Privacy policy

Draft for Play Store / Health Connect submission. Effective date set on publication. Last updated: 2026-05-20.

Hexhold is a free Android app and web service operated by Hexhold, based in Romania. This policy explains what data we collect, why, and your rights as an EU/EEA resident under the GDPR. For all data-related contact, reach us at support@hexhold.app.

Plain-language summary

We collect the minimum data needed to run a gaming app whose central mechanic uses your real-world wellness activity (sleep, walking, heart rate) to boost the XP your gaming sessions earn. We never sell your data. You can delete your account and all associated data at any time.

1. What we collect

| Category | Examples | Source |
|---|---|---|
| Account | Email, username, country, sign-in provider tokens (Steam, FACEIT, Discord if used) | You / OAuth provider |
| Health & fitness | Step count, distance walked, exercise session metadata, heart rate samples, sleep duration | Android Health Connect (with your explicit permission) |
| Gaming activity | Steam match history (Dota 2: match IDs, outcomes, hero, MMR-adjacent stats; playtime). FACEIT match data if connected. | Steam Web API, FACEIT API |
| In-app behavior | XP earned, hexes claimed, crew membership, season participation, crew chat messages | Hexhold servers |
| Device + diagnostics | Crash reports, app version, device model class, OS version | Anonymized telemetry (Sentry or equivalent) |
| Push tokens | Firebase Cloud Messaging registration ID | You (when you consent to notifications) |

We do NOT collect:

  • Precise real-world location (the app uses a synthetic world; GPS is not read)
  • Phone contacts / address book
  • Photos / camera / microphone
  • Financial information (the app is free; no payments)
  • Browsing history outside of Hexhold

2. Why we collect it

| Data | Purpose |
|---|---|
| Account & sign-in | Identify you across sessions; allow you to sign in |
| Steps, distance, exercise, HR, sleep | Compute your boost multiplier — the core game mechanic in which real-world wellness increases the XP your gaming earns |
| Gaming activity | Compute XP from matches you played (the game's primary reward); display match summaries |
| In-app behavior | Run the game (XP balances, crew leaderboards, season standings) |
| Diagnostics | Identify crashes and bugs; improve stability |
| Push tokens | Send you the post-match notification you opted into |

3. Health Connect — special note

Hexhold requests the following Android Health Connect permissions:

  • READ_STEPS
  • READ_DISTANCE
  • READ_EXERCISE
  • READ_HEART_RATE
  • READ_SLEEP

These are used only to compute your boost multiplier and unlock daily streak progress. You may revoke any permission at any time via Android Settings → Health Connect → App permissions, with no loss of account access. Revoking a permission disables only the corresponding XP source.

We do not transmit raw Health Connect data to third parties. The data is processed by our server (Supabase, EU region) to compute aggregate signals (boost active yes/no; daily total steps; sleep duration). Raw heart-rate series are retained for up to 90 days for anti-cheat plausibility checks, then deleted.

For the full per-permission justification we submitted to Google, see the Health Connect data-usage page.

4. Sharing

We share your data only with the following processors:

  • Supabase (Postgres database, auth, edge functions; EU region) — our backend infrastructure
  • Firebase Cloud Messaging (Google) — push notifications (only the FCM token is shared; never your health or gaming data)
  • Steam, FACEIT, Discord — OAuth sign-in (only the authentication handshake; we do not push your data to them)
  • Crash analytics provider (Sentry or equivalent) — anonymized crash reports

We do not sell your data. We do not share your data with advertisers. We have no advertising in v1.

5. Retention

  • Account data: retained while your account is active. Deleted within 30 days of an account-deletion request.
  • Health data: aggregated daily totals retained for the life of the account. Raw HR series ≤ 90 days. You may request full deletion at any time.
  • Gaming data: retained for the life of the account (required for leaderboard integrity).
  • Crash reports: retained for 90 days.

6. Your rights (GDPR)

If you live in the EU/EEA you have the right to:

  • Access the data we hold about you
  • Request correction or deletion
  • Request a portable export (machine-readable)
  • Withdraw consent at any time
  • Lodge a complaint with your national data-protection authority (in Romania: ANSPDCP)

Email support@hexhold.app to exercise any of these rights. We respond within 30 days.

7. Children

Hexhold is not intended for users under 16. We do not knowingly collect data from anyone under 16. If we learn that we have, we delete it.

8. Security

Data is encrypted in transit (HTTPS / TLS) and at rest (Supabase-managed encryption). Authentication uses industry-standard OAuth flows. We do not store passwords (sign-in is via email magic-link or third-party OAuth).

9. Changes to this policy

We will notify users in-app of material changes and update the "Last updated" date above. Prior versions are preserved in our public git repository.

10. Contact

  • Email: support@hexhold.app
  • Postal: available on request via support@hexhold.app
  • Data Protection Authority (Romania): ANSPDCP — dataprotection.ro