Ranger Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

Account Information

When you create an account, we collect:

• Email address (required, used for authentication)
• Password (required, stored as a cryptographic hash — we never store or have access to your plaintext password)
• Display name (optional)
• Profile photo (optional)

Obligation to provide data. Your email address and password are contractual requirements necessary to create an account and use the App. If you do not provide this information, you will not be able to create an account or access the App's features. All other data (display name, firearm information, training data, photos, calendar events) is provided voluntarily. You may use the App without providing this optional data, although certain features may have limited functionality.

Firearm Data

If you use the armory features, you may choose to provide:

• Firearm name, make, model, and caliber
• Serial number (optional — see Section 5.5 for our sensitive data advisory)
• Round count and maintenance records (round count since cleaning, spring change intervals and dates)
• Purchase date
• Notes
• Photos of your firearms

Ammunition Data

If you use ammunition inventory features, you may choose to provide:

• Ammunition name, brand, caliber, and grain weight
• Quantity and price per round
• Notes
• Photos

Training and Performance Data

If you use the training features, you may choose to provide:

• Training session details (titles, dates, styles, duration, locations as free-text, round counts)
• Exercise performance metrics (par times, hit factors, points, sets, repetitions)
• Skill progress entries (metric type, value, unit, direction of improvement)
• Personal records for exercises
• VR (virtual reality) dry-fire training series names, scored run points, and timestamps
• Training plan titles, goals, notes, and comments

Calendar and Event Data

If you use the calendar features, you may choose to provide:

• Match and event titles, types, dates, and times
• Locations and addresses (entered as free-text, not derived from GPS)
• Match level and status
• Registration deadlines and entry fees
• Event URLs
• Match director names and contact information
• Planned and actual round counts

Preferences

• Notification settings (session reminders, match reminders, weekly digest toggles), stored locally on your device

1.2 Information Collected Automatically

Crash and Error Reports

We use Sentry for crash reporting. When the App encounters an error, the following is sent automatically:

• Error messages and stack traces
• Device type and operating system version
• App environment identifier (e.g., production or development)
• Custom diagnostic tags (e.g., which feature area encountered the error)

We have explicitly disabled personally identifiable information in crash reports (sendDefaultPii is set to false). Your email, name, user ID, and app content are not included in crash reports.

Subscription Data

When you subscribe to Ranger Pro, the following is processed through our subscription management provider (RevenueCat):

• A pseudonymous customer identifier (derived from your account ID)
• Purchase receipts (processed by Apple App Store or Google Play Store)
• Subscription status and entitlement records

AI Feature Usage Metrics

When you use AI-powered training plan generation, we record:

• The number of AI generations you have used per day and per month
• The type of generation requested

These metrics are used solely for rate limiting and fair-use enforcement and do not include the content of your requests or generated plans.

1.3 Photos and Camera Access

We request access to your device's camera and photo library solely to allow you to:

• Photograph your firearms for your armory
• Select existing photos of firearms, ammunition, or training exercise diagrams
• Set a profile picture

Photos you upload are stored in our cloud infrastructure (see Section 5). Photos are never used for facial recognition, machine learning training, advertising, or shared with third parties for their own purposes.

1.4 Information We Do NOT Collect

We want to be clear about what we do not collect:

• Precise geolocation or GPS data (the App does not request location permissions)
• Device advertising identifiers (IDFA, GAID, or equivalent)
• Contacts, device calendar, or health data from your device
• Browsing history or data from other apps
• Biometric data (fingerprint, face scan, voice)
• Microphone audio
• Data from Bluetooth or nearby devices

2. How We Use Your Information

We use the information we collect for the following purposes:

1. To provide and maintain the App — Creating and authenticating your account, storing your armory, training, and calendar data, and syncing data across your devices.
2. To generate AI-powered training plans — When you request an AI training plan, we send relevant training data to our AI service to generate personalized plans (see Section 13 for full details).
3. To process subscriptions — Managing your Ranger Pro subscription through Apple App Store or Google Play Store via our payment processor.
4. To improve app stability — Analyzing anonymized crash reports to identify and fix bugs.
5. To communicate with you — Sending password reset emails when you request them.
6. To enforce fair-use limits — Tracking AI generation counts to enforce rate limits on AI-powered features.
7. To comply with legal obligations — Responding to valid legal process and retaining subscription financial records as required by applicable tax and commercial law.

We do NOT use your information to:

• Display advertisements of any kind
• Build advertising or marketing profiles
• Sell, rent, or license your data to any third party
• Make automated decisions that produce legal or similarly significant effects concerning you
• Train artificial intelligence or machine learning models on your personal data
• Track you across other apps or websites

Data accuracy. We take reasonable steps to ensure your personal data is accurate and up to date. You can review and correct your data at any time through the App. If you believe any data we hold about you is inaccurate, please contact us at support@rangerapp.com.

3. Legal Basis for Processing (EEA/UK/Switzerland)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases as required by the General Data Protection Regulation (GDPR):

We record consent through your device's operating system permission prompts (for camera and photo library access) and through in-app preference toggles (for notifications). These mechanisms allow us to demonstrate that valid consent was obtained.

You may withdraw your consent at any time by revoking camera or photo library permissions in your device settings, deleting uploaded photos through the App, or adjusting your notification preferences. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

We do not process any “special categories” of personal data as defined in Article 9 of the GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning sex life or sexual orientation).

4. Data Sharing and Third-Party Services

We share your data only with the following service providers who process data on our behalf under data processing agreements. We do not sell or share your data with any other third parties.

4.1 Supabase (Backend Infrastructure)

• Data processed: All synced user data (armory, training, calendar, plans, exercises, VR data), authentication credentials, uploaded photos, AI training plan generation requests and usage records
• Purpose: Cloud database hosting, user authentication, file storage, serverless functions for AI features
• Data location: European Union (EU West)
• Legal mechanism: Data Processing Agreement; data remains within the EU
• Privacy policy: https://supabase.com/privacy

4.2 Sentry (Crash Reporting)

• Data processed: Error reports, stack traces, device type, operating system version, app environment tags
• Data NOT processed: Your email, name, user ID, or any app content data (personally identifiable information is disabled)
• Purpose: Crash monitoring, error tracking, and bug fixing
• Data location: United States
• Legal mechanism: Data Processing Agreement with Standard Contractual Clauses (SCCs)
• Privacy policy: https://sentry.io/privacy/

4.3 RevenueCat (Subscription Management)

• Data processed: A pseudonymous customer identifier (derived from your account ID), purchase receipts, subscription status, and entitlement records
• Data NOT processed: Your email, name, or any app content data
• Purpose: Processing, validating, and managing in-app subscriptions for Ranger Pro
• Data location: United States
• Legal mechanism: Data Processing Agreement with Standard Contractual Clauses (SCCs)
• Privacy policy: https://www.revenuecat.com/privacy

4.4 Apple App Store and Google Play Store

• Data processed: Payment and transaction information for Ranger Pro subscriptions
• Purpose: Payment processing, subscription billing, and receipt validation
• Note: Apple and Google process this data as independent controllers under their own privacy policies. We do not receive or store your payment card details.

4.5 Disclosures We Do Not Make

We do not disclose your personal information to:

• Advertisers or advertising networks
• Data brokers or data aggregators
• Social media platforms
• Government or law enforcement agencies, except when required by valid legal process (such as a court order, subpoena, or warrant issued by a court of competent jurisdiction)

5. Data Storage and Security

5.1 Local Storage

Your data is stored locally on your device in a SQLite database within the App's sandboxed storage directory. This data is protected by your device's built-in security features (device passcode, biometric authentication, file-level encryption on iOS and Android). Local data remains available when you are offline.

5.2 Cloud Storage

When you use the App with an account, your data is synced to a PostgreSQL database hosted by Supabase in the European Union. Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted by Supabase's infrastructure using AES-256 encryption.

5.3 Photo Storage

Photos you upload (firearm photos, ammunition photos, exercise diagrams, and profile pictures) are stored in Supabase Storage in the European Union.

5.4 Security Measures

We implement the following security measures to protect your data:

• Encryption in transit: All communications between the App and our servers use HTTPS with TLS 1.2+ encryption
• Encryption at rest: Cloud-stored data is encrypted using AES-256
• Password security: Passwords are hashed using bcrypt via Supabase Auth and are never stored in plaintext
• Access control: Row-Level Security (RLS) policies on Supabase ensure each user can only access their own data
• Anonymized diagnostics: Crash reports are sent without personally identifiable information
• Production logging controls: The App does not log sensitive data (such as serial numbers or passwords) to debug consoles in production builds
• Offline-first architecture: Data is available locally even without an internet connection, reducing exposure to network-based threats
• Data protection by design and by default: We implement data protection principles in the design of the App. By default, we collect only the minimum data necessary to provide the service (email and password for authentication). Additional data categories are collected only when you actively choose to use specific features. Crash reporting is configured to exclude personally identifiable information by default. Third-party integrations use pseudonymous identifiers where possible.

5.5 Sensitive Data Advisory — Firearm Serial Numbers

Firearm serial numbers are particularly sensitive information. While we protect serial number data with the same technical and organizational security measures applied to all user data, we advise you to carefully consider whether storing serial numbers digitally aligns with your personal security preferences. The serial number field is entirely optional — you may leave it blank and still use all armory features.

No security system is impenetrable. While we strive to protect your data, we cannot guarantee absolute security. You use the App and provide your data at your own risk.

6. Data Retention

We retain your data for the following periods:

When you delete your account, we will delete all personal data associated with your account from our active systems within 30 days. Residual copies in encrypted backups will be overwritten in accordance with our backup rotation schedule (typically within 90 days).

7. Your Privacy Rights

7.1 Rights for All Users

Regardless of your location, you have the right to:

• Access your personal data by viewing it within the App
• Correct inaccurate data by editing it within the App
• Delete individual records using the App's deletion functionality
• Delete your account through the App's settings screen or by contacting us at support@rangerapp.com

7.2 European Economic Area, United Kingdom, and Swiss Residents

Under the General Data Protection Regulation (GDPR) and the UK GDPR, you have the following additional rights:

• Right of access (Art. 15) — Request a complete copy of all personal data we hold about you, in a structured format
• Right to rectification (Art. 16) — Request correction of inaccurate or incomplete personal data
• Right to erasure (Art. 17) — Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations
• Right to restriction of processing (Art. 18) — Request that we limit the processing of your personal data under certain circumstances
• Notification to recipients (Art. 19) — When we rectify, erase, or restrict the processing of your personal data, we will notify each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request it.
• Right to data portability (Art. 20) — Receive your personal data in a structured, commonly used, and machine-readable format (JSON), and transmit it to another controller
• Right to object (Art. 21) — Object to processing based on legitimate interests; we will cease processing unless we demonstrate compelling legitimate grounds
• Right to withdraw consent — Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
• Right to lodge a complaint — File a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business purposes for collecting it, and the categories of third parties with whom we shared it.

Right to delete. You have the right to request deletion of your personal information, subject to certain exceptions.

Right to correct. You have the right to request correction of inaccurate personal information.

Right to opt-out of sale or sharing. You have the right to opt out of the “sale” or “sharing” of personal information. We do not sell or share your personal information as those terms are defined by the CCPA/CPRA.

Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge you different prices, provide you with a different quality of service, or suggest that you will receive a different level of service for exercising your rights.

Right to limit use of sensitive personal information. We use sensitive personal information (if applicable) only for purposes authorized by the CCPA/CPRA and do not use or disclose it for purposes beyond what is necessary to provide the services you request.

Categories of personal information we collect (per CCPA Section 1798.140):

Categories we do NOT collect: C (protected characteristics), E (biometric information), G (geolocation data), I (professional or employment information), J (education information).

Categories of sources from which we collect personal information:

• Directly from you: Account creation, in-app data entry (armory, training, calendar, plans), photo uploads
• Automatically from your device: Crash reports and device metadata (via Sentry, with PII disabled)
• From third-party service providers: Subscription status and purchase receipts (via RevenueCat and Apple/Google app stores)

Sensitive personal information disclosure: Firearm data, including optional serial numbers, may be considered sensitive in nature. We process this data solely to provide the armory management features you have explicitly chosen to use. This data is not used for profiling, advertising, or any purpose beyond service delivery. By entering firearm data into the App's optional features, you are expressly requesting that we process this information to provide you with armory management functionality.

Financial incentives: Ranger Pro subscription ($12.99/month or $129.99/year, each with a 1-week free trial) provides enhanced features including expanded armory capacity and increased AI generation limits. Subscription pricing is fixed and is not determined by, or adjusted based on, your personal data.

7.4 Virginia, Colorado, Connecticut, and Other US State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Oregon, Texas, Montana, and other states with comprehensive privacy laws have the following rights:

• Right to access your personal data we have collected
• Right to correct inaccurate personal data
• Right to delete your personal data
• Right to data portability — obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format (JSON)
• Right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects — we do not engage in any of these activities

Universal opt-out preference signals. We honor universal opt-out preference signals (such as the Global Privacy Control) as required by Colorado, Connecticut, Oregon, and other applicable state laws. Because we do not engage in targeted advertising or the sale of personal data, these signals do not change our processing of your data, but we recognize and acknowledge them.

Sensitive data. Under state privacy laws that require opt-in consent before processing sensitive data, we obtain your consent through your explicit and voluntary action of entering data into optional App features. You are never required to provide firearm data, training performance data, or any other potentially sensitive information to use the App's core features.

Appeal process. If we deny your privacy rights request, you may appeal by contacting us at support@rangerapp.com with the subject line “Privacy Rights Appeal.” We will respond to your appeal within 60 days. If your appeal is denied, we will provide you with instructions on how to contact your state attorney general to submit a complaint.

7.5 Exercising Your Rights

To exercise any of the rights described above, please contact us at:

Email: support@rangerapp.com

We will verify your identity before processing your request. For access and portability requests, we will ask you to confirm information associated with your account, such as your email address and account creation date. For requests to access specific pieces of personal information or to delete your account, we will apply a heightened level of verification.

Authorized agents. You may designate an authorized agent to submit a privacy rights request on your behalf. To do so, you must provide the authorized agent with written permission signed by you, and we may require you to verify your own identity directly with us and confirm that you have authorized the agent. Alternatively, your authorized agent may submit proof of a valid power of attorney under applicable law.

Response timeframes:

• GDPR requests: Within 30 days (extendable by an additional 60 days for complex requests, with notice)
• CCPA/CPRA requests: Within 45 days (extendable by an additional 45 days, with notice)
• Other US state law requests: Within the timeframes required by applicable law (typically 45 days)

You will not be charged a fee for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, as permitted by applicable law.

8. International Data Transfers

Our primary data infrastructure (Supabase) is located in the European Union (EU West). Your core app data — including account information, armory data, training records, calendar events, uploaded photos, and training plans — is stored and processed within the EU.

Certain service providers process limited data in the United States:

For transfers of personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented by additional technical and organizational safeguards where appropriate.

We maintain Data Processing Agreements (DPAs) with each of our sub-processors that include appropriate data protection obligations.

9. Children's Privacy

The App is restricted to users aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18. Given the nature of the App and its association with competitive shooting sports, all users must be of legal adult age in their jurisdiction.

We enforce age restrictions through App Store age ratings (17+ on the Apple App Store) and require users to confirm they are 18 or older during account creation.

If you are a parent or guardian and believe that a person under 18 has provided personal data to us through the App, please contact us immediately at support@rangerapp.com. We will take prompt steps to delete such information and terminate the associated account.

10. Cookies, Tracking, and Local Storage

Cookies: The App does not use cookies.

Tracking: The App does not use any tracking technologies, advertising identifiers (IDFA, GAID), or analytics software development kits (SDKs). We do not participate in cross-app tracking. We have not implemented Apple's App Tracking Transparency framework because we do not engage in any tracking activities that would require it.

Local storage: The App stores the following data locally on your device:

• SQLite database — Your app data (armory, training, calendar, plans) for offline access and performance
• Shared Preferences — Notification preference settings and data sync timestamps
• Image cache — Temporarily cached photos for display performance

This locally stored data is protected by your device's operating system security and is not accessible to other apps. It is deleted when you uninstall the App.

11. Do Not Sell or Share My Personal Information

We do not sell your personal information. We have never sold personal information and have no plans to do so.

We do not share your personal information for cross-context behavioral advertising or any other form of targeted advertising.

As defined by the California Consumer Privacy Act (CCPA/CPRA), “sell” means disclosing personal information to a third party for monetary or other valuable consideration, and “share” means disclosing personal information for cross-context behavioral advertising purposes. We do not engage in either practice.

This notice is accessible within the App through the Settings screen under “Privacy Policy.” If you wish to submit a formal “Do Not Sell or Share” request, you may contact us at support@rangerapp.com, and we will confirm that no such activity occurs with respect to your data.

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
• Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
• Comply with all applicable US state breach notification laws, including those of California (Cal. Civ. Code 1798.82), Virginia, Colorado, Connecticut, and all other states with breach notification requirements

Given the sensitive nature of firearm-related data, we treat any unauthorized access to firearm records — including serial numbers, ownership information, and photos — as a high-risk breach warranting direct individual notification regardless of the assessed risk level.

We maintain an internal data breach response plan that includes containment, investigation, notification, and remediation procedures.

13. AI-Powered Features

Ranger includes an AI-powered training plan generation feature. We believe in transparency about how AI processes your data.

What data is sent to the AI service when you request a training plan:

• Your user ID (a pseudonymous UUID, not your email or name)
• Your recent training session summaries (titles, dates, styles, round counts)
• Your skill progress summaries and personal records
• Upcoming match information (titles, dates, levels)
• Exercise library details (names, descriptions, related skills)
• Your text prompts and comments describing your training goals

What data is NOT sent to the AI service:

• Firearm serial numbers
• Photos of any kind
• Ammunition pricing information
• Calendar event addresses or specific locations
• Match director names or contact information
• Your email address or password
• Your display name or profile photo

How AI processing works:

• AI requests are processed by a serverless function hosted on our Supabase infrastructure in the EU
• The function calls an AI language model to generate your personalized plan
• Generated plans are saved to your account only if you choose to save them

AI training policy:

• Your personal data is not used to train, fine-tune, or improve any AI or machine learning models
• Your prompts and generated outputs are not used as training data

14. Contact Information

For any privacy-related questions, concerns, requests, or complaints, please contact us:

Email: support@rangerapp.com

Mailing Address:

Technology Efficiency Consulting Paweł Zalewski

Sołtyka 5/19, 31-529 Kraków, Poland

Data Protection Officer: We are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37, as our core activities do not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, nor do they involve large-scale processing of special categories of data. However, our privacy lead is reachable at the email address above and is responsible for overseeing data protection matters.

EU Representative: If we are required to appoint a representative in the EU under GDPR Article 27, details will be published here and in the App. For inquiries, please contact support@rangerapp.com.

Supervisory Authorities: If you are an EEA resident and believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority. A directory is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the “Last Updated” date at the top of this policy
• For material changes (changes to data collection practices, new third-party services, changes to your rights), we will provide prominent notice within the App, such as a notification on the settings screen
• For changes that require your consent under applicable law, we will obtain your affirmative consent before the changes take effect
• Previous versions of this policy are available upon request by contacting support@rangerapp.com

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

16. Jurisdiction-Specific Disclosures

16.1 California “Shine the Light” (Cal. Civ. Code 1798.83)

California residents may request information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

16.2 Nevada Residents (SB 220)

Nevada residents may opt out of the “sale” of certain “covered information” as defined by Nevada law. We do not sell covered information as defined under Nevada law. If you wish to submit such a request, please contact support@rangerapp.com.

16.3 European Union — Data Processing Records and Assessments

Under GDPR Article 30, we maintain records of our processing activities. A summary is available upon request by contacting support@rangerapp.com.

We conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to data subjects' rights and freedoms, as required by GDPR Article 35 and applicable US state privacy laws requiring data protection assessments.

Apple App Store Privacy Nutrition Label Declarations

The following summarizes data collection for Apple's App Privacy disclosures:

Data Used to Track You: None. We do not track users across other companies' apps or websites.

Data Linked to You:

Data Not Linked to You:

Data Not Collected: Location, Health & Fitness, Financial Info, Sensitive Info, Contacts, Browsing History, Search History, Device ID, Advertising Identifier.