Privacy Policy
Effective: 11.05.2026
This Privacy Policy ("Policy") explains what personal information Outrun the Dead ("we", "us", "our", "the Service") collects when you use our mobile application and the related website at outrunthedead.com, how we use that information, who we share it with, and the rights and choices you have. It is written to address the General Data Protection Regulation ("GDPR") and UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), Brazil's Lei Geral de Proteção de Dados ("LGPD"), Mexico's Federal Law on Protection of Personal Data Held by Private Parties ("LFPDPPP"), and other applicable laws.
If you do not agree with this Policy, do not install or use the Service.
1. Controller / responsible party
The data controller (GDPR), business (CCPA), and controlador (LGPD) of personal data processed in connection with the Service is:
- Naitsmania AS
- Cappelens gate 10, 3717 Skien, Norway
- Email: support@naitsmania.no (subject line "Privacy" for fastest routing)
For users in the European Economic Area or the United Kingdom, our representative under Article 27 GDPR is Stian Michael Årsnes.
2. What we collect and why
The table below summarizes the categories of personal data we process, the purposes of processing, and (for EU/UK users) the legal bases.
2.1 Account and profile
- What: Email address (or Apple/Google identifier if you sign in with those providers), display name, optional gender, optional age, profile preferences (runs per week, preferred time, target heart-rate range, language).
- Why: Create and maintain your account; personalize the in-game experience; deliver the service you signed up for.
- Legal basis (EU/UK): Performance of a contract (Article 6(1)(b) GDPR).
- Sensitive data: If you choose to provide age, we do not treat age as a special category; we use it only to tone-gate AI content (teen vs. adult phrasing).
2.2 Runs (GPS, motion, steps)
- What: Foreground and background location coordinates during active runs, motion sensor data, step count.
- Why: Record distance, pace, and route; render the post-run map; gate "personal best" and other achievements; detect stationarity to suppress GPS drift.
- Legal basis (EU/UK): Performance of a contract.
- Permissions: Background location is requested only after you have started a run, and we use it only while a run is active.
2.3 Heart rate
- What: Heart-rate samples read from Bluetooth chest straps, Apple Watch, Apple Health, or Health Connect (Android), only while a run is active.
- Why: Drive the in-game audio engine and threat level; record effort intensity alongside the run so you can review it.
- Legal basis (EU/UK): Explicit consent (Article 9(2)(a) GDPR — heart rate is health-related). You give consent by granting the relevant operating-system permission.
- Special-category note: Heart rate is health data. We do not share heart rate with advertisers, analytics providers, or any third party other than the secure backend that stores your run history.
2.4 Voice and speech
- What: Microphone audio is transcribed on your device by Apple's SFSpeechRecognizer or Android's SpeechRecognizer. We transmit only the resulting text transcript to our servers.
- Why: Let you talk to your AI companion instead of typing.
- Legal basis (EU/UK): Consent (you grant the microphone permission); performance of a contract.
2.5 Avatar photos
- What: A single photo you select when generating an avatar.
- Why: Generate a stylized in-game avatar via the fal.ai image-generation API. The photo is transmitted to fal.ai once and is not retained on our servers after the request completes.
- Legal basis (EU/UK): Consent (you choose to upload).
2.6 Companion chat content
- What: Text and transcribed voice messages exchanged with your in-game AI companion.
- Why: Generate AI replies (Anthropic's Claude API) and optional voice clips (ElevenLabs).
- Legal basis (EU/UK): Performance of a contract.
- AI training: Per our agreements with these providers, your prompts and outputs are not used to train their models.
2.7 Group features and in-app interactions
- What: Your display name, current survival status, recent run summaries (distance, duration, achievement flags), and any chat or nudges you send other group members. When you join a group, this information is visible to other members of that group.
- Why: Operate the social/group mechanics of the Service.
- Legal basis (EU/UK): Performance of a contract; legitimate interest in operating a working social product (Article 6(1)(f)).
- What other users see: Display name, avatar, broad survival status, distance/duration of recent runs, and anything you post in group chat or send as a nudge. Other users do not see your email address, heart rate, or precise GPS coordinates.
2.8 Subscriptions and purchases
- What: A pseudonymous RevenueCat identifier, which subscription product you bought, when it renews, and whether it is active.
- Why: Manage Premium and Ad-Free Supporter access; restore purchases across devices; recover entitlements after reinstall.
- Legal basis (EU/UK): Performance of a contract; legal obligation (tax and record-keeping retention).
- What we do not see: We do not see your full payment card or any billing details. Apple and Google process payments and tell us only that a purchase occurred.
2.9 Push notifications
- What: A push token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM).
- Why: Deliver in-game notifications (survival reminders, group events, redemption warnings, "your story video is ready", post-attack callouts).
- Legal basis (EU/UK): Consent. You grant the system permission when first prompted, and may withdraw consent at any time in OS settings or the in-app Profile screen.
- Content of notifications: Notifications may include short narrative beats, the names of your group members, and the names of in-game items. They never include heart rate, location, or financial information.
2.10 Advertising (free tier only)
- What: Device advertising identifier (IDFA on iOS, AAID on Android), approximate device characteristics, ad interactions. Subscription users do not see ads, and no advertising identifier is shared.
- Why: Monetize the free tier through Google AdMob; cap ad frequency; prevent fraud.
- Legal basis (EU/UK): Consent (granular consent via the in-app "App Tracking Transparency" prompt on iOS and the equivalent on Android). If you decline tracking, you will still see ads, but they will not be personalized.
- "Sale" / "sharing" disclosure (CCPA/CPRA): Sharing device identifiers and ad-interaction data with AdMob for behavioral advertising may constitute "sharing" or "selling" personal information under California law. California residents can opt out at any time — see Section 9.
2.11 Crash reports and diagnostics
- What: Stack traces, OS/device model, app version, and a pseudonymous installation identifier.
- Why: Detect and fix bugs.
- Legal basis (EU/UK): Legitimate interest (Article 6(1)(f)) in maintaining a functioning product.
2.12 Local storage on your device
- What: A small amount of state (preferences, cached profile data, audio settings) is stored on your device via the operating system's standard preference storage (SharedPreferences on Android, NSUserDefaults on iOS). This is local-only and not transmitted by us.
- Why: Remember your preferences across launches.
2.13 What we do not collect
- Your contacts, calendar, or photo library beyond the photos you explicitly pick.
- Health data other than heart rate (we do not read sleep, body composition, blood oxygen, etc.).
- Browsing history outside the Service.
- Biometric identifiers (face data, fingerprints).
3. Service providers and processors
We share data with the following providers acting as processors (or in some cases independent controllers). Each receives only the data necessary for its function.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Backend, auth, storage | USA / EU |
| Anthropic (Claude API) | AI text generation | USA |
| ElevenLabs | AI voice generation | USA |
| fal.ai | Image / video generation | USA |
| Google AdMob | Advertising (free tier only) | Worldwide |
| RevenueCat | Subscription management | USA |
| Firebase / Google Cloud | Push, crash reporting | USA / EU |
| Apple App Store / Google Play | Payment processing | Worldwide |
Each provider operates under its own privacy policy. The links above describe their commitments and our agreements; in particular, we have entered into data-processing agreements where required, and we rely on Standard Contractual Clauses (Module 2 or 3, as appropriate) under Article 46 GDPR for transfers of EU/UK personal data outside the EEA/UK. Brazilian transfers rely on the equivalent mechanism under Article 33 LGPD.
4. International transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. Where such transfers involve personal data of EU/UK residents, we rely on:
- The European Commission's Standard Contractual Clauses (Decision 2021/914), and where applicable, the UK Information Commissioner's International Data Transfer Addendum.
- Supplementary measures (encryption in transit and at rest, scoped access controls) as recommended by the European Data Protection Board.
For LGPD transfers, we rely on the controller-processor agreements, contractual safeguards, and (where applicable) the user's consent.
5. Automated decision-making and profiling
The Service uses algorithmic and AI-driven systems to generate parts of your in-game experience (story beats, companion replies, voice clips, avatars, threat-level adjustments). These systems:
- Do not produce legal or similarly significant decisions about you.
- Do not affect your access to credit, employment, housing, insurance, or any other real-world outcome.
- Are part of the entertainment functionality you signed up for.
You are not subject to a decision based solely on automated processing within the meaning of Article 22 GDPR. If you have concerns about how AI-driven personalization affects your in-game experience, contact us.
6. Retention
- Account, profile, run history: Retained while your account is active. Deleted within 30 days after you delete your account (subject to a brief backup-rotation window of up to 90 days, after which deletion is final).
- Companion chat history: Retained while your account is active so the AI has context. You can clear it in-app at any time; cleared messages are deleted immediately from primary storage.
- Voice prompts and avatar photos: Not retained after the AI request completes.
- Crash reports and diagnostic data: Up to 90 days.
- Subscription records: Retained as required by tax and consumer-protection law (typically 5–10 years depending on jurisdiction).
- Push tokens: Retained until they become invalid or you disable notifications.
- Group membership history: Retained while you are in a group; deleted within 30 days of you leaving the group.
7. Your rights — General
Regardless of where you live, you may contact us at support@naitsmania.no to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data (most fields are editable in-app).
- Delete your account and associated personal data.
- Export your data in a structured, machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
We respond to verified requests within 30 days (extendable by 60 days for complex requests, as permitted by GDPR Article 12). We may need to verify your identity before acting on a request to prevent fraudulent access.
8. EU / UK residents — additional rights
If you are in the EEA, UK, or Switzerland, you have the rights set out above under Articles 15–22 GDPR, plus:
- The right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is maintained at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.
- The right to be informed, in plain language, of how your data is being used (this Policy is intended to satisfy that right).
9. California (US) residents — CCPA / CPRA
If you are a California resident, the CCPA/CPRA gives you the following rights with respect to personal information we collect about you:
- Right to know what personal information we collect, the sources, the purposes, and the categories of third parties we disclose it to.
- Right to delete personal information we collect.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising your rights — we will not deny service or charge a different price.
9.1 Categories collected (CCPA format)
- Identifiers: email, account ID, device IDs (IDFA/AAID), IP address (transient).
- Customer records: display name, age (optional), preferences.
- Internet / network activity: in-app interactions, ad interactions, crash diagnostics.
- Geolocation: precise GPS during active runs.
- Sensory: on-device microphone transcripts; uploaded avatar photos (transient).
- Health-related: heart rate during runs.
- Inferences: achievement flags, in-game character state.
9.2 Sale / sharing
We do not "sell" personal information for money. We "share" device identifiers and ad-interaction data with Google AdMob for cross-context behavioral advertising to free-tier users. To opt out, decline the App Tracking Transparency prompt on iOS, disable personalized ads in your Android settings, or subscribe to a paid tier.
9.3 How to exercise your California rights
Email support@naitsmania.no with the subject line "California Privacy Request." You may also designate an authorized agent. We honor Global Privacy Control signals where technically feasible.
10. Brazil residents — LGPD
If you are in Brazil, the LGPD gives you rights similar to those in Section 7, plus:
- Confirmation of the existence of processing.
- Anonymization, blocking, or deletion of unnecessary or excessive data.
- Information about public and private entities with which we have shared your data.
- Information about the possibility of denying consent and the consequences.
- Revocation of consent.
To exercise these rights or contact our Data Protection Officer (Encarregado), email support@naitsmania.no with "LGPD Request" in the subject line. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
11. Mexico residents — LFPDPPP
If you are in Mexico, you have ARCO rights (Acceso, Rectificación, Cancelación, Oposición) over your personal data. To exercise them, email support@naitsmania.no with "Mexico Privacy Request" in the subject line. You may also lodge a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
12. Children's privacy
The Service is not directed at children under 13 (or under 16 in the EEA / under 18 in some Latin American jurisdictions where local law requires). We do not knowingly collect personal data from children under those ages. The app's content (zombie peril, survival themes) is rated for teens and older. If you believe a child has provided personal data to us without parental consent, contact us at support@naitsmania.no and we will delete it. We comply with the U.S. Children's Online Privacy Protection Act ("COPPA") to the extent applicable.
13. Security
We use industry-standard safeguards: TLS in transit, encryption at rest with our cloud providers, Row-Level Security policies for per-user data isolation, scoped API keys, and audit logging of administrative access. No internet-connected system is perfectly secure, and we cannot guarantee absolute security.
If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by GDPR, and notify affected users without undue delay where the breach is likely to result in a high risk.
14. "Do Not Track" and Global Privacy Control
Our app does not respond to browser-based "Do Not Track" signals (the app is not a website). For California residents, we honor the Global Privacy Control signal where technically feasible. For all users, paid-tier subscription stops the sharing of advertising identifiers regardless of OS-level consent.
15. Changes to this Policy
We may update this Policy from time to time. We will notify you of material changes through an in-app notice or other reasonable means and update the "Effective" date above. Your continued use of the Service after the new Policy takes effect means you accept the revised Policy.
16. Contact
- General privacy questions: support@naitsmania.no
- California requests: subject line "California Privacy Request"
- Brazil / LGPD: subject line "LGPD Request"
- Mexico / ARCO: subject line "Mexico Privacy Request"
- EU / UK requests: subject line "GDPR Request"