Privacy Policy

1. Data we collect

Account data: email address, username, avatar choice and authentication identifiers (managed by Supabase Auth; Google sign-in shares your email and basic profile with us).

Gameplay data: characters, items, points, battles, expeditions, streaks, achievements and related telemetry needed to operate the game and prevent cheating.

Wallet data (optional): if you link a wallet, we store its public address. If you use the Celo daily check-in, we store the public address, transaction hash and check-in day. We never receive or store private keys.

Technical data: IP address and request metadata used for security, rate limiting and abuse prevention; basic device/browser information.

2. What we do NOT collect

No payment card data, no government ID, no precise location, no contact lists. We do not sell personal data.

3. How we use data

To operate the game and save your progress; to secure accounts (captcha, rate limiting, anti-abuse); to verify optional wallet ownership; to credit on-chain check-in rewards; to fix bugs and improve the game (error monitoring); and to comply with legal obligations.

4. Public information

Your username, level, achievements and (if linked) a truncated wallet address may appear on public profiles and leaderboards. Blockchain transactions you make (e.g. check-ins) are public on the Celo network by design.

5. Subprocessors

We rely on: Supabase (authentication and database), Vercel (hosting and analytics), Cloudflare (Turnstile captcha), Redis hosting (rate limiting/caching), Sentry (error monitoring), and Thirdweb (wallet infrastructure). Each receives only the data needed for its function.

6. Cookies

We use first-party cookies strictly for authentication sessions (httpOnly) and basic preferences such as language. We do not use third-party advertising cookies.

7. Retention and deletion

Account and gameplay data are kept while your account exists. You may request deletion of your account and personal data via our community channels (Discord/Telegram, linked in the footer) or X @thooonv; we will remove personal data within 30 days, except records we must keep for security or legal reasons. On-chain records cannot be deleted by anyone.

8. Your rights

Depending on your jurisdiction (e.g. GDPR, LGPD), you may have rights of access, correction, portability, deletion and objection. Contact us through the channels above to exercise them.

9. Children

Thooon is not directed at children under 13 and we do not knowingly collect their data. If you believe a child under 13 has an account, contact us and we will delete it.

10. Changes

We may update this Policy. Material changes will be announced in-game or on our channels, with the "last updated" date revised above.