Privacy Policy

Who we are

BitDuel is operated by Fintasys ("we", "us"), based in Japan. We are the data controller responsible for the personal information described below. You can reach us at support@fintasys.com for any privacy question, access request, or data-deletion request.

What we collect

When you use BitDuel we process the following categories of personal information:

• Account identifier — a Firebase-generated user ID. By default this is an anonymous ID; if you link a Google or Apple account, the identifier from that provider is also stored.
• Profile data you provide — display name, unique handle (e.g. name#1234), and an optional profile photo.
• Gameplay data — duels played, per-game scores, win/loss/draw outcomes, timestamps, and aggregated statistics.
• Social data — friends list, friend requests, duel invites, and chat messages exchanged with opponents inside an active duel.
• Push-notification tokens — a device-level Firebase Cloud Messaging token used to deliver your-turn / new-message notifications.
• Diagnostic data — crash reports (Crashlytics) and product-interaction events (Firebase Analytics, e.g. duel_started, duel_completed) used to detect bugs and understand which features are used.
• Service logs — IP address, user-agent, and timestamps captured by Google Cloud when your device communicates with our backend.
• Advertising data — when ads are shown (mobile only), Google AdMob processes a device advertising identifier, IP address, and ad-interaction events to serve and measure full-screen ads. See Advertising below.

What we don't collect

We don't collect your real name, email address, phone number, precise location, contacts, or device sensors. If you choose to link a Google or Apple account, the identity provider supplies its own identifier — we do not receive your password or any wider profile beyond what is needed to keep you signed in.

How we use it and our legal basis

• Performance of the service (legal basis: contract, APPI Art. 17 "use for purpose of utilization") — matchmaking, score tracking, friends, chat, account management.
• Security and abuse prevention (legitimate interest) — Firebase App Check device attestation, rate limiting, score-validation on the server, and abuse logging.
• Push notifications (consent given via the OS prompt) — letting you know it's your turn or a friend has messaged you. You can revoke this at any time in your device's notification settings.
• Diagnostics (legitimate interest, opt-out available in Settings) — Crashlytics and Firebase Analytics to find bugs and improve gameplay.
• Advertising (legitimate interest; consent where required) — showing full-screen ads via Google AdMob to support the free game. See Advertising below.

We do not sell your personal information and do not share it with data brokers.

Who we share with

• Google Firebase — our infrastructure provider. Firebase Authentication, Firestore, Cloud Functions, Cloud Storage, Cloud Messaging, Crashlytics, and Analytics all run on Google Cloud. Their handling is governed by the Google Cloud Data Processing Addendum.
• Other players — your public display name, handle, profile photo (if set), gameplay record, and chat messages you send inside an active duel are visible to your opponent.
• Google AdMob — our advertising provider on mobile. AdMob receives the data described under Advertising to serve and measure ads, governed by the Google Privacy & Terms.
• Legal authorities — only when compelled by a valid legal request applicable to Fintasys in Japan.

Advertising

To keep BitDuel free, the mobile apps show occasional full-screen (interstitial) ads through Google AdMob. To serve and measure these ads, AdMob may process a device advertising identifier, IP address, coarse device information, and your interactions with the ad. We do not give AdMob your display name, handle, email, or gameplay history.

Where required by law (for example, in the EEA, UK, and Switzerland), we limit AdMob to non-personalized ads unless you consent to personalized ads. You can reset or limit your advertising identifier at any time in your device settings (Settings → Privacy → Tracking / Ads on iOS, Settings → Google → Ads on Android). The web version of BitDuel does not show ads.

International transfers

Our backend runs on Google Cloud. Data may be processed in Google Cloud regions outside your home country, including the United States. Where these transfers leave the EEA, UK, or Switzerland, Google relies on Standard Contractual Clauses for the transfer; Fintasys relies on Google as the primary processor.

How long we keep it

We retain your account and gameplay history for as long as your account exists. When you delete your account in Settings → Delete account, we scrub your profile, handle, friends list, chat messages, and stats from our active database within a few minutes. Encrypted backups managed by Google Cloud may retain a copy for up to 30 days before they rotate out. Service logs (IP, timestamps) roll out of Google Cloud's standard log retention within 30 days.

Your rights

Subject to your local law, you have the right to:

• Access the personal information we hold about you;
• Correct or update inaccurate data (you can edit your display name in Settings);
• Delete your account and the data associated with it (Settings → Delete account, or by emailing support@fintasys.com);
• Withdraw consent for push notifications or diagnostics at any time (in-app Settings, OS notification settings);
• Receive a portable copy of your data (email us and we will send a JSON export of your profile and gameplay history);
• Lodge a complaint with your local supervisory authority (e.g. the Personal Information Protection Commission in Japan, or your national data-protection authority in the EEA/UK).

California residents (CCPA / CPRA)

We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. California residents have the rights described above (access, deletion, correction) and can exercise them by emailing support@fintasys.com. We will not discriminate against you for exercising these rights.

Children

BitDuel is not directed at children under 13 (or under 16 in EEA countries that apply the higher GDPR age of digital consent). We do not knowingly collect data from such children. If you believe a child has signed up, please email support@fintasys.com and we will delete the account.

Security

All traffic between your device and our backend is encrypted in transit (TLS). Firebase App Check attests that requests originate from a genuine BitDuel installation. Server-side rules and scheduled jobs block unauthorized reads, writes, and score-tampering attempts.

Changes

We may update this policy from time to time. Material changes will be announced in-app before they take effect. The "Last updated" date above always reflects the latest revision.

Contact

For privacy questions, data-access requests, or data-deletion requests, email support@fintasys.com. We aim to respond within 30 days.