Privacy Policy

Last updated: March 29, 2026

At Survival of Races, accessible from www.survivalofraces.com, one of our main priorities is the privacy of our visitors and players. This Privacy Policy document describes how we collect, use, store, share, and protect information, including data obtained through Google OAuth authentication.

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us at [email protected].

Consent

By using our website or game client, you hereby consent to our Privacy Policy and agree to its terms. If you do not agree with this policy, please do not use our services.

Information We Collect

Account Registration Data

When you create an account using Google Sign-In, we access the following data from your Google account:

We request the following Google OAuth scopes:

• openid — Enables secure OpenID Connect authentication
• email — Access your email address
• profile — Access your basic profile information (display name)

Game Data

When you play Survival of Races, we collect and store:

• In-game actions (city building, troop movements, battles, trades)
• Game statistics (wins, losses, rankings)
• Device information (platform type: desktop, Android, iOS)

Log Files

Our servers follow standard logging procedures. Log files may include internet protocol (IP) addresses, browser type, date and time stamps, and referring/exit pages. These are not linked to personally identifiable information and are used for analyzing trends and administering the service.

Google User Data: Access, Use, Storage, and Sharing

This section specifically addresses how we handle data obtained through Google APIs, in compliance with the Google API Services User Data Policy.

Data Accessed

We access only the minimum Google user data required for authentication:

• Email address — Retrieved from the Google id_token JWT during OAuth login
• Display name (given_name) — Retrieved from the Google id_token JWT during OAuth login
• Profile picture URL — Retrieved from the Google id_token JWT but not permanently stored

We do not access your Google contacts, Google Drive files, Gmail messages, calendar events, or any other Google service data.

Data Usage

Google user data is used exclusively for:

1. Authentication — Your email address identifies your account so you can log in across devices
2. Account creation — On first login, your display name is used to generate an initial username
3. Session management — A JWT (JSON Web Token) is issued after authentication to maintain your login session

We do not use your Google user data for:

• Advertising or marketing purposes
• Profiling or behavioral targeting
• Selling or monetizing in any way
• Training machine learning or AI models

Data Sharing

We do not sell, trade, rent, or share your Google user data with any third parties.

Your Google email and display name are used solely within our own infrastructure (server_auth and server_game services). No external services, analytics platforms, advertising networks, or other third parties receive your Google user data.

Data Storage & Protection

Client-side storage:

• Authentication tokens (JWT) are stored locally in an encrypted SQLite database on your device
• Temporary OAuth values (state, nonce, PKCE code verifier) are stored only during the login process and deleted immediately after authentication completes or fails

Server-side storage:

• Your email and username are stored in our database (Redis) as part of your game account record
• Data is protected by access controls and is not publicly accessible
• JWT tokens are signed using HS256 with a server-side secret key
• Authentication uses PKCE (Proof Key for Code Exchange) to prevent authorization code interception

Security measures:

• OAuth 2.0 with PKCE flow for secure authentication
• State and nonce validation to prevent CSRF and replay attacks
• Platform-specific Google client IDs (desktop, Android, iOS) for isolation
• Authorization codes are exchanged server-side; Google tokens are never exposed in client applications
• JWT sessions expire after 7 days (auth server) and 48 hours (game server)

Data Retention & Deletion

Retention:

• Your game account data (including email and username) is retained as long as your account exists
• JWT authentication tokens expire automatically (7 days for auth, 48 hours for game sessions)
• Temporary OAuth data (state, nonce, code verifier) is deleted immediately after the login attempt

Deletion:

• You may request complete deletion of your account and all associated data by contacting us at [email protected]
• Upon receiving a deletion request, we will remove your account data including your email, username, and all game data from our servers within 30 days
• You can also perform a local factory reset within the game client to clear all locally stored data from your device
• After account deletion, your email will no longer be associated with any account in our system

How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the game and website
• Authenticate your identity and manage your game session
• Store your game progress and statistics
• Communicate with you regarding your account or support requests
• Analyze usage trends to improve the game experience
• Detect and prevent fraud or abuse

Cookies

Our website may use cookies for basic functionality such as session management. We do not use cookies for advertising or third-party tracking purposes.

Third-Party Services

Our game client communicates only with our own servers (server_auth and server_game) and with Google’s OAuth endpoints during authentication. We do not integrate with third-party advertising networks, analytics services, or data brokers.

CCPA Privacy Rights (Do Not Sell My Personal Information)

Under the CCPA, California consumers have the right to:

• Request that we disclose the categories and specific pieces of personal data we have collected
• Request that we delete any personal data we have collected
• Request that we do not sell personal data

We do not sell any personal data. If you would like to exercise any of these rights, please contact us at [email protected]. We will respond within one month.

GDPR Data Protection Rights

Every user is entitled to the following:

• The right to access — You may request copies of your personal data
• The right to rectification — You may request that we correct any inaccurate information or complete any incomplete information
• The right to erasure — You may request that we erase your personal data, under certain conditions
• The right to restrict processing — You may request that we restrict the processing of your personal data, under certain conditions
• The right to object to processing — You may object to our processing of your personal data, under certain conditions
• The right to data portability — You may request that we transfer the data we have collected to another organization, or directly to you, under certain conditions

If you make a request, we have one month to respond. Contact us at [email protected].

Children’s Information

Survival of Races does not knowingly collect any Personal Identifiable Information from children under the age of 13. If you believe that a child has provided us with personal information, please contact us immediately at [email protected] and we will promptly remove such information from our records.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date. You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Email: [email protected]

Sergio Terrazas

CEO, Owner and Developer

Survival Of Races