Privacy Policy
How Landwars handles your data
1. Who we are
Landwars (the "Service") is an online multiplayer territory game operated by the team behind landwars.fun. The data controller for the purposes of the EU General Data Protection Regulation (GDPR) and the Cyprus Law 125(I)/2018 on the Protection of Natural Persons with regard to the Processing of Personal Data is established in the Republic of Cyprus. The contact address for all privacy-related correspondence is hello@landwars.fun.
2. Scope
This policy covers personal data processed when you visit landwars.fun, create an account, play matches, chat with other players, or contact us. It does not cover third-party websites linked from the Service; their privacy policies apply when you visit them.
3. What we collect and why
3.1 Guest accounts
You can play without registering. A guest account stores a randomly generated identifier and your in-game progress (XP, inventory, achievements, match history) on our servers. We do not collect your name, email, or wallet for guest play. The guest identifier is bound to your browser's local storage.
3.2 Registered accounts
When you upgrade a guest account or sign in with a third-party provider, we additionally collect:
- Email + password (if you choose email sign-in): the email is used to identify your account and for security notifications; the password is stored as a one-way bcrypt hash.
- OAuth profile data (Google, Discord, future providers): a stable provider ID, your verified email, and optionally your display name and avatar. We do not request access to your contacts, calendar, or any other data the provider may offer.
- Wallet public key (if you sign in with Solana via Sign-In With Solana): only the public key — never a private key, seed phrase, or transaction signing capability beyond the one-time sign-in message.
3.3 Gameplay data
During and after matches we process:
- Inputs you send to the server (movement, boost, chat messages) — required to run the simulation.
- Match outcomes (score, captures, kills, deaths, duration) — used for ranking, leaderboards, achievements, and rewards.
- Performance and diagnostic telemetry (frame rate, tick latency, error logs) — used to detect bugs, abuse, and capacity issues. Diagnostic logs are scrubbed of identifying content where reasonable.
3.4 Network metadata
Like every networked service we receive your IP address and User-Agent on each request. We use these to: route you to the nearest regional match host, rate-limit abuse, and investigate fraud or attacks. Raw IP logs are retained for up to 30 days and then aggregated or deleted.
3.5 Chat
Messages you send in match chat are processed by our servers to deliver them to other players in the same match and to enforce content rules. Chat messages may be retained for moderation review for up to 30 days after a match ends and then deleted, except where retention is required to investigate a specific abuse report.
3.6 Payments
When you purchase in-game items, payment is processed by an external payment processor (currently Stripe, App Store, Google Play, or — for crypto — your wallet provider). We receive a transaction reference and the items you purchased; we do not receive or store your full card number, CVV, or bank credentials.
4. Legal bases for processing (GDPR Art. 6)
| Processing | Legal basis |
|---|---|
| Running matches you join | Performance of contract (Art. 6(1)(b)) |
| Account creation, authentication, password reset | Performance of contract (Art. 6(1)(b)) |
| Fraud and abuse prevention, security logging | Legitimate interest (Art. 6(1)(f)) |
| Aggregated analytics on usage | Legitimate interest (Art. 6(1)(f)) |
| Service announcement emails (e.g. major changes) | Legitimate interest (Art. 6(1)(f)), opt-out |
| Optional marketing / newsletters | Consent (Art. 6(1)(a)) |
| Tax / accounting records related to purchases | Legal obligation (Art. 6(1)(c)) |
5. Who we share data with
We do not sell, rent, or trade your personal data. We share it only with the following categories of processors, each bound by contract to handle it only on our behalf:
- Hosting and database: Fly.io (application hosting), MongoDB Atlas (auth/user data), Cloudflare (DNS, edge caching, DDoS protection), SpacetimeDB (real-time match state).
- Authentication providers: Google, Discord, and any other identity provider you actively choose to sign in with.
- Payment processors: Stripe, Apple, Google Play, and — for crypto purchases — your chosen wallet's RPC providers.
- Email delivery: our transactional email provider (for password resets, security notifications, account confirmations).
- Anti-abuse: bot-detection and reputation services for known abusive IPs (no personal content shared, only IP and behavioural signals).
We may also disclose data when required by a binding legal order from a competent court or authority, or to protect the rights, property, or safety of Landwars, our players, or others. We will challenge orders we believe are overbroad or unlawful.
6. International transfers
Our infrastructure spans multiple regions, including the European Economic Area, the United Kingdom, the United States, and Asia. Transfers outside the EEA are protected by the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) or an equivalent mechanism, plus supplementary measures where we judge them necessary. You can request the specific safeguards in place for a given transfer by contacting hello@landwars.fun.
7. Retention
- Active accounts: retained for as long as the account is in use.
- Guest accounts: deleted after 180 days of inactivity.
- Match data and chat: aggregated or deleted after 30 days, except where moderation review or legal obligation requires longer retention.
- Diagnostic logs / IP logs: up to 30 days, then aggregated or deleted.
- Purchase / billing records: retained for the period required by Cyprus tax law (currently 6 years).
- Account deletion requests: personal identifiers are removed within 30 days; statistical match records may be retained in aggregated, non-identifying form.
8. Your rights
Under GDPR and the Cyprus Law 125(I)/2018 you have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to legal-retention exceptions noted above.
- Restrict or object to processing based on legitimate interest.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time for processing based on consent (does not affect prior lawful processing).
- Lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (www.dataprotection.gov.cy) or with the supervisory authority of your habitual residence in the EU.
To exercise any of these rights, email hello@landwars.fun from the address associated with your account. We respond within 30 days; for complex requests we may extend by a further 60 days and will tell you why.
9. Security
We use TLS for all client-server traffic, bcrypt for password storage (cost ≥ 12), short-lived JWTs for session authentication, and per-instance database isolation for live matches. Wallet sign-ins are verified by ed25519 signature with single-use nonces, never by storing your private key. No security model is perfect; please report vulnerabilities to hello@landwars.fun and we will respond.
10. Children
Landwars is not directed at children under 14 (the age of digital consent under the Cyprus implementation of GDPR Art. 8(1), Law 125(I)/2018 §7). Players under 14 must have a parent or legal guardian register and consent on their behalf. We do not knowingly collect data from children under 14 without that consent. If you believe a child under 14 has registered without consent, email hello@landwars.fun and we will delete the account.
11. Cookies and similar technologies
We use a small number of first-party storage mechanisms, all strictly necessary for the Service to function:
- localStorage for your authentication tokens, language preference, and graphics settings.
- sessionStorage for OAuth handoff state during sign-in.
- Short-lived cookies for CSRF protection during OAuth flows.
We do not use third-party advertising cookies or cross-site tracking. Because all stored data is strictly necessary for the Service you requested, we do not display a separate cookie banner.
12. Automated decision-making
We use automated systems for matchmaking (placing you in a balanced match) and anti-cheat (flagging suspicious play patterns). These systems can result in temporary match bans pending human review. They are not used to make decisions that produce legal or similarly significant effects within the meaning of GDPR Art. 22. You may request human review of any automated decision by emailing hello@landwars.fun.
13. Changes to this policy
We may update this policy when the Service changes or when the law requires. We will publish the new version at landwars.fun/privacy with the updated date below, and — for material changes — notify registered accounts by email or in-game banner at least 14 days before the change takes effect.
14. Contact
For any question, request, or complaint about this policy or how we handle your data: hello@landwars.fun.