Privacy Policy

Last updated: February 26, 2026 | Version 3.0

1. Introduction

THORVA ("we", "us", "our") is an independent developer building privacy-first apps. This Privacy Policy applies to all apps published by THORVA, including STRIKA: Precision Challenge. It explains what data we collect, why we collect it, the legal basis for processing, and how you can control it.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

The data controller for all THORVA apps is the developer. For privacy inquiries, contact us at [email protected].

2. Information We Collect

We collect minimal data necessary for our apps to function. The sections below describe each category in detail.

2.1 Advertising (Google AdMob)

Our apps display interstitial ads served by Google AdMob to support ongoing development.

Before any personalized ads are shown, we request your consent via Google's User Messaging Platform (UMP) in compliance with GDPR and the IAB Transparency & Consent Framework (TCF).

Based on your choice, ads work as follows:

Consent granted (personalized ads): AdMob may use your advertising identifier and limited device information to show ads relevant to your interests.
Consent declined (non-personalized ads): If you do not consent, we show non-personalized ads (NPA). These ads do not use personal data for targeting — only contextual and non-identifying information is used.

When you consent to personalized ads, Google AdMob may collect:

Advertising identifier (AAID on Android, IDFA on iOS)
Device and app information (OS version, app version)
Ad interaction data (impressions, taps)

For non-personalized ads, only contextual and non-identifying data is used by Google.

To keep the experience unobtrusive, ads are rate-limited: no more than a few per session, with minimum intervals between impressions. New users are not shown ads during their first sessions.

For more information on how Google processes ad data, see Google's Privacy Policy.

2.2 Crash Reporting (Firebase Crashlytics)

Our apps automatically collect technical data about crashes and errors using Firebase Crashlytics. This helps us identify and fix stability issues quickly.

Crash reporting is enabled by default to ensure app stability and a reliable user experience. The legal basis for this processing is legitimate interest (Article 6(1)(f) GDPR) — we have a legitimate interest in maintaining a stable, functional application.

When crash reporting is active, the following technical data may be collected:

Device model and OS version
App version and build number
Stack trace (technical error information)
A hashed (anonymized) installation identifier

Crash reports do not contain directly identifying personal data such as your name, email address, or location.

You can disable crash reporting at any time in Settings > Ads & Privacy.

2.3 Analytics (Firebase Analytics)

Our apps use Firebase Analytics to understand how features are used and to improve the user experience.

Analytics is disabled by default. It is only activated after you give explicit consent. You will be presented with a contextual opt-in prompt after completing your first attempt in the app. You are free to accept or decline.

The legal basis for this processing is consent (Article 6(1)(a) GDPR). Analytics data is only collected if you explicitly opt in.

When enabled, analytics may collect:

Anonymous usage events (e.g. screens viewed, features used)
Session duration and frequency
General device information (device type, OS version)

Analytics does not collect names, email addresses, or any other directly identifying personal information.

You can change your analytics preference at any time in Settings > Ads & Privacy. If you withdraw consent, analytics collection stops immediately.

2.4 Account & Game Data

If you create an account or use the app as a guest, we collect the following data necessary for app functionality:

Data Type	Purpose	Stored Where	Retention
User ID	Identify your account and game progress	Supabase (cloud)	Until account deletion
Email (Google sign-in only)	Account identification when you sign in with Google	Supabase Auth	Until account deletion
Display Name (optional)	Show your chosen name on leaderboards	Supabase	Until account deletion
Game Scores	Track your best scores and show leaderboards	Supabase	Until data deletion
Game Attempts	Calculate daily averages and history	Supabase	Until data deletion
Drawing Snapshots	Show your past drawings in history view	Supabase	Until data deletion
App Logs	Debug errors and improve the app	Supabase	30 days (auto-deleted)

2.5 What We Do NOT Collect

Location data (GPS, network location)
Contacts or address book
Photos or media files
Payment information (the app has no in-app purchases)
Biometric data
Third-party tracking SDKs beyond those listed in this policy

3. Guest Users

You can use our apps without creating an account. As a guest:

We assign you an anonymous identifier stored on your device
Your scores and game data are still saved to our servers
You can delete all your data at any time from Settings
If you sign in with Google later, your guest data can be migrated to your account

4. Legal Basis for Processing (GDPR)

We process personal data based on the following legal grounds under the GDPR:

Legal Basis	Applies To
Consent (Article 6(1)(a))	Firebase Analytics (opt-in), personalized advertising (AdMob consent via UMP)
Legitimate Interest (Article 6(1)(f))	Crash reporting (Firebase Crashlytics), non-personalized advertising, basic app functionality and error logging
Contractual Necessity (Article 6(1)(b))	Account data and game data necessary to provide the service you requested (scores, leaderboards, game progress)

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your rights and freedoms. You can object to processing based on legitimate interest at any time (see Section 8).

5. Data Sharing

We share data only with service providers necessary for our apps to function:

Google AdMob — serves ads within our apps (personalized or non-personalized based on your consent)
Firebase Crashlytics (Google) — receives crash reports to help us fix bugs
Firebase Analytics (Google) — receives anonymous usage data (only if you opt in)
Supabase — database and authentication provider; stores your app data and account
Google (if you use Google sign-in) — authenticates your identity

We do not sell, rent, or share your data with data brokers or any other third parties.

6. International Data Transfers

Your data may be processed in:

European Union: Supabase servers
United States: Firebase Crashlytics, Firebase Analytics, and Google AdMob (Google)

Where data is transferred outside the EU/EEA, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, to ensure your data receives an adequate level of protection.

7. Data Security

We protect your data using:

Encrypted connections (HTTPS/TLS) for all data transfers
Row-Level Security (RLS) in our database — you can only access your own data
Secure authentication via Supabase Auth
Hashed user identifiers in logs (your actual ID is not stored in plain text)

8. Data Retention

Game data (scores, attempts, snapshots): Kept until you delete it or your account
Display name: Kept until you change it or delete your account
App logs: Automatically deleted after 30 days
Crash reports: Retained by Firebase for 90 days
Analytics data: Retained while your consent is active; if you withdraw consent, collection stops immediately (existing data is retained by Google per their retention policies)
Ad data: Retained by Google per their data retention policies
Account data: Deleted when you delete your account

9. Your Rights (EU Users)

Under the GDPR and similar privacy laws, you have the right to:

Access: Request a copy of the data we hold about you
Rectification: Correct inaccurate or incomplete data
Erasure ("Right to be Forgotten"): Request deletion of all your data
Restriction: Request that we limit how your data is processed
Portability: Receive your data in a structured, machine-readable format
Withdraw Consent: Revoke consent for analytics or personalized ads at any time, without affecting the lawfulness of prior processing
Object: Object to processing based on legitimate interest (e.g. crash reporting)

9.1 How to Exercise Your Rights

Delete Your Data: Go to Settings > Ads & Privacy > Delete My Data

Delete Your Account: Go to Settings > Ads & Privacy > Delete Account (for signed-in users)

Contact Us: Email [email protected] for data access requests, portability requests, or any other privacy-related questions. We will respond within 30 days.

10. Managing Your Preferences

You are in control of your privacy settings. All preferences can be managed in Settings > Ads & Privacy within the app:

Advertising consent: Tap "Manage Ad Consent" to re-open the Google UMP consent form and change your ad personalization preferences at any time.
Analytics: Toggle analytics on or off. When disabled, no usage data is collected.
Crash reporting: Toggle crash reporting on or off. When disabled, no crash data is sent to Firebase Crashlytics.

Changes take effect immediately. Disabling a feature stops future data collection for that feature but does not retroactively delete data already collected. To request deletion of previously collected data, contact us at [email protected].

11. Children's Privacy

Our apps are not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

Updating the "Last updated" date at the top of this page
Showing a notice in our apps for major changes

We encourage you to review this policy periodically.

13. Contact

For privacy questions, data requests, or concerns:

Email: [email protected]