Privacy Policy

Your privacy matters to us. Learn how Blast Buddy collects, uses, and protects your data.

Last updated: 28/04/2026

Default mode

Blast Buddy is fully usable without an account.

We know shooters take their data seriously. By default, Blast Buddy is offline-first: you can run sessions, build stages, record video, and review your stats without ever creating an account or signing in. In that mode:

  • No personal data ever leaves your device. No email, no name, no UID, no sessions, no stages, no recordings.
  • No usage tracking, no behavioural analytics, no crash-reporting SDK.
  • No advertising identifier is read or transmitted (no IDFA, no Android Advertising ID).
  • The only data leaving the device is a Firebase Installation ID (a device-scoped, anonymous identifier that resets on uninstall) needed for the App's technical operation, and — only if you make a purchase — the data Apple or Google needs to process the transaction.

In short: if you don't sign in, no personal data of yours reaches Endcode S.R.L. Cloud sync, multi-device access, and account-tied features are strictly opt-in — described in the sections below, which apply only if you choose to create an account or sign in to cloud services.

At a glance

The following points apply only if you choose to create an account or sign in to cloud services. If you don't, see the "Default mode" section above.

  • If you choose to create an account or sign in to cloud services, we collect only what is needed to run your account: email, password (stored as a salted hash by our authentication provider), an optional display name, and the shooting sessions and stage configurations you choose to sync.
  • We do not sell your data, do not use ad networks, and do not run third-party analytics or crash-reporting SDKs.
  • You can delete your account and all associated data at any time, either from inside the App or via our account & data deletion form.

1. Who we are

This Privacy Policy explains how Endcode S.R.L. ("we", "us", "our"), with registered office at Via Giovanni Durando 38, Milan – Italy (P.IVA IT10560900960), processes personal data when you use the Blast Buddy mobile application ("the App"), available on the Apple App Store and Google Play.

Endcode S.R.L. is the data controller for the personal data described below. For any privacy question or to exercise any of the rights described in this policy, please use our privacy & account request form.

2. What data we collect

2.1 Data you provide when you create an account or sign in to cloud services

Creating an account is strictly optional. The data described in this section is collected only if you choose to create an account or sign in to cloud services:

  • Email address — used as your login identifier and to send service-related messages (such as account deletion confirmation).
  • Password — we never see or store your password in plain text. Our authentication provider (Firebase Authentication) stores only a salted hash.
  • Display name — optional, only if you choose to set one.
  • Apple Sign-In identifiers — if you sign in with Apple, we receive a unique account identifier from Apple and, only if you choose to share it, the email address Apple relays to us.

2.2 Data generated by your use of the App (synced to your account)

If you choose to create an account or sign in to cloud services, the following data is sent to our backend so it can be synchronised across your devices:

  • Shooting sessions — timestamps, splits, scores, statistics, and any notes you add.
  • Stage configurations — the stages you build, their layouts, and your settings.
  • Account preferences — the App settings tied to your profile.
  • Purchase & entitlement status — whether you hold an active subscription, derived from purchase tokens issued by the App Store or Google Play. We never see your payment card details, which are handled exclusively by Apple or Google.

All of this data is stored in our backend hosted on Amazon Web Services (AWS) in the European Union, in a private database that is not accessible from the public internet.

2.3 Data processed only on your device (never sent to us)

The following data stays on your device and is never transmitted to our servers or to any third party:

  • Microphone audio — processed in real time to detect shots. Raw audio is not recorded, uploaded, or shared.
  • Camera and video recordings — used for on-device shot detection and overlay rendering. Videos remain in your device's local storage or photo library unless you choose to share them.
  • Location (only if you grant the permission) — used solely to attach a location label to a session record stored on your device.
  • Photos and media you select for use within the App.

2.4 Data collected automatically

  • Firebase Installation ID — a Google-issued, device-scoped identifier generated by the Firebase SDK when the App first launches. It allows the App instance to be authenticated against our backend. It is not linked to your identity, is not an advertising identifier, and is reset whenever you uninstall the App or clear its data.
  • Authentication tokens — short-lived ID tokens issued by Firebase Authentication only after you choose to sign in to cloud services, used to authorise requests to our backend.

We do not use Firebase Crashlytics, Firebase Analytics, Google Analytics for Firebase, or any third-party advertising or analytics SDK inside the App. We do not collect contacts, calendar, SMS, browsing history, advertising identifiers (e.g. Android Advertising ID, IDFA), biometric data, health data, or precise location for tracking.

2.5 If you use the App without an account (default)

This is the default mode for Blast Buddy (see the "Default mode" section at the top of this page). To recap, when you don't sign in to cloud services:

  • We do not collect your email, name, password, or any other personal identifier.
  • Your sessions, stages, recordings, and any location labels stay only on your device and are never sent to our servers.
  • The only data leaving your device is the Firebase Installation ID (described in 2.4) needed for the App's technical operation, and — if you make a purchase — the data the App Store or Google Play needs to process the transaction.

3. Why we use your data (purposes)

We process your personal data only for the following purposes:

| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Create and authenticate your account | Email, hashed password, UID, display name | Performance of contract (Art. 6(1)(b)) |
| Sync sessions and stages across your devices | UID, sessions, stages, preferences | Performance of contract (Art. 6(1)(b)) |
| Verify subscription / entitlement status | UID, purchase tokens, entitlement status | Performance of contract (Art. 6(1)(b)) |
| Keep the service secure and prevent abuse | UID, authentication tokens, request metadata | Legitimate interests (Art. 6(1)(f)) |
| Comply with tax and accounting obligations | Purchase records | Legal obligation (Art. 6(1)(c)) |
| Use device permissions you grant (camera, microphone, location, media) | Data processed only on your device (see 2.3) | Consent (Art. 6(1)(a)) |

We do not use your data for advertising, profiling, or automated decision-making with legal effect, and we do not sell or rent it.

4. Where your data is stored

Your account data, sessions, stages, and entitlement status are stored in our backend hosted on Amazon Web Services (AWS), in a private database located in the European Union. Access to the database is restricted to a small number of authorised Endcode S.R.L. personnel, protected by strong authentication, and audit-logged.

Authentication (email + hashed password, OAuth identifiers, ID tokens) is handled by Google Firebase Authentication, which may store data on Google's infrastructure outside the European Economic Area.

5. Who we share data with

We share data only with the following service providers, who act as our data processors and process data strictly on our documented instructions:

| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Amazon Web Services, Inc. | Backend & database hosting | UID, sessions, stages, preferences, entitlement status | EU |
| Google LLC (Firebase Authentication) | Account authentication | Email, salted password hash, UID, ID tokens | USA / global |
| Apple Inc. (App Store, Apple Sign-In) | iOS purchase processing & sign-in | Purchase tokens, entitlement status, OAuth identifier, email (only if you share it) | USA / global |
| Google LLC (Google Play Billing) | Android purchase processing | Purchase tokens, entitlement status | USA / global |

When data is transferred outside the European Economic Area, the transfer is governed by the EU Standard Contractual Clauses (2021/914) and equivalent safeguards offered by each provider.

We do not share data with advertising networks, data brokers, or analytics companies, and we do not sell personal data.

6. How long we keep your data

| Data | Retention |
|---|---|
| Account data (email, UID, display name) | For as long as your account is active |
| Sessions, stages, preferences (on AWS) | For as long as your account is active, or until you delete the individual record |
| Authentication tokens | Session duration only (typically up to 1 hour, then refreshed) |
| Purchase & billing records | Up to 10 years, as required by Italian tax and accounting law |
| Backups of the AWS database | Rotated and overwritten within 30 days |

Data stored only on your device (recordings, on-device session history, location labels) is removed when you uninstall the App or clear its data in your device Settings.

7. Delete your account and data

You have the right to delete your account and all the personal data we hold about you, at any time, free of charge. There are two ways to do this:

Option A — Delete from inside the App

  1. Open Blast Buddy and sign in.
  2. Go to Settings → Account → Delete account.
  3. Confirm the deletion.

This action permanently and immediately removes your Firebase Authentication record and triggers deletion of your server-side profile, sessions, and stage configurations stored on AWS.

Option B — Request deletion via the web form

If you cannot access the App (for example, you have already uninstalled it), submit our account & data deletion form and we will process the request:

Open the Account & Data Deletion Form

What gets deleted

  • Your Firebase Authentication record (email, salted password hash, UID).
  • Your profile, sessions, stages, preferences, and entitlement status stored on AWS.
  • Any backups containing your data are overwritten within 30 days.

Timing

In-App deletion is effective immediately. Deletion requests submitted through the web form are processed within 30 days, and we will confirm completion. Backups are rotated and overwritten within 30 days of deletion.

What we are legally required to keep

Italian tax and accounting law requires us to retain invoices and purchase records for up to 10 years. These records are kept in a separate, access-restricted accounting system, are not used for any other purpose, and are deleted at the end of the legal retention period.

8. Your other rights

In addition to the right to delete your data (Section 7), if you are in the EU, UK, or another jurisdiction with similar laws, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Port your data to another service in a structured, commonly used, machine-readable format.
  • Restrict or object to processing based on our legitimate interests.
  • Withdraw consent at any time, where processing is based on consent (this does not affect the lawfulness of processing carried out beforehand).
  • Lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) or with your local supervisory authority.

To exercise any of these rights, please use our privacy & account request form. We will respond within 30 days.

9. Security

  • All traffic between the App, our backend, and Firebase is encrypted in transit using TLS 1.2+ (HTTPS).
  • Passwords are never stored in plain text. Firebase Authentication stores only a salted hash.
  • The AWS database is private (not exposed to the public internet), encrypted at rest, and accessible only to authorised personnel through audited, multi-factor-protected access.
  • API requests must carry a valid, short-lived authentication token; users can only read or write their own data.
  • We log access to administrative interfaces and review those logs for unusual activity.

No system can be guaranteed 100% secure, but we apply industry-standard measures and review them regularly.

10. Children's privacy

Blast Buddy is not directed at, and not intended for, users under 14 years of age. We do not knowingly collect personal data from children under this age. If you believe a child has provided us with personal data, contact us through our privacy & account request form and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated within the App or to the email address on your account. Continued use of the App after the effective date constitutes acceptance of the updated policy.

12. Contact & data controller

For all privacy questions, requests, and rights described in this policy, please use our privacy & account request form. It is the fastest and most reliable way to reach the team handling your data.

Endcode S.R.L. — Data Controller

Via Giovanni Durando 38, Milan – Italy

P.IVA: IT10560900960

Privacy & account requests: submit via this form