Privacy Policy — Siete o Muerte
Last updated: 2026-04-25
This is the privacy policy for the Siete o Muerte mobile app, published by agile turtles (the operator). It explains what data we collect, why, where it goes, and what control you have. Plain English first, legal terms second.
Short version
- You don't have to give us anything to play. The app creates an anonymous device-tied account so your stats and purchases survive reinstalls. No email, no name, no permissions beyond what the platform requires.
- If you add an email (Settings → "Save your progress"), it's only used to identify you across devices and resend your sign-in code.
- Gameplay happens on your device for solo and local pass-and-play modes. Nothing about those games leaves the device.
- Online multiplayer sends your moves and game state to our server (Hetzner, EU) so other players can see them.
- We never sell your data. We don't run ads. We don't share with marketers.
- You can request deletion of your account and all server-side data by emailing support@agileturtles.gr.
What we collect, and why
When you install the app
| What | Why | Where it's stored |
|---|---|---|
| Anonymous account ID (random UUID) | So your stats survive reinstalls and you can play online without signing up | On your device + on our server (users table) |
| Display name (optional, you set it) | Shown to opponents in online lobbies | On our server |
| Avatar choice (optional) | Same — visible to online opponents | On our server |
| App preferences (sound, haptics, language, reduce motion) | To make the app behave the way you want | On your device only (MMKV) |
When you play a game
| What | Why | Where it's stored |
|---|---|---|
| Game state (cards, scores, turns) — for solo & local | Drives the round; never sent anywhere | On your device only |
| Game state — for online | Server is the authority; needed for fair play across devices | On our server (games + game_events tables); deleted 30 days after game end |
| Achievement progress + lifetime stats | Powers the achievements system and your profile | On your device + on our server (mirrored) |
When you opt in to email
| What | Why | Where it's stored |
|---|---|---|
| Email address | To identify you across devices and send the sign-in code | On our server |
| Sign-in code (6 digits, expires in 10 min) | Sent via email to verify it's you | On our server (hashed); discarded after use |
When you buy Pro
| What | Why | Where it's stored |
|---|---|---|
| Receipt / entitlement state | So we know you have Pro and can keep it across devices | RevenueCat (our IAP processor) + on our server (prounlockedat field). We never see your card number. |
Third parties we use
We deliberately keep this list short. As of 2026-04-25:
- Apple App Store / Google Play — handle the actual purchase. Their privacy policies apply: Apple, Google.
- RevenueCat (privacy) — our in-app-purchase layer. Receives your anonymous account ID and a purchase event. Does not receive your email, name, or gameplay data.
- Resend (privacy) — sends your sign-in email when you opt in. Receives only your email address and the 6-digit code.
- Hetzner Online GmbH (EU/Falkenstein) — hosts our server. Standard infrastructure provider; processes traffic only.
We do not use:
- Analytics SDKs that track individuals (no Google Analytics, no Facebook SDK, no Amplitude, no Mixpanel, no Segment)
- Advertising SDKs of any kind
- Crash reporting tied to identity
- Any "marketing automation" platform
How we secure your data
- All traffic to our server uses TLS 1.3 (Let's Encrypt).
- Sign-in codes are hashed (SHA-256) before storage. The plaintext code only exists in transit (email + the verify request).
- Your anonymous device ID is a random UUID — not derivable from your IMEI, MAC, advertising ID, or any device identifier. We don't see those.
- Server access is restricted to the founder and the deployment automation. The server lives in the EU.
Retention
- Anonymous accounts persist while you keep the app installed. If you uninstall and reinstall on the same device with the same device-stored UUID, they're rejoined. Otherwise a new anonymous account is created.
- Email-linked accounts persist until you ask us to delete them.
- Online game state is kept for 30 days after the game ends, then purged.
- Sign-in codes are deleted on use or after 10 minutes, whichever is first.
- Daily Postgres backups are kept for 14 days, then rotated out.
Your rights (GDPR + general)
You have the right to:
- Access the data we hold about you
- Export your stats, achievements, and account info
- Correct anything wrong (currently: email us)
- Delete your account and everything on the server side. Local on-device data clears when you delete the app.
To exercise any of these, email support@agileturtles.gr from the address linked to your account (or include your anonymous account ID, which you can read in Settings → About).
We respond within 30 days. There's no fee.
Children
The app is rated 4+ on iOS and Everyone on Google Play. We don't knowingly collect data from anyone under 13. If you believe a child has registered an email-linked account, email us and we'll delete it promptly.
Changes to this policy
We'll update the date at the top whenever this changes. Material changes (new third parties, new data categories) are announced in-app on next launch via a one-time dialog.
Contact
- Email: support@agileturtles.gr
- Operator: agile turtles, Athens, Greece
For legal questions specific to a jurisdiction, please use the email above. We answer in English, Spanish, or Greek.