1. Introduction

RunWars ("we", "our") respects your privacy. This Privacy Policy explains what information we process, for which purposes, and what choices you have when using the RunWars mobile application (the "App").

2. Information We Process

2.1. Account and profile data

Account identifiers: internal RunWars user identifier.
Login data: depending on your chosen method, you can sign in with email/password or via providers (e.g., Google or Apple through Firebase Authentication). In such cases, an authentication token is used to sign into our services.
Profile data: username and optionally first/last name fields (including extended fields depending on language) and an avatar/photo if you choose to upload one.
Email address: used to manage your account and may be displayed in your profile.

2.2. Location and sport activity data (tracking)

Location (GPS) during use: the App may access your location for map/game features.
Activity tracking: when you start an activity in the App, route points (latitude, longitude, optional altitude, optional speed, GPS accuracy and timestamp) are recorded to compute activity metrics (distance/time) and support game mechanics.

Important note about background location: the App does not explicitly request the "Always" background location permission as a requirement. During an active workout, Android may use a foreground service (with a visible notification) to keep tracking. On iOS, the background location indicator may appear while the activity is ongoing.

2.3. Strava integration (optional)

If you choose to connect Strava, the App starts an OAuth authorization flow to obtain an authorization code which is sent to our backend to complete the link. Requested permissions may include reading profile and reading activities.

What it is used for: to sync Strava activities into RunWars to power game mechanics.
Disconnect: you can disconnect Strava from the Profile screen, which removes the link on our backend.

2.4. Notifications (optional)

Push token: if you allow notifications, the App obtains a Firebase Cloud Messaging (FCM) token.
Device technical data: when registering notifications, we may send platform and device/app info (when available) along with the token to our backend to manage delivery.

You can enable/disable notifications in the App and/or in your OS settings. When disabling, the App attempts to unregister the token from our backend.

2.5. Analytics (optional, consent-based)

In production environments, the App may use Firebase Analytics only if the feature is enabled in the App configuration and you grant consent using the Analytics toggle in the Profile screen. If you disable analytics, collection is disabled. Your consent state is stored locally on your device.

2.6. Diagnostics and error reporting

To improve stability, we may use Sentry for error and performance monitoring. In our configuration, we do not send default PII (sendDefaultPii=false). After login, we may associate reports with an internal user identifier and username for debugging.

2.7. Local storage and offline mode

The App stores certain information locally for offline support and performance, for example session tokens and identifiers in secure device storage, a local user cache, a local database (e.g., activities and GPS points) with sync metadata, and a pending actions queue.

3. Purposes

Provide the service: create/manage your account and enable App usage.
Game mechanics: process activities (recorded or synced) to compute progress and game events.
Sync: upload activities recorded in the App when online, including via background tasks where allowed by the OS.
Notifications: send game-related notifications if enabled.
Improve & protect: diagnose issues and improve the App.
Analytics (if consented): measure usage/performance to improve features.

4. Legal bases (summary)

Contract performance: to deliver core App features (account, gameplay, synchronization).
Consent: for notifications (platform-dependent), analytics (Profile toggle), and Strava connection.
Legitimate interests: stability, security, and fraud prevention while minimizing data.

5. Sharing

We do not sell your personal data. We share data with service providers as needed:

Google Firebase (Google LLC): authentication, notifications (FCM), analytics (only if consented).
Sentry: error/performance monitoring.
Strava: if you connect your account, OAuth flow and APIs are used for activity sync.

6. Retention

Server-side account data: kept while your account is active or until you request deletion.
Device-local data: may remain on your device until you log out, clear app data, or uninstall.
Backups: backend operational backups may exist for a limited period.

7. Your controls

Notifications: enable/disable in the App and/or OS settings.
Strava: connect/disconnect in Profile.
Analytics: grant/withdraw consent in Profile (production).
Delete account: delete from within the App (see the Data Deletion page).

8. Security

We take reasonable measures to protect your information. No system is 100% secure; security also depends on your device and OS.

9. Children

The App is not directed to children under 13 and we do not knowingly collect information from children under 13.

10. Contact

For privacy questions or requests: support@runwars.app