Heartbeat Stacker

Privacy Policy

Last updated: 9 February 2026

1. Introduction

Heartbeat Stacker ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use the Heartbeat Stacker mobile application (the "App").

This policy is compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as supplemented by the Data (Use and Access) Act 2025.

2. Data Controller

The data controller responsible for your personal data is Heartbeat Stacker. For data protection enquiries, please contact us at: support@heartbeatstacker.app

3. Data We Collect

3.1 Information You Provide

  • Mobile phone number (for account authentication via SMS OTP)
  • Display name (optional, set by you)
  • Date of birth confirmation (age verification that you are 18 or over)
  • Payout details (bank sort code, account number, and account name; or PayPal email address — provided voluntarily when claiming prizes)

3.2 Information Collected Automatically

  • Device information: brand, model, operating system version, build ID (used to generate a device fingerprint for anti-fraud purposes)
  • Game telemetry: tap events, timestamps, block positions, scores (used for gameplay verification and anti-cheat enforcement)
  • IP address (collected during game sessions for anti-fraud analysis)
  • App usage data: session duration, tournament participation

3.3 Information from Third Parties

  • Google AdMob: advertising identifiers and ad interaction data (see Section 7)

4. How We Use Your Data

We process your personal data for the following purposes:

  • To authenticate your identity and manage your account (legal basis: contractual necessity)
  • To verify your age as 18 or over, as required for prize competitions under UK law (legal basis: legal obligation)
  • To operate tournaments, record scores, and distribute prizes (legal basis: contractual necessity)
  • To detect and prevent fraud, cheating, bot usage, and multiple account abuse (legal basis: legitimate interest in maintaining competition integrity)
  • To process prize payouts to your nominated bank account or PayPal (legal basis: contractual necessity)
  • To display anonymised leaderboard rankings (legal basis: legitimate interest)
  • To serve advertisements through Google AdMob (legal basis: consent, where required)

5. Legal Bases for Processing

Under UK GDPR, we rely on the following legal bases:

  • Contract: Processing necessary to provide our game service, manage your account, operate tournaments, and process prize payouts.
  • Legitimate Interest: Processing for fraud prevention, anti-cheat enforcement, competition integrity, and anonymised leaderboard display. We have assessed that these interests do not override your fundamental rights and freedoms.
  • Legal Obligation: Age verification to comply with UK prize competition requirements.
  • Consent: Where required for marketing communications or non-essential advertising tracking. You may withdraw consent at any time.

6. Data Retention

  • Account data (phone number, display name, preferences): retained until you request account deletion.
  • Game session data (scores, play logs, telemetry): retained for 12 months from submission, then automatically deleted.
  • Payout records and financial data: retained for 6 years after the relevant tax year, as required by HMRC record-keeping obligations.
  • Fraud investigation data (flagged sessions, integrity flags): retained for 24 months from the date of flagging.
  • Device fingerprints on the blocked devices list: retained indefinitely to prevent re-offending.

7. Third-Party Data Processors

We share your data with the following third-party processors, each of which operates under a data processing agreement:

7.1 Twilio (SMS Verification)

Twilio Inc. processes your phone number to send OTP verification codes. Twilio is based in the United States and data transfers are protected by Standard Contractual Clauses (SCCs) with the UK Addendum. Twilio's privacy practices are detailed at twilio.com/legal/privacy.

7.2 Supabase (Database and Authentication)

Supabase Inc. hosts our database and authentication infrastructure. Your account data, game sessions, and scores are stored on Supabase's servers. Data transfers outside the UK are protected by appropriate safeguards including SCCs.

7.3 Google AdMob (Advertising)

Google LLC operates our in-app advertising through AdMob. AdMob may collect device identifiers and ad interaction data to serve relevant advertisements. Google's data practices are governed by their privacy policy at policies.google.com/privacy. You can manage your ad preferences through your device settings.

8. International Data Transfers

Some of our third-party processors are based outside the United Kingdom. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the Information Commissioner's Office (ICO) and the UK International Data Transfer Addendum.

9. Your Rights

Under UK GDPR, you have the following rights:

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request correction of inaccurate or incomplete data.
  • Right to Erasure: You may request deletion of your personal data (subject to our legal retention obligations).
  • Right to Data Portability: You may request your data in a structured, machine-readable format.
  • Right to Object: You may object to processing based on legitimate interest.
  • Right to Restrict Processing: You may request that we limit how we use your data.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at support@heartbeatstacker.app. We will respond within one month as required by UK GDPR.

10. Children's Data

Heartbeat Stacker is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete that data promptly. If you believe we have inadvertently collected data from a minor, please contact us immediately.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls, and regular security assessments.

12. Cookies and Similar Technologies

The App does not use browser cookies. We may use device-local storage for essential functionality such as session persistence. Advertising partners (Google AdMob) may use device identifiers for ad personalisation, which you can control through your device settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App. The "Last updated" date at the top indicates the most recent revision. Your continued use of the App after any changes constitutes acceptance of the updated policy.

14. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

15. Contact Us

For any questions about this Privacy Policy or our data practices, please contact:

Email: support@heartbeatstacker.app

© 2026 Heartbeat Stacker. All rights reserved.