Privacy Policy

This Privacy Policy explains how Indies At War (“Indies At War”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit our website, create an account, participate in leaderboards, download or play our games, subscribe to our newsletter, or purchase merchandise. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable laws. Users outside the EU/EEA may have mandatory rights under their local laws; where applicable, we will honor those rights.

1. Data Controller

The data controller is Indies At War. You can contact us at support@indiesatwar.com. We have not appointed a Data Protection Officer. For privacy queries, use the address above.

2. Categories of Personal Data

• Account data: email address, username/alias, password (hashed), and profile preferences (such as chosen display flag or avatar). Flags represent historical nations within the game and do not reflect your real-world location.
• Gameplay and community data: scores, waves, session durations, timestamps, leaderboard position, badges/titles, and any user-generated profile information you submit. Usernames and top scores are publicly visible on leaderboards.
• Device and usage data: IP address, browser and device type, operating system, referral URLs, and basic diagnostics collected through server logs and strictly necessary cookies.
• Store and transaction data (if you purchase): order details, items, amount, currency, status, and delivery information. Payment card data is processed securely by our payment processor and never stored by us.
• Communications data: messages you send to support, feedback, and your newsletter subscription preferences (including double-opt-in status).

3. Purposes and Legal Bases

We process personal data for the following purposes and legal bases under GDPR:

• Provide and operate the site and games (create accounts, authenticate users, record gameplay, show leaderboards) — Article 6(1)(b) contract.
• Operate the store (process orders, arrange printing/fulfilment, handle customer service) — Article 6(1)(b) contract.
• Security and fraud prevention (monitor abuse/cheating, protect accounts, maintain logs) — Article 6(1)(f) legitimate interests.
• Communications (transactional emails such as verification, resets, service notices) — Article 6(1)(b) and 6(1)(f).
• Marketing communications (newsletter) — Article 6(1)(a) consent. You can withdraw consent at any time, e.g., via the unsubscribe link.
• Compliance (tax, accounting, legal requests) — Article 6(1)(c) legal obligation.

4. Cookies and Similar Technologies

We use strictly necessary cookies to operate login sessions, remember preferences, and protect against abuse. If we introduce analytics or advertising cookies, we will request your consent via a cookie banner and provide controls to change your preferences. You can also manage cookies in your browser settings, though essential features (for example, authentication) may not work without them.

5. Sharing of Personal Data

We do not sell personal data. We share data only with:

• Service providers (processors): e.g., hosting, authentication, email delivery, payment processing, and print-on-demand fulfilment, acting under our instructions and subject to appropriate safeguards.
• Payment processors: to complete transactions; payment credentials are processed by the processor and are not stored by us.
• Fulfilment partners: to manufacture and deliver merchandise you order.
• Public display: usernames/aliases and scores you submit for leaderboards are visible to site visitors.
• Legal and safety: if required by law or necessary to protect our rights, users, or the public.

Current categories include: hosting/infrastructure, authentication/session management, email delivery (e.g., transactional or newsletter), payment processing, and print-on-demand/fulfilment. Vendors may be located outside the EEA; see Section 7 on transfers.

6. Data Retention

We keep personal data only as long as necessary for the purposes described above. When you delete your account, we erase or irreversibly anonymise personal data from active systems immediately, subject to:

• Backups and logs: limited remnants may persist in automated backups and security logs for up to 90 days for operational and security purposes. These are inaccessible in normal operations and are automatically purged.
• Transactions and tax records: order and payment records are retained for up to 10 years to comply with accounting and tax laws. Where possible, links to your account are anonymised.

7. International Transfers

If personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and take additional measures where required to protect your data. Where a destination benefits from an adequacy decision (e.g., the United Kingdom), we rely on that decision; otherwise, we use SCCs or equivalent safeguards.

8. Your Rights

Subject to conditions and limitations under GDPR, you have the right to request access, rectification, erasure, restriction, and data portability, and to object to processing based on legitimate interests. Where processing is based on consent (e.g., newsletter), you may withdraw consent at any time without affecting prior processing.

You can manage most data through your account. To exercise your rights, contact support@indiesatwar.com. You also have the right to lodge a complaint with a supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD). You may also contact your local authority within the EEA/UK.

9. Security

We use reasonable technical and organisational measures to protect personal data, including encryption in transit, restricted access, and minimisation practices. No system can be guaranteed fully secure; please use a strong, unique password and keep your credentials safe.

10. Children’s Data

Our services are not directed to children under 13. If you are between 13 and 16 and reside in the EEA/UK, you should only use the services with parental/guardian consent where required by local law. We do not knowingly collect personal data from children under 13. If you believe a child has provided personal data to us, contact us to request deletion.

11. Automated Decision-Making

We do not conduct automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top indicates the latest revision. Material changes will be communicated in a reasonable manner (for example, via the website or by email, where appropriate).

13. Contact

If you have questions about this policy or how we handle personal data, contact support@indiesatwar.com.

Cookie Summary

We use cookies and local storage only to support authentication, security, store functionality, and basic site preferences. We do not use analytics or advertising cookies at this time. If we introduce them in the future, we will obtain your consent and provide clear controls to manage preferences.

• Strictly necessary:login/session cookies, CSRF and security cookies, load balancing, and commerce-related cookies (e.g. loot cart, Stripe checkout, shipping country, and order tokens).
• Functionality:preferences stored in local storage (e.g. whether you accepted cookies, UI settings).
• Analytics/Performance:not currently used. If introduced, they will only be set with your prior consent.
• Marketing:not currently used. If introduced, they will only be set with your prior consent.

Service Providers (Overview)

Depending on the features you use, we may engage trusted providers for hosting/infrastructure, authentication, email delivery, payment processing, and print-on-demand fulfilment. These providers act on our behalf under data-processing agreements and appropriate transfer safeguards where required. Details are available on request at support@indiesatwar.com.