Birus — Privacy Policy
Last updated: 2026-05-15
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. WHO WE ARE
━━━━━━━━━━━━━
Birus is a real-time location-based game ("the App"). The controller for
the purposes of GDPR and applicable data protection law is the operator of
birus.app ("we", "us").
Contact: privacy@birus.app
2. WHAT WE COLLECT AND WHY
━━━━━━━━━━━━━━━━━━━━━━━━━━
2.1 Location data (approximate)
If you grant location permission, your device converts your GPS coordinates
into a geohash — a short alphanumeric code representing an area of roughly
600m × 1200m. This conversion happens ENTIRELY ON YOUR DEVICE. We never
receive your latitude or longitude; we only receive the geohash.
If you deny location permission, we estimate your geohash from your IP
address (city-level precision, ~5km radius). This estimate is used solely
to assign you to a game area and is not stored.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — necessary to
provide the core function of the game. You can revoke permission at any
time in your device settings; this will activate the IP-based fallback.
2.2 Pseudonymous session identifier
Each session is assigned a random UUID ("playerId") stored locally on your
device. This ID is used to:
- Maintain your team assignment (virus or cure) across sessions
- Enforce fair-play rules (tap rate limits, anti-bot detection)
- Allow reconnection without re-verification
We do not link this ID to any personal identity. If you clear your app
data, a new ID is generated.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
2.3 Device integrity token
On Android, we request a Play Integrity token from Google's servers. On
iOS, we use Apple's App Attest. These tokens are used solely to verify that
requests come from a genuine, unmodified copy of the app. They are validated
and immediately discarded — never stored or associated with your identity.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — fraud prevention.
2.4 Tap counters
We store per-geohash counters (e.g., "cell u4pruv has 12 virus taps and 8
cure taps"). These counters contain no personal data — they are totals
across all players in an area.
We also store pseudonymous tap totals per playerId (e.g., total taps, virus
taps, cure taps). These counters are used for gameplay statistics and are
not linked to your name, email, precise location, or any account.
2.5 Push notification data
If you enable push notifications, we store your push notification token
(APNs on iOS or FCM on Android), platform type, language, timezone, current
team, primary game cell, and the time you last opened the App. This data is
used only to send relevant gameplay notifications, apply quiet hours, and avoid
sending repeated notifications to inactive players.
Push notification data is stored against your pseudonymous playerId, not your
name, email, or account. It expires after 90 days unless refreshed by the App.
You can disable push notifications in your device settings.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — gameplay notifications
and anti-spam controls.
2.6 Web analytics
On the web version, we use a privacy-friendly analytics service hosted at
analytics.siege.zone to understand aggregate traffic and gameplay events. This
helps us diagnose problems and improve the App. We do not use this analytics
data for advertising, cross-site profiling, or selling user data.
2.7 What we do NOT collect
- We do not collect your name, email, phone number, or any account data.
- We do not collect precise GPS coordinates.
- We do not use advertising identifiers (IDFA, GAID).
- We do not use analytics for advertising or cross-site profiling.
- We do not share any data with third parties for marketing.
- We do not build user profiles.
3. HOW LONG WE KEEP DATA
━━━━━━━━━━━━━━━━━━━━━━━━
- Geohash tap counters: territory is permanent and changes only when the
opposing team overtaps.
- Pseudonymous per-player tap counters: retained for gameplay statistics unless
the game data is reset.
- Session IDs in server memory: removed when the session ends or the server
restarts; persisted in Redis with a 30-day TTL.
- Push notification tokens and delivery metadata: expire after 90 days unless
refreshed by the App.
- Device integrity tokens: never persisted (validated and discarded immediately).
- IP addresses used for geolocation: not logged; used in-memory only for the
duration of the request.
4. YOUR RIGHTS (GDPR)
━━━━━━━━━━━━━━━━━━━━━
Because we do not collect directly identifying personal data, most GDPR
subject rights (access, rectification, erasure) are limited in practice —
there is no data we can attribute to your real-world identity without your
local playerId.
If you believe we hold identifiable data about you, contact us at
privacy@birus.app and we will investigate within 30 days.
You have the right to lodge a complaint with your national supervisory
authority (e.g., AEPD in Spain, ICO in the UK, CNIL in France).
5. INTERNATIONAL TRANSFERS
━━━━━━━━━━━━━━━━━━━━━━━━━━
The server is currently hosted in the EU. If you access the App from
outside the EU, minimized pseudonymous geohash/session data travels to EU
infrastructure. We limit this transfer to the data needed for gameplay and
fraud prevention.
6. CHILDREN
━━━━━━━━━━━
Birus is not directed specifically to children under 13. We do not ask for a
child's name, email address, phone number, date of birth, or account details.
If a parent or guardian believes a child has used the App and wants us to
review or delete data linked to a local playerId, they can contact
privacy@birus.app.
7. CHANGES TO THIS POLICY
━━━━━━━━━━━━━━━━━━━━━━━━━
We may update this policy. The "Last updated" date at the top will change.
Continued use of the App after changes constitutes acceptance.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Birus — Data Protection Impact Assessment (DPIA)
GDPR Article 35 — Summary for public transparency
Last updated: 2026-03-12
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHY A DPIA IS CONDUCTED
Birus involves processing of location data on a large scale (GDPR Art. 35
criterion: "systematic monitoring of a publicly accessible area" and
"large-scale processing of special categories"). Although our technical
design minimises this risk significantly, we have conducted a DPIA as a
precautionary measure.
DESCRIPTION OF PROCESSING
Purpose: Operating a real-time location-based game.
Nature: Approximate location (geohash, ~600m) derived on-device; never
transmitted as raw coordinates.
Scope: Potentially large number of players globally.
Context: Consumer mobile app; voluntary participation.
NECESSITY AND PROPORTIONALITY
The geohash is the minimum granularity required for the game to function.
Precision 6 (~600m) is sufficient to place players in game cells without
revealing their exact position. GPS coordinates are never sent to the server.
RISKS IDENTIFIED AND MITIGATIONS
Risk 1: Re-identification from geohash
Residual risk: LOW. A precision-6 geohash covers ~0.72 km². In any
populated area, multiple players will share the same cell.
Mitigation: Globe view suppresses cells with fewer than 5 players
(MIN_PLAYERS_FOR_GLOBE_CELL). Server stores aggregated counters and
pseudonymous per-player counter totals; no per-player location history.
Risk 2: Inference of home/work location from session pattern
Residual risk: LOW. Session IDs are random UUIDs with no linkage to
device identity. Server-side session state expires in 30 days. Tap totals
are counter-only. No IP logging.
Mitigation: Session IDs not linked to device fingerprints. Player
location not logged server-side.
Risk 3: Device attestation tokens revealing device identity
Residual risk: NEGLIGIBLE. Tokens are single-use, validated, and
immediately discarded. We store only a boolean (attested: true/false).
Mitigation: Token handling reviewed; no persistence in any storage layer.
Risk 4: IP address used for GeoIP fallback
Residual risk: LOW. IP is used only in-memory for the duration of the
HTTP request. It is not logged, stored, or associated with a session ID.
Mitigation: No IP logging in application layer. Log truncation recommended
at load balancer level.
Risk 5: Push notification tokens and delivery metadata
Residual risk: LOW. Push tokens are stored only for players who enable
notifications and are linked to a pseudonymous playerId.
Mitigation: 90-day expiry, device-level opt-out, quiet hours, and delivery
suppression for inactive players.
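The precision-6 cell from section 2.1 and the globe-view suppression under Risk 1, as an added example (not Birus's own code): a standard geohash encoder, the cell's approximate size at a given latitude, and a filter that drops cells below MIN_PLAYERS_FOR_GLOBE_CELL. The function names, the sample player IDs and the 111,320 m per degree figure are assumptions made for the illustration.

```python
import math

BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"  # standard geohash alphabet
PRECISION = 6                    # precision stated in the DPIA
MIN_PLAYERS_FOR_GLOBE_CELL = 5   # threshold named in the DPIA
M_PER_DEG = 111_320              # assumed approximation: metres per degree of latitude

def encode(lat, lon, precision=PRECISION):
    """Standard geohash: interleave longitude/latitude bisection bits."""
    lat_rng, lon_rng = [-90.0, 90.0], [-180.0, 180.0]
    chars, acc, nbits, even = [], 0, 0, True   # even bit positions refine longitude
    while len(chars) < precision:
        rng, val = (lon_rng, lon) if even else (lat_rng, lat)
        mid = (rng[0] + rng[1]) / 2
        bit = val >= mid
        rng[0 if bit else 1] = mid             # keep the half containing the point
        acc, nbits, even = (acc << 1) | bit, nbits + 1, not even
        if nbits == 5:                         # 5 bits -> one base32 character
            chars.append(BASE32[acc])
            acc, nbits = 0, 0
    return "".join(chars)

def cell_size_m(lat, precision=PRECISION):
    """Approximate (width, height) in metres of a cell at the given latitude."""
    lon_bits = (5 * precision + 1) // 2
    lat_bits = (5 * precision) // 2
    height = 180 / 2 ** lat_bits * M_PER_DEG
    width = 360 / 2 ** lon_bits * M_PER_DEG * math.cos(math.radians(lat))
    return width, height

def globe_cells(player_cells):
    """player_cells maps playerId -> geohash; returns only cells at or above the threshold."""
    counts = {}
    for cell in player_cells.values():
        counts[cell] = counts.get(cell, 0) + 1
    return {c: n for c, n in counts.items() if n >= MIN_PLAYERS_FOR_GLOBE_CELL}

# Constructed sample: five players share one cell, two share a neighbouring cell.
SAMPLE_PLAYERS = {f"player-{i}": "u4pruy" for i in range(5)}
SAMPLE_PLAYERS.update({"player-5": "u4pruv", "player-6": "u4pruv"})

if __name__ == "__main__":
    print(encode(57.64911, 10.40744))   # only this string would leave the device
    print(cell_size_m(0.0), cell_size_m(60.0))
    print(globe_cells(SAMPLE_PLAYERS))  # the two-player cell is suppressed
```

Cell width scales with the cosine of latitude, so the roughly 600 m × 1200 m figure holds near the equator; at 60° latitude a precision-6 cell is about 610 m × 610 m.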
OVERALL RISK ASSESSMENT: LOW
The combination of on-device geohash conversion, pseudonymous session IDs,
single-use attestation tokens, limited push token retention, and minimal
counter-only storage results in a processing operation that poses low risk to
data subjects.
CONCLUSION
The DPIA concludes that the processing is necessary, proportionate, and
adequately mitigated. No prior consultation with the supervisory authority
is required under GDPR Art. 36.
Contact for questions: privacy@birus.app