Privacy Policy

1. Introduction

Tuxxin ("we", "us", "our") operates Empire War at empirewar.co. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the UK-GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data Controller

Tuxxin is the data controller for the personal data processed through the Game. Contact: [email protected]

3. Data We Collect

Data Type	Purpose	Legal Basis	Retention
Email address	Account creation, authentication, communication	Contract performance	Until account deletion + 30 days
Username	Public display, gameplay identification	Contract performance	Until account deletion
Password (hashed)	Authentication	Contract performance	Until account deletion
IP address	Security, anti-bot, rate limiting	Legitimate interest	7 days (action logs), 30 days (account)
Game activity data	Gameplay mechanics, anti-bot detection	Contract performance / Legitimate interest	Action logs: 7 days. Game state: until account deletion.
Browser/device info	Push notifications, session management	Consent (push) / Legitimate interest (sessions)	Until token refresh or account deletion
Analytics data	Usage statistics, improvement	Consent (cookie banner)	Per Google Analytics retention settings

4. Cookies and Tracking

We use the following types of cookies:

Essential cookies (always active): Session authentication, CSRF protection. These are required for the Game to function and cannot be disabled.
Analytics cookies (opt-in): Google Analytics 4 for aggregated usage statistics. You can opt out via the cookie consent banner or your browser settings.
Advertising cookies (opt-in): Google AdSense for ad personalization. You can opt out via the cookie consent banner.

You can manage your cookie preferences at any time via the cookie consent banner (clear localStorage key cookie_consent to reset).

5. How We Use Your Data

Providing and maintaining the Game service
Authenticating your identity and securing your account
Detecting and preventing cheating, botting, and abuse
Displaying leaderboards and public player profiles
Sending push notifications (with your consent)
Displaying relevant advertisements
Improving game balance and user experience

6. Data Sharing

We share data with the following third parties:

Google (Analytics & AdSense): Anonymized usage data and ad serving. Google Privacy Policy
Amazon (Associates): Click tracking for affiliate links. Amazon Privacy Notice
Cloudflare: DDoS protection, CDN. Processes IP addresses. Cloudflare Privacy Policy

We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.

7. Data Retention

Action logs (IP, timestamps): Automatically purged after 7 days
Notifications: Automatically purged after 30 days
Sessions: Purged on expiry or logout
Account data: Retained until you request deletion, then permanently deleted within 30 days
Anonymized aggregate data: May be retained indefinitely for game balance analysis

In accordance with UK GDPR Article 5(1)(e) and the ICO's guidance on data retention, we do not retain personal data longer than necessary for the purposes for which it was collected.

8. International Data Transfers

Your data is processed on servers located in the European Union (OVH, France). For users outside the EU, by using the Game you consent to the transfer of your data to EU-based servers. We ensure appropriate safeguards are in place for any data transferred outside the UK/EEA, including Standard Contractual Clauses where required.

9. Your Rights

Under GDPR, UK-GDPR, and applicable data protection laws, you have the right to:

Access: Request a copy of your personal data
Rectification: Correct inaccurate personal data
Erasure: Request deletion of your personal data ("right to be forgotten")
Restriction: Restrict processing of your data
Portability: Receive your data in a structured, machine-readable format
Object: Object to processing based on legitimate interest
Withdraw consent: Withdraw consent for analytics/advertising cookies at any time

To exercise any of these rights, contact: [email protected]. We will respond within 30 days (or one calendar month for UK/EU requests as required by law).

10. Children's Privacy

The Game is not intended for children under 13 (or 16 in the UK/EEA). We do not knowingly collect personal data from children below these ages. If you believe we have collected data from a child, contact us immediately and we will delete it.

11. Security

We implement appropriate technical and organizational measures to protect your data, including:

Password hashing using bcrypt
HTTPS encryption for all communications
CSRF protection on all forms
XSS output sanitization
Prepared SQL statements (injection prevention)
Rate limiting and anti-bot detection
Cloudflare DDoS protection

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR Article 33 and UK GDPR) and affected users without undue delay where the breach poses a high risk.

13. Supervisory Authority

UK users: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

EU users: You may lodge a complaint with your local data protection authority.

14. California Residents (CCPA)

California residents have additional rights under the CCPA, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact: [email protected].

15. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via in-game notification and updated date at the top of this page.

16. Contact

For privacy inquiries: [email protected]

For general inquiries: [email protected]