Who We Are
HiddenFlame ("we", "us", or "our") is the company that operates the Numisma mobile application, available on iOS and Android. Numisma is a coin collector's companion app that enables users to scan and identify coins using AI, browse an extensive coin catalogue, manage personal collections, track coin valuations, and explore an interactive world map of coin origins.
For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), HiddenFlame acts as the Data Controller for personal data collected through the Numisma application.
Contact: contact@intripp.com
Data We Collect
Account Information
When you register for a Numisma account, we collect:
- Full name or display name
- Email address
- Password (stored in hashed, non-recoverable form)
Photos & Media
To use the coin scanning and identification feature, you may grant the app access to your device's camera or photo library. Images you submit for AI identification are processed to detect and classify the coin. Coin photos are stored in two places:
- Locally on your device — as part of your personal collection record
- On our servers (Supabase) — to synchronise your collection across devices and back up your data
Photos are associated with your account and retained for as long as your account is active or until you delete the individual coin record.
User-Generated Content
Information you enter manually, including collection names, coin details, personal notes, and valuations you associate with coins in your collection.
Usage & Analytics Data
We collect anonymised and pseudonymised usage data via PostHog (self-hosted within the EU) to understand how users interact with the app. This may include:
- Features accessed and frequency of use
- Device type, operating system, and app version
- Session duration and navigation patterns
- Crash reports and performance metrics
PostHog analytics data does not include coin images or personal collection details.
Data You Do Not Have to Provide
Coin details can always be entered manually — use of the AI scanning feature and camera access is entirely optional.
How We Use Your Data
| Purpose | Data Used |
|---|---|
| Provide and operate the Numisma service | Account info, collection data |
| AI-powered coin identification | Photos submitted for scanning |
| Synchronise your collection across devices | Account info, collection data |
| Send account-related notifications (password reset, etc.) | Email address |
| Improve app performance and features | Anonymised analytics data |
| Detect and prevent fraud or abuse | Account info, usage patterns |
| Comply with legal obligations | As required by applicable law |
We do not sell your personal data. We do not use your data for targeted advertising.
Legal Bases for Processing (GDPR)
Under the GDPR, we rely on the following legal bases:
- Contract (Art. 6(1)(b)): Processing your account information and collection data is necessary to provide the Numisma service you have signed up for.
- Legitimate Interests (Art. 6(1)(f)): Anonymised analytics help us improve the app. We have balanced our interests against your rights and concluded this processing is proportionate.
- Legal Obligation (Art. 6(1)(c)): We may retain certain data to comply with Polish and EU legal requirements.
- Consent (Art. 6(1)(a)): Where we ask for your explicit consent (e.g., camera access for coin scanning), you may withdraw it at any time via your device settings without affecting prior processing.
Age Restriction
Numisma is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If you are under 18, please do not use the app or provide any personal information.
If we become aware that we have inadvertently collected data from a person under 18, we will delete that data promptly. If you believe this has occurred, please contact us at contact@intripp.com.
Third-Party Services
We use a limited set of third-party services to operate Numisma:
PostHog (Analytics)
We use PostHog Cloud for product analytics. PostHog is a third-party service operated by PostHog, Inc. Anonymised usage data (events, device info, session data) may be processed on PostHog's infrastructure under Standard Contractual Clauses ensuring GDPR-compliant transfers. PostHog does not receive your name, email address, coin photos, or collection contents. For more information, see posthog.com/privacy.
Supabase (Database & Storage)
We use Supabase as our backend database and file storage provider. Your account data, collection records, and coin photos are stored on Supabase infrastructure configured within the European Union. Supabase acts as a Data Processor under a Data Processing Agreement with us. For more information, see supabase.com/privacy.
Apple App Store & Google Play Store
Downloading the app through Apple's App Store or Google Play is subject to their respective privacy policies. We do not receive your payment information from either platform.
We do not use Facebook/Meta, Google Ads, AppsFlyer, or any other advertising or tracking SDK. No data is shared with advertisers.
Data Storage & International Transfers
All personal data collected by Numisma is stored on servers located within the European Economic Area (EEA) — via Supabase (EU region). Analytics data processed by PostHog Cloud may be transferred outside the EEA under Standard Contractual Clauses as required by GDPR Art. 46.
Data at rest is encrypted. Data in transit is protected using TLS 1.2 or higher.
Data Retention
- Account data — retained for as long as your account is active. Upon deletion, personal data is erased within 30 days.
- Coin photos — stored locally on your device and in Supabase for as long as your account is active, or until you delete the individual coin record.
- Collection data — deleted within 30 days of account deletion.
- Analytics data — anonymised events retained for up to 24 months for product improvement.
- Legal compliance data — retained as required by applicable Polish and EU law (typically up to 5 years).
Your Rights Under the GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data.
- Right to Restriction of Processing (Art. 18): Request that we limit how we use your data.
- Right to Data Portability (Art. 20): Receive your data in a machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time via app settings or by contacting us.
To exercise any of these rights, contact us at contact@intripp.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority. In Poland, this is the Urząd Ochrony Danych Osobowych (UODO) at uodo.gov.pl.
Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encrypted data storage and transport (TLS 1.2+)
- Hashed and salted password storage
- Access controls limiting employee access to personal data
- Regular security reviews
No method of transmission over the internet is 100% secure. If you believe your account has been compromised, please contact us immediately at contact@intripp.com.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you via the app or by email at least 14 days before the change takes effect. The "Effective Date" at the top of this page will always reflect the current version.
Continued use of Numisma after the effective date constitutes your acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:
- Email: contact@intripp.com
- Company: HiddenFlame, registered in Poland
We aim to respond to all privacy-related enquiries within 30 days. For urgent matters concerning potential data breaches or misuse, please mark your message as urgent.
If you are not satisfied with our response, you have the right to lodge a complaint with the Polish data protection authority: