Prospectour Privacy Policy

Effective date: 14 July 2026 Last updated: 14 July 2026

This policy explains what personal data Prospectour collects, why, the legal basis for using it, who we share it with, how long we keep it, and the rights you have. It reflects how the app actually works.

1. Who we are

Prospectour ("Prospectour", "we", "us", "our") is a location-based idle-mining mobile game for iOS and Android. The data controller responsible for your personal data is [PLACEHOLDER — legal entity name and registered address].

For any privacy question, or to exercise your rights, contact our Data Protection Officer at [PLACEHOLDER — DPO name and contact email].

We process personal data in line with the UK GDPR and the Data Protection Act 2018 (and, for users in the EEA, the EU GDPR).

2. Age requirement

Prospectour is rated 18+ and is intended only for adults. We do not knowingly collect personal data from anyone under 18. If you believe someone under 18 has created an account, contact us and we will delete it. See also Section 12.

3. What we collect and why

Data Why we collect it Legal basis
Email address To create and secure your account and to contact you about it. Stored encrypted (AES-256-GCM) with a one-way blind index for lookup Art. 6(1)(b) performance of a contract
Password To authenticate you. Stored only as a one-way Argon2id hash, never in plain text Art. 6(1)(f) legitimate interest (account security)
Sign-in with Google / Apple If you choose these, we receive a verified identifier and email from the provider to create or match your account. We never receive your Google or Apple password Art. 6(1)(b) performance of a contract
Precise location (GPS) Core gameplay — to let you claim and own real-world map "squares" near you, and as an anti-cheat speed check. Used only while the app is in the foreground. We keep only your single most-recent fix (no location history) and purge it after ~24 hours of inactivity Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interest (anti-cheat)
Claimed-square coordinates The map squares you own are part of your game state; they indicate places near where you have played Art. 6(1)(b) performance of a contract
Coarse location (weather) To show in-game weather, we send an approximate location (rounded to ~11 km, with no account identifier) to our weather provider Art. 6(1)(f) legitimate interest (game feature)
Device identifier Referral anti-fraud only. Stored as a one-way HMAC index — the raw device ID is never stored Art. 6(1)(f) legitimate interest (fraud prevention)
Purchase records To deliver in-app purchases and to meet accounting and tax obligations Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation
Referral graph & activity days To run the referral reward feature and calculate rewards Art. 6(1)(b) performance of a contract
Advertising & device identifiers Used by our ad partner to serve ads (see Section 4). Personalised advertising is used only with your consent Art. 6(1)(a) consent (personalised ads); Art. 6(1)(f) legitimate interest (non-personalised ads)
IP address Security and abuse-prevention logs only, kept briefly Art. 6(1)(f) legitimate interest (security)
Crash & diagnostic data App version, OS, device model and stack traces to fix bugs. Personal data is scrubbed before sending — no account ID, email, or location Art. 6(1)(f) legitimate interest (reliability)

We do not intentionally collect any special-category (sensitive) data. Because precise location can infer sensitive information (for example, proximity to a place of worship), we treat it as high-risk and minimise it as described above.

We do not sell your personal data.

4. Advertising

Prospectour shows optional rewarded video ads (you choose to watch one for an in-game boost). Ads are served by Google AdMob, provided by Google. To serve ads, AdMob and its partners may collect and process device information and advertising identifiers.

5. Who we share data with

We use a small number of processors and partners. We do not sell your data.

Recipient Role What they receive Safeguard
Fly.io Processor — hosting, managed database, backups All stored data, on an encrypted volume Data Processing Agreement in place; region pinned to London, UK (lhr)
Sentry (Sentry GmbH) Processor — crash & error diagnostics Crash/error reports: app version, OS and device model, stack traces — no account ID, email, or precise location (personal data is scrubbed before sending) EU data residency (ingest in Germany); DPA available
Open-Meteo Weather provider Coarsened approximate location only (~11 km), with no account identifiers Public keyless API; no PII sent
Google (AdMob) Advertising partner Device and advertising identifiers, subject to your consent (Section 4) Governed by Google's policies
Apple / Google App stores & payment processors Purchase transactions you make Governed by their own terms and privacy policies

6. International transfers

Our own processing is kept in the UK: hosting, database and backups are pinned to the London, UK (lhr) region, and our diagnostics processor stores data in the EEA.

Some third-party partners you interact with — Google (AdMob), Apple, and the app stores — operate global infrastructure and may process data outside the UK/EEA under their own safeguards (such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision). Their handling of your data is governed by their own privacy policies, linked above.

7. How long we keep data

Data Retention
Live location fix Most-recent fix only; purged after ~24 hours of inactivity
Ad records ~30 days
Security / audit logs (incl. IP) ~180 days
Purchase records ~6 years, pseudonymised (UK accounting requirements)
Account data (email, balances, claims, referrals) Until you delete your account (see Section 9)

8. How we protect your data

Your email and live location are encrypted at rest with AES-256-GCM; passwords are hashed with Argon2id; all traffic is over HTTPS/TLS; access to production data is role-restricted, requires multi-factor authentication, and is audited. Encryption keys are managed so that destroying a key renders the related data unrecoverable ("crypto-shredding").

9. Your rights (UK / EU GDPR)

Under the UK GDPR (and EU GDPR, if you are in the EEA) you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on our legitimate interests. Where we rely on your consent (for example, personalised ads), you can withdraw it at any time without affecting processing that already happened.

To delete your account and personal data, you can either:

To exercise any other right, contact our DPO (Section 1). We respond within one month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or, if you are in the EEA, your local data protection authority.

10. California privacy rights (CCPA / CPRA)

If you are a California resident, you have the right to:

We do not sell your personal information for money. Under California law, allowing our advertising partner to use identifiers for personalised (cross-context behavioural) advertising may be considered "sharing." You can opt out of this at any time by declining the ad-consent prompt, turning off App Tracking Transparency on iOS, or resetting your advertising ID on Android — this is our "Do Not Sell or Share My Personal Information" mechanism. We do not knowingly sell or share the personal information of anyone under 16 (and the app is 18+).

The categories of personal information we collect, our purposes, and the parties we disclose it to are described in Sections 3 to 5. To make a request, contact us (Section 12); we will verify your request through your account and respond within the timeframes California law requires.

11. Automated decisions

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing.

12. Children

Prospectour is not directed at children and is rated 18+. We do not knowingly collect data from anyone under 18. See Section 2.

13. Changes to this policy

We may update this policy. We will post the new version here and update the "Last updated" date. We will notify you in-app of material changes.

14. Contact

Controller: [PLACEHOLDER — legal entity name and registered address] Data Protection Officer: [PLACEHOLDER — DPO name and contact email] Account deletion: https://prospectour.co.uk/delete-account Supervisory authority: Information Commissioner's Office (ICO), ico.org.uk