PRIVACY POLICY

This Privacy Policy describes how Brawn Design, LLC ("we," "us," or "our") collects, uses, and shares information about you when you use our Scavenger Hunt mobile application (the "App").

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the App.

1. Information We Collect

1.1 Information You Provide Directly

Account Information

• Email address (required for registration and verification)
• Display name (username you choose)
• Profile photo/avatar (optional)
• Password (stored securely using industry-standard hashing)

Age Verification

• Date of birth (collected during registration for age verification only)
• Your date of birth is used solely to verify you meet the minimum age requirement and is not stored in our systems after verification.

User-Generated Content

• Photos you submit for scavenger hunt challenges
• Chat messages you send in league conversations
• Hunt suggestions you submit
• Ratings and reviews of hunts

Payment Information

• When you make in-app purchases, we collect transaction records including purchase tokens, order IDs, and transaction amounts
• We do not directly process or store your credit card information; payments are processed through Apple App Store or Google Play Store

1.2 Information Collected Automatically

Device Information

• Device type (iOS or Android)
• Operating system version
• App version
• Unique device identifiers

Location Information

• With your permission, we collect your precise geographic location (GPS coordinates) to enable location-based features such as finding nearby hunts
• Location data may be stored in hunt records to show where hunts are located

Usage Information

• App interactions and feature usage
• Crash reports and performance data
• Analytics events (pages viewed, features used)

Push Notification Tokens

• Device tokens for Firebase Cloud Messaging (FCM) to deliver push notifications
• Topic subscriptions for leagues, teams, and chat notifications

1.3 Information from Third Parties

Authentication Providers

• If you sign in using Google Sign-In or Apple Sign-In, we receive basic profile information (such as name, email address, and profile photo) from those services as authorized by your account settings

2. How We Use Your Information

We use the information we collect to:

Provide and Improve the App

• Create and manage your account
• Enable you to participate in scavenger hunts and leagues
• Process and display your photo submissions
• Facilitate team collaboration and league chat
• Send push notifications about hunt activities, team updates, and messages
• Improve app performance and fix bugs

AI-Powered Features and Third-Party AI Processing

Your photo submissions are processed using third-party artificial intelligence services (currently xAI/Grok) for automated analysis and scoring. This processing is governed by a Data Processing Addendum (DPA) between us and xAI, available at https://x.ai/legal/data-processing-addendum.

• Transmission to AI Services: Your photos and associated challenge descriptions are transmitted to xAI for automated analysis and scoring
• Purpose: AI analysis evaluates how well your submitted photos match challenge requirements and generates scores
• Legal Basis: AI scoring is performed under contractual necessity (GDPR Article 6(1)(b)) — it is an essential function of the service you signed up for. Scoring cannot be provided without AI processing.
• Data Processing Agreement: xAI processes your photos as a data processor acting on our instructions. Under our DPA, xAI is contractually obligated to process your data only for the purpose of providing the scoring service, implement appropriate security measures, and assist with data subject rights requests
• No Use for Model Training: xAI does not use API inputs (including photos submitted for analysis) or outputs for internal AI training, model fine-tuning, or developing new products or services. Under xAI's Enterprise Terms, “xAI shall not use any User Content for any of its internal AI or other training purposes (such as training its machine learning models), including developing new products or services based on User Content.”
• Data Retention by xAI: Submitted data (photos, prompts, and responses) is automatically deleted by xAI within 30 days, unless: (a) legally required to be retained (e.g., court order), (b) flagged for safety, compliance, moderation, or potential violations of xAI's terms or acceptable use policy, or (c) otherwise agreed in writing. This is governed by the DPA and xAI's privacy policy (https://x.ai/legal/privacy-policy).
• Essential Function: AI processing is a core feature of the App required for challenge scoring; the photo submission features cannot function without AI processing

Location-Based Services

• Show you hunts near your current location
• Enable location-based hunt filtering and sorting

Communications

• Send you important account-related notifications
• Respond to your inquiries and support requests
• Send league invitation emails on behalf of other users

Analytics and Improvement

• Understand how users interact with the App
• Analyze trends and usage patterns
• Improve our services and develop new features

Safety and Security

• Detect and prevent fraud, abuse, and security incidents
• Enforce our Terms of Service and community guidelines
• Moderate chat content and handle user reports

Advertising

• Display advertisements within the App (banner ads, interstitial ads, and rewarded video ads)
• Measure ad performance and effectiveness
• Google AdMob may collect device advertising identifiers (IDFA on iOS, GAID on Android) and use cookies or similar technologies to serve ads
• Ad Personalization: Where required by law (including in the EEA/UK), we will obtain your consent before serving personalized advertisements. You may choose to receive only non-personalized ads. If you do not consent to personalized ads, you will still see ads, but they will not be tailored to your interests. You can change your ad personalization preferences at any time through the App's settings under Settings > Privacy > Ad Preferences.

3. How We Share Your Information

3.1 With Other Users

• Your display name and profile photo are visible to other users in your leagues and teams
• Your chat messages are visible to other members of the league
• Your photo submissions and scores may be visible to team members and league participants
• Leaderboards displaying your team's performance are visible to league members

3.2 With Service Providers

We share information with third-party service providers who perform services on our behalf:

• Google Firebase: Account data, user content, analytics events, crash reports for backend infrastructure
• xAI (Grok): Submission photos and challenge descriptions for AI-powered image analysis, governed by our Data Processing Addendum with xAI. xAI processes your photos as a data processor on our behalf. For more information on xAI's data practices, see xAI's privacy policy
• SendGrid: Email addresses for sending invitation emails
• Google AdMob: Device identifiers and ad interaction data for displaying advertisements

3.3 For Legal Reasons

We may disclose your information if required to do so by law or in response to valid requests by public authorities.

3.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

4. Data Storage and Security

4.1 Where We Store Your Data

Your data is stored on servers operated by Google Firebase, primarily located in the United States.

4.2 Security Measures

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption of data in transit (HTTPS/TLS)
• Secure password hashing
• Firebase App Check to prevent unauthorized API access
• Multi-factor authentication for administrative access

4.3 International Data Transfers

Your personal data may be transferred to and processed in countries other than your country of residence. Specifically:

• Google Firebase: Your data is stored and processed in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. For transfers not covered by the DPF, Google relies on Standard Contractual Clauses (SCCs) approved by the European Commission.
• xAI (Grok): Photos submitted for AI scoring are transmitted to xAI in the United States. We have entered into a Data Processing Addendum (DPA) with xAI that includes Standard Contractual Clauses for the transfer of personal data from the EEA/UK to the United States. xAI does not use submitted data for model training, and submitted data is automatically deleted within 30 days unless retention is legally required or flagged for safety/compliance purposes.
• SendGrid (Twilio): Email addresses used for invitations are processed by SendGrid in the United States. Twilio (SendGrid's parent company) is certified under the EU-U.S. Data Privacy Framework.
• Google AdMob: Ad-related data is processed by Google in accordance with Google's DPF certification described above.

These transfer mechanisms ensure that your data receives an adequate level of protection as required by the General Data Protection Regulation (GDPR) and the UK GDPR.

If you have questions about international data transfers, contact us at privacy@brawndesign.com.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide you services:

• Account information: Until account deletion
• Photo submissions: Until account deletion
• Chat messages: 90 days (rolling window). Anonymized messages from deleted accounts remain subject to this same 90-day window and are permanently deleted after that period.
• Transaction records: 7 years (for legal/tax compliance)

Account Deletion

When you request account deletion:

• Your account enters a 30-day grace period during which you can cancel the deletion
• After 30 days, your personal data is permanently deleted

6. Your Rights and Choices

6.1 Access and Export Your Data

You can request a copy of your personal data by contacting us.

6.2 Delete Your Account

You can request deletion of your account through the App settings.

6.3 Manage Permissions

You can control app permissions through your device settings:

• Location: Enable or disable location access
• Camera: Enable or disable camera access
• Notifications: Enable or disable push notifications

6.4 Advertising Preferences

• Personalized ads: Where we rely on consent for personalized advertising (such as in the EEA/UK), you will be asked for your preference when you first use the App. You can update your choice at any time in the App's settings under Settings > Privacy > Ad Preferences
• Device-level controls: You can also limit ad tracking through your device settings:
  • iOS: Settings > Privacy & Security > Tracking
  • Android: Settings > Privacy > Ads
• Opt out of interest-based ads: Even outside of GDPR regions, you can opt out of interest-based advertising by adjusting your device's ad settings as described above

7. Children's Privacy

The App is not intended for children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child below these ages, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at support@brawndesign.com.

8. Your State Privacy Rights

8.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect about you and how it is used
• Request deletion of your personal information
• Opt out of the sale of your personal information — We do not sell your personal information
• Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at support@brawndesign.com or privacy@brawndesign.com.

8.2 EEA/UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you have additional rights including:

• Access your personal data
• Rectification of inaccurate data
• Erasure (right to be forgotten)
• Data portability — receive your data in a machine-readable format
• Object to processing based on legitimate interests
• Lodge a complaint with your local data protection authority

Our legal bases for processing include: contract performance (providing the App, including AI-powered scoring), legitimate interests (analytics, security, advertising), and consent (location data, personalized advertising where applicable).

9. Do Not Track

The App does not respond to "Do Not Track" browser signals. However, you can manage your privacy preferences through the App's settings and your device's privacy controls.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date and notify you through the App for significant changes.

11. Contact Us

If you have questions about this Privacy Policy, please contact us:

Brawn Design, LLC
Email: support@brawndesign.com

P.O. Box 127
Clinton, MI 49236

For data protection inquiries in the EEA/UK, contact: privacy@brawndesign.com