This policy describes what data Billionaires War (the “Service”) collects, how it is used, with whom it is shared, and your rights over it.
1. Who we are
The data controller of the Service is the operator of billionaireswar.com. For any privacy question, contact billionaireswar@proton.me.
2. What data we collect
- Social-provider profile. When you sign in with a social provider (X / Twitter, Facebook, YouTube, Instagram, TikTok), we receive a stable provider user-id, your handle (e.g. @username), public display name, and your profile picture URL. From Google we additionally receive a verified email address; from Twitter, Facebook, Instagram and TikTok we currently do not receive email.
- Account profile. From the social data above we create a Billionaires War account: display name (editable), avatar URL (editable), empire color (editable), and the list of social accounts you have linked.
- Game data. Countries you own, total amount spent, purchase history (amount, country, timestamp), recent activity, attack intents.
- Payment data. Card number, CVC and expiry are entered into Stripe's widget directly — we never see them. We receive from Stripe a payment-intent id, the amount charged, the last four digits of the card, the country of the card, and a status (succeeded / failed). We do not receive a token usable to charge you again unilaterally.
- Operational logs. Like any web service, we collect server logs (IP, user agent, request path, status, duration). These are kept for at most 30 days for debugging and abuse prevention.
3. How we use it
- To create your account and authenticate you across visits.
- To run the game: render your avatar on the map, update the leaderboard, broadcast realtime activity, validate purchases.
- To process payments via Stripe and reconcile our records with theirs.
- To prevent abuse, fraud, and automated play.
- To respond to legal requests and to comply with tax / accounting obligations.
4. Legal basis
Under the GDPR our legal bases are: contract (we cannot run the game without storing your account and purchases), legitimate interest (anti-abuse, security logs), consent (analytics — see below), and legal obligation (retaining payment records for accounting / tax).
5. Sharing
- Stripe — payment processing.
- MongoDB Atlas — managed database hosting.
- Google Analytics / Google Tag Manager — only if analytics consent is given. We use GTM with cookieless mode by default.
- The social providers you sign in with see standard OAuth metadata (which app you logged into, when).
- We do not sell or rent personal data.
6. Cookies & local storage
- accessToken (localStorage) — your session. Created on login, removed on logout.
- currentUser (localStorage) — a cached snapshot of your profile, refreshed on login and on profile edits.
- locale (localStorage) — the language you picked.
- oauth2_origin, oauth2_color, oauth2_link_user (HTTP cookies, signed, 10-minute lifetime) — short-lived state for the OAuth flow only.
- Stripe cookies — set by Stripe's hosted widget, governed by their policy.
7. Retention
- Account data: until you delete your account (or after 12 months of inactivity, whichever comes first).
- Payment records: 6 years (Spanish tax law).
- Server logs: 30 days.
- Analytics events: as configured in GTM, typically 14 months.
8. Your rights
Under the GDPR you can: access your data, rectify it, erase it, object to processing, restrict processing, and export it (data portability). Write to billionaireswar@proton.me to exercise any of these rights. We respond within 30 days.
9. International transfers
Some of our processors (Stripe, Google) may process data outside the EEA. We rely on Standard Contractual Clauses for these transfers.
10. Children
The Service is not intended for users under 18. We do not knowingly collect data from children. If you are a parent and believe your child has registered, contact us and we will delete the account.
11. Security
Passwords are not stored: we rely on the social provider for authentication. Your session token is signed (HMAC) with a server secret; cookies tied to OAuth are signed and short-lived. Card data lives only inside Stripe.
12. Changes
We may update this policy. The “Last updated” date at the top reflects the most recent revision. Material changes will be highlighted on the home screen for at least 7 days.
13. Contact
For privacy questions, deletion, or any data-protection complaint, contact billionaireswar@proton.me. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
See also our Terms of Service.