Privacy Policy for Idle Hunter

At Idle Hunter ("we", "our", or "us"), we are committed to protecting your privacy and ensuring that your personal data is handled in a safe and transparent manner. Idle Hunter is owned and operated by KZR Production AB (Org.nr 559311-8903), a company registered in Sweden. This Privacy Policy explains how we collect, use, and protect your personal data when you play our browser-based game, in compliance with the General Data Protection Regulation (GDPR).

1. Data Controller

The entity responsible for processing your personal data is:

• Company: KZR Production AB
• Org.nr: 559311-8903
• Country: Sweden
• Contact Email: Privacy@idlehunter.com

For any questions regarding your data or your rights under GDPR, please contact us at the email address above.

2. The Data We Collect and Why

We only collect the absolute minimum data required to run the game securely and fairly. We do not use your data for marketing or sell it to third parties.

A. Email Address

Why we collect it: To create and manage your player account, verify your identity, secure your progress, and allow you to reset your password if forgotten.

Legal Basis (GDPR Art. 6(1)(b)): Performance of a Contract. Providing an email is necessary for us to fulfill our service to you and maintain your account.

B. IP Address

Why we collect it: To prevent cheating, specifically to detect and block users from running multiple instances or automated accounts simultaneously, ensuring a fair gaming environment for all players.

Legal Basis (GDPR Art. 6(1)(f)): Legitimate Interest. We have a legitimate security and operational interest in protecting the integrity and economy of our game against abuse.

3. Data Retention

Email Address: Your email address is stored for as long as your account remains active. If you request the deletion of your account, your email address will be permanently removed from our databases.

IP Address: IP logs used for multi-instance monitoring are kept for a limited period and are automatically deleted or anonymized after 30 days, unless required longer to investigate a specific breach of our terms.

4. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We only share data with essential infrastructure providers necessary to run the game:

• Hosting & Database Providers: Our web frontend is hosted by Lovable Cloud (utilizing Cloudflare's edge network), and our backend databases and user authentication are managed via Supabase. All core player data servers are located within the EU/EEA.
• Payment Processing: We use Stripe to handle subscription payments. When you make a purchase, your transaction data is processed directly by Stripe under their own privacy policy. We do not store your credit card details on our servers. Stripe may collect your IP address and set cookies strictly necessary to securely process payments and prevent fraud.
• External Media (Twitch): We embed live streams from Twitch on our platform. When you view a page with an embedded Twitch stream, Twitch may collect your IP address and place tracking or advertising cookies on your device. This data processing is governed entirely by Twitch's own Privacy Policy.
• Email Services: We use Supabase Auth's built-in email delivery system solely to deliver account verification and password reset emails.

5. Your Rights Under GDPR

As a user residing in the EU/EEA, you hold the following rights regarding your personal data:

• Right of Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You can request that we correct any inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): You can request that we delete your account and all associated personal data.
• Right to Restriction of Processing: You can request that we limit how we process your data under certain circumstances.
• Right to Object: You have the right to object to our processing of your IP address based on our legitimate interest.

To exercise any of these rights, please contact us at Privacy@idlehunter.com. We will respond to your request within 30 days.

6. Lodging a Complaint

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY) (www.imy.se).

7. Cookies

We use a small number of cookies. We group them into two categories:

Strictly Necessary (no consent required)

• Authentication session: set by our login system to keep you signed in.
• Stripe: fraud prevention and secure payment processing when you visit a checkout page.
• Referral attribution (ih_ref): remembers which player invited you so credit is applied at signup. Expires after 30 days.
• Consent preference (ih_consent): records your choice on the cookie banner so we don't ask again. Expires after 6 months.

Optional — only loaded after you click "Accept"

• Twitch: when you accept, we embed live streams from our partnered streamers. Twitch may then set its own tracking and advertising cookies, governed by Twitch's Privacy Policy. If you click "Reject non-essential", no Twitch content is loaded.

You can change your choice at any time from the Settings page.