Privacy Policy

Last updated: 1 May 2026

1. Who is responsible

RUIN is operated by James Reid, a sole trader based in England, United Kingdom ("RUIN", "we", "us"). For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018) we are the controller of the personal data described below. You can reach us at support@ruinapp.com.

2. What data we collect

We collect only the data we need to run the Service:

  • Account data — email address, chosen username, and (for password sign-up) a hashed password. Authentication is handled by Supabase Auth.
  • Profile data — display name, avatar, bio, banner choice, theme preference, and any badges, points or expedition history you accumulate through use of the Service.
  • Content you create — photographs you upload (including any embedded EXIF data such as GPS, capture time, and camera model), AI reconstructions and cutouts derived from those photographs, post titles and descriptions, comments, reactions, and follows.
  • Location — your device GPS coordinates when you ask the app to find nearby sites, post a check-in, place a post pin, or use the AR viewer. We do not track your location in the background.
  • Push subscriptions — if you opt in, your device's push endpoint and the public keys needed to deliver notifications.
  • Technical data — IP address, user-agent string, and crash or error reports. We use these for security and debugging.

3. Why we use it (lawful bases)

  • Performance of a contract — to create and maintain your account, generate reconstructions you request, and display content you post.
  • Legitimate interests — to keep the Service secure, prevent abuse, moderate content, run the historian review queue, fix bugs via aggregated error reports, and understand how the Service is used.
  • Consent — for push notifications, precise location access, and any optional analytics. You can withdraw consent at any time from the relevant device or profile settings.
  • Legal obligation — where we have to retain or disclose data in response to a valid legal request.

4. Who we share data with

We do not sell your personal data. We share it only with the processors and providers we need to run the Service:

  • Supabase — hosts your account, content, and database. Data may be stored in the European Union or the United States depending on the project region.
  • Vercel — hosts the web application and serves it from their global edge network.
  • Google (Gemini) — receives the photograph and prompt context when you generate a reconstruction, and returns a generated image.
  • OpenAI — receives the URL of your photograph for the omni-moderation safety check before publication.
  • Replicate — used historically for some image-generation paths; may be deprecated in favour of Gemini.
  • Apple, Google, and Mozilla push services — receive push payloads in order to deliver them to your device, if you opt in to notifications.
  • Sentry — receives error and crash reports for debugging.
  • OpenStreetMap / Nominatim / CARTO — receive your map viewport coordinates and search queries when you use the map and site-creation tools.

5. International transfers

Several of the providers above are based in the United States. Where personal data is transferred outside the United Kingdom or the European Economic Area, we rely on the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or an adequacy decision (where one applies) to provide an appropriate level of protection.

6. How long we keep it

  • Account and profile data: while your account is active.
  • Posts, reconstructions, and comments: while published, plus a short backup window after deletion.
  • Push subscriptions: until you disable notifications or remove the device.
  • Technical / error logs: typically up to 90 days.
  • Moderation logs and audit trails: up to 12 months for abuse-prevention purposes.

When you delete your account we delete or anonymise your personal data within 30 days, except where we need to retain specific records to comply with a legal obligation, defend legal claims, or enforce our Acceptable Use Policy against repeat infringers.

7. Your rights

Under the UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Have your data deleted where the legal grounds for keeping it no longer apply.
  • Restrict or object to processing in certain circumstances.
  • Receive a copy of your data in a portable format.
  • Withdraw consent (for things you opted in to) at any time.

To exercise these rights, email support@ruinapp.com. You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk.

8. Cookies and local storage

RUIN does not use advertising or third-party tracking cookies. We use first-party cookies and browser local storage strictly to keep you signed in (Supabase auth cookies), to remember theme and offline-region preferences, and to auto-save post drafts so you don't lose work. You can clear these from your browser settings at any time.

9. Children

The Service is not directed at children under 13, and we do not knowingly collect data from children under 13. If you believe we have collected such data, contact us and we will delete it. Where local law requires a higher minimum age (for example 16 in some EU member states), that local minimum applies.

10. Security

We use industry-standard measures including TLS in transit, encrypted storage at rest, row-level security on the database, and least-privilege service credentials. No system is perfectly secure; please use a strong, unique password and enable your device's screen lock.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be flagged in the app and dated above. Your continued use of the Service after the change indicates your acceptance.

12. Contact

Questions, requests, or complaints about how we handle your personal data? Email support@ruinapp.com.

See also our Terms of Service and Acceptable Use Policy.