MISSION MORSE
Start
// PERSONAL DATA

Privacy Policy

Last updated: May 9, 2026

Mission Morse is built to collect the strict minimum. No ads, no ad tracking, no data resale. This page explains exactly what data we process, why, and how you can control it.

1. Data controller

The data controller is SASU MILOU, publisher of Mission Morse. For any question about your personal data, contact mail@missionmorse.com.

2. Data we collect

Mission Morse collects only the data needed to operate the Service:

  • Account identity: email (only if you create an authenticated account), codename, auto-detected country, chosen avatar, equipped badge.
  • Learning progress: XP, level, streak, lives, learned letters, quiz sessions, unlocked badges, leaderboard rank.
  • Premium status: access type (free / lifetime / subscription), Stripe identifiers (customerId, subscriptionId, paymentIntentId).
  • Referrals: referral code, optional referrer, reward-already-granted flag.
  • Technical data: Supabase session cookies to maintain login, referral cookie, server logs (IP, user-agent) limited to security and debugging.
  • Guest mode: no email, no identity — an anonymous identifier managed by Supabase ties progress to the device.

3. Purposes and legal bases

Every processing has a clear legal basis (GDPR art. 6):

  • Service delivery (authentication, progress saving, leaderboard, gamification) — performance of the contract.
  • Premium payments and billing — performance of the contract / accounting legal obligation.
  • Referral system and rewards — performance of the contract when you use an invite link.
  • Security (anti-abuse, anti-bot, error logs) — legitimate interest.
  • Transactional communications (magic link, purchase confirmation, end-of-subscription notice) — performance of the contract.

4. No ad tracking

Mission Morse uses no advertising cookies, displays no ads, sets no Meta / Google Ads / TikTok pixels. No data is ever sold to third parties.

No consent banner is displayed because no non-exempt analytics cookie is set. If analytics is added in the future, it will be anonymized and compliant with CNIL recommendations (no consent required).

5. Sub-processors

Mission Morse relies on a limited number of sub-processors covered by Data Processing Agreements (DPAs):

  • Vercel Inc. (USA) — application hosting, access logs. Standard EU contractual clauses.
  • Supabase (European Union) — database, authentication, progress storage. Data hosted in the EU.
  • Stripe Inc. (USA) — Premium payments processing. Stripe acts as joint controller for the strictly necessary payment data.
  • Resend / transactional email provider — sending magic links and purchase confirmations.

6. Retention

Account data (including progress): kept while the account is active. After prolonged inactivity (24 months without sign-in), the account may be anonymized after email notice.

Payment data: kept 10 years to meet accounting and tax obligations (billing data only — never card numbers, which are stored exclusively by Stripe).

Server logs: kept at most 12 months.

Referral cookie: 30 days.

7. Your rights

Under GDPR, you have the following rights over your data:

  • Right of access: obtain a copy of your data.
  • Right to rectification: correct inaccurate data (codename, country, email).
  • Right to erasure: delete your account and all associated data.
  • Right to portability: receive your data in a structured format.
  • Right to object and restrict processing.
  • Right to lodge a complaint with the CNIL (cnil.fr) or your local DPA.

8. How to exercise your rights

To delete your account, request erasure by email at mail@missionmorse.com from the address linked to the account. Deletion is effective within 30 days, except for billing data retained under legal obligations.

For other requests (access, rectification, portability), write to the same address with your codename and account email. A reply is provided within 30 days.

9. Security

All Service traffic is encrypted via HTTPS. Authentication is passwordless (magic link) to reduce leak risk. Databases are protected by Supabase Row Level Security, ensuring a user can only access their own data. Payments transit via Stripe, PCI-DSS Level 1 certified.

10. Minors

Mission Morse is suitable from age 8, but registration of a minor under 15 must be authorized by a parent or guardian (GDPR art. 8). In guest mode, no email is required, allowing immediate use without identifier collection for kids.

11. Transfers outside the EU

Some sub-processors (Vercel, Stripe) are based in the United States. These transfers are framed by the EU-US Data Privacy Framework or by Standard Contractual Clauses approved by the European Commission.

12. Changes

This policy may change. Any substantial change (e.g. a new sub-processor handling identifying data) is notified by email and inside the app.

Contact / DPO

To exercise your rights or ask a question about how we process your data:

See also: Terms of Service · Refund Policy