Heartbeat Stacker

Privacy Policy

Last updated: 2 April 2026

1. Introduction

Heartbeat Stacker ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use the Heartbeat Stacker mobile application (the "App").

This policy is compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as supplemented by the Data (Use and Access) Act 2025.

2. Data Controller

The data controller responsible for your personal data is Heartbeat Stacker. For data protection enquiries, please contact us at: support@heartbeatstacker.app

3. Data We Collect

3.1 Information You Provide

  • Mobile phone number (for account authentication via SMS OTP)
  • Display name (optional, set by you)
  • Date of birth confirmation (age verification that you are 18 or over)
  • Payout details (bank sort code, account number, and account name; or PayPal email address — provided voluntarily when claiming prizes). These details are encrypted at rest using AES-256-GCM encryption and are only decrypted at the point of payment processing.
  • Identity verification data (for prizes above £25): government-issued photo ID (passport or UK driving licence) and liveness check image, collected at point of prize claim through Didit (see Section 7.4)

3.2 Health & Biometric Data (Special Category — Optional)

Heart rate data and step count data constitute “special category data” under Article 9 of UK GDPR, as they relate to your physical health. We only process this data with your explicit consent, which you provide by opting in via the Health Data toggle in Settings.

If you choose to connect Apple Health (iOS) or Google Health Connect (Android), we may access:

  • Step count for the last 24 hours (read-only) — used to verify the daily exercise threshold (8,000 steps) for bonus game entries
  • Heart rate (read-only) — a single BPM reading captured at the start of each game session to determine your heart rate zone score bonus (up to +20%)

We do not store your raw health data on our servers. For step count claims, we only record a claim record containing: the date of the claim, your step count at the time of the claim, and the number of bonus entries granted. For heart rate, we only record: whether the heart rate bonus was active for a game session, the BPM value used, and the bonus multiplier applied. No continuous heart rate history is stored. Health data access is entirely optional and the app functions normally without it. You can disconnect health data at any time in the Settings screen.

Legal basis: Explicit consent under Article 9(2)(a) of UK GDPR. You may withdraw this consent at any time by disabling Health Data in Settings, after which we will no longer access your health data. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. A Data Protection Impact Assessment (DPIA) has been completed for this processing activity in accordance with Article 35 of UK GDPR.

3.3 Information Collected Automatically

  • Device information: brand, model, operating system version, build ID (used to generate a device fingerprint for anti-fraud purposes)
  • Game telemetry: tap events, timestamps, block positions, scores (used for gameplay verification and anti-cheat enforcement)
  • IP address (collected during game sessions for anti-fraud analysis)
  • App usage data: session duration, tournament participation

3.4 Information from Third Parties

  • Google AdMob: advertising identifiers and ad interaction data (see Section 7)

4. How We Use Your Data

We process your personal data for the following purposes:

  • To authenticate your identity and manage your account (legal basis: contractual necessity)
  • To verify your age as 18 or over, as required for prize competitions under UK law (legal basis: legal obligation)
  • To operate tournaments, record scores, and distribute prizes (legal basis: contractual necessity)
  • To detect and prevent fraud, cheating, bot usage, and multiple account abuse (legal basis: legitimate interest in maintaining competition integrity)
  • To process prize payouts to your nominated bank account or PayPal (legal basis: contractual necessity)
  • To display anonymised leaderboard rankings (legal basis: legitimate interest)
  • To serve advertisements through Google AdMob (legal basis: consent, where required)
  • To verify daily exercise goals for bonus game entries, using step count data from Apple Health or Google Health Connect (legal basis: consent — opt-in only)
  • To apply heart rate zone score bonuses during gameplay, using heart rate data from Apple Health or Google Health Connect (legal basis: consent — opt-in only)
  • To send push notifications about tournament updates, winner announcements, score alerts, and other app-related communications (legal basis: consent — you may enable or disable notifications at any time)

5. Legal Bases for Processing

Under UK GDPR, we rely on the following legal bases:

  • Contract: Processing necessary to provide our game service, manage your account, operate tournaments, and process prize payouts.
  • Legitimate Interest: Processing for fraud prevention, anti-cheat enforcement, competition integrity, and anonymised leaderboard display. We have assessed that these interests do not override your fundamental rights and freedoms.
  • Legal Obligation: Age verification to comply with UK prize competition requirements.
  • Consent: Where required for marketing communications or non-essential advertising tracking. You may withdraw consent at any time.
  • Explicit Consent (Article 9(2)(a)): Processing of special category health data (step count and heart rate) is based on your explicit, informed consent given when you enable Health Data in Settings. This consent is separate from your general use of the App and may be withdrawn at any time without affecting your ability to play.

6. Data Retention

  • Account data (phone number, display name, preferences): retained until you request account deletion.
  • Game session data (scores, play logs, telemetry): retained for 12 months from submission, then automatically deleted.
  • Payout records and financial data: retained for 6 years after the relevant tax year, as required by HMRC record-keeping obligations.
  • Exercise bonus claim records (date, step count, entries granted): retained for 12 months, then automatically deleted. No raw health data is stored.
  • Heart rate bonus records (session BPM, bonus multiplier applied): retained as part of game session data for 12 months, then automatically deleted. No continuous heart rate history is stored.
  • Fraud investigation data (flagged sessions, integrity flags): retained for 24 months from the date of flagging.
  • Device fingerprints on the blocked devices list: retained indefinitely to prevent re-offending.
  • Identity verification data: processed and retained by Didit in accordance with their data retention policies. Heartbeat Stacker does not store identity documents.
  • Push notification tokens: retained until you disable notifications or delete your account. Used solely to deliver tournament updates, winner notifications, and other app-related alerts.

7. Third-Party Data Processors

We share your data with the following third-party processors, each of which operates under a data processing agreement:

7.1 Twilio (SMS Verification)

Twilio Inc. processes your phone number to send OTP verification codes. Twilio is based in the United States and data transfers are protected by Standard Contractual Clauses (SCCs) with the UK Addendum. Twilio's privacy practices are detailed at twilio.com/legal/privacy.

7.2 Supabase (Database and Authentication)

Supabase Inc. hosts our database and authentication infrastructure. Your account data, game sessions, and scores are stored on Supabase's servers. Data transfers outside the UK are protected by appropriate safeguards including SCCs.

7.3 Google AdMob (Advertising)

Google LLC operates our in-app advertising through AdMob. AdMob may collect device identifiers and ad interaction data to serve relevant advertisements. Google's data practices are governed by their privacy policy at policies.google.com/privacy. You can manage your ad preferences through your device settings.

7.4 Didit (Identity Verification)

For prizes above £25, Didit performs identity and age verification for prize winners. When claiming a prize above this threshold, you will be asked to verify your identity through Didit, which involves photographing a government-issued photo ID and completing a liveness check. Didit processes and retains these documents in accordance with their privacy policy. Heartbeat Stacker does not store copies of your identity documents; they are held and processed solely by Didit. For prizes of £25 or below, phone number verification (completed at registration) is accepted as sufficient verification and no additional identity documents are required.

7.5 Apple HealthKit / Google Health Connect (Health Data)

If you opt in to the health data features, the App reads your step count and/or heart rate data directly from Apple HealthKit (iOS) or Google Health Connect (Android). This data is processed locally on your device and is not shared with any third party. For step count: only the exercise bonus claim record (date, step count, entries granted) is sent to our server. For heart rate: only the BPM reading used at game start, the resulting bonus multiplier, and whether the bonus was active are recorded as part of the game session. No raw health data, continuous heart rate history, or health data beyond these specific data points is transmitted to or stored by Heartbeat Stacker, Apple, Google, or any other third party beyond what these platform health services already hold.

7.6 Expo Push Notifications

If you grant notification permissions, the App registers a push notification token with Expo's push notification service (operated by 650 Industries, Inc.). This token is used to deliver tournament updates, winner notifications, score alerts, and other app-related communications. The token is stored on our servers alongside your account and is sent to Expo's push service when a notification is dispatched. Expo's push service forwards the notification to Apple Push Notification Service (APNs) or Google Firebase Cloud Messaging (FCM) as appropriate for your device. No message content is stored by Expo beyond the time needed for delivery. You can disable push notifications at any time through your device settings or the App.

7.7 Wise (Prize Payouts)

For bank transfer prize payouts, we use Wise (Wise Payments Limited, authorised by the FCA) to process payments to your nominated UK bank account. When you claim a prize via bank transfer, your sort code, account number, and account name are shared with Wise to create the payment. Your payout details are encrypted at rest in our database and are only decrypted at the point of payment processing. Wise processes this data in accordance with their privacy policy at wise.com/gb/legal/privacy-policy. Wise is based in the United Kingdom and European Economic Area.

8. International Data Transfers

Some of our third-party processors are based outside the United Kingdom. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the Information Commissioner's Office (ICO) and the UK International Data Transfer Addendum.

9. Your Rights

Under UK GDPR, you have the following rights:

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request correction of inaccurate or incomplete data.
  • Right to Erasure: You may request deletion of your personal data (subject to our legal retention obligations).
  • Right to Data Portability: You may request your data in a structured, machine-readable format.
  • Right to Object: You may object to processing based on legitimate interest.
  • Right to Restrict Processing: You may request that we limit how we use your data.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at support@heartbeatstacker.app. We will respond within one month as required by UK GDPR.

10. Children's Data

Heartbeat Stacker is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete that data promptly. If you believe we have inadvertently collected data from a minor, please contact us immediately.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest (AES-256-GCM for financial data such as bank account details), access controls, and regular security assessments.

12. Cookies and Similar Technologies

The App does not use browser cookies. We may use device-local storage for essential functionality such as session persistence. Advertising partners (Google AdMob) may use device identifiers for ad personalisation, which you can control through your device settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App. The "Last updated" date at the top indicates the most recent revision. Your continued use of the App after any changes constitutes acceptance of the updated policy.

14. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

15. Contact Us

For any questions about this Privacy Policy or our data practices, please contact:

Email: support@heartbeatstacker.app

© 2026 Heartbeat Stacker. All rights reserved.