PRIVACY POLICY
LAST UPDATED: APRIL 1, 2026 · EFFECTIVE DATE: [TO BE SET AT LAUNCH]
1. INTRODUCTION AND DATA CONTROLLER
This Privacy Policy explains how [Developer Legal Entity Name — to be confirmed before publication] ("Company," "we," "our," or "us"), the developer and publisher of Scorched Reach, collects, uses, shares, and protects personal information when you use the Scorched Reach mobile application, the scorchedreach.com website, and related services (collectively, the "Service").
Data Controller:
[Developer Legal Entity Name]
[Address — to be confirmed]
Email: [email protected]
EU/UK Representative: [To be appointed if required — mandatory if Company is not established in EU/UK and processes EU/UK personal data. Appointment required under GDPR Article 27 and UK GDPR Article 27.]
Data Protection Officer (DPO): [Assess whether DPO appointment is required under Article 37 GDPR — large-scale processing of location data is one of the mandatory triggers. Confirm with counsel.]
If you have questions about this policy or your personal data, contact us at [email protected].
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
| Data Type | Examples | Collected At |
|---|---|---|
| Email address | [email protected] | Account registration |
| Password | (stored as a bcrypt hash by Supabase Auth — we never see plaintext) | Account registration |
| Username / Player name | Your chosen in-game name | Account registration |
| Avatar selection | Your chosen character appearance | Account registration / in-game |
2.2 Location Data (GPS)
The Service collects real-time GPS coordinates from your device during active gameplay.
| Field | What It Is | When Collected |
|---|---|---|
| Real-time coordinates | Your precise latitude/longitude | During active play sessions |
| Last known location | Most recent recorded coordinates | Persisted to database on each GPS update |
| Shelter location | Location where you place an in-game shelter | When you set a shelter |
GPS data is sensitive personal information under California law (CPRA) and is treated with heightened care under all applicable frameworks. See Section 5 for lawful basis and Section 9 for California-specific rights.
2.3 In-Game Behavioral Data
| Data Type | Examples |
|---|---|
| Player statistics | XP, rank, HP, radiation level, chip balance |
| In-game actions | Scavenge events, territory claims, garrison activities |
| Gameplay timestamps | Last active session, cooldown states |
| Subscription status | Free / Pro tier; subscription lifecycle events |
| RevenueCat customer ID | Assigned identifier for subscription management |
| Class, faction, and avatar selections | In-game identity choices |
| Recruit roster | Names, stats, status of in-game recruits |
2.4 Technical and Device Data
When you use the Service, we or our service providers automatically collect:
| Data Type | Examples |
|---|---|
| IP address | Your device's public IP address at time of connection |
| Device identifiers | Device type, operating system, app version |
| Usage data | Features used, session timestamps, error logs |
| Network data | Connection type (Wi-Fi / cellular) |
2.5 Data Collected via the Marketing Website
When you visit scorchedreach.com:
| Data Type | How Collected |
|---|---|
| IP-based approximate location | Via ipapi.co API — used to center the map display on your estimated city; not stored in our database |
| Email address (optional) | If you submit the beta signup form |
| Session data | Via Supabase Auth and Cloudflare session cookies |
3. HOW WE USE YOUR INFORMATION
We use the information described above for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing core gameplay | GPS coordinates, account data, behavioral data | Contract performance (Article 6(1)(b)) |
| Account authentication | Email, hashed password | Contract performance |
| Server-side game validation | GPS coordinates, timestamps | Contract performance; legitimate interests (cheating prevention) |
| Processing and managing subscriptions | Email, subscription status, RevenueCat ID | Contract performance |
| Sending transactional communications | Email address | Contract performance |
| Security, fraud prevention, and cheating detection | IP address, GPS coordinates, behavioral patterns | Legitimate interests (Article 6(1)(f)) |
| Improving the Service | Aggregated usage data | Legitimate interests |
| Complying with legal obligations | All relevant data | Legal obligation (Article 6(1)(c)) |
| Marketing website map display | IP-based approximate location (not stored) | Legitimate interests |
We do not use your personal information for behavioral advertising, profiling for commercial purposes, or sale to third parties.
3.1 Consent-Based Processing
For EU/EEA users, processing of your GPS coordinates for gameplay purposes is based on contract performance — GPS is necessary to provide the service you've requested. You may withdraw consent for optional data uses at any time by contacting [email protected]. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
4. INFORMATION SHARING AND THIRD-PARTY PROCESSORS
We do not sell your personal information. We do not share it with advertisers or data brokers.
We share information only as described below:
4.1 Service Providers (Data Processors)
| Processor | Role | Data Shared | Location |
|---|---|---|---|
| Supabase, Inc. | Authentication, database hosting | All account and gameplay data | US-West-2 (Oregon, USA) |
| RevenueCat, Inc. | Subscription management | Email, subscription events, purchase records | USA |
| Cloudflare, Inc. | CDN, DDoS protection, Turnstile CAPTCHA | IP address, CAPTCHA interaction data | USA (global edge network) |
| OpenSky Network | Aircraft location data for in-game airdrop events | Outbound query only — no user personal data is shared with OpenSky | Switzerland |
| Apple Inc. | iOS distribution, in-app purchase processing | As required by App Store terms | USA |
| Google LLC | Android distribution, in-app purchase processing | As required by Play Store terms | USA |
We execute Data Processing Agreements (DPAs) with all processors that process EU/UK personal data, as required by GDPR Article 28. [Action required before launch: execute DPA with Supabase; confirm RevenueCat GDPR DPA is current.]
4.2 Legal Disclosure
We may disclose personal information if required by law, legal process, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, or to investigate fraud.
4.3 Business Transfers
If we are involved in a merger, acquisition, or asset sale, your personal information may be transferred as a business asset. We will notify you via email and/or a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.
5. DATA RETENTION
| Data Category | Retention Period |
|---|---|
| Account data (email, username) | Duration of account + [30/60/90] days after account deletion request |
| GPS coordinates (real-time) | Not stored beyond the current session buffer (processed in memory for validation) |
| Last known location | Until account deletion |
| In-game behavioral data | Duration of account + [30/60/90] days after deletion |
| Subscription records | 7 years (financial/tax record obligations) |
| Security/audit logs | 12 months |
| Scavenge audit log (anonymized) | 12 months |
| IP addresses (in security logs) | 90 days |
[Note for counsel: Confirm retention periods against applicable financial record-keeping and statute of limitations requirements before publication. The EU/UK data minimization principle requires that you can justify each period.]
After the retention period expires, personal data is deleted or anonymized.
6. CHILDREN'S PRIVACY
6.1 Under-13 Policy (COPPA)
We do not knowingly collect personal information from children under 13 years of age. The Service is not directed to children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at [email protected] or [email protected]. We will promptly delete the account and associated personal information.
Under the Children's Online Privacy Protection Act (COPPA) and the FTC's 2025 amended COPPA Rule (effective June 23, 2025), we:
- Do not knowingly collect personal information from children under 13 without verifiable parental consent
- Do not use children's data for behavioral advertising
- Do not condition participation on providing more personal information than is reasonably necessary
- Promptly delete accounts when we discover a user is under 13
6.2 Teens (Ages 13–17)
Users between 13 and 17 may use the Service with parental or guardian consent. We apply the following additional protections for users we know or reasonably believe are minors:
- We do not target minors with advertising or marketing profiling
- Default privacy settings are set to the most restrictive available
- We do not share minors' location data with third parties except as necessary to provide the Service
- GPS/location access for minors is subject to the same consent and purpose limitation as for adult users
Note on California AADC (AB 2273): As of the date of this policy, California's Age-Appropriate Design Code (AB 2273) is subject to an ongoing court injunction and is not currently being enforced. However, we are committed to implementing privacy-by-design principles consistent with the spirit of the AADC regardless of its enforcement status.
6.3 UK Children's Code
If you access the Service from the United Kingdom, the UK ICO's Age Appropriate Design Code may apply. We are committed to implementing the 15 standards of the Children's Code for UK users, including:
- Geolocation tracking for users likely to be minors defaults to the minimum necessary for gameplay
- No profiling of minors for commercial purposes
- High-privacy settings as the default
7. INTERNATIONAL DATA TRANSFERS
Our primary database and authentication service (Supabase) is hosted in the US-West-2 region (Oregon, USA).
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is transferred to the United States. We rely on the following transfer mechanisms:
- Supabase: Supabase has published EU Standard Contractual Clauses (SCCs) for GDPR compliance. We execute these as part of our DPA with Supabase. [Action: Execute Supabase DPA before launch.]
- RevenueCat: RevenueCat maintains GDPR compliance documentation and a DPA. [Action: Confirm DPA is executed.]
- Cloudflare: Cloudflare participates in the Data Privacy Framework (DPF) and offers SCCs. [Action: Confirm DPF status as of launch date.]
For UK users, we rely on the UK International Data Transfer Agreement (IDTA) as the transfer mechanism, or applicable adequacy decisions. [Note for counsel: confirm current UK adequacy decisions and IDTA requirements as of launch date.]
For Swiss users, we comply with Switzerland's Federal Act on Data Protection (nFADP). [Note for counsel: confirm Swiss transfer mechanisms as of launch date.]
8. YOUR RIGHTS
Depending on your location, you may have the following rights regarding your personal data:
8.1 Rights for All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data ("right to be forgotten")
- Data Portability: Request your personal data in a structured, machine-readable format
8.2 Additional Rights — EU/EEA/UK (GDPR and UK GDPR)
- Right to Object: Object to processing based on legitimate interests
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time
- Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (EU) or the ICO (UK)
EU/UK supervisory authority finder: edpb.europa.eu/about-edpb/board/members_en
ICO (UK): ico.org.uk | 0303 123 1113
8.3 California Rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell
- Delete personal information we hold about you
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell or share your data)
- Limit the use and disclosure of sensitive personal information (including GPS coordinates)
- Non-discrimination for exercising your rights
To exercise California rights: Contact us at [email protected] or use the in-app data rights feature. [Action: Implement in-app data rights request feature before launch.]
8.4 How to Exercise Your Rights
To exercise any of the rights described above:
- Email: [email protected] with subject line "Privacy Rights Request"
- In-app: Account Settings → Data & Privacy → [Request form — to be implemented before launch]
We will respond to verified requests within 30 days (45 days for complex requests, with notice). We may need to verify your identity before processing your request.
8.5 How to Delete Your Account
To delete your account and personal data:
- In the app: Account Settings → Delete Account → Confirm
- Or email [email protected] with subject line "Account Deletion Request"
Following deletion, we will delete or anonymize your personal data within [30/60] days, except where retention is required by law (see Section 5).
9. CALIFORNIA — ADDITIONAL DISCLOSURES (CCPA/CPRA)
9.1 Categories of Personal Information Collected
Under CCPA, the categories of personal information we collect include:
- Identifiers: Email address, username, device identifiers, IP address
- Geolocation Data (Sensitive PI): Precise GPS coordinates
- Commercial Information: Subscription status, purchase history
- Internet/Electronic Activity: Gameplay activity, session logs
- Inferences: Player rank, behavioral patterns derived from gameplay
9.2 Categories of Sources
We collect personal information directly from you (account registration, gameplay), automatically (GPS, device data), and from service providers (subscription events from RevenueCat).
9.3 Business or Commercial Purpose
Personal information is collected for the purposes described in Section 3.
9.4 Categories of Third Parties with Whom We Share
We share with service providers as described in Section 4.1. We do not sell or share personal information with third parties for cross-context behavioral advertising.
9.5 Sensitive Personal Information
GPS coordinates are Sensitive Personal Information under CPRA. We use GPS data solely to provide the Service (gameplay) and do not use it to infer sensitive characteristics. You may request to limit the use of your sensitive personal information at any time.
10. SECURITY
We implement technical and organizational measures to protect your personal information, including:
- Encrypted data transmission (HTTPS/TLS)
- Bcrypt password hashing (no plaintext passwords stored)
- Database Row Level Security (RLS) to restrict data access
- Server-side validation of GPS coordinates (anti-spoofing)
- Supabase Auth for session management
No security system is impenetrable. We cannot guarantee the absolute security of your data. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and applicable regulatory authorities as required by applicable law (GDPR Article 33/34 requires notification within 72 hours).
[Action: Enable email confirmation for production accounts. Email confirmation is currently disabled in development mode — this must be re-enabled before public launch to meet GDPR Article 32 security obligations and App Store security guidelines.]
11. COOKIES AND TRACKING TECHNOLOGIES
11.1 Marketing Website (scorchedreach.com)
The marketing website uses the following:
| Technology | Provider | Purpose | Opt-out |
|---|---|---|---|
| Session cookies | Supabase | Authentication state management | Required for function — cannot opt out |
| CAPTCHA widget | Cloudflare Turnstile | Protect registration from automated abuse | Required for registration — functional necessity |
| IP geolocation | ipapi.co | Display map centered on visitor's approximate location | No data stored; reload the page with JavaScript disabled to turn it off |
We do not use advertising cookies, analytics trackers, or third-party tracking pixels on the marketing website.
11.2 Mobile Application
The mobile application does not use browser cookies. It uses:
- Supabase session tokens (stored in device secure storage) for authentication
- RevenueCat SDK identifiers for subscription management
11.3 Do Not Track
We do not currently respond to Do Not Track signals, as there is no industrywide standard for such signals.
For full details on cookies and tracking, see our Cookie Notice.
12. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting a notice in the app before the change takes effect
- Sending an email to your registered address
- Updating the "Last Updated" date at the top of this policy
For material changes that expand our collection or use of your data, we will seek fresh consent where required by applicable law.
13. CONTACT US
For questions, requests, or concerns about this Privacy Policy or how we handle your personal data:
[Legal Entity Name]
Email: [email protected]
General support: [email protected]
Legal: [email protected]
For EU/UK data subject rights inquiries, include "GDPR Request" or "UK GDPR Request" in the subject line.
For California privacy rights inquiries, include "California Privacy Request" in the subject line.
DRAFT — This document has not been reviewed by licensed counsel in all applicable jurisdictions. Do not publish without legal review. Key items requiring counsel review before publication: (1) legal entity name, address, and contact information; (2) EU/UK representative appointment (GDPR Article 27); (3) DPO assessment and appointment if required; (4) DPA execution with Supabase and RevenueCat; (5) data retention periods; (6) in-app data rights request mechanism; (7) email confirmation re-enablement; (8) international transfer mechanisms as of launch date; (9) COPPA verifiable parental consent mechanism; (10) age gate implementation.