Privacy Policy
Last updated: February 2026
1. Information We Collect
Account information: Email address, username, and password (hashed — we never store plain text passwords).
Activity data: Training history, candy balances, faction choice, raid results, raffle entries, referral activity, and leaderboard stats.
Location data: GPS coordinates only when you use the QR check-in feature at partner stores. This is used solely to verify you are physically at the store. We do not track your location otherwise.
Technical data: IP address, browser type, and device information for security and rate limiting purposes.
2. How We Use Your Information
- To provide and operate the GCEA platform
- To verify your identity and prevent fraud
- To send account-related emails (verification, password reset, raffle wins)
- To enforce our Terms of Service
- To improve the Service based on usage patterns
- To deliver prizes to raffle winners
3. Information We Do NOT Collect
- We do not sell your personal data to third parties
- We do not use your data for targeted advertising
- We do not track your location outside of explicit QR check-in actions
- We do not store payment information (there are no paid features)
4. Data Sharing
We do not share your personal information with third parties except:
- Email delivery: We use Resend to send transactional emails (verification, password reset)
- Legal obligations: If required by law or legal process
- Prize fulfillment: Shipping address provided by raffle winners is used solely for delivery
5. Data Security
We take reasonable measures to protect your data:
- Passwords are hashed with bcrypt (12 rounds)
- All connections use HTTPS/TLS encryption
- JWT tokens expire after 24 hours
- Rate limiting protects against brute-force attacks
- Admin actions are logged for audit purposes
6. Cookies & Local Storage
We use browser local storage to keep you logged in (JWT tokens). We do not use third-party tracking cookies or analytics services.
7. Your Rights
You have the right to:
- Access your personal data through your profile page
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Opt out of non-essential emails
8. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect information from children under 13. If you believe a child has created an account, please contact us.
9. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days. Anonymized, aggregated data may be retained for analytics purposes.
10. Changes to This Policy
We may update this Privacy Policy at any time. Significant changes will be communicated via email or in-app notification. Continued use of the Service constitutes acceptance.
11. Contact
For privacy-related questions or requests, email us at support@gcea.app.