1. Preamble and data controller
This website (luciole.akateria.fr) and the Luciole Quest mobile application are operated by Tina Semashko, a sole proprietor (entrepreneur individuel) trading under the registered name AKATERIA WEB (SIRET 929 791 820 00012, APE code 62.01Z), under the commercial brand Akateria Studio.
Registered office: 1 rue de Fontenay, 94300 Vincennes, France
This privacy policy explains how we collect, use, and protect your personal data within the Luciole Quest application (hereinafter "the Application").
We comply with the General Data Protection Regulation (GDPR, EU Regulation 2016/679), the French Data Protection Act of 6 January 1978 as amended (Loi Informatique et Libertés), and the recommendations of the French data protection authority (CNIL — Commission Nationale de l'Informatique et des Libertés) regarding applications aimed at children.
The Application is designed in accordance with the best interests of the child, in line with CNIL recommendations and GDPR principles.
Given the nature and scale of our activity, we have not appointed a data protection officer (DPO), as our activity does not fall under any of the cases requiring mandatory designation set out in Article 37 of the GDPR.
For any questions concerning your personal data, you can contact us at: contact@akateria.fr
2. Target audience and how the Application works
Luciole Quest is a family treasure hunt application designed for children aged 5 and over, who play under the supervision of a parent or legal guardian.
- The parent (user aged 18 or over) creates an account, sets up treasure hunts (locations, riddles, photos), launches the game, and receives the child's submissions and hint requests.
- The child joins the game through a code provided by the parent. The child does not create a personal account and provides no identification data (email, password, etc.). The child only chooses a nickname to display during the game.
The Application is intended for family use, on the parent's mobile device. The child does not download or use the Application autonomously.
Account creation is strictly reserved for adults (aged 18 or over). By signing up, the parent confirms that they are of legal age and acting as the legal representative of the child.
Providing your email address is necessary to create your account and to perform the service (authentication, password reset). Without it, use of the Application is not possible.
3. Personal data collected
3.1 Parent data (authenticated user)
| Data | Source | Storage |
|---|---|---|
| Email address | Sign-up form | Supabase (Ireland) |
| Password (bcrypt-hashed) | Sign-up form / password reset | Supabase (Ireland) |
| Authentication metadata (sign-up date, last sign-in, email confirmation) | Automatically by Supabase Auth | Supabase (Ireland) |
| Treasure hunt content (titles, location descriptions, generated riddles, settings) | Manual entry by the parent | Supabase (Ireland) |
| Reference photos of locations | Parent's camera / gallery | Supabase Storage (Ireland, public access — see §10) |
| Pre-recorded hint photos | Parent's camera / gallery | Supabase Storage (Ireland, public access — see §10) |
| Text of hints sent during a game | Manual entry during the game | Supabase (Ireland) |
| Rejection comments on the child's photo submissions | Manual entry during the game | Supabase (Ireland) |
| Team names (race mode) | Manual entry by the parent | Supabase (Ireland) |
| Interface language preference (FR/EN/RU/UK) | In-app selection | Local storage on the device (not synced) |
3.2 Child data (unauthenticated user)
The child provides no identification data (no email, no password, no date of birth).
| Data | Source | Storage |
|---|---|---|
| Nickname (first name or made-up name, free text, max 20 characters) | Entered by the child or the parent when joining a game | Supabase (Ireland) |
| Validation photos for found locations | Camera of the mobile device | Supabase Storage (Ireland, private access — short-lived signed URLs) |
| Hint requests and progress within the game | Child's actions during play | Supabase (Ireland) |
⚠️ Important note for parents: the child's nickname is entered by you or your child. We recommend using a nickname rather than the full first name, in order to limit identifying data.
3.3 Technical data (collected automatically)
| Data | Purpose | Storage |
|---|---|---|
| Crash reports (stack traces, execution thread before the error) | Bug fixing | Sentry (Germany), 30 to 90 days depending on our plan |
| IP address, user identifier, locale | Technical context for crash reports | Sentry (Germany) |
| Structured application logs | Debugging | Sentry (Germany) |
3.4 Data processed by our riddle generation service
When the parent requests automatic generation of a riddle from the description of a location, the description text entered by the parent is transmitted to the Mistral AI API (a French processor based in Paris) in order to produce the riddle.
⚠️ If the parent includes the child's first name or personal details in the location description (e.g., "Under Sasha's bed"), this information will be transmitted to Mistral AI when the riddle is generated. We recommend avoiding the inclusion of identifying personal data in location descriptions.
4. Purposes and legal bases for processing
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Parent's email + password | Authentication, password reset | Performance of contract (Art. 6.1.b) |
| Treasure hunt content (titles, descriptions, riddles, photos) | Operation of the game | Performance of contract (Art. 6.1.b) |
| Child's nickname | Display in the game, progress tracking | Performance of the contract concluded with the parent (Art. 6.1.b) — since the child has no account or direct contractual relationship, processing relies on the contract concluded with the parent and falls within the exercise of parental authority |
| Validation photos sent by the child | Parent's validation of progress | Performance of the contract concluded with the parent (Art. 6.1.b) — same framework as above |
| Location description sent to Mistral AI | Automatic riddle generation | Performance of contract (Art. 6.1.b) |
| Sentry technical data (crashes, logs) | Improving the reliability of the Application | Legitimate interest (Art. 6.1.f) — see details below |
Balancing test — legitimate interest (Sentry). This legitimate interest is balanced against your rights and freedoms: the data collected by Sentry is strictly limited to what is necessary for technical diagnosis (execution traces, technical context, user identifier to link events). No use is made for commercial, marketing, or profiling purposes. You may object to this processing by contacting us (see §11).
5. Children's specifics (GDPR Art. 8 + CNIL recommendations)
In accordance with Article 8 of the GDPR and the CNIL recommendations for applications aimed at children:
- The child does not create a personal account. The child accesses the game only through a code provided by their parent.
- No identification data of the child is collected beyond the nickname they choose for the game (which may be a made-up name).
- The Application does not allow any interaction between the child and third parties. No public messaging, no social network, no advertising, no in-app purchases are accessible from the child's interface.
- The parent is solely responsible for the content and progress of the game. Riddles, photos, and hints are created by the parent.
- No data is used for commercial solicitation, profiling, or transmission to third parties for advertising purposes.
- The parent's account is protected by a password (≥8 characters, complexity required).
- We design the Application taking into account the best interests of the child, by strictly limiting data collection and excluding any interaction of the child with third parties.
Framework for processing the child's data. Since the Application is designed for supervised family use, the processing of the child's data (nickname, validation photos, hint requests) relies on the performance of the contract concluded with the parent (Art. 6.1.b GDPR), in compliance with parental authority and the principle of data minimisation. The parent, as the holder of parental authority, oversees the child's use of the Application and authorises us to carry out the processing strictly necessary for the operation of the game. As a parent or legal guardian, you may at any time exercise the child's rights on their behalf (access, deletion — see §11).
Age verification. The Application does not implement a technical age-verification mechanism. Account creation is reserved for adults by user declaration during sign-up, consistent with our supervised family use model: the child has no personal account and can only access the game with a code generated by the parent.
6. Processors (recipients of the data)
To provide the service, we rely on the following processors:
| Processor | Role | Country / Region | Compliance |
|---|---|---|---|
| Supabase Inc. | Authentication, database, file storage, edge functions, real-time | Ireland 🇮🇪 (aws-1-eu-west-1 region) | DPA signed, EU hosting |
| Sentry GmbH | Crash reports, application logs | Germany 🇩🇪 (de.sentry.io region) | DPA + integrated standard contractual clauses |
| Mistral AI | Automatic riddle generation (LLM) | France 🇫🇷 (Paris) | DPA validated at sign-up. Under the terms of the Mistral platform, data sent through the API is not used to train the models. |
| Mailjet (Sinch) | Sending of transactional emails (password reset, confirmations) | France 🇫🇷 (servers in Paris) | DPA signed, EU hosting |
| OVHcloud | Domain name registration, DNS, MX | France 🇫🇷 | OVH standard DPA |
| GitHub Pages (Microsoft Corporation) | Hosting of the static website luciole.akateria.fr (this policy, web password reset page, files required for Android App Links) | United States 🇺🇸 | DPA + standard contractual clauses (SCCs) — see §7 |
None of these processors is authorised to use your data for their own purposes (advertising, sales, profiling, etc.). They act only on our instructions.
7. Data transfers outside the European Union
The majority of our processors operate within the European Union. Only one transfer to a third country takes place:
- GitHub Pages (Microsoft Corporation, United States): hosts our static website luciole.akateria.fr. No personal data is intentionally transferred to GitHub Pages as part of the operation of the Application. However, when the website is visited (this policy, terms of service, password reset page, technical files such as assetlinks.json for Android App Links), certain technical data such as the visitor's IP address may be processed by the host according to its own terms.
The transfer to GitHub/Microsoft is governed by the standard contractual clauses adopted by the European Commission (Implementing Decision 2021/914 of 4 June 2021), as well as Microsoft Corporation's commitment under the EU-U.S. Data Privacy Framework (DPF).
8. Retention period
| Data | Retention period |
|---|---|
| Parent account (email, password, profile) | Until the parent deletes the account |
| Treasure hunt content (titles, locations, riddles, parent photos) | Until manual deletion or account deletion |
| Children's photos (validation submissions) | Until the game is deleted or the parent's account is deleted |
| Child nickname and progress data | Until the game is deleted or the parent's account is deleted |
| Sentry crash reports | 30 to 90 days depending on our current plan (automatic rotation by Sentry) |
| Mailjet email delivery logs | Approximately 30 days (automatic rotation by Mailjet) |
| Supabase backups | No automated backups under our current plan; in the case of a manual backup, maximum duration of 30 days |
Deletion period upon request. When you request the deletion of your account, all associated data is irreversibly deleted within a maximum of 30 days from the receipt of your request. This period includes deletion from any manual backups.
Exceptional deletion. In accordance with §10.2 of our Terms of Service, the Publisher may delete an Account and its associated data in exceptional circumstances (major security incidents, technical necessity related to maintenance or evolution of the Service). Where possible, you will be notified by email at least 30 days before actual deletion.
9. Data security
We implement the following technical and organisational measures:
- Encryption in transit: all communications with our servers (Supabase, Sentry, Mistral, Mailjet) use HTTPS/TLS.
- Passwords: stored in hashed form (bcrypt) by Supabase. We never have access to passwords in plain text.
- Database access control: Supabase's row-level security (RLS) rules ensure that a parent only accesses their own data.
- Children's photos: stored in a private bucket, accessible only via short-lived signed URLs (1 hour) generated for the parent who owns the hunt.
- Email authentication: emails we send are cryptographically signed (DKIM, DMARC, SPF) to prevent spoofing.
10. Photos uploaded by parents
Important information. The photos that you (the parent) upload as location references or as hints (to be distinguished from the validation photos sent by the child) are stored in a space where read access is not protected by authentication. These photos are not indexed by search engines and are accessible to third parties only through the use of complex unique identifiers (UUIDs) that are non-guessable and not publicly referenced. In practice, accidental discovery is extremely improbable.
Residual risk. If the exact URL of a photo were to be disclosed (e.g., shared screenshot, video capture, link sent through messaging), anyone in possession of that URL could access it. There is therefore a residual risk of uncontrolled dissemination which we wish to bring to your attention.
Recommendation. We recommend that you avoid including in these photos any identifiable children, faces, documents, addresses, or other personal information that you would not want to be potentially disclosed.
Safeguard in the interface. The Application displays a clear warning under each photo upload button used by the parent, recalling this limitation and inviting caution.
Validation photos sent by the child. Photos uploaded by the child during a game (validation of found locations) are not subject to this limitation: they are stored in a private space, accessible only by the parent who owns the hunt, through short-lived signed URLs (1 hour).
Planned improvement. This limitation is due to the technical need to make hint photos visible to the child (who is not authenticated). An improvement to the protection of parent photos is planned in a future version of the Application.
11. Your rights
In accordance with the GDPR and the French Data Protection Act of 6 January 1978 as amended, you have the following rights regarding your personal data and that of your child:
- Right of access (Art. 15 GDPR): obtain a copy of the data we hold about you and your child.
- Right of rectification (Art. 16 GDPR): correct inaccurate data (e.g., your email address).
- Right to erasure / right to be forgotten (Art. 17 GDPR): delete your account and all associated data.
- Right to restriction of processing (Art. 18 GDPR): temporarily suspend the processing of certain data.
- Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format. This right applies only to data that you have actively provided to us and that is processed by automated means.
- Right to object (Art. 21 GDPR): object to certain processing based on legitimate interest (in particular Sentry).
- Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
- Post-mortem directives (article 85 of the French Data Protection Act): you have the right to define directives concerning the fate of your personal data after your death, under the conditions provided by law. For any question concerning the exercise of this right, you may contact us at contact@akateria.fr.
To exercise these rights, contact us at contact@akateria.fr from the email address associated with your account. We will respond within a maximum of one month from the receipt of your request, extendable by two months in the case of complex or numerous requests (with prior notice).
Identity verification. To protect the confidentiality of your account, we may ask you for proof of identity before processing your request, particularly in case of doubt about its origin.
Right to lodge a complaint with the CNIL. If you consider that your rights are not being respected, you can lodge a complaint with the French data protection authority (CNIL): https://www.cnil.fr/fr/plaintes
12. Cookies and local storage
The Application does not use cookies (it is native, not web-based).
On your device, the Application stores locally:
- Your authentication session (encrypted token, managed by Supabase, valid until logout)
- Your interface language preference (FR/EN/RU/UK)
None of this data is shared with third parties. It is erased when you uninstall the Application.
The website luciole.akateria.fr (password reset page) uses only the browser's localStorage to remember the chosen language. No cookies are set.
13. Changes to this policy
This privacy policy may be modified to reflect legal or technical developments.
- Any modification will be published on this page, with an update of the date at the top of the document.
- Substantial modifications (new type of data collected, new processor, change of purpose) will require your acceptance within the application at the next launch.
The current version is dated April 27, 2026.
14. Contact
For any question, to exercise your rights, or to lodge a complaint:
- Email: contact@akateria.fr
- Data controller: Tina Semashko, sole proprietor (entrepreneur individuel)
- Trading name: AKATERIA WEB
- SIRET: 929 791 820 00012
- APE code: 62.01Z (Computer programming)
- Registered office: 1 rue de Fontenay, 94300 Vincennes, France
- DPO: not appointed (see §1)
You may also lodge a complaint with the CNIL: https://www.cnil.fr/fr/plaintes