Privacy Policy

1. Who we are

TierPad ("TierPad", "we", "us", or "our") is a tier-list creation and sharing service available at tierpad.com and through our mobile and web applications.

TierPad is operated as an individual undertaking based in Portugal. For the purposes of the EU General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD), the data controller is the operator of TierPad, reachable at privacy@tierpad.com.

2. Scope of this policy

This Privacy Policy applies to personal data we process when you:

• Visit our website or open our application;
• Create or use a TierPad account;
• Create, edit, view, comment on, like, or share tier lists;
• Contact us, submit feedback, or rate the app.

It does not cover third-party websites or services that we link to. Their privacy practices are governed by their own policies.

3. Data we collect

3.1 Information you provide

• Account data when you sign up with email and password or sign in with Google: your email address, display name, profile photo (optional), and an authentication identifier issued by Firebase Authentication.
• Profile data you choose to add: bio, avatar, theme preference, and language preference.
• Content you create or upload: tier lists (titles, descriptions, categories, tags, ranked items), images you upload to items or as thumbnails, comments, and ratings/feedback you submit.
• Communications: messages you send to us, including support requests at privacy@tierpad.com.
• Consent records: the version of our Terms & Conditions you accepted and the timestamp of acceptance.

3.2 Information collected automatically

• Authentication tokens and session state issued by Firebase Authentication.
• Usage and event data via Firebase Analytics: pages/screens viewed, actions taken in the app, approximate (city/country-level) location derived from IP, device type, operating system, language, app version, and an anonymous installation/instance identifier.
• Diagnostics and security logs generated by our infrastructure providers (Google Cloud / Firebase), including IP address and timestamps, used to keep the service running and to detect abuse.
• Engagement counters on tier lists: view counts and like counts (aggregate, not per-user).

3.3 What we do not collect

• We do not knowingly collect special categories of personal data (such as health, biometric, or political opinions). Please do not include such data in tier lists or comments.
• We do not collect precise GPS location.
• We do not display third-party advertising and do not use advertising identifiers.
• We do not sell or "share" your personal information for cross-context behavioral advertising as defined by US state privacy laws.

4. How we use your data

We use the data described above to:

• Provide the core service: register accounts, authenticate you, store and display your tier lists, comments, and likes.
• Make public content discoverable to other users when you choose to publish a tier list (you can keep tier lists private at any time).
• Maintain, troubleshoot, and improve the app, fix bugs, and develop new features.
• Personalize your experience: remember your theme and language preferences across devices.
• Communicate with you about service-related matters (e.g., security issues, changes to terms or this policy).
• Detect, prevent, and address fraud, abuse, security incidents, and violations of our terms.
• Comply with legal obligations and respond to lawful requests from public authorities.

We do not use your personal data or content to train artificial intelligence or machine learning models, and we do not make automated decisions that produce legal or similarly significant effects on you.

5. Legal bases for processing

Where the GDPR or LGPD applies, we rely on the following legal bases:

6. Sharing and processors

We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary:

6.1 Service providers (processors)

We use Google LLC and its affiliates (Google Ireland Ltd. for users in the EEA/UK, Google Cloud) as our primary infrastructure provider. Specifically:

• Firebase Authentication — manages sign-in, sessions, and account credentials.
• Cloud Firestore — stores user profiles, tier lists, comments, and ratings.
• Firebase Storage — stores images you upload (item images, thumbnails, profile photos).
• Firebase Analytics — provides aggregated usage analytics.
• Google Sign-In — used when you choose to sign in with a Google account.
• Firebase Hosting / Google Cloud — serves the website and handles related logging.

These providers act as our processors (or, for Google Sign-In, as an independent controller for the authentication step) and are bound by data-processing terms. More information is available in Firebase's privacy and security documentation and Google's Privacy Policy.

6.2 Other users

When you publish a tier list, set its visibility to public, post a comment, or like a public list, the following becomes visible to other users: your display name, profile photo, the public content you posted, and the time of posting. Tier lists set to private are visible only to you.

6.3 Legal and safety disclosures

We may disclose personal data when we believe in good faith that disclosure is required to (i) comply with applicable law or a valid legal request; (ii) enforce our terms; (iii) protect the rights, property, or safety of TierPad, our users, or the public; or (iv) detect or prevent fraud or security incidents.

6.4 Business transfers

If TierPad is involved in a merger, acquisition, or sale of assets, personal data may be transferred. We will notify users before personal data is transferred and becomes subject to a different privacy policy.

7. International data transfers

Because we use Google Cloud / Firebase, your personal data may be processed in countries outside your country of residence, including the United States.

For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (or the UK addendum), and on Google's certification under the EU–US Data Privacy Framework where applicable. For transfers out of Brazil, we rely on the safeguards listed in Article 33 of the LGPD, including standard contractual clauses and the data subject's specific consent where required.

You can request a copy of the safeguards we apply by writing to privacy@tierpad.com.

8. Data retention

• Account data is kept while your account is active. If you delete your account, we delete or anonymize your profile, tier lists, comments, and uploaded images within 30 days, except where we must retain limited information to comply with legal obligations or resolve disputes.
• Public tier lists and comments remain visible to other users until you delete them or your account.
• Analytics events are retained according to our Firebase Analytics retention setting (no longer than 14 months for event-level data).
• Security and abuse logs are retained for the period necessary to investigate incidents, typically up to 12 months.
• Consent records (e.g., terms acceptance) are retained while you have an account and for a reasonable period afterwards as evidence of consent.

9. Security

We use technical and organizational measures appropriate to the risk, including encryption in transit (HTTPS/TLS), encryption at rest provided by Google Cloud, role-based access controls, Firestore Security Rules that restrict each user's access to their own data, and strong authentication for administrative access.

No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and, where required, the competent supervisory authority within the time limits set by applicable law (e.g., 72 hours under GDPR, "reasonable" period under LGPD).

10. Your rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

• Access — get confirmation of, and a copy of, the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure ("right to be forgotten") — ask us to delete your data.
• Restriction — ask us to limit how we process your data.
• Objection — object to processing based on legitimate interests.
• Portability — receive your data in a structured, commonly used, machine-readable format and ask us to transmit it to another controller.
• Withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Lodge a complaint — with your local supervisory authority (see regional sections below).

To exercise any of these rights, write to privacy@tierpad.com from the email address linked to your account, or use the in-app account settings where available. We respond within the time frames required by applicable law (typically 30 days under GDPR, 15 days under LGPD, 45 days under CCPA/CPRA). We may need to verify your identity before fulfilling your request.

Exercising your rights is free of charge unless your request is manifestly unfounded or excessive. We will not discriminate against you for exercising any privacy right.

11. Additional information for users in the EU/EEA, UK, and Switzerland

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or UK GDPR / Swiss FADP) applies to our processing of your personal data, and you have the rights listed in section 10.

You have the right to lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt. In the UK, this is the Information Commissioner's Office — ico.org.uk.

We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR. For all data-protection matters, please contact us at privacy@tierpad.com.

12. Additional information for users in Brazil (LGPD)

If you are located in Brazil, Federal Law No. 13.709/2018 (Lei Geral de Proteção de Dados Pessoais — LGPD) applies. You have the rights listed in Article 18 of the LGPD, including: confirmation of processing; access; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD; portability; deletion of personal data processed with consent; information about public and private entities with which we have shared your data; information about the possibility of denying consent and the consequences of such denial; and revocation of consent.

You may file a complaint with the Brazilian National Data Protection Authority — Autoridade Nacional de Proteção de Dados (ANPD) — at www.gov.br/anpd.

The encarregado (DPO) for purposes of Article 41 of the LGPD can be contacted at privacy@tierpad.com.

13. Additional information for users in the United States

This section provides specific disclosures for residents of California, Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws.

Categories of personal information

In the past 12 months, we have collected the categories of personal information described in section 3, which correspond to the following CCPA/CPRA categories: identifiers (e.g., email, account ID); customer records (display name, profile photo); internet or other electronic network activity (usage analytics); inferences (limited, e.g., language preference); and user-generated content. Sources, business purposes, and categories of recipients are described elsewhere in this policy.

Sale, sharing, and targeted advertising

We do not sell personal information for monetary or other valuable consideration, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and similar laws. We have not done so in the past 12 months and have no plans to do so. Because of this, we do not currently process Global Privacy Control (GPC) or Do Not Track signals as opt-out-of-sale signals; if our practices change, we will update this policy and honor those signals.

Sensitive personal information

We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA section 1798.121 (such as providing the service, ensuring security, and short-term transient use).

Your US state privacy rights

Subject to verification and applicable law, you may request: (i) to know the categories and specific pieces of personal information we hold about you; (ii) to delete your personal information; (iii) to correct inaccurate personal information; (iv) to opt out of any future "sale" or "sharing" or processing for targeted advertising or significant profiling. To submit a request, email privacy@tierpad.com. You may designate an authorized agent to make a request on your behalf with proof of authorization. We will not discriminate against you for exercising your rights. If we deny your request, you may appeal by replying to our response.

Shine the Light (California)

California Civil Code §1798.83 permits California residents to request information about disclosures of personal information to third parties for direct-marketing purposes. We do not disclose personal information to third parties for their own direct marketing.

14. Cookies and similar technologies

We use a small number of cookies and similar storage technologies (local storage, IndexedDB) on the web app:

• Strictly necessary — to keep you signed in and remember your security session (Firebase Authentication tokens). These cannot be turned off without breaking the service.
• Functional — to remember preferences such as theme and language (stored locally on your device).
• Analytics — Firebase Analytics may set identifiers to measure aggregate usage of the app. Where required by law (including the EU ePrivacy regime), we will request your consent before setting non-essential analytics identifiers, and you can withdraw consent at any time through your browser controls or by contacting us.

You can also clear cookies and local storage through your browser settings; doing so will sign you out and reset your local preferences.

15. Children

TierPad is not intended for children under 13, and we do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided personal data to us, please contact privacy@tierpad.com and we will delete it.

In jurisdictions where the age of digital consent is higher than 13 (for example, 16 in some EU Member States, or 18 under the LGPD without parental authorization in Brazil), users under that age must obtain verifiable consent from a parent or legal guardian before using TierPad.

16. Google services and Limited Use

If you sign in with Google, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We only request the minimum scopes needed to authenticate you and read your basic profile (name, email, profile picture). We do not use Google user data to develop, improve, or train generalized or non-personalized AI/ML models, and we do not transfer this data except as necessary to provide the service or as required by law.

Our app uses Firebase services. Your use of Firebase is also governed by the Firebase Terms of Service and the Google Privacy Policy.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Effective date" at the top of this page indicates when it was last revised. If changes are material, we will notify you in advance through the app, by email, or by a prominent notice on the website, and we will obtain your consent again where required by law. Continuing to use TierPad after changes take effect means you accept the updated policy.

18. Contact us

For any question, request, or complaint about this Privacy Policy or our data-processing practices, contact us at:

• Email: privacy@tierpad.com
• Postal correspondence: please contact us by email first to obtain the current postal address.

We aim to respond to all requests within the time limits required by applicable law.