Privacy Policy

1. Who Is the Data Controller?

The data controller responsible for your personal data is the Developers of Alfa Power, a privately operated independent game project. Our server infrastructure is hosted within the European Union (Netherlands).

Contact: privacy@alfa-power.se

2. What Data We Collect

2.1 Registered Account Users

When you create a registered account, we collect:

• Your chosen display name
• Your email address (used for account identification and communication)
• Your country of origin, determined automatically from your IP address at the time of account creation
• A hashed, salted password (we never store passwords in plain text)

2.2 Guest Account Users

When you use the App in Guest Mode, we collect:

• A randomly generated unique identifier assigned to your guest session
• A randomly generated display name
• Your country of origin, determined automatically from your IP address at the time of first use

Guest accounts are not linked to any email address or personally identifying credential. However, your game data (see Section 2.3) is stored server-side and tied to your guest identifier.

2.3 Game Statistics and Progress Data

For all users (registered and guest), we collect and store gameplay statistics and progress data to enable game functionality and provide in-game features such as high scores and performance tracking. This includes, but is not limited to:

• Game session duration and frequency
• Scores, high scores, and game outcomes
• Game mode usage (Bot, PvP)
• Board and tile interaction data
• Additional gameplay metrics necessary for features introduced in future updates will be documented in an updated version of this Privacy Policy at the time of introduction

This data is associated with your account identifier (registered or guest) and is used to operate the App and improve the player experience.

2.4 Technical and Device Data

We may automatically collect limited technical data necessary for operating the service, such as:

• IP address (used to derive country of origin at registration; not stored long-term for other purposes)
• Device type and operating system version (for debugging and compatibility)
• Crash reports and error logs

2.5 Push Notification Data

If you enable push notifications, we collect:

• A device token issued by Firebase Cloud Messaging (FCM), used to deliver notifications to your device
• Your notification preferences (which categories of notifications you wish to receive, such as turn reminders, messages, and social updates)

You may disable push notifications at any time through the App's settings or your device settings. If you disable notifications, your FCM device token will no longer be used to send notifications, though it may be retained until you explicitly revoke it or delete your account.

2.6 Advertising Data

If you use the App without a Premium subscription, advertisements may be displayed through Google AdMob. Personalised advertisements are only shown where you have given explicit consent via the in-app consent prompt shown on first launch. If you decline personalised ads, non-personalised (contextual) advertisements will be shown instead.

You may review or change your ad consent at any time via Settings → Privacy within the App.

Google AdMob may collect device identifiers and usage data for the purposes described in Google's Privacy Policy. This data collection is governed by Google's own privacy policy and data transfer mechanisms, including Standard Contractual Clauses.

3. Why We Collect This Data (Legal Basis)

We collect and process your data on the following legal bases under GDPR:

• Performance of a contract: To create and operate your account, save your game progress, and deliver the core functionality of the App
• Legitimate interests: To maintain server logs for security and anti-abuse purposes, collect anonymised gameplay statistics to improve the App, and determine user geography for operational planning and analytics
• Consent: For personalised advertising shown to non-Premium users and for push notifications. You may withdraw or amend your advertising consent at any time via Settings → Privacy in the App. You may withdraw notification consent via the App's notification settings or your device settings

4. How Long We Keep Your Data

• Registered account data: Retained for as long as your account is active, plus a reasonable period thereafter in case of disputes or legal requirements
• Guest account data: Retained until the account has been inactive for 6 consecutive months, after which the account and all associated data will be permanently deleted
• Game statistics: Retained for as long as the associated account exists
• Push notification tokens: Retained for as long as your account exists and notifications are enabled; removed upon account deletion
• Crash logs and technical data: Retained for up to 90 days unless needed for ongoing incident resolution
• IP address: Used only to determine country of origin at the time of account creation and not retained independently for other tracking purposes

5. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights regarding your personal data:

• Right to access: You may request a copy of the personal data we hold about you
• Right to rectification: You may request that we correct inaccurate data
• Right to erasure: You may request deletion of your account and associated personal data
• Right to restriction: You may request that we limit processing of your data in certain circumstances
• Right to data portability: You may request your data in a structured, machine-readable format
• Right to object: You may object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, contact us at privacy@alfa-power.se. We will respond within 30 days. In complex cases we may extend this period by a further 30 days and will notify you of the extension and the reason within the initial 30-day period. In some cases we may need to verify your identity before processing your request.

6. Account and Data Deletion

You may request deletion of your account and all associated personal data at any time. To do so:

• Use the account deletion option in the App's settings menu, or
• Send a request to privacy@alfa-power.se from the email address associated with your account

Following a deletion request, your personal data will be removed within a reasonable period. Some anonymised, aggregated statistical data may be retained where it is no longer identifiable to you.

7. Data Security

We implement reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or alteration. This includes password hashing, encrypted data transmission (HTTPS/TLS), and access controls on our server infrastructure. However, no system is completely secure. By using the App, you acknowledge and accept this inherent risk.

7.1 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Swedish supervisory authority (IMY) within 72 hours of becoming aware of it, in accordance with our obligations under GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly without undue delay, in accordance with GDPR Article 34.

8. Data Transfers

Our servers are hosted within the European Union (Netherlands). If you access the App from outside the EU, your data may be transferred to and processed within the EU. We take steps to ensure such transfers are compliant with GDPR requirements.

Third-party services (such as Google AdMob and Firebase Cloud Messaging) may transfer data outside the EEA in accordance with their own data transfer mechanisms, including Standard Contractual Clauses.

9. Children's Privacy

The App is rated for users aged 16 and above. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at privacy@alfa-power.se and we will take steps to delete such data promptly.

10. Third-Party Services

The App uses the following third-party services which may process your data:

• Railway (server hosting and database) — hosted within the European Union. Subject to Railway's Privacy Policy
• Google Firebase Cloud Messaging (push notifications) — subject to Google's Privacy Policy
• Google AdMob (advertising, for non-Premium users) — subject to Google's Privacy Policy

We are not responsible for the privacy practices of third-party services. We encourage you to review their respective privacy policies.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time as the App evolves or as legal requirements change. When we do, we will update the effective date at the top of this document. Continued use of the App after an updated policy is posted constitutes your acceptance of the changes. For significant changes, we will aim to notify users within the App.

12. Contact and Complaints

For all privacy-related enquiries or to exercise your rights, contact us at: privacy@alfa-power.se

If you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority. In Sweden, this is the Integritetsskyddsmyndigheten (IMY): www.imy.se. In other EU countries, you may contact your local supervisory authority.