Privacy Policy

The Banana Standard LLC builds a small portfolio of products, and some of them now actively collect data to operate. This Privacy Policy explains what we collect, why we collect it, who we share it with, and the rights you have over your information. It covers Color Lock (iOS, Android, web, and Reddit), the thebananastandard.xyz website, and any other products published by The Banana Standard LLC. By using our Services you agree to the practices described here. If you do not agree, please refrain from using our Services.

Trust and Security Practices

We aim for transparency and minimal data handling across every product we build:

  • Privacy by design: We collect only what is needed to deliver each product, and we tell you what that is below.
  • Operational safeguards: Access is limited to required systems, and routine maintenance is performed to reduce avoidable security risk.
  • Disclosure process: Security concerns can be reported directly to our team and are reviewed for triage and remediation.

For vulnerability reporting expectations and contact metadata, see /security.txt.

Information We Collect

What we collect varies by product. Here is the complete list:

Color Lock

Color Lock ships on iOS, Android, the web, and Reddit. The data practices differ by platform, so each surface is described separately below.

Color Lock — iOS & Android

User-provided data (you give it to us when you sign up or play):

  • Email address — used to create your account and recover access.
  • Password — never stored in plaintext; hashed and managed by Firebase Authentication.
  • Display name (optional) — shown on leaderboards if you opt in.
  • Gameplay state — puzzles completed, scores, streaks, and similar progression data needed to keep your game state across devices.

Automatically collected data:

  • Anonymous user ID — the Firebase Authentication UID assigned to your account.
  • App Check tokens — Firebase App Check issues device tokens that verify requests are coming from a legitimate Color Lock client. We use this to block automated abuse.
  • Firebase Analytics events — collected in production builds. Specifically: first_open, app_open, first_puzzle_started, first_puzzle_completed, sign_up, and share. We also record one user property, current_streak. The first_open event is shared with Google Ads for install attribution.

Color Lock — Web

User-provided data:

  • Email address — used to create your account and recover access.
  • Password — never stored in plaintext; hashed and managed by Firebase Authentication.
  • Display name (optional) — shown on leaderboards if you opt in.
  • Gameplay state — puzzles completed, scores, streaks, and similar progression data needed to keep your game state across devices.

Automatically collected data:

  • Anonymous user ID — the Firebase Authentication UID assigned to your account.
  • App Check tokens — Firebase App Check issues device tokens that verify requests are coming from a legitimate Color Lock web client.

The web version of Color Lock does not use Firebase Analytics and does not share any install attribution events with Google Ads.

Color Lock — Reddit (Devvit)

The Reddit version of Color Lock runs as a Devvit app inside Reddit. It is fully self-contained on Reddit-managed infrastructure and does not use Firebase, Google Ads, or any other external service.

Automatically collected data (provided by the Devvit platform context, not entered by you):

  • Reddit user ID — the stable identifier Reddit assigns to your account, used to associate gameplay state with the correct player.
  • Reddit username — used to display who scored what on in-game leaderboards inside the Reddit post.
  • Gameplay state — puzzles completed, scores, and streaks, stored in Devvit Redis on Reddit-managed infrastructure.

The Reddit version explicitly does not collect email addresses or passwords (Reddit handles authentication), does not use Firebase Authentication, Cloud Firestore, Firebase Analytics, Firebase App Check, or Google Ads, does not run any analytics or telemetry, does not perform install or ads attribution, and does not share data with any third-party processor outside of Reddit / Devvit itself.

The Banana Standard website (thebananastandard.xyz)

The website uses Cloudflare Web Analytics for anonymous Real User Monitoring of Core Web Vitals (INP, LCP, CLS). This service does not set cookies and does not collect personally identifiable information. We use it to make sure pages load quickly and respond well.

RetroFantasy

RetroFantasy does not collect any data at this time.

How We Use Your Information

We use the data described above for the following purposes:

  • Operating Color Lock features — authentication, leaderboards, and saving gameplay state across devices.
  • Anti-abuse — Firebase App Check helps us block automated traffic and protect game integrity.
  • Measuring product performance and improving onboarding — Firebase Analytics (Color Lock iOS/Android) and Cloudflare Web Analytics (website) help us see where players get stuck and where pages are slow.
  • Install attribution for paid acquisition — the Color Lock first_open event on iOS and Android is shared with Google Ads so we can measure which campaigns drove installs.
  • Responding to support requests — when you email us, we use your message and email address to reply.
  • Legal compliance and protecting users from abuse.

Sharing and Disclosure

We share data with the following third parties so that our products can run:

  • Google / Firebase — Firebase Authentication, Cloud Firestore, Firebase Analytics, and Firebase App Check provide the backend infrastructure for Color Lock on iOS, Android, and the web. Account credentials, gameplay state, and (for iOS and Android only) analytics events are processed by Firebase. The Reddit version does not use Firebase.
  • Google Ads — receives the first_open install attribution event from Color Lock on iOS and Android only.
  • Reddit / Devvit Platform — for the Reddit version of Color Lock only, your Reddit user ID, Reddit username, and gameplay state are processed by Reddit through the Devvit runtime and stored in Devvit Redis on Reddit-managed infrastructure. No data from the Reddit version flows to Firebase, Google Ads, or any other third party.
  • Cloudflare — provides hosting and Web Analytics for thebananastandard.xyz.

In addition, we may disclose information in these limited cases:

  • With your consent — when you explicitly agree to a specific sharing arrangement.
  • For legal reasons — when required by law, valid legal process, or to protect against fraud, security incidents, or harm.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, your information could be included in the transferred assets, subject to this Policy.

We do not sell personal information.

Third-Party Services

The third-party services we rely on have their own privacy policies, which apply to data they process on our behalf:

Legal Bases for Processing

We rely on the following legal bases for processing personal information today:

  • Consent: when you opt in to analytics, leaderboards, or marketing communications.
  • Legitimate Interest: to operate, secure, and improve our Services, including anti-abuse measures and aggregate performance monitoring.
  • Contractual Necessity: to deliver the Services you requested, such as creating an account and saving your gameplay state.
  • Legal Obligations: to comply with applicable laws and respond to lawful requests from public authorities.

Your Choices and Rights

All users

You can request to access, correct, or delete the personal information we hold about you, and you can withdraw consent at any time. Email anthony@thebananastandard.xyz to make a request and we will respond within a reasonable timeframe.

Color Lock analytics opt-out

Inside Color Lock, open Settings and toggle analytics off. This disables Firebase Analytics events on your device, including the events shared with Google Ads.

California (CCPA) rights

If you are a California resident, you have the right to know what personal information we have collected about you, to request deletion of that information, and to not be discriminated against for exercising these rights. We do not sell personal information.

EEA / UK (GDPR) rights

If you are in the European Economic Area or the United Kingdom, you have the right to access your personal data, request rectification or erasure, restrict or object to processing, request data portability, and lodge a complaint with your local supervisory authority.

Children under 13 (COPPA)

Our Services are not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, please contact anthony@thebananastandard.xyz and we will delete it.

Data Security

We take the protection of your information seriously and rely on a combination of platform-level and operational safeguards:

  • Password hashing: passwords are handled by Firebase Authentication and are never stored in plaintext.
  • Access controls: Cloud Firestore security rules restrict access to game and account data so users can only read and write their own records.
  • Encryption in transit: all traffic to our backends and websites is served over HTTPS.
  • Anti-abuse: Firebase App Check blocks automated requests from non-legitimate clients.

No system is completely secure. We continue to invest in safeguards, and we encourage you to use a strong, unique password on your Color Lock account.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page, and where appropriate, you will be notified. Please review this Policy periodically to stay informed.

Last updated: April 30, 2026

Contact Us

If you have any questions or concerns regarding this Privacy Policy or our data practices, please contact us at:
Email: anthony@thebananastandard.xyz