Privacy policy

Ystia attaches particular importance to the protection of personal data and undertakes to process it in accordance with the General Data Protection Regulation, the French Data Protection Act and the applicable regulations.

1. Who is responsible for processing the data?

The data controller is:

• Name: YSTIA
• Legal form: SAS
• Address: 1066 Chemin de Rabiac Estagnol, 06600 Antibes, France
• SIRET: 103195012 00010
• RCS: Antibes 103 195 012
• Contact: contact@ystia.fr

Ystia determines the purposes and means of the processing carried out within the application. For any question relating to your personal data or to exercise your rights, you can contact us at: contact@ystia.fr. You can also write to us at the postal address indicated above.

2. What data do we collect?

Ystia collects only the data necessary for the operation of the application, the security of the service, user support, improvement of the experience and compliance with its legal obligations.

Account data

When you create an account, we collect in particular:

• your email address;
• your password, processed in a secure form;
• your username;
• your profile picture, if you add one;
• your account identifier;
• the account creation date;
• certain settings associated with your account.

Your password is not stored in plain text by Ystia.

Game and progress data

When you use the application, we may collect or generate:

• quests started, in progress or completed;
• validated steps;
• answers given to quizzes, riddles or challenges;
• validation dates and times;
• XP earned;
• Ystia Coins earned or used;
• levels, badges, achievements and game statistics;
• the progress history associated with your account.

Geolocation data

Certain features require access to your device location, for example to:

• display your position on a map;
• suggest nearby quests;
• guide you to a place;
• verify your presence in a specific area to validate a step.

Ystia does not track your movements continuously and does not keep a permanent history of your GPS positions. However, when a quest or step is validated, Ystia may keep a record of that validation. This record may make it possible to infer that you took part in an activity located in a given geographical area on a given date.

Photos and submitted content

Certain quests may ask or allow you to submit a photo or content. This may include:

• a photo taken as part of a quest;
• your profile picture;
• an answer or text entered in the application;
• a message sent to support;
• a screenshot or attachment sent to Ystia.

Photos taken as part of quests are mainly used to carry out, validate, track or keep a memory of the game experience. They are not used by Ystia for external commercial, advertising or promotional purposes without your specific authorisation.

Data related to Treasures and partner benefits

When you obtain or use a Treasure, partner benefit, QR code, promotional code or alphanumeric code, Ystia may process in particular:

• the benefit obtained;
• the partner concerned;
• the date of acquisition;
• any expiration date;
• the number of Ystia Coins used;
• the status of the benefit: active, used, expired, cancelled or disabled;
• the QR code, code or associated identifier;
• the information necessary to verify or use the benefit.

Technical data

Ystia may also collect certain technical data necessary for the operation and security of the application, such as:

• IP address;
• type of device used;
• operating system;
• application version;
• language or certain technical settings;
• connection dates and times;
• technical logs;
• errors, bugs, diagnostics or crash reports;
• data required for fraud prevention and service security.

Support data

When you contact Ystia, we may process:

• your email address;
• your username or the identity you provide;
• the content of your message;
• attachments or screenshots sent;
• information needed to identify your account;
• the history of exchanges.

Newsletter

When creating your account, you may choose to receive the newsletter or information communications from Ystia. If you agree, Ystia may use your email address to send you information relating to the application, new features, quests, events, partners, Treasures or Ystia news.

You can withdraw your consent at any time, in particular from the Settings tab of the application or through an unsubscribe link when one is provided.

3. Why do we use your data?

Ystia uses your data for the following purposes:

• creating and managing your account;
• allowing you to use the application;
• allowing you to take part in quests;
• validating game steps and objectives;
• displaying your progress, XP, Ystia Coins, levels and statistics;
• managing the Shop, Treasures and partner benefits;
• allowing partners to verify certain benefits when necessary;
• providing user support;
• securing the application;
• preventing fraud, cheating or abuse;
• correcting technical errors;
• improving the application and user experience;
• producing internal statistics;
• producing aggregated or anonymised reports for partners, local authorities or professional clients;
• sending important communications related to the service;
• sending the newsletter if you have consented to it;
• complying with our legal obligations;
• managing potential disputes.

Ystia does not sell users’ personal data to third parties.

4. What are the legal bases for processing?

Performance of the Terms of Use

This applies when the data is necessary to provide the requested service, for example creating and managing your account, taking part in quests, tracking your progress, obtaining XP or Ystia Coins, accessing Treasures or using partner benefits.

Your consent

This applies in particular to newsletter subscription, certain permissions granted through your phone such as geolocation or camera access, and certain optional features when your agreement is requested.

You may withdraw your consent at any time. However, certain features may become unavailable if the data or permissions concerned are necessary for them to function.

Ystia’s legitimate interest

Ystia may process certain data to ensure application security, fraud prevention, anomaly detection, service improvement, internal statistics production or the defence of its rights.

Compliance with a legal obligation

Certain data may be retained or disclosed when required by law, in particular in the event of a request from a competent authority or the need to keep evidence.

5. Geolocation

Geolocation is used only when necessary for the operation of certain features. It may be used to display your position on a map, suggest quests near you, guide you to a place or verify that you are in a given area to validate a step.

You can disable geolocation from your device settings. In that case, certain features may be limited or unavailable.

Unless a specific feature is clearly indicated, Ystia does not use geolocation in the background. Ystia does not keep a continuous history of your GPS positions. However, quest or step validations may be retained in order to track your progress, award rewards, secure the service and prevent fraud.

6. Photos and user content

Photos or content you submit in the application are used only for the needs of the service: profile, quests, validations, support, security, moderation or fraud prevention.

You are responsible for the photos and content you submit. You must ensure in particular that you do not infringe another person’s privacy, image rights, copyright, trademarks or third-party rights.

Ystia may remove or hide content that is manifestly unlawful, inappropriate, fraudulent, dangerous or contrary to the Terms of Use. Ystia does not reuse your photos for external commercial, advertising or promotional purposes without your specific authorisation.

7. Data visible to other users

Certain information may be visible to other users as part of profile, ranking, statistics or progress features.

This may include in particular:

• your username;
• your profile picture;
• your level;
• your XP;
• certain badges or achievements;
• certain game statistics;
• your position in a ranking, when this feature exists.

Your email address, password, personal QR codes, promotional codes, support requests and technical data are not visible to other users. It is your responsibility to choose a username and profile picture that you agree to make visible in the application.

8. Partners and benefits

Certain Treasures or benefits may be offered by local partners. When you present a QR code or use a partner benefit, the partner concerned may access only the information necessary to verify or apply the benefit.

This may include in particular:

• the status of the benefit;
• its expiration date;
• its usage status;
• the QR code, code or verification identifier;
• the information necessary to apply the offer.

Ystia does not provide partners with data that is not necessary for the execution of the benefit. If you leave the application to use a website, ticketing service, booking platform, payment service or any other external service of a partner, the data you submit to that service is processed by that partner or third-party service according to its own privacy policy.

9. Statistics and reporting

Ystia may produce statistics on the use of the application, for example:

• number of quests started or completed;
• number of steps validated;
• number of Treasures obtained or used;
• attendance of a quest or territory;
• overall performance of a campaign or partnership.

These statistics may be used by Ystia or communicated to partners, local authorities, tourist offices, territories or professional clients. Unless specifically necessary for the execution of a benefit, support, security or a dispute, these statistics are provided in aggregated or anonymised form, so as not to directly identify users.

10. Who can access the data?

Personal data is primarily intended for Ystia. It may be accessible, as needed, to authorised persons within Ystia to manage the application, provide support, process complaints, manage Treasures and partner benefits, ensure security, detect fraud, produce statistics and respond to requests relating to personal data.

Ystia may also use technical service providers, in particular for:

• authentication;
• hosting;
• database management;
• file storage;
• mapping;
• notifications;
• technical analysis;
• error diagnostics;
• reporting;
• support;
• security.

These providers process data only on behalf of Ystia, according to its instructions, when they act as processors.

The main services used or likely to be used by Ystia include:

• Firebase / Google Cloud: authentication, database, hosting, storage, security, technical analysis;
• Mapbox: display of maps and geographical elements;
• Google Maps or equivalent services: opening routes or external itinerary links;
• BigQuery and Looker Studio: statistics, dashboards, internal or aggregated reporting;
• Apple App Store and Google Play: downloading, installing and updating the application.

When you use a third-party service directly, that service may process your data according to its own terms and privacy policy.

11. Transfers outside the European Union

Data is, where possible, processed and hosted within the European Union or the European Economic Area. However, certain technical providers or third-party services used by Ystia may be located outside the European Union or involve transfers of data to third countries.

When this occurs, Ystia ensures that such transfers are governed in accordance with the applicable regulations, in particular by an adequacy decision of the European Commission, standard contractual clauses, appropriate contractual, technical or organisational safeguards, or any other mechanism provided for by applicable regulations.

When you use a third-party service directly, any transfers carried out by that service are governed by its own privacy policy.

12. How long do we keep the data?

Ystia keeps data only for as long as necessary for the purposes for which it was collected.

Account data

Account data is kept as long as the account exists. If the account is deleted, it is deleted or anonymised within a maximum period of 30 days, unless temporary retention is necessary for security, evidence, fraud, complaint or legal obligation purposes. In that case, strictly necessary data may be retained for up to 2 years.

Progress and validation data

Progress, XP, Ystia Coins, quests and validation data are kept for the entire lifetime of the account. If the account is deleted, they are deleted or anonymised within a maximum period of 30 days, unless temporary retention is needed for evidence, security, fraud or dispute purposes. Anonymised or aggregated data may be kept for statistical purposes.

Geolocation data

Ystia does not keep a continuous history of your GPS positions. Data used occasionally to display a map or validate a step is kept only for the time necessary for the feature to function. Validation records are retained with progress data.

Photos and content

The profile picture is kept as long as the account exists, unless deleted or modified by the user. Photos and content linked to quests are kept as long as the account exists, unless deleted, an accepted erasure request, removal obligation or account deletion occurs.

If the account is deleted, these contents are deleted or anonymised within a maximum period of 30 days, unless necessary for security, moderation, fraud, legal obligation or dispute purposes. Technical backups may remain for up to 90 days.

Treasures and partner benefits

Data related to Treasures, QR codes, promotional codes and partner benefits is kept for the time necessary for their management, use, expiration, support and evidence. After use or expiration, strictly necessary data may be kept for up to 2 years.

Technical data

Logs, technical journals, diagnostic, security or error data are kept for a maximum of 12 months. In the event of an incident, fraud, abuse or dispute, certain data may be kept for up to 2 years after the case is closed.

Support and GDPR requests

Data related to support or complaints is kept for the time needed to process the request. Elements necessary to prove processing may be kept for up to 2 years. For requests relating to GDPR rights, limited proof may be kept for up to 3 years.

Newsletter

Data related to the newsletter is kept until you withdraw your consent. After unsubscribing, Ystia stops sending communications within a maximum period of 30 days. Limited proof of consent or withdrawal may be kept for up to 3 years.

13. Website and cookies

The Ystia website is primarily intended to present the application, the project, and useful information for users, partners and professional clients.

At this stage, Ystia does not plan to place advertising cookies, audience measurement cookies, marketing trackers or behavioural tracking devices on its website.

If Ystia later uses cookies or trackers requiring information or consent, this Privacy Policy will be updated.

14. Data security

Ystia implements technical and organisational measures designed to protect personal data against loss, unauthorised access, disclosure, modification, alteration or misuse.

These measures may include in particular:

• secure authentication;
• secure password processing;
• limited access to data;
• access control rules;
• backups;
• anomaly detection measures;
• fraud prevention measures;
• use of providers offering security guarantees.

The user is also responsible for the security of their account. They must choose a sufficiently strong password, not share it with third parties, protect access to their device and quickly report any suspicious use.

No IT system can be guaranteed as completely secure. In the event of an incident affecting personal data, Ystia will take the necessary measures and inform the persons concerned or the competent authority when required by regulation.

15. Your rights

In accordance with applicable regulations, you have rights over your personal data. You may request:

• access to your data;
• rectification of inaccurate data;
• erasure of your data;
• restriction of processing;
• objection to certain processing operations;
• portability of certain data;
• withdrawal of your consent when processing is based on it;
• definition of instructions relating to the fate of your data after your death.

To exercise your rights, you can contact Ystia at: contact@ystia.fr.

In order to process your request, Ystia may ask you for certain information to verify your identity and identify the account concerned. Ystia will respond within a maximum period of one month from receipt of the complete request. This period may be extended by two additional months in the event of a complex request or a large number of requests.

Certain rights may be limited when the retention of certain data is necessary to comply with a legal obligation, ensure service security, prevent fraud, process a complaint, keep evidence or defend Ystia’s rights.

If you believe that your rights are not respected, you may lodge a complaint with the CNIL.

16. Minors

The Ystia application is accessible to users aged at least thirteen, under the conditions set out in the Terms of Use.

Minor users are invited to use the application with the agreement and under the supervision of their legal representatives, in particular when they take part in outdoor quests, use geolocation, take or submit photos, access community features or obtain Treasures.

When processing is based on consent and concerns a minor under the age of fifteen, consent must be given jointly by the minor concerned and by the holder(s) of parental authority, when required by regulation.

Legal representatives may contact Ystia to exercise rights relating to the personal data of the minor concerned. If Ystia finds that an account has been created by a user who does not meet the age requirements or without the required authorisation, Ystia may restrict, suspend or delete the account concerned.

17. Changes to the Privacy Policy

Ystia may modify this Privacy Policy to take into account changes to the application, features, tools used, partners, providers or applicable regulations.

In the event of a significant change, Ystia may inform users by any appropriate means, including display in the application, notification, email, message upon login or publication on the website.

When the change requires new consent, Ystia may ask the user to confirm or update their choices. The applicable version is the one in force at the time the application is used.