Privacy Policy
Data Controller
Under the EU General Data Protection Regulation (GDPR) and applicable data protection laws, the data
controller is:
TimerBattle
Email: privacy@timerbattle.com
DPO Email: dpo@timerbattle.com
For users in Poland, you may also contact the Polish Personal Data Protection Office (UODO) at uodo.gov.pl
1. Introduction
Welcome to TimerBattle ("we," "our," or "us"). We are committed to protecting your privacy and complying
with the EU General Data Protection Regulation (GDPR), Polish data protection laws, and other applicable
privacy regulations. This Privacy Policy explains how we collect, use, protect, and share your personal
data when you use our game across web, iOS, and Android platforms.
2. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
- Consent (Article 6(1)(a)): For analytics, crash reporting, and marketing communications
- Contract Performance (Article 6(1)(b)): To provide game services and manage your
account
- Legal Obligation (Article 6(1)(c)): To comply with applicable laws and regulations
- Legitimate Interests (Article 6(1)(f)): For fraud prevention, security, and service
improvement
3. Information We Collect
3.1 Information You Provide Directly
- Account Information: Email address, username, password (encrypted)
- Profile Information: Optional profile customization, game preferences
- Authentication Data: Social login information (Google Sign-In) - email and profile
information
- Payment Information: Processed by Stripe (web payments) and RevenueCat (mobile
payments). We only receive transaction ID and payment status, not full card details. Stripe is PCI-DSS
Level 1 compliant. RevenueCat handles in-app purchases through Apple App Store and Google Play Store
- Communications: Messages you send us for support or feedback
3.2 Automatically Collected Information (With Consent)
- Game Analytics (Firebase Analytics): Game statistics, session duration, game modes
played, performance metrics, button interactions
- Crash Reports (Firebase Crashlytics): Device state at crash, stack traces, app version,
OS version - to identify and fix bugs
- Device Information: Device model, operating system version, browser type, screen
resolution, language settings
- Network Information: IP address (anonymized after 24 hours), general location
(country/city level, not precise geolocation)
- Usage Data: Pages visited, features used, time spent in-app, interaction patterns
3.3 iOS-Specific Data Collection (Privacy Manifest)
In compliance with Apple's Privacy Manifest requirements:
- User Defaults API: Used to store app preferences and settings locally
- File Timestamp API: Used to manage cached game data
- System Boot Time API: Used for analytics session tracking (with consent)
- Disk Space API: Used to ensure sufficient storage for game data
4. How We Use Your Information
- Service Provision: To provide and maintain game functionality, process your requests,
and manage your account
- Authentication: To verify your identity and secure your account
- Payment Processing: To process premium feature purchases via Stripe (web) and
RevenueCat (iOS/Android mobile apps)
- Analytics (Consent Required): To understand usage patterns, improve game balance, and
enhance user experience
- Bug Fixes (Consent Required): To identify, diagnose, and fix technical issues and
crashes
- Communication: To respond to support requests, send important service updates (no
marketing without explicit consent)
- Security: To detect and prevent fraud, abuse, and security threats
- Legal Compliance: To comply with legal obligations and protect our rights
5. Data Sharing and Transfers
5.1 Third-Party Service Providers
We share data with the following processors (all with GDPR-compliant Data Processing Agreements):
- Supabase (Database & Authentication): Personal data stored in EU region (eu-west-1).
DPA available at supabase.com/legal/dpa
- Google Sign-In (OAuth): When you choose to sign in with Google, we receive your email
address, name, and profile photo from your Google account. This data is used solely for authentication
and account creation. Your use of Google Sign-In is also governed by Google's
Privacy Policy
- Firebase (Google): Analytics and Crashlytics (with consent only). Standard Contractual
Clauses in place for data transfers
- Stripe (Payment Processing - Web): Payment data for web transactions. EU-certified
under EU-US Data Privacy Framework. PCI-DSS Level 1 compliant
- RevenueCat (Payment Processing - Mobile): In-app purchase data for iOS and Android.
Processes transactions through Apple App Store and Google Play Store. GDPR compliant with Standard
Contractual Clauses. Data stored in US with appropriate safeguards
5.2 International Data Transfers
Your data may be transferred outside the European Economic Area (EEA) to the United States. Such transfers
are protected by:
- EU-approved Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework certification (Stripe, Google)
- Adequacy decisions where applicable
5.3 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
6. Your Rights Under GDPR (EU/Poland)
As an EU/Poland resident, you have the following rights:
Right to Access (Article 15)
Request a copy of all personal data we hold about you
Right to Rectification (Article 16)
Correct inaccurate or incomplete data
Right to Erasure / "Right to be Forgotten" (Article 17)
Request deletion of your data when no longer necessary. Available in-app under Profile → Delete
Account or by emailing privacy@timerbattle.com
Right to Restriction of Processing (Article 18)
Request we stop processing your data while verifying accuracy or processing legality
Right to Data Portability (Article 20)
Receive your data in a machine-readable format (JSON export available)
Right to Object (Article 21)
Object to processing based on legitimate interests. Disable analytics in Settings → Privacy & Data
Right to Withdraw Consent (Article 7(3))
Withdraw consent at any time via Settings → Privacy & Data or by clearing cookies (web)
Right to Lodge a Complaint
Contact your national data protection authority:
Response Time: We will respond to all requests within 30 days (1 month) as required by GDPR Article
12(3)
7. Children's Privacy (GDPR Article 8)
Age Requirement: Our game is intended for users aged 13 and above. We do not knowingly
collect personal data from children under 13 years of age.
For EU/Poland Users Under 16: In accordance with GDPR Article 8, users under the age of 16
require parental consent to create an account. We verify age during account creation.
Parental Rights: If you believe we have collected information from a child without proper
consent, please contact us immediately at privacy@timerbattle.com and we will delete the information within
30 days.
8. Data Retention
We retain your data for the following periods:
- Account Data: Until account deletion or 3 years of inactivity
- Game Statistics: Until account deletion or consent withdrawal
- Payment Records: 7 years (legal requirement for accounting/tax purposes)
- Analytics Data: 14 months (Firebase default), then automatically deleted
- Crash Reports: 90 days, then automatically deleted
- IP Addresses: Anonymized after 24 hours
- Support Communications: 2 years after resolution
After deletion, some data may persist in backups for up to 90 days before complete removal.
9. Data Security (GDPR Article 32)
We implement appropriate technical and organizational measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication (OAuth 2.0, password hashing with bcrypt)
- Regular security audits and penetration testing
- Secure development practices and code reviews
- Employee training on data protection
- Incident response and breach notification procedures
Data Breach Notification: In the event of a personal data breach, we will notify the
relevant supervisory authority within 72 hours (GDPR Article 33) and affected users without undue delay
(GDPR Article 34).
10. Cookies and Tracking (ePrivacy Directive)
10.1 Web Platform
We use the following types of cookies:
- Strictly Necessary: Authentication session, security (no consent required)
- Preference: Language, theme, game settings (no consent required)
- Analytics: Firebase Analytics, usage tracking (consent required - cookie banner)
10.2 Mobile Platforms
iOS and Android apps do not use cookies but may use similar technologies (local storage, preferences). You
can control analytics in Settings → Privacy & Data.
10.3 Cookie Duration
- Session Cookies: Deleted when you close your browser
- Persistent Cookies: Up to 365 days for consent preferences
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly
affects you (GDPR Article 22).
12. Platform-Specific Information
12.1 iOS (Apple App Store)
- Privacy Manifest file included in app bundle (required as of May 2024)
- App Tracking Transparency (ATT) framework - we do not track across other apps/websites
- Data linked to you: Email, username, game statistics, crash data
- Data not linked to you: Diagnostic data (anonymized)
12.2 Android (Google Play Store)
- Data Safety section completed in Play Console
- Account deletion available in-app (required as of May 2024)
- All data types disclosed in Play Store listing
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify
you of material changes via:
- In-app notification
- Email to registered users
- Prominent notice on our website
Continued use after notification constitutes acceptance. The "Last Updated" date at the top indicates the
most recent revision.
15. Applicable Law and Jurisdiction
This Privacy Policy is governed by the GDPR (EU Regulation 2016/679), Polish data protection laws
(Act of May 10, 2018), and applicable ePrivacy regulations. For EU users, disputes shall be subject
to the courts of your local jurisdiction, as permitted by consumer protection laws.