Privacy Policy

Kurdbits, registered with the Dutch Chamber of Commerce (KvK) under number 96243554, is the data controller for personal data processed via bitwar.app. Postal address and contact details are listed in the Imprint. For any data-protection request, write to info@kurdbits.com.

Account data: username (callsign), email address, hashed password, preferred language, account creation timestamp.
Gameplay data: chosen country, base coordinates (you pick these on a map), combat history, mine dispatches, mission progress, daily-claim history.
Device + technical data: IP address, user agent, FCM push token (Android only, when you grant notification permission), web-push subscription endpoint (browser only, when you grant permission), session cookie (PHPSESSID), locale cookie, optional remember-me cookie.
Payment data: handled directly by Stripe — we never see or store your card details. Stripe shares with us only the customer ID, the tier purchased, and the invoice status.

Performance of contract (Art. 6(1)(b) GDPR): account creation, login, gameplay state, payment processing, customer support.
Legitimate interest (Art. 6(1)(f) GDPR): fraud prevention, abuse mitigation, server security logs, anonymous service-improvement metrics.
Consent (Art. 6(1)(a) GDPR): push notifications (Android + browser). You can revoke at any time in Settings or in your OS notification panel.

Stripe Inc. / Stripe Payments Europe Ltd — payment processing for diamond purchases and premium subscriptions. Stripe is a Standard Contractual Clauses (SCC) adherent.
Google LLC (Firebase Cloud Messaging) — Android push notification delivery. Google is GDPR-compliant via SCCs and the EU-US Data Privacy Framework.
Hosting: servers within the Netherlands.

Account data: as long as your account exists. After you delete your account, account-identifying fields (email, username) are wiped within 30 days; gameplay records (combat history, leaderboard rank) are anonymised (replaced with a generic placeholder) but retained because they are referenced by other players' battle reports.
Push tokens: deleted automatically when invalid (the push service returns 404/410), or when you log out / uninstall.
Payment records: kept for 7 years for tax compliance, as required by Dutch law (Algemene wet inzake rijksbelastingen, art. 52).
Server logs: 14 days for security/fraud purposes, then deleted.

Under GDPR you have the right to: access your data, correct inaccurate data, request deletion, request portability (export your data), withdraw consent, and object to processing. To exercise any of these, email info@kurdbits.com; we respond within one month. You can also delete your account directly from Settings → Delete account — that triggers the same erasure flow.
You have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

We use only strictly-necessary cookies: PHPSESSID (session), locale (language preference), and an optional bw_rt remember-me cookie if you tick "Stay signed in". No analytics, no advertising, no third-party trackers. Strictly-necessary cookies do not require consent under EU rules.

bitwar.app is not directed at children under 13. By registering you confirm you are at least 13 years old (or 16 if your country requires that under GDPR Article 8).

We may update this policy as the game evolves. The "Last updated" date at the top reflects the most recent change. Material changes are announced via in-app message.