Privacy Policy.

Last updated 2026-06-05 · Version 4.0 (effective from app v2.1.0) · The Mini Colorbench

Who we are

The Mini Colorbench ("the app") is developed and operated by:

Philipp Buchwald (trading as Pixel Paladin)
Contact: hi@pixel-paladin.de
Support: support@pixel-paladin.de
Website: pixel-paladin.de

What the app does

The Mini Colorbench is a companion app for miniature painters. It stores palettes, paint collections, hobby projects, and notes locally on your device. As of v2.0.0, you can optionally sign in with Google or Apple to enable upcoming community features. Without an account, your data never leaves your phone unless you explicitly:

• export it (manual share-out from a settings action — we never see the export), OR
• send us feedback via the in-app feedback form (you choose what to write), OR
• opt in to community stats (anonymous counts only — see below).

Data we collect

1. Nothing about you (default state)

• No name, email, phone number, address, IP address, location, or other identifying information.
• No account, no login.
• No behavior tracking (no analytics, no ads, no fingerprinting, no advertising ID).
• No selling or sharing of data, because there is no personal data to share.

2. Anonymous community stats — opt-in, default OFF

Unchanged from v2.0. The app shows a consent screen on first launch explaining what gets shared, with a green "Opt in" button and a smaller "No thanks" button. Both choices are persisted; the consent screen never shows again. The choice can be flipped at any time from Settings → Share anonymous stats. Telemetry is off by default until you actively opt in.

What gets sent (only when opted in, at most once per 24 hours):

• A one-way hash of a per-install random ID (SHA-256, computed on your device). The original ID never leaves the device. Two installs — even on the same phone — produce different hashes. The hash cannot be reversed to identify you.
• Ownership counts — for each paint you've marked as owned, a row of {paint id: 1}. No paint names, no order of acquisition, no timestamps.
• Palette view counts — for each palette you've opened, a row of {palette id: count}. No timestamps.
• App version — the version string of the app you're running, e.g. 2.1.1.

This identity layer (the install-id hash) is completely separate from your sign-in account. Even if you sign in with Google, telemetry rows continue to use the install-id hash, never your account. Telemetry rows are NOT deleted when you delete your account.

You can opt back out at any time via the Settings → Share anonymous stats Switch.

3. In-app feedback form — explicit, per-submission

Unchanged from v2.0. When you tap Settings → Send feedback and submit the form, the app sends the text, a type tag (bug / idea / other), the install-id hash, and device info (app version, Android version, device model). No automatic sends; nothing leaves the device until you hit Submit.

Feedback rows live in the same Supabase region (EU/Frankfurt) under the same processor agreement.

4. Account data via Google / Apple sign-in — opt-in (NEW in v3.0)

If you choose to sign in with Google or Apple (Settings → Account), your provider shares the following with us:

• Your display name (the name on your Google or Apple account).
• Your email address — used only for account uniqueness. We never send marketing emails; we have no marketing-email surface.
• Your avatar URL — the public image URL from your provider account, if one exists.

We store these on Supabase (EU/Frankfurt) in a profile row tied to your account. The email is stored in the Supabase Auth system separately, used for account uniqueness only, and never displayed publicly.

What ELSE happens when you sign in:

• A record is created in the Supabase Auth system tied to your Google or Apple identity.
• A stable per-account ID (UUID) is generated. The photo upload pipeline (see section 6) uses this ID to associate uploaded photos with your account. Future community features (competition entries, votes, comments) will use the same ID.

Sign-in providers — what they receive:

• Google: receives our app's package name (de.pixelpaladin.colorbench) plus a public OAuth client ID. Google may apply its own privacy policy to that interaction — consult Google's Privacy Policy.
• Apple: receives our app's Services ID. Apple may apply its own privacy policy — consult Apple's Privacy Policy.

We never see your password. We only ever receive what Google or Apple choose to share with us based on the permissions you grant.

5. Account deletion (NEW in v3.0)

You can delete your account at any time from Settings → Account → Delete account. Deletion is immediate, permanent, and not reversible. It removes:

• Your sign-in record on our backend.
• Your profile row (display name, avatar URL).
• All photos you've uploaded — both database rows and the underlying storage files (both thumbnail and full-size versions).
• All local data on this device (owned paints, projects, view history, settings).
• Future account-linked rows (community features land in a later release; everything cascades on deletion).

Deletion does NOT remove:

• Anonymous telemetry rows you may have opted into — those are tied to your device's pseudonymous install-id hash, NOT your account. The install-id is regenerated after account deletion, so future telemetry from the same device contributes to a fresh anonymous identity.
• Anonymous feedback you submitted before signing in.

We do not retain backups of your account beyond standard Supabase nightly snapshots, which roll off after 7 days.

If you can no longer access the app: email support@pixel-paladin.de with the subject Account deletion request. Include the email address you used to sign in. We will delete the account within 30 days.

The accessible web URL for the deletion procedure (referenced by Google Play's Data Safety form) is:
pixel-paladin.de/projects/colorbench/account-deletion.

6. User-uploaded photos — NEW in v4.0

If you upload a photo via a future in-app photo-upload feature (the pipeline is wired in v2.1 but no UI consumes it yet — a later release will add the surface), the app:

1. Strips all EXIF metadata from the photo on your device BEFORE the photo leaves your phone. EXIF metadata typically includes GPS coordinates, camera model and serial number, and the original capture timestamp. We never see any of it.
2. Resizes the photo to a small thumbnail (320px max edge, ~50 KB) and a mobile-sized version (1080px max edge, ~500 KB), both in WebP format.
3. Uploads both sizes to our Supabase Storage in EU/Frankfurt under the same processor terms as the rest of our backend.
4. Tags each upload with a moderation status defaulting to "pending". Photos are only publicly visible after a manual approval (this matters only when a public-display surface ships in a later release; in v2.1 nothing is publicly visible).

Per-user limits in v2.1:

• Maximum 5 uploads per 24-hour window.
• Maximum 50 photos total per account.

What we DO NOT do with your photos:

• We do not run any image analysis on them (no face recognition, no content classification, no AI training).
• We do not share photos with any third party.
• We do not retain photos that were never publicly approved beyond your own deletion.

Account deletion + photo retention: when you delete your account (section 5 above), ALL your photos are removed in the cascade — both the database rows and the storage files. Photos deleted before the 7-day Supabase backup window may persist in those backups; after 7 days, no copy exists.

When the public-visibility competition surface ships, this policy will be updated with the corresponding sections.

7. Crash diagnostics — still none

v2.1.0 still does not collect crash reports automatically. If we add crash reporting later, we'll update this policy and disclose it in the in-app About screen and the release notes.

8. Google Play Store

When you install the app from Google Play, Google collects standard install telemetry under Google's Privacy Policy. We do not control this and we do not see your individual install/uninstall data — only aggregated counts.

Data we do not collect

• Analytics about feature usage outside the opt-in counts above (no per-screen view tracking, no event funnels, no time-spent metrics).
• Advertising data.
• Device contacts, calendar, or files (the app does not request these permissions).
• Microphone or location (the app does not request these permissions).
• Photo content beyond what you explicitly upload — the app reads photos from your library only after you tap a photo-upload button and grant the library permission; we receive nothing automatically. Camera permission, if granted, is used solely to capture a photo for an explicit upload.

Where the data lives

• Default mode (no sign-in, no telemetry): entirely on your phone, in app-private storage. Uninstalling the app removes it all.
• Opt-in community stats + in-app feedback: Supabase Inc. (eu-central-1, Frankfurt, Germany). Standard processor terms; data not linked to anything that identifies you.
• Account data (signed-in users): same Supabase project, same region. Tied to your Google/Apple identity. Hard-deletable from Settings → Account → Delete account.
• Uploaded photos: same Supabase project, same region, in dedicated storage buckets for thumbnail and full-size versions. Cascade-deleted with your account.

Your rights under GDPR

As an EU/EEA user, you have the right to:

• Access —
  • For anonymous data (telemetry, feedback): keyed only by the irreversible install-id hash; if you can supply the hash (Settings → Clear all local data shows it), we can return matching rows.
  • For account data (including uploaded photos): email support@pixel-paladin.de with the email tied to your account; we'll provide a JSON export of your profile, photo rows, and future account-linked rows within 30 days.
• Deletion —
  • For anonymous data: provide the hash, we'll delete matching rows. Or uninstall + reinstall the app (new install-id, fresh start).
  • For account data: the immediate path is Settings → Account → Delete account (in-app, no email needed) — this also removes all your uploaded photos. Email support if you can no longer access the app.
• Object / Opt-out —
  • For telemetry: flip Settings → Share anonymous stats off.
  • For account: sign out (your data stays in our backend, ready for sign-in again) or delete (permanent removal).
• Lodge a complaint — with your national data protection authority. The German supervisory authority is the BfDI.

Children

The app is rated for general audiences (PEGI 3 / IARC Everyone). We do not knowingly collect data from children under 13. The sign-in flow is gated behind Settings → Account and is not required to use the app. Google and Apple's own age-of-consent enforcement applies to the OAuth flow.

Changes to this policy

If we update this policy, we will change the "Last updated" date at the top and note the change in the app's About screen. Material changes will be announced in the app's release notes on Google Play.

Changelog

• v4.0 (2026-06-05, effective from app v2.1.0): Added section 6 (user-uploaded photos): EXIF strip on-device, two-size WebP storage, per-user limits (5/day + 50 total), moderation default, cascade-delete on account deletion. Explicitly disclaims face recognition, content classification, AI training, third-party sharing. Updated section 5 (account deletion) to include the photo cascade. Updated "Data we do not collect" to clarify how camera + photo-library permissions are used. Updated "Where the data lives" with the new buckets. Updated GDPR access path to cover photos.
• v3.0 (2026-06-03, effective from app v2.0.0): Added section 4 (account data via Google/Apple sign-in) and section 5 (account deletion). Added the Play Console data-deletion URL.
• v2.0 (2026-05-09, effective from app v1.6.0): Added section 2 (opt-in community stats) and section 3 (in-app feedback form). Both are opt-in/explicit per submission.
• v1.0 (2026-04-24, effective from app v1.0.0): Initial policy. Local-only, no data collection.

Contact

Questions about privacy? Email support@pixel-paladin.de.