Privacy Policy
Effective: April 2026 — GDPR (General Data Protection Regulation) Compliant
1. Data Controller
The entity responsible for data processing under GDPR is:
Scafa Investments LLC
Represented by: Jens Scafarti (Managing Member)
9830 Bahama Dr
Cutler Bay, FL 33189-1568
United States
Email: info@scafa-investments.com
Website: mapraiders.com
For privacy-related inquiries, please contact: contact@mapraiders.com
2. Overview of Collected Data
When using MapRaiders, we collect and process the following personal data:
| Data Category | Specific Data | Purpose |
|---|---|---|
| Account Data | Email address, username, hashed password (or Google OAuth ID) | Registration, authentication, account management |
| GPS Location Data | Latitude, longitude, timestamp, speed, accuracy | Territory claiming, game mechanics, anti-cheat |
| Game Activity Data | Claimed territories, quest progress, duel results, clan membership, statistics, experience points | Game operation, leaderboards, game balance |
| User-Generated Content | Quests, echos (voice messages), challenges, artifacts, chat messages | Game features, community interaction |
| Technical Data | Device type, operating system, app version, IP address (anonymized) | Troubleshooting, security, compatibility |
Additional Optional Data
- Photos: Collected when you voluntarily submit photos for quest verification or profile images
- Audio: Collected when you record audio echos (voice messages at locations)
- Push Notification Token: Device identifier for push notifications via Expo
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6(1):
- Article 6(1)(a) — Consent: For collection and processing of GPS location data. You provide consent by enabling location sharing on your device and using the app. You may withdraw this consent at any time by disabling location sharing in your device settings or deleting your account.
- Article 6(1)(b) — Contract: For processing account data and game activity data necessary to provide the gaming service.
- Article 6(1)(f) — Legitimate Interest: For processing technical data to ensure security, stability, and anti-cheat measures in the game.
4. GPS Location Data — Detailed Information
GPS location data is particularly sensitive because it can reveal your whereabouts and movement patterns. We take the protection of this data very seriously:
4.1 Collection
Location data is collected while you actively use the app (foreground) or have explicitly enabled background location tracking. Without active GPS permission on your device, no location tracking occurs.
Background Location Tracking: When you enable background location tracking, the app collects your location even with the screen off, allowing you to claim territories while walking, running, or cycling. You can disable background location tracking at any time in your device settings or app settings. The app continues to function without background location tracking—territories are claimed only when the app is open.
4.2 Use
Your GPS data is used exclusively for:
- Territory Claiming: Determining which grid squares you claim through your movement
- Game Mechanics: Quests, duels, echo placement, artifact interaction
- Anti-Cheat: Detection of GPS spoofing and unrealistic movement patterns
4.3 Storage Duration
Detailed GPS route and movement data is stored for a maximum of 90 days and then automatically deleted. Aggregated data (e.g., claimed territories) is retained for the duration of your account, as it is essential to game operations.
4.4 No Advertising Tracking
Your GPS data is never used for advertising, profiling, location analytics for third parties, or any purpose unrelated to gameplay. We do not share GPS data with advertisers or tracking services.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| GPS route data (detailed) | 90 days, then automatic deletion |
| Territory data (aggregated) | Until account deletion |
| Game activity data | Until account deletion |
| User-generated content | Until account deletion or manual deletion |
| Technical data / Server logs | 30 days |
Upon account deletion, all personal data is permanently deleted within 30 days, unless legal retention obligations apply.
6. Data Sharing and Third-Party Service Providers
6.1 Google Sign-In
When you register or sign in via Google Sign-In, MapRaiders receives only your email address and display name from Google. No additional Google data is collected. Google's Privacy Policy also applies.
6.2 Hosting and Infrastructure
Our servers are operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany), a German hosting provider that processes data exclusively in Germany/EU. A Data Processing Agreement under GDPR Article 28 is in place with Hetzner.
6.3 No Sale of Personal Data
We do not sell, rent, or transfer your personal data to third parties for advertising, marketing, or analytics purposes. No advertising SDKs or third-party tracking tools are used in the app.
6.4 Google Maps
We use Google Maps Platform (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to display the game map. When the map loads, technical data (IP address, map region, device information) is transmitted to Google servers. No personal player data (name, email, game progress) is shared with Google. The legal basis is GDPR Article 6(1)(b) (contract fulfillment—map display is required for gameplay). Google's Privacy Policy applies.
6.5 Push Notifications (Expo)
We use Expo (650 Industries Inc., USA) to deliver push notifications. When you enable push notifications, a device-specific push token is transmitted to our server and Expo servers. Expo forwards the message to Google Firebase Cloud Messaging (FCM) or Apple Push Notification Service (APNs). You can disable push notifications at any time in app settings or device settings. The legal basis is GDPR Article 6(1)(a) (consent).
6.6 Camera and Microphone Access
The app accesses your camera when you take photos for quest verification or profile pictures. Microphone access occurs when you record audio echos (voice messages at locations). These recordings are stored on our servers and can be viewed/heard by other players. You can revoke camera and microphone permissions at any time in your device settings. The legal basis is GDPR Article 6(1)(a) (consent).
6a. Data Transfers to Third Countries
MapRaiders uses service providers located in the United States:
- Google LLC (Google Maps, Google Sign-In): IP address, map region, email, and name (for social login). Google LLC is certified under the EU-U.S. Data Privacy Framework (adequacy decision by EU Commission, July 10, 2023).
- Expo / 650 Industries Inc. (Push notifications): Device-specific push token. Transfer is based on Standard Contractual Clauses under GDPR Article 46(2)(c).
All other data (account data, GPS data, game content) is processed and stored exclusively on servers in Germany/EU (Hetzner).
6b. Automated Decision-Making
MapRaiders uses an automated anti-cheat system that analyzes GPS movement patterns, speed, and sensor data to detect GPS spoofing and cheating. When violations are detected, the system may automatically take action (e.g., claim rejection, temporary restrictions, account suspension).
Under GDPR Article 22(2)(a), this automated decision-making is necessary for contract fulfillment (fair gameplay). You have the right to request review by a human, to express your viewpoint, and to challenge the decision. To request human review, contact contact@mapraiders.com.
7. Advertising
MapRaiders contains no advertisements and uses no ad trackers. We do not set cookies for advertising purposes. No ad tracking, retargeting, or profiling for advertising partners occurs.
8. Your Rights as a Data Subject
Under GDPR, you have the following rights, which you can exercise at any time:
Article 15 GDPR — Right to Access
You have the right to request access to your personal data we hold, including information about processing purposes, data categories, and recipients.
Article 16 GDPR — Right to Rectification
You have the right to correct inaccurate personal data. You can change your username directly in app settings.
Article 17 GDPR — Right to Erasure
You have the right to request deletion of your personal data, unless legal retention obligations prevent this. Account deletion is available through app settings or by contacting us via email.
Article 18 GDPR — Right to Restrict Processing
You have the right to request restriction of processing of your personal data, for example if the accuracy of your data is disputed.
Article 20 GDPR — Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Contact us by email, and we will provide your data as a JSON export.
Article 21 GDPR — Right to Object
You have the right to object to processing of your personal data on grounds relating to your particular situation, to the extent that processing is based on GDPR Article 6(1)(f).
Withdrawal of Consent
If processing is based on your consent (particularly GPS data), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. You can disable GPS permission at any time in your device settings.
Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection authority if you believe processing of your personal data violates GDPR. The appropriate authority is the data protection authority of your country. For EU citizens, you can find supervisory authorities at: edpb.ec.europa.eu.
Contact for all requests: contact@mapraiders.com. We typically respond within 30 days.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data under GDPR Article 32:
- Encrypted data transmission (TLS/HTTPS) between app and server
- Encrypted password storage (bcrypt hashing)
- Authentication via JWT tokens with limited validity
- Regular security updates of server software
- Access restrictions to personal data limited to operators
- Servers located exclusively in German/EU data centers (Hetzner)
10. Protection of Minors
MapRaiders is intended for users 16 years and older. Users under 18 years require parental consent. We do not knowingly collect personal data from children under 16 years. If we become aware that a child under 16 has created an account without parental consent, we will immediately delete that account and associated data.
11. Changes to This Privacy Policy
We may update this Privacy Policy to reflect legal changes or changes to app functionality. The current version is always available at mapraiders.com/en/privacy.html. For material changes, we will notify you via in-app notification.
Last updated: April 2026