Last updated: May 20, 2026

Privacy Policy

Effective date: May 20, 2026
Version: 2026-05-20

This policy explains what personal data TierScope (the "Service", "we", "us") processes, the purposes and legal bases for processing, how long data is stored, who it is shared with and what rights users ("you", the "User") have. The document is prepared with regard to Federal Law No. 152-FZ "On Personal Data" (the "152-FZ"), and, for users located in the European Economic Area and the United Kingdom, with regard to the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the UK GDPR.

1. Personal data controller

TierScope is a personal pet project operated by an individual who is not registered as an individual entrepreneur or legal entity. For any questions related to personal data processing, including exercising data subject rights, requests and complaints, please contact:

Email: info@tierscope.ru
Other contact channels are listed on the Service home page in the "Contact" section.

The controller has not appointed a representative in the European Union within the meaning of Art. 27 GDPR. If such an appointment becomes required due to a change in legal status or processing scale, this policy will be updated accordingly.

2. Categories of data we process

2.1. Account data

Email address, display name, username, avatar if uploaded, interface language and public profile settings. This data is provided directly by the User during registration and in the account area.

2.2. Google OAuth authorization data

When signing in with Google, the provider sends us: email address, Google user identifier (sub), display name and avatar URL. We do not request or store any other data from the Google account, such as contacts, documents or history.

2.3. User content

Tier lists, including S-F tier structure, descriptions, movie statuses, watchlist, likes, follows of other users, incoming and outgoing notifications and swipe mode actions.

2.4. Security data and logs

Server-side refresh token hashes, the browser localStorage refresh token used to maintain the session, IP address, browser user-agent, timestamps of logins and significant actions, the fact and version of document acceptance (termsAcceptedAt, termsVersion, privacyVersion) and the fact and version of the analytics cookie choice stored in the browser.

2.5. Technical and analytics data

URLs of visited pages, with sensitive authorization and password recovery URLs sanitized, device and browser parameters and behavioral metrics. This data is collected only after analytics consent is given.

2.6. Data we do NOT collect

The Service does not request or process special categories of personal data, such as racial origin, political opinions, health data or biometrics, precise geolocation, phone contacts or payment data.

3. Purposes and legal bases for processing

Each purpose lists the legal basis under 152-FZ and under the GDPR. If you are located in Russia, 152-FZ applies; if you are located in the EEA or the United Kingdom, the GDPR/UK GDPR applies.

Purpose	Data categories	Legal basis (152-FZ)	Legal basis (GDPR)
Registering and maintaining an account	2.1, 2.2	clause 5 part 1 art. 6 (performance of a contract to which the User is a party)	Art. 6(1)(b) - performance of a contract
Storing and displaying user content	2.3	clause 5 part 1 art. 6	Art. 6(1)(b)
Protecting the account, rotating and revoking tokens, investigating incidents	2.4	clause 7 part 1 art. 6 (legitimate interest of the controller)	Art. 6(1)(f) - legitimate interest
Recording consents and proving document acceptance	2.4 (Terms/Privacy/consent fields)	clause 2 part 1 art. 6 (compliance with a legal obligation)	Art. 6(1)(c) - legal obligation
Service emails, such as email verification, login codes and password recovery	2.1	clause 5 part 1 art. 6	Art. 6(1)(b)
Product usage analytics	2.5	clause 1 part 1 art. 6 (consent)	Art. 6(1)(a) - consent
Publishing public tier lists	2.3 + public fields from 2.1	art. 10.1 (publicly available personal data with the data subject's consent)	Art. 6(1)(a) - consent to publication

Consent to analytics and consent to making content public can be withdrawn at any time in Service settings. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

4. Retention periods

Category	Retention period
Active account data	Until the User deletes the account
Server-side refresh token hashes	Until token expiry or revocation, but no longer than 30 days after last use
Login records (IP, user-agent, time)	12 months
Document acceptance and consent log	3 years after account deletion (limitation period under art. 196 of the Civil Code of the Russian Federation)
Service email content inside the provider	Up to 30 days, as determined by the email provider's policy
Backups	Up to 30 days from backup creation
Yandex Metrica data	According to the Yandex Metrica policy, 25 months by default; see section 5

After the retention period expires, data is deleted or anonymized.

5. Third parties that receive data

The Service uses the following service providers (under 152-FZ, persons entrusted with processing under part 3 art. 6; under the GDPR, processors under Art. 28):

5.1. Google LLC (Google OAuth)

Purpose: authentication through a third-party identity provider.
Data transferred: OAuth token request; in response, email, sub-ID, name and avatar URL.
Jurisdiction: United States.
Transfer regime: cross-border transfer to a country that is not listed by Roskomnadzor as ensuring adequate protection of personal data subjects' rights. The transfer is based on the User's consent expressed by choosing Google sign-in (part 4 art. 12 of 152-FZ; Art. 49(1)(a) GDPR - explicit consent for transfers).
Google policy: https://policies.google.com/privacy

5.2. Yandex Metrica (Yandex LLC)

Purpose: product usage analytics.
Data transferred: IP address, user-agent, page URL and behavioral metrics.
Jurisdiction: Russian Federation.
Legal regime: processing on instruction within Russia; there is no cross-border transfer. Data is collected only after the User consents through the cookie banner.
Yandex Metrica policy: https://yandex.ru/legal/metrica_termsofuse/

5.3. The Movie Database (TMDB)

Purpose: receiving movie metadata, such as posters, descriptions and ratings.
User data transferred: none. Requests to TMDB are made by the Service, and User identifiers are not included.
TierScope is not endorsed or certified by TMDB.

5.4. Russian email provider

Purpose: delivery of service emails, such as email verification, codes and password recovery.
Data transferred: recipient email address and email content.
Jurisdiction: Russian Federation.
The specific provider name can be requested by email at info@tierscope.ru.

5.5. Russian S3-compatible storage provider

Purpose: storing user avatars and movie posters.
Data transferred: image files relating to the User, such as an avatar, or public TMDB movie posters.
Jurisdiction: Russian Federation.

5.6. Russian hosting provider

Purpose: hosting the web application and database.
Data transferred: all data processed by the Service.
Jurisdiction: Russian Federation. The database is hosted in Russia in accordance with part 5 art. 18 of 152-FZ.

The Service does not sell personal data, does not transfer it to advertisers and does not use it for cross-context behavioral advertising. The Service does not use automated decision-making that produces legal effects for Users within the meaning of Art. 22 GDPR.

6. Public user content

If a User sets a tier list or profile to public, the relevant content becomes publicly available within the meaning of art. 10.1 of 152-FZ. This means:

Public content is available to any Internet visitor without authorization and may be indexed by search engines and stored in their caches.
The Service does not control copies of public content made by third parties or search engines.
When content is changed from public to private or deleted, the Service removes it from its systems within a reasonable time, but cannot guarantee removal from third-party caches.
Setting content to public is the User's explicit consent to making the relevant data publicly available. This consent can be withdrawn by changing the status to private or deleting the content.

The User is responsible for the content they publish. See also the Terms of Use.

7. Data subject rights

Regardless of your location, you have the right to:

obtain confirmation that your data is being processed and receive a copy of it;
request correction of inaccurate data;
request deletion of data (right to erasure);
withdraw any consent previously given;
restrict processing (for GDPR, Art. 18);
receive your data in a structured, machine-readable format; account export in JSON is available in the account area or by request (right to data portability, GDPR Art. 20);
object to processing based on legitimate interest (GDPR Art. 21);
lodge a complaint with a supervisory authority:
in Russia: Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), https://rkn.gov.ru/;
in the EEA: the supervisory authority of your habitual residence (list: https://edpb.europa.eu/about-edpb/about-edpb/members_en);
in the United Kingdom: Information Commissioner's Office, https://ico.org.uk/.

Requests should be sent to info@tierscope.ru. We respond no later than 30 days after receiving the request for GDPR requests, or within the time limits set by 152-FZ (10 business days, with possible extension). To verify the applicant's identity, we may request additional information that allows us to associate the request with a specific account.

8. Account deletion

The User can delete the account in profile settings. Upon deletion:

Profile data, such as email, name, avatar and settings, is permanently deleted.
Private user content is permanently deleted.
For public user content, the User chooses on deletion whether it is (a) fully deleted or (b) anonymized, meaning the link to the account is removed and the content remains publicly available without author attribution.
Document acceptance and consent logs are retained for the period specified in section 4 in a de-identified form tied to technical identification rather than identity.
Backups containing data of the deleted account are overwritten within 30 days.

9. Data protection

The following technical and organizational measures are used:

data transmission over TLS;
password storage as hashes using bcrypt or an equivalent algorithm;
server-side storage of refresh tokens as hashes, with rotation and revocation when suspicious activity is detected;
access controls for the production database;
regular backups;
sanitization of sensitive URLs, such as login and password recovery pages, before analytics transmission.

If an incident creates a risk to data subjects' rights and freedoms, the Service notifies: in Russia, Roskomnadzor within the periods set by part 3.1 art. 21 of 152-FZ (24 hours for the initial notice, 72 hours for the extended notice); in GDPR jurisdictions, the relevant supervisory authority within 72 hours (Art. 33 GDPR) and affected data subjects when the risk is high (Art. 34).

10. Age limits

The Service is not intended for persons under 14 years old. Registration by persons under 14 is not allowed. For users from jurisdictions where the minimum age for independent consent is higher, such as 16 in some EEA countries, consent or authorization from a person with parental responsibility is required. If we learn that an account was created in violation of these requirements, the account will be deleted.

11. Cookies and similar technologies

Details about cookies, browser local storage and consent to analytics technologies are described in the Cookie Policy.

12. Changes to this policy

Material changes to this policy are published on this page with a new effective date and version. If changes significantly expand the scope of processing or introduce new purposes, we will additionally request the User's consent at the next sign-in. Non-material edits, such as wording clarifications or typo fixes, apply from the moment of publication.

Version history is available by request at info@tierscope.ru.