Muppit authentication privacy policy
Last updated: May 15, 2026
This privacy policy describes how the Muppit authentication service at auth.muppit.au handles your data when you sign in to any Muppit application.
Overview
Muppit uses Zitadel, a self-hosted identity provider, to manage authentication across all Muppit applications. The developer operates the Zitadel instance on private infrastructure. Your authentication data is stored on the developer's own servers, not in a third-party cloud service.
Data collected during sign-in
Google sign-in
When you sign in with Google, Zitadel receives the following from Google:
| Data | Purpose |
|---|---|
| Name | Display name in Muppit applications |
| Email address | Account identifier and contact |
Zitadel does not receive from Google:
- Your Google password
- Contacts or address book
- Google Drive files or documents
- Photos or media
- Browsing history
- Profile photo (not synced or stored)
Email and password sign-in
When you create a Zitadel-local account, the following is stored:
| Data | Purpose |
|---|---|
| Email address | Account identifier and contact |
| Password (hashed) | Authentication |
| Name (if provided) | Display name in Muppit applications |
Passwords are stored using industry-standard hashing. The developer cannot read your password.
What applications receive
When you sign in to a Muppit application (e.g. Blaster), the application receives:
| Data | Purpose |
|---|---|
| User ID (opaque identifier) | Link your account to app-specific data |
| Display name | Show your name in the application |
| Email address | Contact and account identification |
Applications do not receive your Google password, Google OAuth tokens, or any data beyond what is listed above.
Per-application data
Each Muppit application has its own data handling beyond authentication:
| Application | Data stored | Details |
|---|---|---|
| Blaster | Gameplay scores, stats, achievements, username | Stored in the application's own database |
| Fitness coach | Planned | Not yet available |
| Client Portal | Planned | Not yet available |
No telemetry
The authentication service does not collect analytics, tracking pixels, usage statistics, or crash reports. There are no third-party analytics services in the authentication flow.
No advertising
Your data is never used for advertising, marketing, or profiling. Your data is never sold or shared with third parties.
Data retention
Your Zitadel account exists until you request deletion. To delete your account, contact support@muppit.au.
Application-specific data (e.g. Blaster scores) is retained separately by each application. Deleting your authentication account does not automatically delete application data. Contact support to request deletion of both.
Security
The authentication service implements the following security measures:
- All communication uses HTTPS encryption
- Zitadel runs on private infrastructure operated by the developer
- Database backups are encrypted and stored on-premises
- Passwords are hashed using industry-standard algorithms
- Multi-factor authentication is available for administrative accounts
GDPR and international compliance
For users in the European Union and other jurisdictions with data protection regulations:
- Legal basis: Account data is processed on the basis of contractual necessity (providing the authentication service you requested)
- Data minimisation: Only the minimum data required for authentication is collected
- Purpose limitation: Data is used solely for authentication and account management
- No profiling: The authentication service does not perform automated decision-making or profiling
- Right to erasure: Contact support@muppit.au to request deletion of your account and associated data
Australian privacy
For users in Australia, data handling complies with the Australian Privacy Principles under the Privacy Act 1988 (Cth). The authentication service collects only the minimum personal information necessary for account creation and sign-in.
Children's privacy
Some Muppit applications, such as Blaster, are designed for children. The authentication service:
- Collects only the minimum data required (name and email from Google, or email and password for local accounts)
- Does not sell, share, or disclose data to third parties
- Does not use data for advertising, marketing, or profiling
- Does not perform automated decision-making on children's data
- Complies with the Australian Online Safety Act 2021
Google's own age restrictions apply at the Google sign-in layer. Parents and guardians can request account deletion for minors by contacting support@muppit.au.
Changes to this policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date.
Contact
For questions about this privacy policy or the authentication service's data practices:
- Email: support@muppit.au
- Authentication home: Muppit authentication
Your rights
You have the right to:
- Access: Request a copy of the data held in your authentication account
- Control: Change your name or email address via the Zitadel account settings
- Delete: Request account deletion by contacting support@muppit.au
- Portability: Request an export of your account data