Privacy Policy
StepWars ("we", "our", or "us") is a mobile fitness game that turns your real-world step count into live competitive battles. This Privacy Policy explains what information we collect when you use the StepWars app (iOS and Android), why we collect it, how it is used, and the choices you have.
By creating an account or using StepWars, you agree to the practices described in this policy. If you do not agree, please do not use the app.
01. Who We Are
StepWars is developed and operated by Niket Mishra, an individual developer based in India.
- Developer: Niket Mishra
- App name: StepWars
- Contact email: niket@stepwars.site
- Website: https://stepwars.site
- Country of operation: India
02. Data We Collect
We collect the minimum data necessary to operate the game. The table below details every category of data we process.
| Category | Specific data | Source |
|---|---|---|
| Account identity | Firebase UID, display name, chosen avatar, country (optional), in-game title | You provide it at sign-up |
| Authentication | Google account email and profile picture (used only for sign-in; not stored on our servers) | Google Sign-In |
| Health & fitness | Step count only (no other health metrics) | Apple HealthKit (iOS) / Android Health Connect |
| Game progression | XP, gems, coins, rating, win/loss record, rank tier, win streak, step sync history | Generated by gameplay |
| Social & clan data | Clan name, clan membership, friend list, in-game chat messages, challenge history | Your in-app actions |
| Battle data | Match results, steps recorded per battle, opponent UIDs, timestamps | Generated by gameplay |
| Push notifications | FCM device token (to send battle alerts, war updates, friend challenges) | Your device |
| Technical / logs | App crash reports, server error logs (no personal identifiers retained beyond 30 days) | Automated |
We do not collect: precise GPS location, contacts, photos, microphone input, browsing history, or any financial information.
03. Health & Fitness Data
We only read your step count. We do not access heart rate, sleep, nutrition, menstrual health, blood glucose, or any other health category. We never write health data back to HealthKit or Health Connect.
Step data is used solely to determine your score in active clan wars and 1v1 battles. Specifically:
- On iOS, we read step count via Apple HealthKit using the HKQuantityTypeIdentifierStepCount permission. Manually entered steps are excluded.
- On Android, we read step count via Android Health Connect using the android.permission.health.READ_STEPS permission. Manually entered records are identified and excluded.
- Step counts are transmitted to our backend servers over HTTPS to compute your battle and war scores.
- Aggregated step totals are stored in our database and displayed on your profile and leaderboards.
Health data is never used for advertising, sold to third parties, or shared with any party other than our backend servers for the sole purpose of running the game. This complies with Apple's HealthKit guidelines and Google's Health Connect data use policy.
You can revoke health permission at any time in your device settings (iOS: Settings → Privacy & Security → Health → StepWars; Android: Health Connect app → App permissions → StepWars). Revoking permission means steps will no longer sync but your account and game data remain intact.
04. How We Use Your Data
We use the data we collect exclusively to operate, improve, and protect StepWars:
- Run the game — authenticate you, sync steps, calculate battle scores, manage clan wars, distribute rewards (gems, XP, coins).
- Display leaderboards — show your rank relative to other players (global, friends, clan). Your display name and avatar are visible to other players; your email is never shown.
- Send push notifications — battle start/end alerts, 5-minute warnings, friend challenges, war results. You can disable these in your device notification settings at any time.
- Detect cheating — flag abnormally high step submissions (e.g., more than 12,000 steps per hour) to protect fair play. Flagged syncs are reviewed but do not penalise you unless a clear pattern of manipulation is found.
- Improve the app — aggregate, anonymised crash and performance data helps us fix bugs and optimise the experience.
- Comply with legal obligations — respond to lawful requests from courts or regulators as required by applicable law.
We do not use your data for advertising, profiling for marketing purposes, or any automated decision-making that produces legal or similarly significant effects on you.
05. Third-Party Services
StepWars uses the following third-party infrastructure. Each provider processes data only as necessary to deliver their service and is bound by their own privacy policy.
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Google Firebase Auth | Sign-in and identity management | Firebase UID, email (for auth only) | firebase.google.com |
| Firebase Realtime Database | Live step sync during active battles | Step counts, match state | firebase.google.com |
| Firebase Cloud Messaging | Push notifications | FCM device token | firebase.google.com |
| Google Sign-In | OAuth authentication | Google account email and name | policies.google.com |
| Supabase (PostgreSQL) | Primary game database (profiles, matches, clans, leaderboards) | All game data listed in Section 2 | supabase.com |
| Render | Backend API server hosting | Request logs (IP address, endpoint, timestamp) | render.com |
| Apple HealthKit | Read step count on iOS | Step count only | apple.com |
| Android Health Connect | Read step count on Android | Step count only | policies.google.com |
No advertising networks, analytics SDKs (e.g. Mixpanel, Amplitude), or social tracking pixels are included in StepWars.
06. Data Sharing & Selling
We do not sell, rent, or trade your personal data to any third party. Ever.
We share data only in the following limited circumstances:
- With other players (in-game): Your display name, avatar, country flag, rank, rating, and win/loss record are visible to other players on leaderboards, in clan war views, and on your public profile. Your email address is never shown.
- With infrastructure providers: As listed in Section 5, solely to operate the service.
- Legal requirements: If required by Indian law or a valid court order, we may disclose data to competent authorities. We will notify you unless legally prohibited from doing so.
- Business transfers: If StepWars is acquired or merged, your data may transfer to the new owner subject to the same privacy protections. We will notify you in advance.
07. Data Retention
We retain your data for as long as your account is active. Specific retention periods:
- Account and game data — kept for the lifetime of your account and deleted within 30 days of account deletion request.
- Step sync records — retained for 90 days to support anti-cheat auditing, then automatically deleted.
- Battle and war history — retained indefinitely for leaderboard and reward purposes, but anonymised after account deletion (your UID is replaced with a placeholder).
- In-game chat messages — retained for 30 days, then automatically purged.
- Server logs — retained for 30 days for debugging, then deleted.
- Push notification tokens — deleted immediately when you sign out or revoke notification permission.
08. Security
We implement industry-standard technical and organisational measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS).
- Database access is restricted to the backend API; no direct public access to Supabase.
- Firebase Security Rules restrict Realtime Database access to authenticated users and only to their own match data.
- Every API endpoint requires a valid Firebase ID token; unauthenticated requests are rejected.
- Step submissions include anomaly detection — values exceeding physiological thresholds are flagged and not credited.
- Environment secrets (database credentials, service account keys) are never stored in source code or version control.
No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it to niket@stepwars.site and we will respond promptly.
09. Your Rights
Regardless of where you are located, you have the following rights over your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — request deletion of your account and all associated personal data. We will action this within 30 days. Aggregate or anonymised data derived from your activity may be retained.
- Portability — request your data in a structured, machine-readable format (JSON).
- Withdraw consent — you may revoke health data permission at any time in device settings. You may disable push notifications in device settings. Neither action deletes your account.
- Objection — object to any processing of your data that you believe is not justified.
To exercise any of these rights, email us at niket@stepwars.site with the subject line "Privacy Request". We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
Account deletion: You can also delete your account directly within the app via Profile → Settings → Delete Account. This initiates immediate deletion of your personal data from our servers.
Indian users (DPDPA 2023): As a resident of India, you have rights under the Digital Personal Data Protection Act, 2023, including the right to access, correct, and erase your personal data, and the right to nominate a representative. Contact us at the email above to exercise these rights.
EEA / UK users (GDPR): If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR, including the right to lodge a complaint with your local supervisory authority.
10. Children's Privacy
StepWars is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13 years old. If you are a parent or guardian and believe your child has created an account, please contact us at niket@stepwars.site and we will delete the account and all associated data promptly.
Users between 13 and 18 should use the app only with the consent of a parent or guardian.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- The "Last updated" date at the top of this page will be revised.
- For material changes (changes that significantly affect your rights or how we use your data), we will notify you via a push notification or an in-app banner at least 7 days before the change takes effect.
- Continued use of StepWars after the effective date constitutes your acceptance of the updated policy.
We encourage you to review this page periodically.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
- Name: Niket Mishra
- Email: niket@stepwars.site
- Website: https://stepwars.site
- Country: India
We aim to respond to all privacy-related enquiries within 30 days.