Privacy Policy

Last updated: June 2026

1. Controller

The controller responsible for processing personal data in connection with the “Lookas” app and this website is:

MRIT – Michael Röther IT Services, Michael Röther, Alexanderstraße 86, 70182 Stuttgart, Germany.

2. Overview

This privacy policy explains which personal data we process when you use the Lookas app or visit this website, for which purposes and on which legal basis this happens, and which rights you have under the General Data Protection Regulation (GDPR).

Lookas is a game in which you guess other people's ages from photos. We deliberately process as little data as possible.

3. What data we process

Depending on how you use Lookas, we process the following categories of personal data:

Account data: display name, email address and the password you choose when signing up. If you use “Sign in with Google”, additionally the basic profile data provided by Google (e.g. name and email address).
Profile data: profile picture (optional), friend code and an optional date of birth.
Content: photos you upload (e.g. for age guessing or your own challenges), including the actual age of the depicted person that you provide.
Game and usage data: your guesses, XP, levels, Drops (Spots), streaks, combos, challenges you create, friendships, your leaderboard position and timestamps of your activity.
Notification data: a push token (via Firebase Cloud Messaging) and your notification preferences, if you allow push notifications.
Technical data: device type and operating system, app version, an approximate region derived from your IP address, unique device or installation identifiers, as well as log and diagnostic data required to provide and secure the service.
Advertising data: the data described in section “6. Advertising (Google AdMob)”.

Important: if you upload photos of other people, you must be entitled to do so and, where required, have obtained their consent. Do not upload photos of people who have not agreed to it, and no content that infringes the rights of third parties.

4. Purposes and legal bases

We process your data for the following purposes on the following legal bases:

Providing the game and your account, saving your progress, calculating leaderboards and rewards, and the friend features – legal basis: performance of the user contract (Art. 6(1)(b) GDPR).
Secure and stable operation, abuse and fraud prevention, and error diagnosis – legal basis: legitimate interest in a functioning, secure service (Art. 6(1)(f) GDPR).
Displaying non-personalised advertising to finance the free app – legal basis: legitimate interest (Art. 6(1)(f) GDPR). Where consent is required for storing or accessing information on your device, we obtain it within the European Economic Area and the United Kingdom via a consent banner (Art. 6(1)(a) GDPR).
Sending push notifications – legal basis: your consent via the device permission (Art. 6(1)(a) GDPR), which you can withdraw at any time.
Compliance with legal obligations – legal basis: Art. 6(1)(c) GDPR.

5. Hosting and backend (Firebase / Google)

For hosting, data storage and backend functions, Lookas uses Google's “Firebase” services (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Specifically, we use:

Firebase Authentication – sign-up and account management (email/password and sign-in with Google).
Cloud Firestore – storage of your profile, game and challenge data.
Firebase Storage – storage of the photos you upload.
Cloud Functions – server-side game logic (e.g. evaluating guesses, rewards, leaderboards).
Firebase Cloud Messaging – sending push notifications.
Firebase App Check – protecting the backend against abusive access.
Firebase Hosting – delivery of this website.

In doing so, data may be processed on Google's servers and transferred to countries outside the EU (in particular the USA). Appropriate safeguards are in place for this (see section “10. International data transfers”). A data processing agreement pursuant to Art. 28 GDPR is in place with Google.

Further information is available at https://firebase.google.com/support/privacy and https://policies.google.com/privacy.

6. Advertising (Google AdMob)

The Lookas app is financed through advertising. For this we show ads via “Google AdMob” (Google Ireland Limited). We display occasional full-screen ads (interstitials) between game rounds and – only voluntarily and at your request – rewarded ads, which credit you Spots when you watch them in full.

We expressly request only non-personalised advertising from AdMob. This means no advertising profiles are built based on your behaviour and no cross-app advertising tracking takes place. Because we request only non-personalised advertising, no App Tracking Transparency (ATT) dialog is required on iOS; the advertising identifier (IDFA) is currently not used for cross-app tracking purposes.

Even non-personalised advertising technically requires limited data processing by Google – in particular the IP address (for coarse location and ad delivery), device and diagnostic information, and ad-delivery details. Google uses this data, among other things, to deliver contextual ads, to cap how often you see the same ad (frequency capping), to combat fraud and abuse, and to measure ad performance in aggregate. On iOS, Apple's “SKAdNetwork” is used for privacy-friendly, aggregated measurement.

Consent in the EEA/UK: within the European Economic Area and the United Kingdom we show you – where required – a consent banner provided by Google (Google User Messaging Platform) before serving ads. You can change or withdraw your choice at any time in the app under Settings → “Datenschutz für Werbung” (Ad privacy).

Ad-free: in the app you can unlock an ad-free period using your in-game balance (Spots). While it is active, we do not show any interstitial ads.

Google is independently responsible for the advertising-related data processing. Further information: Google Privacy Policy (https://policies.google.com/privacy), information on how Google uses data from partner apps (https://policies.google.com/technologies/partner-sites), and AdMob information (https://support.google.com/admob/answer/6128543).

7. Push notifications

If you allow push notifications, we store a device token via Firebase Cloud Messaging so we can send you messages (e.g. when your challenge reaches a milestone or someone adds you as a friend). You can disable notifications at any time individually in the app settings or entirely in your device settings; if you disable them entirely, the token is removed.

8. Visibility to other users and recipients

Certain content is visible to other users within the app: your display name, your profile picture, your leaderboard values (XP, Drops/Spots, level, streak), and the photos and challenges you publish. Therefore, do not disclose any sensitive information in your display name or in images.

Beyond this, we only share data with the processors named here (Google/Firebase, Google AdMob) or where we are legally required to do so.

9. Retention period

We store your data for as long as your account exists. If you delete your account, the associated data is deleted unless statutory retention obligations require otherwise. Technical log data is kept only for a short time. Advertising-related data is processed by Google in accordance with its own retention periods.

10. International data transfers

Within the Google services mentioned, data may be transferred to third countries, in particular the USA. Google is certified under the EU-US Data Privacy Framework; in addition, EU Standard Contractual Clauses are in place as appropriate safeguards within the meaning of Art. 44 et seq. GDPR.

11. Your rights

Under the GDPR you have the following rights:

Access to the data stored about you (Art. 15 GDPR).
Rectification of inaccurate data (Art. 16 GDPR).
Erasure of your data (Art. 17 GDPR).
Restriction of processing (Art. 18 GDPR).
Data portability (Art. 20 GDPR).
Objection to processing based on a legitimate interest (Art. 21 GDPR).
Withdrawal of consent with effect for the future (Art. 7(3) GDPR).

Where we process data on the basis of a legitimate interest (Art. 6(1)(f) GDPR) – namely for secure operation, abuse prevention and the ad-financed provision of the app – you may object to that processing at any time on grounds relating to your particular situation (Art. 21 GDPR).

You also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (Germany); however, you may contact any supervisory authority.

12. Account and data deletion

You can request the deletion of your account and the associated data at any time – directly in the app or via our account deletion page. You can find the link in the footer of this website.

13. Protection of children

Lookas is not directed at children. Persons below the minimum age required under applicable law (16 years in case of doubt) may only use the app with the consent of a parent or guardian. If we become aware that we have processed a child's data without the required consent, we delete it.

14. Automated decisions and “Do Not Track”

There is no automated decision-making, including profiling, that produces legal effects concerning you. We do not evaluate browser “Do Not Track” signals, as there is no uniform standard for them.

15. Changes to this privacy policy

We may adapt this privacy policy, for example when we introduce new features or the legal situation changes. The current version published here applies in each case; the date of the last change is shown above.

16. Contact

For questions about data protection or to exercise your rights, you can reach us at: hey@lookas.app.