Privacy Policy
This Privacy Policy describes how XpandR ("we", "us", "our") collects, uses, and protects your personal data when you use the XpandR mobile application (the "App") and the xpandr.app website (the "Site").
We are committed to complying with the General Data Protection Regulation (GDPR, EU 2016/679) and the Swiss Federal Act on Data Protection (revFADP).
1. Data controller
The data controller is:
- Name: Sébastien Masle
- Address: Rue du lac 22, 1020 Renens, Switzerland
- Email: legal@xpandr.app
For any question regarding your personal data, please contact us at the email above.
2. Data we collect
2.1 Data collected through the Site (xpandr.app)
When you subscribe to our beta testers list on our site, we collect:
- Your email address
- Your consent to receive communications regarding the beta program (with timestamp)
- Your locale (browser language)
- Your IP address (for automated submission protection purposes, kept temporarily)
2.2 Data collected through the App
When you use the App, we collect the following categories of data:
Account data
- Unique identifier (UID) generated by Firebase Authentication
- Display name (displayName) of your choice
- Email address (only if you sign in with a Google account)
- Notification preferences
Geolocation data
- Real-time GPS position during your activity sessions (running/walking)
- History of your routes and the geographic cells you cross
- This collection is continuous during an active session, including when the App runs in the background (
ACCESS_BACKGROUND_LOCATIONpermission)
Game activity data
- Activity sessions (duration, distance, GPS points, timestamps)
- Captured cells and controlled districts
- Personal and team statistics
- Team membership
Technical data
- Device model and operating system version (via Firebase)
- Technical device identifiers (FCM token stored in hashed form)
- Crash data and errors (via Firebase Crashlytics)
- Anonymized usage events (via Firebase Analytics)
Data you provide voluntarily
- Reports (category, message, context) if you use the built-in reporting feature
2.3 Data we do NOT collect
For the record, we do not collect:
- Photos taken with your device
- Content from your contacts, SMS, or other apps
- Health data (heart rate, calories, etc.)
- Financial or banking data
3. Purposes and legal basis for processing
Pursuant to Article 6 of the GDPR, we process your data for the following purposes:
| Purpose | Legal basis |
|---|---|
| Provide the game service (cell capture, teams, leaderboards) | Performance of contract (Terms) |
| Authenticate your identity | Performance of contract |
| Send you game notifications (according to your preferences) | Consent |
| Send you beta program communications (via the Site) | Consent |
| Analyze App usage to improve it | Legitimate interest |
| Detect and prevent fraud, cheating, and abuse | Legitimate interest |
| Respond to your requests and reports | Legitimate interest / Legal obligation |
| Comply with our legal obligations | Legal obligation |
4. Hosting and data location
Data generated by the App is stored on Google Cloud Platform infrastructure in the europe-west6 (Zurich, Switzerland) region:
- Database: Firebase Firestore (Zurich)
- Application server: Google Cloud Run (Zurich)
Emails collected through the Site are stored with Brevo (Sendinblue SAS), based in France (European Union).
5. International transfers (outside Switzerland / outside EU)
Although our primary infrastructure is in Zurich, certain third-party services we use are operated by Google LLC from the United States:
- Firebase Authentication (identity management)
- Firebase Analytics (usage analysis)
- Firebase Crashlytics (crash reports)
- Firebase Cloud Messaging (push notifications)
- Firebase App Check (anti-abuse security)
- Google Maps Platform (map display)
- Google Sign-In (Google account login)
These transfers to the United States are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission, as well as Google's adherence to the EU-U.S. Data Privacy Framework.
6. Sub-processors and data recipients
We use the following sub-processors, who act on our instructions:
| Sub-processor | Service | Location |
|---|---|---|
| Google LLC / Google Cloud EMEA Limited | Hosting (Firebase, Cloud Run, FCM, Auth, Analytics, Crashlytics, App Check, Maps) | Zurich (CH) + United States |
| Sendinblue SAS (Brevo) | Beta program email list management | France (EU) |
| Cloudflare, Inc. | Site hosting, DNS, CDN protection | Global network |
We do not sell or rent your personal data to third parties. We only share your data with the sub-processors listed above, or when required by law.
7. Retention period
- Account data and game data: retained as long as your XpandR account is active. If you delete your account, your personal data is erased within 30 days, except for data required to comply with legal obligations.
- GPS data and activity history: retained as long as your account is active (they are part of the game experience: statistics, leaderboards, progression).
- Anonymous accounts (without Google Sign-In): automatically cleaned up after a prolonged period of inactivity.
- Crash and analytics data: retained according to Google's default durations (generally 14 months for Analytics).
- Beta program emails: retained until you unsubscribe, or for a maximum of 24 months after the last contact.
- Reports and moderation logs: retained for 24 months to allow for the handling of potential disputes.
8. Your rights
In accordance with the GDPR and the revFADP, you have the following rights:
- Right of access: obtain a copy of the data we hold about you
- Right to rectification: correct inaccurate data
- Right to erasure ("right to be forgotten"): request the deletion of your account and data
- Right to restriction of processing
- Right to data portability: receive your data in a structured format
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time, for processing based on consent
- Right to lodge a complaint with a supervisory authority (Federal Data Protection and Information Commissioner in Switzerland, or the authority of your country of residence in the EU)
To exercise these rights, write to us at legal@xpandr.app. We will respond within one month.
9. Security
We implement technical and organizational measures to protect your data:
- Encrypted communications (HTTPS/TLS end-to-end)
- Restrictive Firestore rules: no direct client access to the database, everything goes through our authenticated server
- Firebase Authentication + signed tokens
- Firebase App Check to prevent abusive use from unauthorized clients
- Device token pseudonymization (SHA-256 hashed)
- Primary hosting in Switzerland (
europe-west6)
10. Minors
The App is intended for persons aged 16 or older. We do not knowingly collect data from minors under 16. If you believe a child has provided us with data, please contact us at legal@xpandr.app so that we can delete it.
11. Cookies
Our Site (xpandr.app) does not use tracking cookies, analytics, or advertising. Only strictly necessary technical cookies (e.g., for form session management) may be used.
The App does not use third-party cookies.
12. Changes
We may update this policy to reflect technical, legal, or service changes. Any material change will be notified to you (by email or through the App) at least 30 days before it takes effect. The date of the last update appears at the top of this document.
13. Contact
For any question regarding this policy or your data:
Email: legal@xpandr.app
Address: Rue du lac 22, 1020 Renens, Switzerland
This policy is governed by Swiss law and the GDPR for users residing in the European Union.