Privacy Policy for Stryked

Last Updated: December 8, 2025

Updated to accurately reflect analytics data collection practices and provide enhanced data processing details

1. Information We Collect

1.1 Location Data

We collect and process your precise location data to enable the core functionality of Stryked.

What location data we collect:

• GPS coordinates (latitude and longitude)
• Altitude, speed, and direction of travel
• Location accuracy and timestamp
• Device motion data (accelerometer, gyroscope, magnetometer) for anti-spoofing

When we collect location data:

• Continuously while the app is open
• Periodically in the background (every 30 minutes when you enable background location services) to detect nearby trophies and validate visits
• When you are near a trophy location (within 1000 meters)
• When you visit a trophy (within 50 meters)

Why we collect location data:

• Essential: To detect nearby trophies and validate your visits
• Analytics (optional): To understand how users discover and interact with trophies (only if you grant Behavioral Analysis consent)
• Anti-Fraud: To prevent location spoofing and ensure fair gameplay

1.2 Photos and Media

We collect photos you upload as part of the Snapventure feature.

• Photos you capture or select for Snapventures
• We do not intentionally collect embedded photo metadata (EXIF). Images are processed and re-encoded during upload.
• Photo thumbnails for display purposes

Snapventure location: If a fresh location is available at the moment you upload, we may store the Snapventure's GPS coordinates (a GeoPoint) so it can be shown on maps or used for location-based discovery. This is separate from photo metadata.

These photos can be shared with other users as part of the social features of the app. You can control the visibility of each snapventure individually - you can make them public (visible to all users) or private (visible only to you). You can change the privacy setting of any snapventure at any time after uploading.

1.3 User Profile Data

• User ID (automatically generated by Firebase)
• Username and display name you choose
• Email address (when provided during sign-in)
• Profile picture (optional)
• Game statistics (points, trophies visited, achievements)

1.4 Purchase Information

• In-app purchase history (subscription status, unlocked tiers)
• Purchase dates and renewal status
• Payment information is processed by Apple and is not accessible to us. We only process purchase-related data (product ID, subscription status, dates) to provide the service and to meet legal retention requirements; we never receive or store payment card or other payment details.

1.5 Device and Usage Data

We collect device and usage information for security, performance, and analytics purposes:

• Biometric authentication (optional): If you use Face ID or Touch ID for sign-in, biometric data is processed only on your device (Apple Secure Enclave). We do not receive or store any biometric data on our servers. Legal basis: contract performance or consent.
• Device information: Device type, model, iOS version, screen resolution (automatically collected by Firebase Analytics when behavioral analytics consent is granted)
• App information: App version and build number (automatically collected by Firebase Analytics)
• Security data: Device integrity status (to detect jailbroken devices for security), device attestation tokens (via Apple App Attest) for security verification
• Usage patterns: App usage patterns and interaction data (only when behavioral analytics consent is granted; logged for product insight, aggregated for reporting)
• Visit speed insights (aggregated): We may measure, in broad time ranges (for example 0–3 minutes, 3–8 minutes, 8–15 minutes, 15–30 minutes, 30+ minutes), how long it typically takes visitors to reach certain partner locations. These insights are stored only as aggregated counts per partner and trophy per day, without any user identifiers or exact timestamps, so they cannot be traced back to you as an individual.
• Approximate location: City-level geolocation (automatically collected by Firebase Analytics, not precise GPS coordinates)
• IP address: May be processed by Firebase (e.g., for security, fraud prevention, and city-level geolocation). We do not use IP addresses for tracking, profiling, or advertising.

Security Verification: We use Firebase App Check (Apple App Attest) to verify that requests come from legitimate, unmodified app installations. This helps prevent abuse and protects your data.

Note: Most device and usage data collection requires your consent for behavioral analytics. You can control this in Settings > Account Management > Privacy & Consent.

1.6 Crash and Error Data

We collect crash reports and error information to improve app stability and fix bugs.

• Crash reports and stack traces when the app encounters errors
• Device information associated with crashes (model, OS version)
• Custom context data to help diagnose issues
• Error logs and diagnostic information

Why we collect this: To identify and fix bugs, improve app stability, and ensure a better user experience.

Legal basis: We process crash and error data on the basis of our legitimate interest (GDPR Article 6(1)(f)): ensuring app stability and security for all users. We do not include your name, email, or other directly identifying information in crash reports; we limit data to what is necessary for diagnosis (e.g. app version, device type, error details). You can find our balancing of interests for this processing in Section 11 below.

Service Provider: Firebase Crashlytics (Google LLC)

2. How We Use Your Information

2.1 Core Game Functionality

• Detect nearby trophies based on your location
• Validate trophy visits to award points and achievements
• Display your progress and statistics
• Enable Snapventure social features

2.2 Anti-Spoofing and Security

We use behavioral analysis and automated systems to maintain game integrity:

• Movement Pattern Analysis: We analyze your movement patterns, travel speed, and location history to detect location spoofing and ensure fair gameplay for all users. This includes analyzing GPS coordinates, speed, direction, and device motion sensor data (accelerometer, gyroscope, magnetometer). In some cases we also compare the distance and time between your last trophies using static trophy locations (not your personal GPS history) to detect clearly impossible “teleport” movements.
• Device Integrity Verification: We verify device integrity to detect jailbroken devices and prevent cheating. This includes checking device attestation tokens via Apple App Attest.
• Automated Security Measures: Our system may automatically apply temporary bans (typically 24 hours) when suspicious activity is detected. These automated decisions are based on analysis of movement patterns, trust scores, and violation history.
• Trust Score Calculation: We maintain a trust score for each user based on validation results from location checks. This score helps identify patterns of suspicious behavior over time.
• Fair Gameplay: All security measures are designed to maintain fair gameplay and prevent cheating that would negatively impact other users' experience.

2.3 Service Improvement

• Analyze usage patterns to improve app features
• Optimize performance and fix bugs
• Develop new features based on user behavior

Usage and Product Insight:

When you use the app—for example, when you activate a challenge or redeem a trophy—we log these actions for product and usage insight. These are core app actions, not separate tracking. We use a technical user ID (the same identifier needed for the app to function) to link events to a session. We do not store personally identifiable information (name, email, phone number) in this data and do not use it for advertising.

Automatically collected data (Firebase Analytics):

• Device information (device type, model, iOS version)
• App version and build number
• Approximate geolocation (city-level, not precise GPS coordinates)
• Screen resolution and device capabilities

Account lifecycle: Sign-in and sign-out events are logged for account management and security. These are functional logs, not usage analytics.

Note: This data collection respects your GDPR consent preferences. You can opt out in Settings > Account Management > Privacy & Consent.

3. Data Storage and Security

3.1 Where We Store Your Data

• Firebase/Google Cloud: User profiles, trophy visit history, trust score validation logs, photos, and game data
• On Your Device: Temporary location data, app preferences, cached content
• Apple Servers: Purchase and subscription information (managed by Apple)

Data Storage Location: Your app data is stored on servers in the European Union (Belgium, europe-west1 region). We use Google Cloud Platform's EU data centers for our Firebase services. We do not transfer your data outside the EU.

3.2 How Long We Retain Your Data

• Location data: Processed in real-time for trophy validation and anti-spoofing. For most gameplay actions, raw GPS coordinates are not stored long-term; instead we store the outcome of validation checks (e.g., trust score validation results) and, for teleport detection, derived metrics based on static trophy locations and visit timestamps (no raw GPS history). For Snapventures, we may store GPS coordinates (a GeoPoint) associated with your uploaded Snapventure (see Section 1.2).
• Trust score and teleport validation logs: Retained for a limited period (typically 49 hours or as specified in the in-app GDPR export), then automatically deleted. These logs contain validation results and ban decisions (not raw GPS coordinates) for anti-spoofing purposes.
• Trophy visit history: Retained for the lifetime of your account
• User profile: Until you delete your account
• Snapventure photos: Until you delete them or your account. You can also hide individual snapventures at any time, which will make them private and invisible to other users, but they will remain stored until you delete them or your account.
• Purchase history: Retained as required by law (typically 7 years for tax purposes)
• Analytics data: User data retained for 14 months, event data retained for 2 months (Firebase Analytics default), then automatically anonymized
• Crash reports: Retained for 90 days, then automatically deleted
• Device information: Retained while your account is active, deleted upon account deletion
• Backups: After your account and data are deleted, backup copies held by our service providers (e.g. Google/Firebase) are purged within 30 days, in line with our agreements with them.
• Ban records:
  • Temporary bans: 24 hours after ban expires
  • Permanent bans: Retained indefinitely for security purposes
  • Appeal status (in-app): Stored with your ban record and removed when the underlying ban record is deleted (temporary bans) or when the ban record is removed as part of account deletion.
  • Appeal communications (email): We may retain appeal emails and related support communications as needed to respond to your request and for compliance/security record-keeping.

3.3 Security Measures

• Data encryption in transit (HTTPS/TLS)
• Firebase authentication and security rules
• Regular security audits
• Access controls and monitoring

4. Data Sharing and Disclosure

4.1 With Other Users

• Your chosen display name (alias), profile picture, and public statistics are visible to other users. You can change your alias anytime.
• Snapventure photos and captions you choose to make public are visible to all users. You can set any snapventure to private at any time; private snapventures are only visible to you.
• Leaderboard rankings and achievements are publicly visible

4.2 With Service Providers

• Firebase/Google Cloud: For hosting, database, authentication, and analytics
• Apple: For in-app purchases and App Store services

4.3 Legal Requirements

We may disclose your information if required by law or to:

• Comply with legal processes or government requests
• Enforce our Terms of Service
• Protect the rights, property, or safety of our users or others
• Prevent fraud or security issues

4.4 We Do NOT:

• Sell your personal data to third parties
• Share your data for advertising purposes
• Use your data for cross-app tracking
• Use App Tracking Transparency (ATT) — we do not track you across apps or websites for advertising or other purposes

Tracking and identifiers: We do not use Apple’s App Tracking Transparency (ATT) or the Identifier for Advertisers (IDFA). We do not track you across apps or websites for advertising or profiling, so we do not request ATT permission. Any analytics we use are limited to our app and are described in this policy.

5. Your Rights and Choices

5.1 Location Services

• Disable location tracking: Go to iPhone Settings > Stryked > Location
• Note: Disabling location will prevent trophy discovery and visit validation

5.2 Account Management

• Update profile: Edit your username, display name, and profile picture in Settings
• Control Snapventure visibility: Make individual snapventures public or private at any time
• Delete or hide Snapventures: Remove your uploaded photos anytime, or hide a snapventure without deleting it
• Manage subscriptions: Go to iPhone Settings > Your Name > Subscriptions

5.3 GDPR Rights (EU Users)

If you are in the European Union, you have additional rights:

• Right to Access: Request a copy of your personal data. You can export your data through the app's data export feature in Settings > Account Management > Export Data, or contact us directly.
• Right to Rectification: Correct inaccurate personal data. You can update your profile information directly in the app (Settings > Edit Public Profile) or contact us for assistance.
• Right to Erasure: Request deletion of your account and data. You can delete your account directly in the app (Settings > Account Management > Delete Account) or contact us for assistance.
• Right to Data Portability: Receive your data in a machine-readable format (JSON). Use the data export feature in Settings > Account Management > Export Data to download your complete data.
• Right to Object: Object to automated decision-making (including anti-spoofing bans). You can appeal any automated ban decision through the in-app appeal system (see Section 6.2 for details).
• Right to Withdraw Consent: Withdraw your consent for data processing at any time. Go to Settings > Account Management > Privacy & Consent to modify your consent preferences. Note: Withdrawing consent for location tracking will prevent core app functionality.
• Right to Restrict Processing (GDPR Article 18): You may ask us to restrict how we use your data (e.g. only store it and not use it) in certain cases—for example when you contest the accuracy of the data, when the processing is unlawful but you prefer restriction over erasure, or when you have objected and we are assessing whether our grounds override yours. Contact us using the details in Section 10; we will respond within one month and, where applicable, restrict processing as required by law.
• Right to Lodge a Complaint: If you are not satisfied with how we handle your data, you have the right to lodge a complaint with your local data protection authority.

5.4 Account Deletion

To delete your account and all associated data:

1. Go to Settings in the app
2. Select "Delete Account"
3. Confirm your decision

Upon deletion:

• Your profile, trophy visit history, trust score validation logs, and uploaded photos will be permanently deleted
• Your username will become available for others to use
• This action cannot be undone
• Purchase records may be retained as required by law

6. Automated Decision-Making

6.1 Anti-Spoofing System

The app uses automated systems to detect location spoofing and cheating. This system:

• Movement Pattern Analysis: Analyzes your movement patterns, travel speed, acceleration, and location history to identify impossible or suspicious travel patterns (e.g., teleporting between distant locations, traveling at impossible speeds).
• Device Sensor Data: Uses device motion sensors (accelerometer, gyroscope, magnetometer) to verify that location changes correspond to actual device movement, helping detect location spoofing apps.
• Trust Score System: Maintains a trust score based on validation results from location checks. Multiple failed validations or suspicious patterns lower your trust score.
• Automated Bans: May automatically apply temporary bans (typically 24 hours) when the system detects violations such as location spoofing, impossible travel speeds, or repeated suspicious behavior patterns.
• Decision Logic: Automated ban decisions are based on objective criteria including:
  • Travel speed exceeding reasonable limits (e.g., >200 km/h over short distances)
  • Impossible location changes (e.g., appearing in distant locations without travel time)
  • Repeated validation failures in trust score checks
  • Device integrity violations (jailbroken devices used for spoofing)
• Transparency: When a ban is applied, you will see the reason for the ban, supporting information about what triggered it, and the duration of the restriction.

6.2 Your Right to Appeal Automated Decisions (GDPR Article 22)

Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing, including automated bans. You have the right to request human review of any automated decision that affects you.

If you believe you were incorrectly banned:

How to Submit an Appeal

1. In-App Appeal: Use the built-in ban appeal flow in the app. When you see a ban notification, tap "Appeal Ban" to submit your appeal directly within the app.

What Happens After You Submit an Appeal

• Review Process: Our support team manually reviews your appeal by examining your account's trust score validation logs, trophy visit history, and the circumstances that led to the ban.
• Response Time: We commit to reviewing and responding to all ban appeals within 48 hours of receipt.
• Possible Outcomes:
  • Ban Overturned: If the ban was incorrect, your account will be immediately restored and you can continue playing.
  • Ban Upheld: If the ban was correct, we will explain the reason and provide information about when the ban will expire.
  • Additional Review: In complex cases, we may request additional information or extend the review period (we will notify you if this happens).
• Notification: You will receive an email response with the decision and any relevant details. Where supported, you may also see the current appeal status in-app.

Your Rights

In addition to the appeal process, you have the right to:

• Request Human Review: You can request that any automated decision be reviewed by a human (GDPR Article 22(3))
• Express Your Point of View: You can provide additional context or explanations in your appeal
• Challenge the Decision: If you disagree with the appeal outcome, you can contact us again or lodge a complaint with your local data protection authority

Note: Automated bans are typically temporary (24 hours) and are designed to prevent cheating and maintain fair gameplay. Most bans are automatically lifted after the specified duration, but you can appeal at any time if you believe the ban was incorrect.

7. Children's Privacy

Stryked is not intended for anyone under the age of 13. We do not knowingly collect personal data from children under 13. If you are under 13, please do not use the app. If we become aware that we have collected data from a child under 13, we will delete it promptly. We do not process personal data of children for the purposes described in this policy unless required by applicable law (e.g. with parental consent where applicable). In some countries, the minimum age for valid consent may be higher (e.g. 14 or 16 years); in that case, that age applies.

8. Changes to This Policy

We may update this privacy policy from time to time. When we do:

• The "Last Updated" date at the top will be changed
• Significant changes will be announced in the app
• Continued use of the app constitutes acceptance of the updated policy

9. Third-Party Services

Our app uses the following third-party services:

9.1 Firebase (Google LLC)

• Purpose: Authentication, database, hosting, analytics, crash reporting, security verification
• Services Used:
  • Firebase Authentication (user sign-in)
  • Cloud Firestore (database)
  • Firebase Storage (photo storage)
  • Firebase Analytics (usage analytics)
  • Firebase Crashlytics (crash reporting)
  • Firebase App Check (security verification)
• Data Collected: User data, location data, usage data, crash reports, device information, IP address (for security and approximate geolocation; not used for tracking or advertising)
• Data Location: All data stored in EU region (europe-west1, Belgium)
• Data transfers: Firebase Analytics and Crashlytics data may be processed by Google outside the EU. Where such transfers occur, we rely on appropriate safeguards (e.g. Standard Contractual Clauses) as set out in Google Cloud/Firebase terms and privacy documentation.
• Privacy Policy: firebase.google.com/support/privacy
• Data Processing Agreement: Automatically incorporated via Google Cloud Terms of Service (GDPR compliant)

9.2 Apple Sign-In

• Purpose: User authentication
• Data Collected: Email, name (if you choose to share)
• Privacy Policy: apple.com/legal/privacy

9.3 Google Sign-In

• Purpose: User authentication (alternative to Apple Sign-In)
• Data Collected: Email address, name, profile picture (if you choose to share)
• Privacy Policy: policies.google.com/privacy

11. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal bases under GDPR:

• Consent (Article 6(1)(a) and Article 9(2)(a)):
  • Location tracking and precise location data
  • Device motion sensor data (accelerometer, gyroscope, magnetometer)
  • Behavioral analytics and usage pattern analysis
  • Automated decision-making for anti-spoofing (Article 22)

  You provide explicit consent for these activities through the GDPR consent screen when you first use the app. You can withdraw this consent at any time in Settings > Account Management > Privacy & Consent.

• Contract Performance (Article 6(1)(b)):
  • Trophy validation and visit detection
  • Core game features and functionality
  • User account management and authentication
  • Snapventure photo storage and sharing
  • Leaderboard and statistics display

  This processing is necessary to provide the services you have requested when using the app.

• Legitimate Interest (Article 6(1)(f)):
  • Anti-spoofing and fraud prevention to maintain fair gameplay
  • Security measures and device integrity verification
  • Crash reporting and error diagnostics: To improve app stability and fix bugs. We rely on legitimate interest because this processing is necessary for the stability and security of the app for all users. Balancing of interests: Our interest (reliable app, quick bug fixes) is balanced against your privacy by (1) not including your name, email, or other directly identifying data in crash reports, (2) limiting data to what is needed for diagnosis (e.g. app version, device model, error type), and (3) retaining crash data for 90 days only. Right to object (GDPR Article 21): You may object to this processing at any time by contacting us at support@getstryked.com or via Settings > About > Contact Support; we will consider your request and, where required by law, restrict processing.
  • Aggregated visit-speed statistics: For partner locations, we only store visit-speed in aggregated, anonymous form (time buckets per partner and trophy per day, such as 0–3 minutes, 3–8 minutes, 8–15 minutes, 15–30 minutes, 30+ minutes), without any user identifiers or exact timestamps. These statistics are intended to help partners understand general visitor flows and cannot be traced back to individual users.
  • Preventing abuse and protecting user data

  These activities are necessary to protect the integrity of the game and the interests of all users.

• Legal Obligation (Article 6(1)(c)):
  • Retaining purchase records as required by tax and accounting laws (typically 7 years)
  • Compliance with data protection regulations
  • Responding to legal requests or court orders

Special Category Data: Location data may be considered special category data under GDPR Article 9. We process this data based on your explicit consent (Article 9(2)(a)) which you provide through the GDPR consent screen.

© 2025 Stryked. All rights reserved.
This privacy policy is effective as of December 8, 2025.