Privacy Policy

1. Introduction

This Privacy Policy describes how PrizeTrail ("we," "our," or "us") collects, uses, and protects your information when you use our mobile application and related services (collectively, the "Service").

By using PrizeTrail, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Personal Information

• Account Information: Display name, date of birth, email address, password, and account credentials
• Profile Data: Step goals, notification preferences, profile privacy settings (public/private), selected avatar, distance unit preference (miles/kilometers), and app settings
• Authentication Data: Encrypted login credentials, session tokens, and email verification status
• Health Data: Step count
• Payout Information: If you are a premium subscriber requesting cash rewards, we collect your PayPal email address or Cash App handle (cashtag) for the purpose of processing payouts. This information is stored securely and used solely for reward fulfillment.

2.2 Health and Fitness Data

• Step Count: Daily, weekly, and monthly step measurements from HealthKit and device motion sensors
• Step History: Historical step data for analytics, personal records, and Shadow Runner pace personalization
• Personal Best: Your highest recorded daily step count
• Activity Data: Walking distance, step goals, and achievement progress
• Usage Patterns: App interaction data, feature usage, and session duration

2.3 Rewards and Game Data

• Points and Credits: Earned step points, bonus points, and credit balances. Points and credits refer to the PrizeTrail in-game currencies only.
• Challenge Progress: Completed challenges, streaks, and achievement status
• Daily Streak Data: Consecutive days of meeting step goals and streak milestones
• Quest Progress: Active and completed quests, milestone achievements, and quest rewards
• Spin Activity: Wheel spin history, reward claims, and spin protection recovery data
• Subscription Status: Premium membership status, subscription type, and billing information
• Level and XP Data: Current user level, total XP, and XP breakdown by source (steps, spins, challenges, tournaments, quests, friend races, streaks, achievements)
• Badge Data: Earned badges, badge types, rarity, and the source and date of each badge earned
• Booster Data: Active booster type, activation time, expiration time, and multiplier values
• In-App Purchase History: Step point package purchases, booster purchases, and transaction records
• Order History: Gift card and cash reward purchase records, order status, and fulfillment details

2.4 Competitive and Social Data

• Tournament Data: Tournament participation, entry fees, rankings, results, wins, and prize earnings
• Tournament Statistics: Total tournaments entered, wins, second place finishes, third place finishes, and step points earned from tournaments
• Friend Race Data: Race creation, participation, wager amounts, race duration, step counts during races, race results, and prize pool distribution
• Friend Race Statistics: Total races, wins, losses, step points wagered, and step points won
• Shadow Runner Data: Race difficulty, duration, your step count, opponent step count, race outcomes, and cumulative race statistics (total races, wins, losses)
• Friends Data: Friend list, friend request history, friend codes, blocked users, and friendship timestamps
• Activity Feed Data: Activity events posted to the social feed (step milestones, challenge completions, quest progress, tournament wins, badge earnings, streak milestones, gift card redemptions, race wins)
• Referral Data: Referral code, referral history, reward amounts, and referral status
• Leaderboard Data: Your display name, avatar, scores, and rankings on various leaderboards (daily steps, monthly steps, tournament wins, friends leaderboard)
• Profile Information: Public profile data including display name, avatar, level, achievements, and statistics that you choose to share
• Privacy Settings: Your preferences for profile visibility (public or private)

2.5 Technical Information

• Device Information: Device type, operating system version, unique identifiers, and device model
• App Analytics: Crash reports, performance data, feature usage, and screen view tracking
• Network Information: IP address, connection type, and connectivity status
• Push Notification Token: Firebase Cloud Messaging (FCM) token for delivering push notifications
• Remote Configuration: Feature flags and configuration values fetched from Firebase Remote Config to customize your app experience

2.6 Camera Data

• QR Code Scanning: When you use the QR code scanner to add friends, the app accesses your device camera temporarily to read QR codes. No images or video are stored, recorded, or transmitted. Camera data is processed locally on your device in real-time and discarded immediately after scanning.

3. How We Use Your Information

3.1 Core App Functionality

• Track and display your step count and activity data
• Calculate and award step points based on your activity
• Manage your credit balance and reward redemptions
• Process prize wheel spins and outcomes through secure server-side validation
• Process gift card orders and cash reward payouts

3.2 Challenges, Levels, and Progress

• Track daily, weekly, and monthly challenge completion
• Manage daily streaks and milestone achievements
• Update quest progress, unlock rewards, and award badges at quest checkpoints
• Calculate and display XP earnings and user level progression
• Track badge collection and display earned badges on your profile
• Display personal statistics and records

3.3 Tournaments and Competition

• Manage tournament entry, participation, and rankings
• Calculate and distribute tournament prizes
• Display tournament standings and leaderboards
• Track tournament history and statistics
• Populate tournaments with AI bot participants when needed for competitive gameplay

3.4 Friend Races

• Create, join, and manage friend race competitions
• Synchronize real-time step data between race participants
• Process wagers, calculate prize pools, and distribute winnings
• Track friend race history and statistics

3.5 Shadow Runner

• Calculate personalized Shadow Runner opponent pace based on your step history
• Track race progress and real-time step data during Shadow Runner races
• Record and display Shadow Runner race statistics

3.6 Social Features

• Manage friend requests, friend codes, and friend connections
• Display your rankings on global, category-specific, and friends-only leaderboards
• Show public profile information to other users and friends (based on your privacy settings)
• Post and display activity events on the social activity feed visible to friends
• Enable QR code scanning for adding friends
• Process block and unblock actions between users
• Enable competitive features and social comparisons

3.7 Referral Program

• Generate and manage unique referral codes
• Track referral usage and distribute rewards to both referrer and new user
• Enforce referral caps and prevent referral abuse

3.8 Personalization

• Customize step goals, avatar selection, and app preferences
• Provide personalized challenge recommendations
• Display relevant achievements and milestones
• Adjust distance displays based on your unit preference (miles or kilometers)

3.9 Communication

• Send push notifications about challenge progress, achievements, and streak reminders
• Alert you to tournament updates, results, and friend race invitations
• Notify you of friend requests, friend race starts, and order completions
• Provide important account and security information
• Share updates about app features and policies (with consent)
• Display in-app banners and splash screen messages for announcements

3.10 Promotions and Boosters

• Administer periodic promotions offering increased step point earning rates
• Apply promotional multipliers to eligible step point earnings
• Communicate promotional opportunities through in-app announcements
• Manage timed booster activations and apply booster multipliers to rewards

3.11 Fraud Prevention and Security

• Analyze step data patterns using server-side fraud detection to identify manipulation, including velocity analysis, dormant account spikes, and composite scoring
• Verify premium subscription status server-side for sensitive operations
• Validate spin wheel outcomes, gift card purchases, and reward redemptions through Cloud Functions
• Rate-limit sensitive operations to prevent abuse
• Store security-critical data (premium status, spin counts, timestamps) in encrypted device Keychain storage to prevent local tampering

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

4.2 Information Visible to Other Users

Depending on your privacy settings, certain information may be visible to other PrizeTrail users:

• Always Visible: Your display name, avatar, and scores on leaderboards when you participate
• Public Profiles: If your profile is set to public, other users may view your level, achievements, badges, tournament statistics, and activity data
• Private Profiles: If your profile is set to private, only your display name, avatar, and leaderboard scores are visible to other users
• Tournament Participation: Your display name, avatar, and step count are visible to other tournament participants during active tournaments
• Friend Races: Your display name, avatar, and real-time step count are visible to other friend race participants during active races
• Friends: Your friends can view your activity feed events, your ranking on the friends leaderboard, and your profile information (subject to your privacy settings)
• Friend Codes: Your friend code, when shared, allows others to send you a friend request

4.3 Service Providers

We may share data with trusted third-party service providers who assist us in operating the app:

• Cloud Infrastructure: Firebase (Google) for data storage, authentication, real-time synchronization, Cloud Functions for server-side processing, Remote Config for dynamic settings, Cloud Messaging for push notifications, and analytics
• Subscription Management: RevenueCat for cross-platform subscription verification, entitlement management, and purchase processing
• Payment Processing: Apple App Store and Google Play Store for subscription billing, in-app purchase processing, and payment verification
• Advertising: Google AdMob (primary) and Unity Ads (fallback) to display ads to free users. These services may collect device identifiers, ad interaction data, and usage information for ad personalization and measurement. Premium users are ad-free and no ad-related data is shared for them.
• Analytics: Firebase Analytics for aggregated usage data, screen view tracking, and app improvement
• Customer Support: Support ticket management and communication

4.4 Legal Requirements

We may disclose your information if required by law, legal process, or to:

• Comply with court orders, subpoenas, or regulatory requests
• Protect our rights, property, or safety
• Investigate potential violations of our Terms of Service
• Prevent fraud or illegal activities

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction. We will notify users of any such change in ownership.

5. Data Security

5.1 Security Measures

We implement industry-standard security measures to protect your information:

• Encryption: Data is encrypted in transit and at rest
• Access Controls: Limited access to personal data on a need-to-know basis
• Authentication: Secure login systems and session management with Firebase Authentication
• Regular Updates: Security patches and system updates
• Server-Side Validation: Critical operations (spins, purchases, prize distribution) are validated by Cloud Functions to prevent client-side manipulation
• Keychain Storage: Sensitive data such as premium status, spin counts, and security timestamps are stored in encrypted iOS Keychain rather than standard storage to prevent tampering
• Fraud Detection: Multi-tiered server-side fraud analysis including velocity checks, pattern detection, and composite scoring to protect the integrity of the reward system

5.2 Health Data Protection

Health and fitness data receives additional protection:

• HealthKit data remains on your device unless explicitly shared through app features
• Encrypted transmission of health data to our servers
• Step data used for fraud validation is processed server-side with strict access controls
• Compliance with applicable health data protection regulations
• HealthKit data is never used for advertising purposes or shared with ad networks

5.3 Payout Information Protection

If you provide payout information (PayPal email or Cash App handle) for cash rewards:

• This information is stored securely in our database with access restricted to authorized personnel
• Payout information is used solely for processing your cash reward requests
• You may update or remove your payout information at any time through app settings

6. Your Rights and Choices

6.1 Data Access and Control

• View Your Data: Access your personal information through app settings
• Update Information: Modify your profile, goals, avatar, payout details, and preferences
• Export Data: Request a copy of your personal data
• Delete Account: Permanently delete your account and associated data through the in-app account deletion feature or by contacting support

6.2 Profile Privacy Settings

• Public Profile: Choose to make your profile, level, badges, and statistics visible to other users
• Private Profile: Limit visibility so only your display name and avatar appear on leaderboards
• Change Settings: Update your privacy preferences at any time in app settings

6.3 Communication Preferences

• Push Notifications: Control notification types and frequency in app settings, including streak reminders, tournament alerts, friend race invitations, friend requests, and order updates
• Marketing Communications: Opt out of promotional emails and messages
• Data Processing: Withdraw consent for certain data processing activities

6.4 HealthKit Permissions

• Health Data Access: Manage HealthKit permissions through iOS Settings
• Data Sharing: Control what health data is shared with PrizeTrail
• Revoke Access: Remove PrizeTrail's access to HealthKit data at any time

6.5 Camera Permissions

• Camera Access: The QR code scanning feature requests camera access only when you choose to scan a friend code. You may deny or revoke camera permissions at any time through your device settings without affecting other app functionality.

6.6 Advertising Preferences

• Ad Personalization: You may limit ad tracking through your device settings (iOS: Settings > Privacy > Tracking)
• Ad-Free Option: Premium subscribers do not see any advertisements and no ad-related data is collected or shared for their accounts

6.7 Social Feature Controls

• Friend Management: Remove friends, block users, or unblock users at any time
• Activity Feed: Your activity events are posted based on your actions; you control your profile visibility through privacy settings
• Friend Code: You may regenerate your friend code at any time

7. Data Retention

7.1 Active Accounts

We retain your data while your account is active and as needed to provide services. Specific retention periods by data type:

• Step History: Retained for 1 year
• Spin History: Retained for 3 months
• Challenge History: Retained for 6 months
• Achievement History: Retained for 2 years
• Order History: Retained for 3 years (for financial and legal records)
• Analytics Data: Retained for 1 month
• Error Logs: Retained for 1 week
• Tournament History and Statistics: Retained while account is active
• Friend Race History and Statistics: Retained while account is active
• Shadow Runner Statistics: Retained while account is active
• Quest Completion Records: Retained while account is active
• Badge Collection: Retained while account is active
• Level, XP, and Streak Data: Retained while account is active
• Activity Feed Posts: Retained while account is active, subject to periodic cleanup

7.2 Account Deletion

When you delete your account:

• Personal data is permanently deleted within 30 days
• Leaderboard entries are removed
• Tournament history and statistics are deleted
• Friend connections, friend race history, and activity feed posts are removed
• Shadow Runner statistics are deleted
• Badges, XP, and level data are deleted
• Referral history is removed
• Payout information (PayPal email, Cash App handle) is deleted
• Some data may be retained for legal compliance, financial record-keeping, or fraud prevention as required by law
• Aggregated, anonymized data may be retained for research purposes

7.3 Inactive Accounts

Accounts inactive for 2+ years may be deleted after appropriate notice.

8. Children's Privacy

PrizeTrail is not intended for individuals under 18 years of age. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected such information, we will take steps to delete it promptly.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States where our cloud infrastructure providers operate. We ensure appropriate safeguards are in place to protect your data during international transfers.

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of significant changes through one or more of the following:

• In-app notifications
• Announcement banners within the app
• Email notifications (if you have provided an email address)
• Prominent notice on our website or app

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

11. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

• Email: support@prizetrail.app
• Website: www.prizetrail.app

For data protection inquiries, please include "Privacy" in your subject line.

12. Region-Specific Rights

12.1 California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect and how it is used, the right to delete personal information, and the right to opt-out of the sale of personal information. We do not sell personal information.

12.2 European Residents (GDPR)

European residents have rights under the General Data Protection Regulation, including the right to access, rectify, erase, restrict processing, data portability, and to object to processing of personal data.

To exercise these rights, please contact us using the information provided above.