Privacy Policy for Stryked

Last Updated: June 7, 2026 (Policy version 2.4)

Aligned with in-app privacy choices: required service processing (location, account security) vs optional behavioral analytics consent

Your Privacy Matters: Stryked ("we", "our", or "the app") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how you can control your information. For how we use platform technology (location, maps, and interactions), see our Technology & Platform Use page.

1. Information We Collect

1.1 Location Data

We collect and process your precise location data to enable the core functionality of Stryked.

What location data we collect:

GPS coordinates (latitude and longitude)
Altitude, speed, and direction of travel
Location accuracy and timestamp
Device motion data (accelerometer, gyroscope, magnetometer) for anti-spoofing

When we collect location data:

Continuously while the app is open
Periodically in the background (every 30 minutes when you enable background location services) to detect nearby trophies and validate visits
When you are near a trophy location (within 1000 meters)
When you visit a trophy (within 50 meters)

Why we collect location data:

Essential: To detect nearby trophies and validate your visits
Analytics (optional): To understand how users discover and interact with trophies (only if you grant Behavioral Analysis consent)
Anti-Fraud: To prevent location spoofing and ensure fair gameplay

1.2 Photos and Media

We collect photos you upload as part of the Snapventure feature.

Photos you capture or select for Snapventures
We do not intentionally collect embedded photo metadata (EXIF). Images are processed and re-encoded during upload.
Photo thumbnails for display purposes

Snapventure location: We do not store your personal GPS coordinates with Snapventures. Photos are linked to the trophy you selected (the trophy's location is already public game data). EXIF/GPS metadata is stripped from images before upload.

These photos can be shared with other users as part of the social features of the app. You can control the visibility of each snapventure individually - you can make them public (visible to all users) or private (visible only to you). You can change the privacy setting of any snapventure at any time after uploading.

1.3 User Profile Data

User ID (automatically generated by Firebase)
Username and display name you choose
Email address (when provided during sign-in)
Profile picture (optional)
Game statistics (points, trophies visited, achievements)

1.3.1 Demographic Profile

When you activate free trophy categories, we ask you to complete a short demographic profile:

Age range (e.g. 18–24, 25–34)
Gender (self-reported options you select in the app)
Family situation (e.g. lives alone, with partner, with family/roommates)

This information is stored in your user profile and linked to your account. We use it to understand our community in aggregate and to improve trophy recommendations. Partner-facing statistics use only k-anonymized, aggregated counts (see Section 1.5 and Section 11) — partners do not receive your individual demographic answers.

Why we collect this: Required to unlock free trophy categories (contract performance) and for aggregated product and partner insights (legitimate interest). We do not sell this data or use it for advertising.

Your choices: The form is required for free categories in production. You can update your answers when editing your profile. Deleting your account removes this data (see Section 5.5).

1.4 Purchase Information

In-app purchase history (subscription status, unlocked tiers)
Purchase dates and renewal status
Payment information is processed by Apple and is not accessible to us. We only process purchase-related data (product ID, subscription status, dates) to provide the service and to meet legal retention requirements; we never receive or store payment card or other payment details.

1.5 Device and Usage Data

We collect device and usage information for security, performance, and analytics purposes:

Biometric authentication (optional): If you use Face ID or Touch ID for sign-in, biometric data is processed only on your device (Apple Secure Enclave). We do not receive or store any biometric data on our servers. Legal basis: contract performance or consent.
Device information: Device type, model, iOS version, screen resolution (automatically collected by Firebase Analytics when behavioral analytics consent is granted)
App information: App version and build number (automatically collected by Firebase Analytics)
Security data: Device integrity status (to detect jailbroken devices for security), device attestation tokens (via Apple App Attest) for security verification
Usage patterns: App usage patterns and interaction data (only when behavioral analytics consent is granted; logged for product insight, aggregated for reporting)
Visit speed insights (aggregated): We may measure, in broad time ranges (for example 0–3 minutes, 3–8 minutes, 8–15 minutes, 15–30 minutes, 30+ minutes), how long it typically takes visitors to reach certain partner locations. These insights are stored only as aggregated counts per partner and trophy per day, without any user identifiers or exact timestamps, so they cannot be traced back to you as an individual.
Approximate location: City-level geolocation (automatically collected by Firebase Analytics, not precise GPS coordinates)
IP address: May be processed by Firebase (e.g., for security, fraud prevention, and city-level geolocation). We do not use IP addresses for tracking, profiling, or advertising.

Security Verification: We use Firebase App Check (Apple App Attest) to verify that requests come from legitimate, unmodified app installations. This helps prevent abuse and protects your data.

Note: Most device and usage data collection requires your consent for behavioral analytics. You can control this in Settings > Account Management > Privacy & Consent.

1.6 Crash and Error Data

When you opt in to Behavioral Analysis, we collect crash reports and error information via Firebase Crashlytics to improve app stability and fix bugs.

Crash reports and stack traces when the app encounters errors
Device information associated with crashes (model, OS version)
Custom context data to help diagnose issues
Error logs and diagnostic information

Why we collect this: To identify and fix bugs, improve app stability, and ensure a better user experience.

Legal basis: Consent (GDPR Article 6(1)(a)) via Behavioral Analysis. Crashlytics is off by default until you enable it in Settings > Account Management > Privacy & Consent. You can withdraw consent at any time.

Service Provider: Firebase Crashlytics (Google LLC). Data may be processed outside the EER under Firebase DPA and Standard Contractual Clauses.

1.7 Partner Rewards

When you participate in optional partner reward offers (vouchers, codes, or similar benefits at participating locations), we process:

Offer metadata: Gift title, description, partner name, unlock rules, and whether an offer is active (stored in our database; basic offer listings may be visible before sign-in)
Unlock and redemption status: Whether you have unlocked or redeemed a specific offer, timestamps, and your user ID in server-side records used to prevent duplicate redemption and fraud
QR redemption payloads: Short-lived, cryptographically signed codes generated when you choose to redeem; validated when scanned by an authorised partner
Gameplay linkage: We use your existing trophy visit history (already stored for core gameplay) to determine eligibility. We do not collect additional precise GPS coordinates solely for Partner Rewards beyond what is already processed for trophy validation

What partners receive: Partners fulfil rewards themselves. When a partner scans your QR code, they receive only the information needed to verify redemption through our systems. We do not sell your profile or share your email with partners for marketing through the redemption flow unless you contact them separately.

Legal basis: Contract performance (Article 6(1)(b)) — processing necessary to operate the reward unlock and redemption feature you use. See also our Terms of Service (Section 8) for your contractual rights and limitations regarding partner fulfilment, expiry, and third-party liability.

2. How We Use Your Information

2.1 Core Game Functionality

Detect nearby trophies based on your location
Validate trophy visits to award points and achievements
Display your progress and statistics
Enable Snapventure social features
Determine eligibility for and validate redemption of optional Partner Rewards (see Section 1.7)

2.2 Anti-Spoofing and Security

We use behavioral analysis and automated systems to maintain game integrity:

Movement Pattern Analysis: We analyze your movement patterns, travel speed, and location history to detect location spoofing and ensure fair gameplay for all users. This includes analyzing GPS coordinates, speed, direction, and device motion sensor data (accelerometer, gyroscope, magnetometer). In some cases we also compare the distance and time between your last trophies using static trophy locations (not your personal GPS history) to detect clearly impossible “teleport” movements.
Device Integrity Verification: We verify device integrity to detect jailbroken devices and prevent cheating. This includes checking device attestation tokens via Apple App Attest.
Automated Security Measures: Our system may automatically apply temporary bans (typically 24 hours) when suspicious activity is detected. These automated decisions are based on analysis of movement patterns, trust scores, and violation history.
Trust Score Calculation: We maintain a trust score for each user based on validation results from location checks. This score helps identify patterns of suspicious behavior over time.
Fair Gameplay: All security measures are designed to maintain fair gameplay and prevent cheating that would negatively impact other users' experience.

2.3 Service Improvement

Analyze usage patterns to improve app features
Optimize performance and fix bugs
Develop new features based on user behavior

Usage and Product Insight:

When you use the app—for example, when you activate a challenge or redeem a trophy—we log these actions for product and usage insight. These are core app actions, not separate tracking. We use a technical user ID (the same identifier needed for the app to function) to link events to a session. We do not store personally identifiable information (name, email, phone number) in this data and do not use it for advertising.

Automatically collected data (Firebase Analytics):

Device information (device type, model, iOS version)
App version and build number
Approximate geolocation (city-level, not precise GPS coordinates)
Screen resolution and device capabilities

Account lifecycle: Sign-in and sign-out events are logged for account management and security. These are functional logs, not usage analytics.

Note: This data collection respects your GDPR consent preferences. You can opt out in Settings > Account Management > Privacy & Consent.

3. Data Storage and Security

3.1 Where We Store Your Data

Firebase/Google Cloud: User profiles, trophy visit history, trust score validation logs, photos, and game data
On Your Device: Temporary location data, app preferences, cached content
Apple Servers: Purchase and subscription information (managed by Apple)

Data Storage Location: Your app data is stored on servers in the European Union (Belgium, europe-west1 region). We use Google Cloud Platform's EU data centers for our Firebase services. We do not transfer your data outside the EU.

3.2 How Long We Retain Your Data

Location data: Processed in real-time on your device for trophy validation and anti-spoofing. Raw GPS coordinates are not sent to our servers. We store validation outcomes (e.g., trust score logs with 49-hour TTL) and, for teleport detection, derived metrics based on static trophy locations and visit timestamps (no raw GPS history). Snapventures do not store your personal GPS (see Section 1.2).
Trust score and teleport validation logs: Retained for a limited period (typically 49 hours or as specified in the in-app GDPR export), then automatically deleted. These logs contain validation results and ban decisions (not raw GPS coordinates) for anti-spoofing purposes.
Trophy visit history: Retained for the lifetime of your account
User profile: Until you delete your account
Snapventure photos: Until you delete them or your account. You can also hide individual snapventures at any time, which will make them private and invisible to other users, but they will remain stored until you delete them or your account.
Purchase history: Retained as required by law (typically 7 years for tax purposes)
Partner reward records: Unlock and redemption records (including user ID, partner name, gift ID, and timestamps) are retained while your account is active and as needed for fraud prevention, partner reporting, and dispute resolution. They are deleted when you delete your account, except where retention is required by law or where anonymised aggregate statistics remain
Analytics data: User data retained for 14 months, event data retained for 2 months (Firebase Analytics default), then automatically anonymized
Crash reports: Retained for 90 days, then automatically deleted
Device information: Retained while your account is active, deleted upon account deletion
Backups: After your account and data are deleted, backup copies held by our service providers (e.g. Google/Firebase) are purged within 30 days, in line with our agreements with them.
Ban records:
- Temporary bans: 24 hours after ban expires
- Permanent bans: Retained indefinitely for security purposes
- Appeal status (in-app): Stored with your ban record and removed when the underlying ban record is deleted (temporary bans) or when the ban record is removed as part of account deletion.
- Appeal communications (email): We may retain appeal emails and related support communications as needed to respond to your request and for compliance/security record-keeping.

3.3 Security Measures

Data encryption in transit (HTTPS/TLS)
Firebase authentication and security rules
Regular security audits
Access controls and monitoring

4. Data Sharing and Disclosure

4.1 With Other Users

Your chosen display name (alias), profile picture, and public statistics are visible to other users. You can change your alias anytime.
Snapventure photos and captions you choose to make public are visible to all users. You can set any snapventure to private at any time; private snapventures are only visible to you.
Leaderboard rankings and achievements are publicly visible
Reporting content: You can report Snapventures or other user content you believe is illegal, inappropriate, or infringes rights via the in-app report option or by emailing support@getstryked.com. See our Terms of Service (Section 6.3) for how we handle reports under the EU Digital Services Act.

4.2 With Service Providers and Partners

Firebase/Google Cloud: For hosting, database, authentication, and analytics
Apple: For in-app purchases and App Store services
Participating partners (Partner Rewards only): When you redeem an offer, the partner receives verification data through our redemption systems so they can honour the reward. Partners do not receive ongoing access to your full profile or location history through this feature. Partner-facing visit statistics are aggregated and pseudonymous (see Section 1.5 and Section 11)

4.3 Legal Requirements

We may disclose your information if required by law or to:

Comply with legal processes or government requests
Enforce our Terms of Service
Protect the rights, property, or safety of our users or others
Prevent fraud or security issues

4.4 We Do NOT:

Sell your personal data to third parties
Share your data for advertising purposes
Use your data for cross-app tracking
Use App Tracking Transparency (ATT) — we do not track you across apps or websites for advertising or other purposes

Tracking and identifiers: We do not use Apple’s App Tracking Transparency (ATT) or the Identifier for Advertisers (IDFA). We do not track you across apps or websites for advertising or profiling, so we do not request ATT permission. Any analytics we use are limited to our app and are described in this policy.

5. Your Rights and Choices

5.1 Location Services

Disable location tracking: Go to iPhone Settings > Stryked > Location
Note: Disabling location will prevent trophy discovery and visit validation

5.2 Account Management

Update profile: Edit your username, display name, and profile picture in Settings
Control Snapventure visibility: Make individual snapventures public or private at any time
Delete or hide Snapventures: Remove your uploaded photos anytime, or hide a snapventure without deleting it
Manage subscriptions: Go to iPhone Settings > Your Name > Subscriptions

5.3 Privacy Choices in the App

Your privacy choices are stored on your device (not per account). If someone else signs in on the same iPhone, they inherit the device's analytics preference until they change it in Settings > Account Management > Privacy & Consent.

Required for the game (information only — no withdrawable toggle while you use the app):

Location: On-device processing to detect trophies and validate visits (contract / legitimate interest)
Account Security & Fair Play: Automated anti-cheat may temporarily restrict accounts; you can appeal for human review within 24 hours (contract / fraud prevention, GDPR Article 22(2)(a))

Optional (you can withdraw anytime):

Behavioral Analysis: Firebase Analytics and Crashlytics for usage insights and crash reports (consent, Article 6(1)(a))

5.4 GDPR Rights (EU Users)

If you are in the European Union, you have additional rights:

Right to Access: Request a copy of your personal data. You can export your data through the app's data export feature in Settings > Account Management > Export Data, or contact us directly.
Right to Rectification: Correct inaccurate personal data. You can update your profile information directly in the app (Settings > Edit Public Profile) or contact us for assistance.
Right to Erasure: Request deletion of your account and data. You can delete your account directly in the app (Settings > Account Management > Delete Account) or contact us for assistance.
Right to Data Portability: Receive your data in a machine-readable format (JSON). Use the data export feature in Settings > Account Management > Export Data to download your complete data.
Right to Object: Object to automated decision-making (including anti-spoofing bans). You can appeal any automated ban decision through the in-app appeal system (see Section 6.2 for details).
Right to Withdraw Consent: You may withdraw Behavioral Analysis consent at any time in Settings > Account Management > Privacy & Consent. Location and account security are required to play and are not controlled by a consent toggle.
Right to Restrict Processing (GDPR Article 18): You may ask us to restrict how we use your data (e.g. only store it and not use it) in certain cases—for example when you contest the accuracy of the data, when the processing is unlawful but you prefer restriction over erasure, or when you have objected and we are assessing whether our grounds override yours. Contact us using the details in Section 10; we will respond within one month and, where applicable, restrict processing as required by law.
Right to Lodge a Complaint: If you are not satisfied with how we handle your data, you have the right to lodge a complaint with your local data protection authority.

5.5 Account Deletion

To delete your account and all associated data:

Go to Settings in the app
Select "Delete Account"
Confirm your decision

Upon deletion:

Your profile, trophy visit history, trust score validation logs, uploaded photos, and partner reward unlock/redemption records will be permanently deleted
Your username will become available for others to use
This action cannot be undone
Purchase records may be retained as required by law

6. Automated Decision-Making

6.1 Anti-Spoofing System

The app uses automated systems to detect location spoofing and cheating. This system:

Movement Pattern Analysis: Analyzes your movement patterns, travel speed, acceleration, and location history to identify impossible or suspicious travel patterns (e.g., teleporting between distant locations, traveling at impossible speeds).
Device Sensor Data: Uses device motion sensors (accelerometer, gyroscope, magnetometer) to verify that location changes correspond to actual device movement, helping detect location spoofing apps.
Trust Score System: Maintains a trust score based on validation results from location checks. Multiple failed validations or suspicious patterns lower your trust score.
Automated Bans: May automatically apply temporary bans (typically 24 hours) when the system detects violations such as location spoofing, impossible travel speeds, or repeated suspicious behavior patterns.
Decision Logic: Automated ban decisions are based on objective criteria including:
- Travel speed exceeding reasonable limits (e.g., >200 km/h over short distances)
- Impossible location changes (e.g., appearing in distant locations without travel time)
- Repeated validation failures in trust score checks
- Device integrity violations (jailbroken devices used for spoofing)
Transparency: When a ban is applied, you will see a plain-language explanation of the restriction, what it means for your account, and the duration. We do not show internal anti-cheat scores or detection logic in the app.

6.2 Your Right to Appeal Automated Decisions (GDPR Article 22)

Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing, including automated bans. You have the right to request human review of any automated decision that affects you.

If you believe you were incorrectly banned:

How to Submit an Appeal

In-App Appeal: Use the built-in ban appeal flow in the app. When you see a ban notification, tap "Appeal Ban" to submit your appeal directly within the app.

What Happens After You Submit an Appeal

Review Process: Our support team manually reviews your appeal by examining your account's trust score validation logs, trophy visit history, and the circumstances that led to the ban.
Response Time: We commit to reviewing and responding to all ban appeals within 24 hours of receipt.
Possible Outcomes:
- Ban Overturned: If the ban was incorrect, your account will be immediately restored and you can continue playing.
- Ban Upheld: If the ban was correct, we will explain the reason and provide information about when the ban will expire.
- Additional Review: In complex cases, we may request additional information or extend the review period (we will notify you if this happens).
Notification: You will receive an email response with the decision and any relevant details. Where supported, you may also see the current appeal status in-app.

Your Rights

In addition to the appeal process, you have the right to:

Request Human Review: You can request that any automated decision be reviewed by a human (GDPR Article 22(3))
Express Your Point of View: You can provide additional context or explanations in your appeal
Challenge the Decision: If you disagree with the appeal outcome, you can contact us again or lodge a complaint with your local data protection authority

Note: Automated bans are typically temporary (24 hours) and are designed to prevent cheating and maintain fair gameplay. Most bans are automatically lifted after the specified duration, but you can appeal at any time if you believe the ban was incorrect.

7. Children's Privacy

Stryked is not intended for anyone under the age of 16. In the European Economic Area (EEA), including the Netherlands, the minimum age is 16, in line with the GDPR age of digital consent for processing personal data (such as location data). We do not knowingly collect personal data from anyone under 16, including location data. If you are under 16, please do not use the app or create an account. If we become aware that we have collected data from someone under 16, we will delete it promptly. This aligns with our Terms of Service.

8. Changes to This Policy

We may update this privacy policy from time to time. When we do:

The "Last Updated" date at the top will be changed
Significant changes will be announced in the app
Continued use of the app constitutes acceptance of the updated policy

9. Third-Party Services

Our app uses the following third-party services:

9.1 Firebase (Google LLC)

Purpose: Authentication, database, hosting, analytics, crash reporting, security verification
Services Used:
- Firebase Authentication (user sign-in)
- Cloud Firestore (database)
- Firebase Storage (photo storage)
- Firebase Analytics (usage analytics)
- Firebase Crashlytics (crash reporting)
- Firebase App Check (security verification)
Data Collected: User data, location data, usage data, crash reports, device information, IP address (for security and approximate geolocation; not used for tracking or advertising)
Data Location: All data stored in EU region (europe-west1, Belgium)
Data transfers: Firebase Analytics and Crashlytics data may be processed by Google outside the EU. Where such transfers occur, we rely on appropriate safeguards (e.g. Standard Contractual Clauses) as set out in Google Cloud/Firebase terms and privacy documentation.
Privacy Policy: firebase.google.com/support/privacy
Data Processing Agreement: Automatically incorporated via Google Cloud Terms of Service (GDPR compliant)

9.2 Apple Sign-In

Purpose: User authentication
Data Collected: Email, name (if you choose to share)
Privacy Policy: apple.com/legal/privacy

9.3 Google Sign-In

Purpose: User authentication (alternative to Apple Sign-In)
Data Collected: Email address, name, profile picture (if you choose to share)
Privacy Policy: policies.google.com/privacy

9.4 Apple Maps (MapKit)

Purpose: Displaying maps, trophy locations, and location-based features in the App
Data Collected: Map interactions may be processed by Apple according to their policies; we do not receive your Apple ID through MapKit for map display
Terms: Apple Maps Terms of Service
Privacy Policy: apple.com/legal/privacy

10. Contact Us

If you have questions, concerns, or requests regarding this privacy policy or your personal data (including exercising your GDPR rights—access, rectification, erasure, restriction, portability, objection, or withdrawal of consent), please contact us:

Email: support@getstryked.com
In-App: Settings > About > Contact Support

Response Time: We aim to respond to all privacy inquiries within 48 hours.

Data Protection: We have not designated a Data Protection Officer. For all privacy and data protection requests, please use the contact details above.

Data breach notification: In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Article 33) and will inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34). For questions about our incident process, contact support@getstryked.com.

For EU Users – Complaints:

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

11. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal bases under GDPR:

Consent (Article 6(1)(a)):
- Behavioral Analysis only: Firebase Analytics and Crashlytics (usage insights and crash reports)
Behavioral Analysis is off by default. You can enable or withdraw this consent in Settings > Account Management > Privacy & Consent. Location and account security are not withdrawable optional consent.
Contract Performance (Article 6(1)(b)):
- On-device location processing for trophy validation and visit detection
- Core game features and functionality
- User account management and authentication
- Demographic profile (age range, gender, family situation) required to activate free trophy categories (Section 1.3.1)
- Snapventure photo storage and sharing
- Leaderboard and statistics display
- Partner reward unlock and redemption verification (Section 1.7)
- Automated anti-cheat restrictions where necessary for fraud prevention (GDPR Article 22(2)(a)), with human appeal
This processing is necessary to provide the services you have requested when using the app.
Legitimate Interest (Article 6(1)(f)):
- Anti-spoofing and fraud prevention to maintain fair gameplay
- Security measures and device integrity verification
- Anti-spoofing analysis: Trust score logging (49-hour TTL), device integrity checks, and teleport detection using static trophy locations (not your raw GPS history)
- Aggregated visit-speed statistics: For partner locations, we only store visit-speed in aggregated, anonymous form (time buckets per partner and trophy per day, such as 0–3 minutes, 3–8 minutes, 8–15 minutes, 15–30 minutes, 30+ minutes), without any user identifiers or exact timestamps. These statistics are intended to help partners understand general visitor flows and cannot be traced back to individual users.
- Preventing abuse and protecting user data
These activities are necessary to protect the integrity of the game and the interests of all users.
Legal Obligation (Article 6(1)(c)):
- Retaining purchase records as required by tax and accounting laws (typically 7 years)
- Compliance with data protection regulations
- Responding to legal requests or court orders

Special Category Data: Precise location is processed on-device for core gameplay under contract (Article 6(1)(b)) and, where applicable, legitimate interest for fraud prevention (Article 6(1)(f)). Optional analytics uses separate consent (Article 6(1)(a)).