Privacy Policy
Effective: April 2026. Compliant with the DPDP Act 2023 (India) and the GDPR (EU).
1. Data Fiduciary (Controller)
The entity responsible for processing personal data, acting as Data Fiduciary under the DPDP Act 2023 and as Controller under the GDPR, is:
Scafa Investments LLC
Represented by: Jens Scafarti (Managing Member)
9830 Bahama Dr
Cutler Bay, FL 33189-1568
United States
Email: info@scafa-investments.com
Website: mapraiders.com
For privacy-related queries and grievance redressal, please write to: contact@mapraiders.com.
2. Overview of Collected Data
When you use MapRaiders, we collect and process the following categories of personal data:
| Data Category | Specific Data | Purpose |
|---|---|---|
| Account Data | Email address, username, hashed password (or Google OAuth ID) | Registration, authentication, account management |
| GPS Location Data | Latitude, longitude, timestamp, speed, accuracy | Territory claiming, game mechanics, anti-cheat |
| Game Activity Data | Claimed territories, quest progress, duel results, clan membership, statistics, experience points | Game operation, leaderboards, game balance |
| User-Generated Content | Quests, echos (voice messages), challenges, artefacts, chat messages | Game features, community interaction |
| Technical Data | Device type, operating system, app version, IP address (anonymised) | Troubleshooting, security, compatibility |
Additional Optional Data
- Photos: Collected when you voluntarily submit photos for quest verification or profile images
- Audio: Collected when you record audio echos (voice messages at locations such as your local mohalla park or chai stall)
- Push Notification Token: Device identifier for push notifications via Expo
3. Legal Basis for Processing
We process your personal data under the following legal bases:
3.1 Under the DPDP Act 2023 (for Indian Data Principals)
- Section 6 - Consent: For processing of GPS location data, audio recordings, photos, and other voluntarily provided data. Consent is free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action.
- Section 7 - Legitimate Uses: For processing necessary to deliver the service you have requested, to maintain security, and to prevent fraud or cheating.
3.2 Under the GDPR (for users in the EU/EEA, including Indian users travelling abroad)
- Article 6(1)(a) Consent: For collection and processing of GPS location data. You may withdraw this consent at any time by disabling location sharing in your device settings or by deleting your account.
- Article 6(1)(b) Contract: For processing account data and game activity data necessary to provide the gaming service.
- Article 6(1)(f) Legitimate Interest: For processing technical data to ensure security, stability, and anti-cheat measures.
4. GPS Location Data - Detailed Information
GPS location data is particularly sensitive because it can reveal where you live, work, or spend your time. We take the protection of this data very seriously.
4.1 Collection
Location data is collected while you actively use the app (foreground) or have explicitly enabled background location tracking. Without active GPS permission on your device, no location tracking takes place.
Background Location Tracking: When enabled, the app collects your location even with the screen off, allowing you to claim territories while walking through your mohalla, jogging in Lodhi Garden, or cycling along Marina Beach. You can disable background location tracking at any time. The app continues to function without it. Territories are then claimed only when the app is open.
4.2 Use
Your GPS data is used exclusively for:
- Territory Claiming: Determining which grid squares you claim through your movement
- Game Mechanics: Quests, duels, echo placement, artefact interaction
- Anti-Cheat: Detection of GPS spoofing and unrealistic movement patterns (e.g., teleporting from Delhi to Chennai)
4.3 Storage Duration
Detailed GPS route and movement data is stored for a maximum of 90 days and is then automatically deleted. Aggregated data (e.g., claimed territories) is retained for the duration of your account, as it is essential for game operations.
4.4 No Advertising Tracking
Your GPS data is never used for advertising, profiling, location analytics for third parties, or any purpose unrelated to gameplay. We do not share GPS data with advertisers, telecom operators, or tracking services.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| GPS route data (detailed) | 90 days, then automatic deletion |
| Territory data (aggregated) | Until account deletion |
| Game activity data | Until account deletion |
| User-generated content | Until account deletion or manual deletion |
| Technical data / Server logs | 30 days |
Upon account deletion, all personal data is permanently erased within 30 days, unless retention is required by law. This satisfies Section 8(7) of the DPDP Act 2023 (erasure once purpose is no longer being served).
6. Data Sharing and Third-Party Service Providers
6.1 Google Sign-In
When you register or sign in via Google Sign-In, MapRaiders receives only your email address and display name from Google. No additional Google data is collected. Google's Privacy Policy also applies.
6.2 Hosting and Infrastructure
Our servers are operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany), a German hosting provider that processes data exclusively in Germany and the EU. A Data Processing Agreement under GDPR Article 28 is in place with Hetzner. For Indian users, this means your data is stored in a jurisdiction with adequate data protection standards.
6.3 No Sale of Personal Data
We do not sell, rent, or transfer your personal data to third parties for advertising, marketing, or analytics purposes. No advertising SDKs or third-party tracking tools are used in the app.
6.4 Google Maps
We use Google Maps Platform (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to display the game map. When the map loads, technical data (IP address, map region, device information) is transmitted to Google servers. No personal player data (name, email, game progress) is shared with Google. Google's Privacy Policy applies.
6.5 Push Notifications (Expo)
We use Expo (650 Industries Inc., USA) to deliver push notifications. When you enable push notifications, a device-specific push token is transmitted to our server and Expo servers. Expo forwards the message to Google Firebase Cloud Messaging (FCM) or Apple Push Notification Service (APNs). You can disable push notifications at any time in app or device settings.
6.6 Camera and Microphone Access
The app accesses your camera when you take photos for quest verification or profile pictures. Microphone access takes place when you record audio echos (voice messages at locations). These recordings are stored on our servers and may be heard by other players. You can revoke camera and microphone permissions at any time in your device settings.
6a. Data Transfers to Other Countries
MapRaiders uses service providers located outside India:
- Hetzner Online GmbH (Germany): Server hosting. Germany is recognised as a country with strong data protection laws (GDPR).
- Google LLC (USA): Google Maps and Google Sign-In. Limited technical data and login identifiers.
- Expo / 650 Industries Inc. (USA): Device-specific push tokens.
The Indian government has not yet notified specific restricted countries under Section 16 of the DPDP Act 2023. Transfers are based on contractual safeguards and your consent.
6b. Automated Decision-Making
MapRaiders uses an automated anti-cheat system that analyses GPS movement patterns, speed, and sensor data to detect GPS spoofing and cheating. When violations are detected, the system may automatically take action (e.g., claim rejection, temporary restriction, account suspension).
You have the right to request review by a human, to express your viewpoint, and to challenge any decision. To request human review, write to contact@mapraiders.com.
7. Advertising
MapRaiders contains no advertisements and uses no ad trackers. We do not set cookies for advertising purposes. There is no ad tracking, no retargeting, and no profiling for advertising partners.
8. Your Rights as a Data Principal / Data Subject
Whether you are a Data Principal under the DPDP Act 2023 or a Data Subject under the GDPR, you have the following rights, which you may exercise at any time.
Right to Access (Section 11 DPDP / Article 15 GDPR)
You may request a summary of personal data being processed, the processing activities undertaken, and the identities of any other Data Fiduciaries with whom your data has been shared.
Right to Correction and Erasure (Section 12 DPDP / Articles 16, 17 GDPR)
You may request correction of inaccurate data and erasure of personal data once the purpose of processing has been fulfilled. You can change your username directly in app settings.
Right to Grievance Redressal (Section 13 DPDP)
You may raise a grievance with us as Data Fiduciary. We will respond within a reasonable period. If not resolved, you may approach the Data Protection Board of India.
Right to Nominate (Section 14 DPDP)
You may nominate another individual to exercise your rights in case of your death or incapacity.
Right to Data Portability (Article 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format. Write to us and we will provide your data as a JSON export.
Right to Object (Article 21 GDPR)
You have the right to object to processing based on legitimate interests.
Withdrawal of Consent
If processing is based on your consent (in particular GPS data), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing. You can disable GPS permission at any time in your device settings.
Right to Lodge a Complaint
If you believe processing of your personal data violates the law, you may lodge a complaint with the Data Protection Board of India (once notified by the Central Government), or with a GDPR supervisory authority if you are in the EU. Indian consumers may also approach the National Consumer Helpline at 1915.
Contact for all requests: contact@mapraiders.com. We typically respond within 30 days.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, in line with Section 8(5) of the DPDP Act 2023 and GDPR Article 32:
- Encrypted data transmission (TLS/HTTPS) between app and server
- Hashed password storage (bcrypt)
- Authentication via JWTs with limited validity
- Regular security updates of server software
- Access to personal data restricted to authorised operators
- Servers located exclusively in German/EU data centres (Hetzner)
10. Protection of Children
MapRaiders is intended for users 18 years and older. Users between 16 and 18 require verifiable parental or guardian consent in line with Section 9 of the DPDP Act 2023. We do not knowingly process personal data of children below 16. We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children. If we become aware that a child below 16 has created an account, we will delete that account and the associated data immediately.
11. Changes to This Policy
We may update this Privacy Policy to reflect legal changes (such as future DPDP Rules notified by MeitY) or changes in app functionality. The current version is always available at mapraiders.com/en-in/privacy.html. For material changes, we will notify you via in-app notification.
Last updated: April 2026