Privacy Policy
Introduction
Echoes of Battle ("we", "our", "the app") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our mobile application. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and similar laws.
Information We Collect
We collect the following categories of data:
Account Data: When you sign in (via Google, Apple, or as a guest), we store your user ID, display name, and email address. Guest accounts use a locally generated anonymous ID.
Usage Data: Battle listening history, quiz scores, GPS visits, achievements, XP, coins, streaks, and activity logs. This data is stored locally on your device and optionally synced to Firebase for cross-device access.
Location Data: When you use GPS battlefield detection, we access your device location to determine proximity to historical battle sites. Location data is processed on-device. Pin coordinates (when you publicly place a pin) are stored on our servers.
Purchase Data: In-app purchase transactions are processed by Apple App Store or Google Play Store via RevenueCat. We do not store payment card details.
Push Notification Token: When you grant push permission, we store an Expo push token on the user record so re-engagement and event reminders can reach your device. This token is treated as personal data under GDPR.
Age Declaration: Before you can reach a real-money purchase, we show a neutral age screen and store the year of birth you enter on your account. We use it only to decide whether a parental gate is required and to serve age-appropriate content. We do not collect your full date of birth.
Advertising Data: The app includes Google AdMob to offer optional rewarded ads. Ads are strictly opt-in — they appear only after you tap a "Watch ad" button — and there are no banners or interstitials. When you choose to watch an ad, AdMob may access your device's advertising identifier and limited ad-interaction data to serve and measure that ad. For users who declared an age below the age of consent, ads are tagged so only non-personalized, child-appropriate ads are served.
Analytics: With your consent, we collect anonymous usage analytics (screen views, feature usage) via Firebase Analytics (web platform only) and crash reports via Sentry.
How We Use Your Data
We use collected data to:
- Provide core app functionality (progress tracking, achievements, leaderboards)
- Sync your progress across devices (Firebase)
- Process in-app purchases (RevenueCat)
- Improve app stability (crash reporting, with consent)
- Understand usage patterns (analytics, with consent)
- Deliver push notifications (streaks, achievements, with your permission)
- Show optional rewarded ads via Google AdMob, only when you choose to watch them
- Verify you are old enough for real-money purchases (age screen + parental gate)
Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal bases:
Contract (Art. 6(1)(b)): Account data, usage data, in-app purchase data, and cloud sync are required to deliver the app's core functionality you have requested.
Legitimate Interest (Art. 6(1)(f)): The push notification token, re-engagement reminders, and aggregated leaderboard standings serve our legitimate interest in keeping users engaged. You can opt out at any time via Settings > Notifications.
Consent (Art. 6(1)(a)): Optional analytics, optional crash reporting, optional personalization, and optional advertising (opt-in rewarded ads) rely on your explicit consent (Settings > Privacy; for ads, Google's User Messaging Platform consent prompt). You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal Obligation (Art. 6(1)(c)): Where applicable, we retain payment records for the period required by tax law.
Data Storage & Security
Your data is stored locally on your device using AsyncStorage. When signed in, progress data is synced to Firebase Firestore (Google Cloud, EU region: europe-west1). All data transmission uses HTTPS encryption. We do not sell your personal data. We share data only with the service providers listed under "Third-Party Services" below, and only to the extent needed to provide the functionality you use.
Your Rights (GDPR)
Under GDPR/RODO, you have the right to:
- Access (Art. 15): Export all your data (Settings > Privacy > Export Data). The export includes both the data stored locally on your device AND the data we hold on our servers (account record, last 100 PvP matches with opponent IDs hashed, tournament registrations, league standing, clan war IDs). Delivered as a JSON file via the standard share sheet.
- Rectification (Art. 16): Update your profile information from the Profile screen.
- Erasure (Art. 17): Delete all your data (Settings > Delete Account). This triggers a server-side cascade that removes your account record, your PvP matches (opponent's record is preserved with your slot replaced by '[deleted]'), tournament registrations, league standing, and your participation in clan war records.
- Portability (Art. 20): Your export is delivered as JSON, a machine-readable format suitable for porting to any other service.
- Restriction (Art. 18): You may request we restrict processing while exercising the right to object — contact privacy@echoesofbattle.com.
- Objection (Art. 21): You may object to processing based on legitimate interest — disable push notifications in Settings > Notifications, or revoke analytics/crash reporting consent in Settings > Privacy.
- Withdraw Consent: Revoke analytics/crash reporting consent at any time (Settings > Privacy) without affecting prior lawful processing.
To exercise these rights, use the in-app options or contact us at privacy@echoesofbattle.com. We respond within 30 days as required by Art. 12(3).
Consent Management
On first launch, we ask for your consent regarding:
- Analytics: Anonymous usage tracking (optional)
- Crash Reporting: Error logging for stability (optional)
- Personalization: Tailored content recommendations (optional)
- Advertising: Optional rewarded ads via Google AdMob (opt-in — shown only when you tap "Watch ad")
You can change your consent preferences at any time in Settings > Privacy. For ads, Google's User Messaging Platform (UMP) collects your GDPR consent before any personalized ad is served, and you can revisit that choice from the same screen. We maintain an audit log of all consent changes for 50 entries.
Children's Privacy
Echoes of Battle is designed for educational use and is suitable for users aged 12+. We do not knowingly collect personal information from children under 13. Before any real-money purchase, we present a neutral age screen and require a parental gate (an arithmetic challenge) for anyone who declares an age below 18. Users who declare an age below the age of consent are tagged so that only non-personalized, child-appropriate ads are served. The Classroom Mode is designed for supervised educational environments.
Third-Party Services
We use the following third-party services:
- Firebase (Google, EU region): Authentication, data storage; analytics (web only)
- RevenueCat: In-app purchase management
- Google AdMob: Optional opt-in rewarded ads; accesses the device advertising identifier when you choose to watch an ad. Consent collected via Google's User Messaging Platform (UMP)
- Sentry: Crash reporting (with consent)
- Expo Push Service: Notification delivery
- Apple/Google: Authentication via Sign in with Apple/Google
Data Retention
We retain your data according to the following periods:
- Account record (Firestore users/{uid}): For as long as your account is active. Deleted within 24 hours of you exercising your right to erasure.
- PvP matches & replays: Replay docs auto-expire 90 days after settlement. Match docs survive longer for opponent's history but are anonymized on your account deletion.
- Crash reports (Sentry): 30 days, then auto-deleted by Sentry's hosted retention policy.
- Purchase records (RevenueCat): Retained for the duration required by tax law.
- Consent audit log: Last 50 consent change entries, stored locally on your device.
- Advertising identifier (AdMob): Managed by Google under its own retention policy; you can reset or limit it in your device's privacy settings.
- Cache (audio, images): User-controllable via Downloads > Clear All.
Privacy Contact
For privacy-related questions, complaints, or to exercise your GDPR rights:
- Primary contact: privacy@echoesofbattle.com
- Designated privacy contact (acts as DPO for inquiries): the privacy contact above
- Response time: Within 30 days as required by GDPR Art. 12(3)
- Supervisory authority: If you believe your data is being processed unlawfully, you have the right to lodge a complaint with your local data protection authority. For EU users, see https://edpb.europa.eu/about-edpb/board/members_en for your national authority.