Anthropic retains the content only within its operational service window. <!-- TODO: confirm the Anthropic DPA URL and the precise retention window once the Trust Center settings are signed off -->

4.4 Mobile in-app purchase metadata

• Data: your mobile Game purchase and entitlement state as reported by RevenueCat (active, in grace period, expired, refunded); the product identifier of any purchase; transaction timestamps; the platform of purchase (App Store or Play Store). Card numbers and platform-account credentials are processed exclusively by Apple Inc. or Google LLC; Remény Farm Kft. does not have access to them.
• Purpose: to deliver mobile in-app purchases, manage entitlements (virtual gifts, cosmetics, paid egg draws, noncompetitive convenience boosts, optional mobile-game subscriptions), and comply with Hungarian accounting and tax law.
• Legal basis: GDPR Article 6(1)(b) — performance of the contract; and GDPR Article 6(1)(c) — compliance with a legal obligation, specifically the accounting-record retention duty under Hungarian law.
• Retention: accounting records relating to purchases are retained for 8 years as required by section 169(2) of Act C of 2000 on Accounting. <!-- TODO: confirm the final retention configuration with our accountant; the 8-year period is the statutory floor for accounting records and may be applied more narrowly to in-app-purchase metadata that does not constitute an accounting document on its own -->

4.5 Diagnostic and security data

• Data: your IP address (held short-term, for error tracing and abuse prevention); your browser user-agent string and operating-system family; crash and error reports collected by Sentry, including stack traces and request paths. We configure Sentry to scrub personally identifying values (email, display name) from error reports before they are stored.
• Purpose: to keep the game stable, diagnose bugs, detect abuse, and protect against fraud.
• Legal basis: GDPR Article 6(1)(f) — legitimate interest in operating a safe and reliable service. We have considered and documented the balancing test: the data is limited, retention is short, the data subjects have an existing relationship with us, and you would reasonably expect this kind of operational logging.
• Retention: in accordance with Sentry's default retention rules (typically 30–90 days). IP addresses are not retained beyond the operational window required to investigate the event in which they were captured. <!-- TODO: confirm the precise Sentry project-level retention setting and document it here -->

4.6 Indirect contextual data

• Data from OpenWeatherMap: non-personal weather data for the geographic region of the simulated farm. This is not personal data about you and is not linkable to your account, but it is included here because it forms part of the prompt context described in § 4.3 and § 6.

5. Recipients and Processors

We use the following processors to deliver the game. Each is bound by a written data-processing agreement (DPA) under Article 28 of the GDPR.

| Processor | Activity | Seat | DPA / Compliance reference | |---|---|---|---| | Vercel Inc. | Hosting, CDN, build infrastructure | United States | DPA available <!-- TODO: confirm the public DPA URL --> | | Supabase Inc. | Database, authentication, Edge Function runtime, storage | United States | DPA available <!-- TODO: confirm DPA URL --> | | Anthropic PBC | AI generation — Claude Haiku (Morning Chronicle) | United States | Trust Center + DPA <!-- TODO: confirm DPA URL and Trust Center settings link --> | | RevenueCat Inc. | Mobile Game IAP purchase and entitlement orchestration | United States | DPA available <!-- TODO: confirm DPA URL --> | | Apple Inc. / Google LLC | Mobile platform billing (App Store, Play Store) | United States | platform terms | | OpenWeatherMap Ltd. | Weather data feed (non-personal) | United Kingdom | service terms | | Functional Software Inc. (Sentry) | Error tracking | United States | DPA available <!-- TODO: confirm DPA URL --> | | PostHog Inc. | Product analytics (only if and when activated) | United States | DPA available <!-- TODO: confirm DPA URL. Not currently active; if we activate product analytics we will update this Policy and notify you --> |

We only share personal data with these processors to the extent necessary for the activity listed. They are contractually prohibited from processing the data for their own purposes.

Beyond processors, we may also disclose personal data to:

• competent public authorities (courts, regulators, tax authorities, law-enforcement bodies) where we are legally required to do so;
• professional advisors (accountants, auditors, lawyers) bound by professional confidentiality obligations;
• a successor entity in the event of a corporate restructuring, merger, or acquisition, subject to the same protections set out in this Policy.

6. AI Processing — Specific Notice

A core feature of Chirp Coop is the Morning Chronicle: once per day, for each named queen, our system asks the Claude Haiku language model — operated by Anthropic PBC — to write a short 2–3 sentence narrative passage about how the queen spent her last day. This section explains exactly what flows through that pipeline, so that you can make an informed decision about whether to use the feature.

6.1 What we send

The prompt sent to Anthropic on your behalf contains:

• the name you chose for your queen — this is free-text you supplied and may, in principle, contain personal information if you elected to put your own name in it (we recommend you do not);
• the mood and gameplay state of the queen, derived from aggregate signals;
• the current weather at the simulated farm region, taken from OpenWeatherMap;
• a short summary of recent gameplay events for that queen.

We do not send your email address, your Supabase user identifier, your IP address, your billing information, or any payment data to Anthropic.

6.2 What we receive

A 2–3 sentence English-language narrative passage that is then stored against the queen's profile and rendered as her Morning Chronicle.

6.3 Training opt-out

We configure our Anthropic integration so that prompt content is not used to train Anthropic's models. Anthropic retains the content only within its operational service window for the limited purposes of operating the API, abuse prevention, and meeting its own legal obligations. The current applicable terms and Trust Center configuration are referenced in the processor table above. <!-- TODO: link the specific Anthropic Trust Center configuration page once finalised -->

6.4 Nature of the output

The Chronicle output is creative writing, not factual reporting. It is generated by a language model and may contain hallucinations, mistakes, or stylistic embellishments. It is not a record of anything that physically happened, and it is not medical, veterinary, or any other form of professional advice. The corresponding limitation of liability appears in our Terms of Service.

6.5 Your right to know

You have the right, at any time, to ask us what the model has generated about your queen, to receive a copy of the prompt and output for any specific Chronicle entry, and to ask us to delete a specific Chronicle entry if you find it inappropriate. Contact us using the addresses in § 1.

7. Profile Permanence and "Redact, Don't Delete"

Chirp Coop is built around the principle that a queen's identity is continuous and honoured — she has a name, a chronicle of her days, and a public profile at chirpcoop.com/{serial} that remains visible after her in-game transcendence and after you, the player, leave the game. This principle is recorded as INV-11 in our internal invariants and is part of the brand contract you accept when you create an account.

The same principle applies to any real-chicken profile that is mirrored onto the prestige surface from our patron service.

The privacy consequences of this principle are:

• The public profile URL persists. The route chirpcoop.com/{serial} will continue to resolve for as long as Chirp Coop operates. The queen's portrait, name (or pseudonymised replacement, see below), life-events ledger, and Morning Chronicle entries remain readable.
• Account deletion is supported but is implemented as a redaction. If you ask us to delete your account, we will:
  • remove your authentication record (you will no longer be able to sign in);
  • delete your email address and any other directly identifying account fields;
  • replace your display name and any social-link fields on the queen's profile with an anonymised handle (for example, keeper-7f3a);
  • retain the queen's portrait, name, mood history, life events, and Chronicle entries on the public profile, now linked to the anonymised handle rather than to you.
• We rely on GDPR Article 17(3)(b) as the legal basis for the carve-out. That provision allows continued processing where it is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest — and, more importantly for our case, the line of recitals and Article-29 guidance that supports continued processing where there is a legitimate interest in maintaining a public archive of cultural or community significance. We rely on the combined legitimate-interest and archiving-purpose reasoning, balanced against the limited identifying impact on you once redaction has been applied.
• You acknowledge this carve-out when you accept the Terms of Service. The corresponding clause is also recorded in our Terms of Service.

The redaction process is irreversible from our side: once a queen's profile has been redacted, we cannot re-link it to you, even at your request. If you want your display name to remain visible on the queen's profile, do not request account deletion; cancel any active subscription instead.

8. Your Rights

You have the following rights under the GDPR and the Infotv., subject to the redaction carve-out in § 7:

• Right of access (GDPR Article 15) — to obtain confirmation of whether we process personal data about you, and a copy of that data.
• Right to rectification (GDPR Article 16) — to have inaccurate personal data corrected.
• Right to erasure (GDPR Article 17) — to have your personal data deleted. In practice, this right is exercised through the redaction procedure described in § 7 for any data attached to a queen's public profile. All other data (your email address, your account record, your IP-address logs, your purchase metadata beyond statutory retention) is deleted in the ordinary sense.
• Right to restriction of processing (GDPR Article 18).
• Right to data portability (GDPR Article 20) — to receive a machine-readable copy of the personal data you provided to us.
• Right to object (GDPR Article 21) — to processing based on legitimate interest, on grounds relating to your particular situation.
• Right to withdraw consent (where processing is based on consent) — withdrawal does not affect the lawfulness of processing already carried out before the withdrawal.

To exercise any of these rights, contact us at the addresses in § 1. We will respond substantively within 30 days of receiving your request. If your request is complex or one of several requests, we may extend the response window by up to two further months under Article 12(3) GDPR; we will tell you if we do.

We will not charge you a fee for exercising your rights unless your request is manifestly unfounded or excessive (Article 12(5) GDPR).

9. Security Measures

We apply the following technical and organisational security measures, designed in line with Article 32 GDPR:

• HTTPS everywhere — all traffic between you and our services is encrypted in transit using TLS;
• Supabase Row Level Security (RLS) as the authoritative permission boundary on database tables; application code defers to RLS rather than reimplementing access rules;
• passwordless authentication — we sign you in with email "magic-link" tokens rather than storing passwords;
• secrets in Supabase Vault — service-role credentials, API keys, and webhook secrets are stored encrypted at rest and never embedded in client code;
• regular backups of the production database;
• PII-scrubbed error capture — Sentry stack traces are filtered to remove email addresses, display names, and other identifying values before they are stored;
• least-privilege access controls internally — only the people who need access to a category of data have access to it;
• subprocessor management — we review the security posture of each processor before engaging them and re-review on changes that affect our risk profile.

No system is perfectly secure. If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with Articles 33 and 34 GDPR.

10. Cookies and Similar Technologies

Our use of cookies and similar technologies is described in detail in our Cookie Policy. In short: we currently use only the cookies that are strictly necessary to operate the service (session, security, load balancing) and we do not deploy advertising or cross-site tracking cookies.

11. Children's Data

Chirp Coop is intended for users aged 13 and over. The real-chicken patron service at tyuk.remeny.farm is a separate product with its own age threshold of 18+ under its own Terms.

11.1 Age of digital consent

Where you are a resident of the European Union or the European Economic Area, we rely on Article 8 GDPR. The default age of digital consent under the GDPR is 16, with Member States able to set a lower threshold no lower than 13. Where you are aged 13–15 and resident in a Member State whose national age threshold is higher than your age, we require verifiable parental consent before we may rely on consent as the legal basis for any processing that depends on consent. Hungary's age threshold for digital consent is 16; users aged 13–15 resident in Hungary therefore need verified parental consent.

We do not knowingly create accounts for users under 13. If we become aware that a user is under 13, we will close the account and delete the associated personal data (subject to the redaction carve-out for the queen's public profile, which we will pseudonymise immediately).

11.2 No targeted advertising to minors

We do not show targeted advertising to any user, and in particular we never profile users for marketing purposes. We do not use minors' personal data for marketing purposes of any kind.

11.3 Parental enquiries

A parent or legal guardian who believes their child has created an account without consent can contact us using the addresses in § 1. We will act on a substantiated parental request without undue delay.

12. International Data Transfers

Several of our processors are established in the United States (see § 5). Personal data transferred to those processors is transferred under:

• the European Commission adequacy decision for the EU–US Data Privacy Framework (where the processor is certified under the Framework); and/or
• Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR, supplemented by appropriate additional safeguards where required by the transfer-impact assessment.

We review the legal basis of each international transfer on an ongoing basis. If the European Court of Justice or the supervisory authorities determine that a transfer mechanism is no longer valid, we will update this Policy and, where necessary, change processors.

13. Right to Complain

If you believe our processing of your personal data violates the GDPR or the Infotv., you have the right to lodge a complaint:

• with the Hungarian supervisory authority — the National Authority for Data Protection and Freedom of Information (NAIH):
  • website: naih.hu
  • email: ugyfelszolgalat@naih.hu
• with the supervisory authority of the EU or EEA Member State of your habitual residence or place of work, if you are resident in another Member State; the European Data Protection Board maintains a list of national authorities at edpb.europa.eu;
• with a competent court, in addition to or instead of lodging an administrative complaint, where you believe your rights have been infringed (Article 79 GDPR).

You also have the right to seek a judicial remedy against a supervisory authority's decision under Article 78 GDPR.

14. Amendments to this Policy

We may amend this Privacy Policy from time to time — in particular when laws change, when we add or change processors, or when we introduce a new feature that affects how we process personal data.

When we make a material change, we will:

1. publish the updated Policy at chirpcoop.com/privacy;
2. send a notification to the email address on your account at least 30 days before the changes take effect;
3. give you the opportunity to cancel your account before the new terms apply if you do not agree with them.

Non-material changes (typo fixes, structural edits, clarifications that do not change the underlying processing) take effect immediately when we publish them. We update the Last updated date at the top of the page every time the Policy is republished.

15. Effective Date

This Privacy Policy is effective from 19 May 2026.