Privacy Policy — Cumbrian Wars

Cumbrian Wars is developed and operated by tomm.dev, based in the United Kingdom. This policy explains what personal data we collect when you use Cumbrian Wars, why we collect it, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).

01

Who this applies to

This policy applies to all players of Cumbrian Wars, available on iOS and Android. You must be at least 13 years old to create an account. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us at [email protected] and we will delete it promptly.

02

What data we collect

Data	Why we collect it
Email address	To create and authenticate your account, and to contact you about your account if needed
Password	Stored as a one-way bcrypt hash — we cannot read your password
IP address	Logged on login to detect multi-account abuse and protect fair play
Game data	Your in-game name, faction, turf, army stats, gold, combat history, and other gameplay state needed to run the game

We do not collect your real name, phone number, location, payment information, or any other personal data. We do not run advertising or third-party analytics.

03

How we use your data

We use your data solely to:

Operate and maintain your game account
Enforce the game rules (including detecting accounts that violate the one-account-per-player rule)
Respond to support requests you send us

We do not sell, rent, or share your personal data with any third party for marketing purposes.

04

Third-party services

We use the following services to operate the game. Each has its own privacy policy.

Service	Purpose
DigitalOcean	Hosts our game server and database (data stored on a server in the EU)
Resend	Sends transactional emails from [email protected]
Cloudflare	Provides DNS, DDoS protection, and SSL for cumbrianwars.com

No other third-party SDKs, analytics tools, or advertising networks are used in the app.

05

Data retention

We keep your account data for as long as your account is active. At the end of each game season (an “Age”), all player data and game logs are wiped as part of the season reset — this is a core part of the game design.

IP address logs are retained for the duration of the current season only. If you request account deletion, we will delete your data within 30 days.

06

Security

Your password is stored as a bcrypt hash. All connections to our server use TLS (HTTPS). We use unique random identifiers (UUIDs) for accounts to prevent enumeration. Authentication tokens are invalidated when you log out.

We take reasonable steps to protect your data, but no internet service can guarantee absolute security.

07

Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Correct inaccurate data
Erase your data (“right to be forgotten”)
Object to or restrict our processing of your data
Withdraw consent at any time (where we rely on consent)
Lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk

To exercise any of these rights, email [email protected]. Account deletion requests are handled manually — we aim to process them within 30 days.

08

Legal basis for processing

We process your data on the following bases under UK GDPR:

Contract performance — processing necessary to provide the game service you signed up for (account management, gameplay)
Legitimate interests — IP logging to detect rule-breaking and protect fair play for all players

09

Contact

If you have any questions about this policy or your data, contact us at:
[email protected]

10

Changes to this policy

We may update this policy from time to time. If we make material changes, we will update the “Last updated” date at the top. Continued use of the game after changes are posted constitutes acceptance of the updated policy.