Last updated: March 2026
Joseba Oses (hereinafter, "the Developer") is committed to protecting the privacy of Breach Arena users. This Privacy Policy describes how your data is collected, used, stored, and shared when using the application.
When creating a Breach Arena account, we collect the following data: • Player ID (auto-generated) — Unique account identifier • Friend code (6 characters) — Allows other players to add you • Username (chosen by you) — Public name on leaderboards and duels • Authentication method — Account type (guest, email, or Google) • Email — Only if you register with email or Google Sign-In • Password hash (bcrypt) — Email registration only, we never store plain text • Linked OAuth provider — Only if you link your Google account • Creation date and last login — Internal activity tracking
We store the following statistics on the server linked to your account: • ELO score and competitive rank • Level and experience points (XP) • Virtual currencies (Data and Credits) • Games played, wins, losses, and draws • Best score, total daemons completed, and All Clears • Total duels and current loss streak • Acquired and equipped cosmetic inventory
1v1 Duels: Matrix seed, difficulty, moves performed (cell coordinates), score, daemons completed, time spent, ELO change, and XP awarded. Retention: indefinite. Daily Challenge: Date, matrix index, score, daemons completed, time, and consecutive day streak. Retention: indefinite. Weekly Tournament: Score per matrix, day, and attempt number. Retention: 90 days after tournament ends (automatic deletion). Friendships: Linked player IDs, request status, and match history between friends.
• FCM Token (Firebase Cloud Messaging) — To send push notifications. Stored on the server. • Google Advertising ID (GAID) — Processed by Google AdMob to serve ads. Not stored by us. • Device model and OS version — Processed by Google AdMob. Not stored by us.
Breach Arena does not collect: • Location or geolocation • Phone contacts • Photos, files, or multimedia content • Biometric data • Browsing history • Health or financial data
The following data is saved on your device (localStorage) and is never sent to the server except through explicit API calls: • JWT session token — Deleted on logout • Player ID and auth method — Deleted on logout • Registered FCM token — Deleted on logout • Local statistics (matches, score) — Manual deletion • Daily challenge progress — Daily reset • Currency cache — Synced with server • Equipped cosmetics — Synced with server • Unlocked achievements — Manual deletion • Blitz attempts today — Daily reset • Ads watched counter today — Daily reset
Firebase Authentication (Google): For user authentication (anonymous registration and Google Sign-In). Shared with Google: email and profile (only if you link your account), identity token, IP address, and device type. Google AdMob: To display optional rewarded ads (rewarded video). Processes: advertising ID, device model, impressions, and interactions. Ads are always optional (maximum 8 per day with 5-minute cooldown). No banners are shown. Firebase Cloud Messaging (FCM): To send push notifications about game events: rival completed a duel, friend request, daily challenge available, streak at risk, rank up, and tournaments. Global opt-in/opt-out and 9 individual preferences. MongoDB Atlas: Game data storage (accounts, matches, rankings). Encrypted at rest (AES-256) and in transit (TLS).
Breach Arena does not use cookies. Authentication is handled via JWT tokens stored in localStorage.
• Player account and statistics — Service execution (necessary to play) • Email and password — Consent (voluntary registration) • Google Sign-In — Consent (voluntary linking) • Push notifications — Consent (explicit opt-in) • Personalized ads (AdMob) — Consent (GDPR) / Legitimate interest (outside EEA) • Anti-cheat (move validation) — Legitimate interest (game integrity) • Match data and rankings — Service execution
• Player account — Until you request deletion • Game statistics — While the account exists • Duel history — Indefinite • Daily results — Indefinite • Tournament records — 90 days after completion (automatic deletion) • FCM token — Until logout or deregistration • JWT token — 90 days (automatic expiration) • localStorage — Until you clear app data
You can exercise the following rights by contacting us via email: • Access — Request a copy of your data • Rectification — Edit username in the app; other data via email • Erasure — Request account and data deletion • Portability — Request data export in JSON format • Objection — Disable notifications in the app; disable personalized ads in Android settings • Restriction — Request via email Controls available in the app: • Username editable from profile • Notifications toggleable globally or by type • Google Sign-In linkable/unlinkable • Ads are always optional • Logging out deletes local tokens and deregisters push Response time: 30 calendar days.
• Encryption in transit — HTTPS (TLS) on all communications • Encryption at rest — AES-256 on MongoDB Atlas • Authentication — JWT signed with server secret • Passwords — Hashed with bcrypt (never plain text) • Anti-cheat — Server-side validation of moves and scores • Android permissions — Only INTERNET (no access to camera, contacts, location, etc.) • Session tokens — Expire after 90 days
Breach Arena is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If a parent or guardian becomes aware that a minor has provided personal data without consent, they can contact us to request its deletion. Content rating: PEGI 3 / Everyone (no violence or sensitive content, but minimum age of 13 is required due to data collection and advertising).
• MongoDB Atlas — Server cluster region • Firebase / Google Cloud — Google servers (may be located in the US or other regions) • Google AdMob — Google's global infrastructure Transfers to the US are covered under Google's EU-U.S. Data Privacy Framework (DPF).
We will notify material changes to this policy through: • Push notification in the app (if enabled) • Visible notice on the home screen • Updated last revision date on this page Continued use of the app after notification constitutes acceptance of the changes.
For any questions about privacy or data protection, write to: me@joseba.dev