Privacy Policy
Last updated: May 1, 2026 · XPTracker Inc.
XPTracker is a real-life RPG game. This policy explains what data we collect, why we collect it, how we protect it, and what rights you have. We keep it plain. If something isn't clear, email us at privacy@xptracker.io.
1. Who We Are
XPTracker is operated by XPTracker Inc. References to "we," "us," or "our" mean XPTracker Inc. The app is available on iOS (App Store), Android (Google Play), and web (xptracker.io). By using XPTracker you agree to this policy.
2. Age Requirement
XPTracker is intended for users who are 13 years of age or older. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, contact us immediately at privacy@xptracker.io and we will delete the account and all associated data.
3. Data We Collect
Account data (when you create an account):
- Email address
- Display name (chosen by you)
- Date account was created
- Authentication provider (email/password or Google Sign-In)
Game data (automatically, as you play):
- Character class, level, XP, day count
- Quests completed (count and type — not content you write)
- Boss defeats, items collected, panels unlocked
- Guild membership and role
- Timestamps of saves and logins
Public profile data (visible to other users):
- Display name, character class, level, XP
- Guild name and rank
- Hall of Heroes entry (if you choose to immortalize — see Section 7)
Payment data (when you purchase a plan):
- Purchase type (monthly subscription or lifetime) and date
- We do NOT store credit card numbers. Payment processing is handled by Apple (App Store), Google (Google Play), or Stripe (web) — see Section 5.
Usage analytics (automatically, on all platforms):
- Screens visited, features used, time in app
- Error logs (crash reports, performance events)
- Funnel events (e.g., sign-up started, paywall viewed, purchase completed)
Device data (automatically):
- Device type (iOS/Android/web), OS version, app version
- IP address (used for abuse prevention — not stored long-term)
4. How We Use Your Data
- To run the game (save progress, sync across devices, display leaderboards)
- To provide customer support
- To detect and prevent cheating and abuse
- To improve the app (usage analytics, crash reports)
- To send transactional emails (email verification, account changes — never marketing without consent)
- To fulfill purchases and manage subscriptions
- To operate the Guild Master Partner Program (see Section 6)
We do not sell your personal data. We do not use your data to train AI models.
5. Third-Party Services
We share data with the following services only as necessary to operate the app:
- Supabase — database, authentication, file storage. Data is stored on servers operated by Supabase Inc. (US). Supabase Privacy Policy
- Apple (App Store) — processes iOS in-app purchases. Apple receives purchase receipt data. Apple Privacy Policy
- Google (Google Play) — processes Android in-app purchases and Google Sign-In. Google Privacy Policy
- Stripe — processes web payments. Stripe receives payment card data directly; we never see or store it. Stripe Privacy Policy
We do not share your data with advertisers, data brokers, or any other third parties not listed above.
6. Guild Master Partner Program
Some guild leaders are approved as Guild Master Partners. If you make your first in-app purchase while actively in a guild whose leader is an approved partner, we permanently associate your account with that partner for the purpose of compensating them for bringing you to the app. This association is:
- Based on guild membership at the time of your first purchase
- Permanent — it does not change if you later leave the guild
- Used only to calculate partner compensation — it is never shown to other users
- Not a "sale" of your personal data under CCPA — no personal data is disclosed to the partner beyond aggregate counts visible in their dashboard
Partners see: a count of attributed users, whether those users have active subscriptions, and aggregate earnings — not names, emails, or any identifying information about individual users.
7. Hall of Heroes — Permanent Data
Special notice: If you choose to "Immortalize" your character and enter the Hall of Heroes, your display name, character class, level, XP, day count, and achievement data become a permanent public record. This record is retained even if you later delete your account. Before immortalizing, you will be asked to give explicit consent to this permanent retention and to our use of this data as described in our Terms of Service (including for physical merchandise). Do not immortalize if you do not consent.
8. Data Retention
- Account data: Retained until you delete your account, then deleted within 30 days (except Hall of Heroes entries — see above).
- Game data: Retained for the life of your account. Deleted with your account.
- Usage analytics: Rolling 90-day retention. Automatically purged.
- Error/crash logs: Rolling 30-day retention.
- Payment records: Retained for 7 years (tax and legal compliance).
- Hall of Heroes entries: Permanent — see Section 7.
9. Your Rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you.
- Correction: Request that we correct inaccurate data.
- Deletion: Request deletion of your account and data. In-app: Settings → Delete Account. Or email us. Note: Hall of Heroes entries cannot be deleted after immortalization (you consented at that moment).
- Portability: Request your game data in a machine-readable format.
- Opt-out of analytics: Coming in a future update. Currently analytics are required for the app to function.
EU/EEA users (GDPR): Our lawful basis for processing is (a) contract performance for running the game, (b) legitimate interest for analytics and abuse prevention, and (c) explicit consent for Hall of Heroes permanent retention. Data is transferred to the US under Supabase's standard contractual clauses.
California users (CCPA): We do not sell your personal information. The Guild Master Partner association described in Section 6 does not constitute a "sale" under CCPA because no personal data is disclosed to partners. You have the right to know what data we collect and to request deletion.
To exercise any of these rights, email privacy@xptracker.io. We will respond within 30 days.
10. Security
We use Supabase Row Level Security (RLS) to ensure that users can only access their own data. Payment processing is handled entirely by Apple, Google, or Stripe — we never transmit or store payment card data. Financial data (partner earnings, payout records) is accessible only via server-side Edge Functions using restricted keys — no direct client access.
No security system is perfect. If you discover a security vulnerability, please report it responsibly to security@xptracker.io.
11. Physical Activity Disclaimer
XPTracker's quests are in-game content suggestions. They are not professional fitness, medical, psychological, or life-coaching advice. Some quests involve physical activity. Before starting any new physical activity, consult a qualified healthcare professional, especially if you have any existing health conditions. XPTracker is not responsible for any injury, harm, or adverse outcome resulting from activities you choose to perform.
12. Changes to This Policy
We may update this policy as the app evolves. If we make material changes, we will notify you via in-app notice or email at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the current version. Continued use of the app after a policy change constitutes acceptance.
13. Contact
Questions about this privacy policy:
Email: privacy@xptracker.io
Website: xptracker.io
© 2026 XPTracker Inc. All rights reserved.