Privacy Policy

Last updated: June 8, 2026

Enhanced privacy protections for an adult gaming platform. We prioritize discretion, clear user controls, and secure handling of sensitive data.

Privacy Overview

GOONMASTER is an adult-utility web app: a smart metronome, modular audio overlays, and a bring-your-own-content media player that runs entirely in your browser. We do not host any visual adult content; any video you load stays on your device. This policy explains what we DO collect, why, how long we keep it, and how you can exercise your rights.

Adult Content Notice

This platform is intended for users aged 18+. We do not permit accounts for people under 18. We currently use self-certification for age confirmation (we may introduce stronger verification methods in jurisdictions that require them).

No External Tracking by Default

We do not embed third-party trackers or advertising scripts by default.

Encryption and Security

We encrypt data in transit (TLS) and at rest in our infrastructure, and we apply strict access controls.

User-Controlled Data

Users can delete their accounts and export data. Account deletion is available in Settings.

Data Controller & Contact

Data Controller: Dopateq Kamil Lach (sole proprietorship registered in Poland), NIP 9581765529, REGON 544949243

Mailing address: al. Solidarności 68/121, 00-240 Warszawa, Poland

Privacy / support contact: support@goonmaster.io

If you have privacy questions, want to exercise your rights, or require assistance deleting your account, contact us at the address or email above. We aim to respond to verified requests as required by applicable law (typically within one month).

Note: we have not designated a separate Data Protection Officer (DPO). Use the email above for privacy inquiries.

What We Collect & Why

We collect information that is necessary to operate the service and to keep the platform secure. One thing we can never collect, by design: any media you play. The video player is 100% client-side — files you load (and anything you watch in Companion mode) stay on your device and are never uploaded, stored, scanned, or visible to us.

Lawful Bases for Processing (GDPR Article 6)

For users in the EU/UK, every processing activity rests on one of the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)) — account data (email, hashed password via Supabase), gameplay/progress data, and subscription/billing status: all needed to deliver the service you signed up for.
  • Legal obligation (Art. 6(1)(c)) — payment transaction records and age-verification records retained for tax, accounting, and regulatory compliance.
  • Legitimate interests (Art. 6(1)(f)) — security logs, fraud and abuse prevention, and aggregated, non-identifiable product metrics. We balance these interests against your rights and use the minimum data necessary.
  • Consent (Art. 6(1)(a)) — anything optional, such as non-essential communications. Our cookieless analytics (Plausible) relies on legitimate interests rather than consent (see above); any future technology that DID require consent would be gated behind a clear consent mechanism first. Consent, where used, can be withdrawn at any time.

Detailed Data Collection

Age Verification

We require users to confirm they are 18+. At present we rely primarily on self-certification with timestamp recording. If we later implement stronger age verification (ID or third-party verification), we will disclose the method and legal basis and provide explicit notice and options to users in affected jurisdictions.

How We Use Your Information

We use data to operate the platform, protect users, and improve the service:

Platform Operation

  • Account authentication and access control
  • Track gameplay progress (XP, ranks, stats)
  • Provide paid/premium services and feature access

Safety & Security

  • Age verification, abuse prevention, fraud detection
  • Content moderation and safety enforcement
  • Responding to legal requests and protecting user safety

Service Improvement

  • Bug fixing, performance improvements
  • Product analytics (aggregated; no cross-site profiling)
  • Feature research based on aggregated metrics

User Support

  • Account recovery and security communications
  • Transactional notifications (service interruptions, billing)
  • Payment and subscription management

What We Don't Do

  • No targeted advertising: We do not engage in ad profiling or behavioral advertising.
  • No access to your media: GOONMASTER does not host visual adult content. The media player loads files from your device and plays them in your browser only — we never receive, store, scan, or analyze any media you load.
  • No sale of personal data: We do not sell or rent personal information to third parties.

Cookies & Local Storage

We use a small set of cookies and local storage for essential functionality. Below is a summary.

Local storage & essential technologies

We use strictly necessary technologies, including cookies and non-cookie storage (such as localStorage), to ensure the website functions correctly. Concretely: an age-gate cookie remembers that you confirmed you are 18+ (so the gate does not reappear on every page), an authentication session (managed by Supabase) keeps you signed in, a referral cookie (gm_ref) records whether a partner or affiliate link brought you to the site — for up to 90 days — so the right partner can be credited for your visit, and localStorage preferences hold interface and gameplay settings on your device — things like reduced-motion choice, performance mode, event frequency, audio settings, and a local cache of your game progress. These technologies do not involve tracking users across websites, are not used for advertising or analytics, and are not shared with third parties.

Analytics & third parties

We use privacy-friendly analytics from Plausible Analytics, an EU-based, cookieless analytics service, to understand aggregate usage — page views, referrers, device type, and approximate country derived from your IP address without storing the IP itself. It sets no cookies, does not track you across websites, builds no advertising or behavioural profiles, and collects no personal data. Plausible is EU-owned and EU-hosted and processes this data as our processor under a data processing agreement, with no transfer outside the EEA. We also run first-party error logging to diagnose and fix bugs (technical event data only, scrubbed of personal content). We do not use advertising or cross-site tracking technologies of any kind. Because this analytics is cookieless and stores nothing on your device, it does not require a consent banner; if we ever introduce technologies that do, we will add a clear consent mechanism first.

Your Rights & How to Use Them

Depending on where you live, you have certain rights regarding your personal data. Below is a summary of commonly applicable rights and how to exercise them.

Data subject rights (GDPR / UK GDPR)

  • Right of access — request a copy of personal data
  • Right to rectification — correct inaccurate data
  • Right to deletion — request erasure of personal data
  • Right to restriction — request limits on processing
  • Right to data portability — get your data in a structured format
  • Right to object — challenge processing based on legitimate interests
  • Right to withdraw consent — where processing relies on consent

California residents (CCPA/CPRA)

  • Right to know what personal data is collected and why
  • Right to delete personal data (subject to verification)
  • Right to opt-out of sale/sharing (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

How to submit a request

To exercise any of the rights above, contact us at support@goonmaster.io. For account-level actions such as deletion, you may also use the in-app Settings → Delete Account. Requests that affect personal data will require verification to protect user privacy (we may ask for proof of account ownership).

We will respond to verified requests in accordance with applicable law (commonly within one month). If we need more time, we will notify you.

You also have the right to lodge a complaint with your local supervisory authority (for EU/UK users) or the California Attorney General (for California users).

Data Retention & Deletion

We retain personal data only as long as necessary for the purposes described and as required by law. Specific retention practices:

  • Account & profile data: deleted immediately when you delete your account — a hard delete, with no soft-delete or recovery window; residual copies in encrypted backups are purged within the backup-retention cycle
  • Gameplay data (XP, progress): removed on account deletion or when the user removes the data
  • Payment transaction records: retained for 7 years (tax/legal compliance)
  • Security logs: retained up to 90 days (longer only for ongoing investigations or legal obligations)
  • Aggregated analytics: retained as needed for product improvement (non-identifiable)

When you delete an account we run a secure deletion process; some backups or logs may persist in encrypted form for a short period for disaster recovery or legal compliance, but access is restricted and removed as soon as practical.

When Data is Shared

We do not sell personal information. We share data only in limited circumstances:

Authentication & Database (Supabase)

Supabase is our authentication and database processor: it stores your account email, your password (as a salted hash — we never see or store plaintext passwords), and your game state/progress, under a data processing agreement. Your data is stored on Supabase infrastructure hosted in the EU (Ireland, eu-west-1); no transfer outside the EEA occurs for this processor.

Payment Processors

Card payments are handled by SegPay; cryptocurrency payments are handled by NOWPayments. The processor collects your payment details directly — we never see or store card numbers or wallet credentials. SegPay is PCI-DSS compliant and bound by a data processing agreement with us. Review SegPay's policies at https://segpay.com and NOWPayments' policies at https://nowpayments.io.

Content Delivery (CDN)

Static audio assets (metronome ticks and the synthetic AI voice clips) are served from a content delivery network (Bunny.net, operated by BunnyWay d.o.o., EU). When your browser fetches these files, the CDN processes standard connection data (IP address, user agent) as any web host does; it receives no account data from us, and never any of your media — your media stays on your device.

Analytics (Plausible)

We use Plausible Analytics — a privacy-focused, cookieless analytics service — to understand aggregate site usage. It is EU-owned and EU-hosted, sets no cookies, collects no personal data, and builds no cross-site or advertising profiles. It acts as our processor under a data processing agreement, and no personal data leaves the EEA for this processor.

Service Providers

Limited data is shared with other service providers (server hosting, transactional email) under strict contracts (data processing agreements). Providers are instructed to handle adult-platform data with enhanced protections.

Legal Requirements

We may disclose data to comply with lawful requests from authorities, court orders, or to protect users and our platform. If permitted by law, we will notify affected users of such requests.

Business Transfers

In the event of a merger, acquisition, or asset sale, user data may be transferred. We will notify users and provide options (export/delete) where required by law.

Security & Compliance

Security

We apply industry-standard technical and organizational measures: TLS for transport, encryption at rest, access controls, monitoring, patching, and regular security audits. Administrative access is limited and logged. Payment card data is never stored on our servers—it is processed directly by PCI-DSS compliant payment processors.

Compliance

We aim to comply with EU/UK GDPR, the ePrivacy rules, and U.S. laws such as CCPA/CPRA where applicable. This policy will be updated to reflect material legal or product changes.

Policy Updates

Updates to this Policy

We may update this policy to reflect legal or product changes. For material changes that reduce privacy protections, we will provide advance notice to users (at least 60 days) and obtain consent where required.

Version & Last Updated

Last updated: June 8, 2026