PRIVACY POLICY

This Privacy Policy describes how Brawn Design, LLC ("we," "us," or "our") collects, uses, and shares information about you when you use our Scavenger Hunt mobile application (the "App").

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the App.

1. Information We Collect

1.1 Information You Provide Directly

Account Information

• Email address (required for registration and verification)
• Display name (username you choose)
• Profile photo/avatar (optional)
• Password (stored securely using industry-standard hashing)

Age Verification

• Date of birth (collected during registration for age verification only)
• Your date of birth is used solely to verify you meet the minimum age requirement and is not stored in our systems after verification.

User-Generated Content

• Photos you submit for scavenger hunt challenges
• Chat messages you send in league conversations, including message edits and replies
• Chat interactions: read receipts (which messages you have viewed), emoji reactions, and poll votes
• Hunt suggestions you submit
• Ratings and reviews of hunts
• Display name change history

Engagement and Preferences

• Notification preferences (hunt activity, chat notifications, new hunt announcements) stored on our servers to control which notifications you receive
• Participation streaks and engagement metrics
• Cosmetic items you own or select (avatar frames, badges, confetti effects)
• Score pass balances

Payment Information

• When you make in-app purchases, we collect transaction records including purchase tokens, order IDs, and transaction amounts
• We do not directly process or store your credit card information; payments are processed through Apple App Store or Google Play Store

1.2 Information Collected Automatically

Device Information

• Device type (iOS or Android)
• Operating system version
• App version
• Unique device identifiers

Location Information

• With your permission, we access your device's precise geographic location (GPS coordinates) to enable location-based features such as finding nearby hunts. Your GPS coordinates are used only on your device for distance calculations and sorting and are not transmitted to or stored on our servers. Location data is held only in temporary device memory for the duration of your browsing session
• Hunt records may contain location metadata (place names and coordinates) entered by hunt creators to describe where hunts take place; this is not derived from your device location

Usage Information

• App interactions and feature usage
• Crash reports and performance data
• Analytics events (pages viewed, features used)

Push Notification Tokens

• Device tokens for Firebase Cloud Messaging (FCM) to deliver push notifications
• Topic subscriptions for leagues, teams, and chat notifications

1.3 Information from Third Parties

Authentication Providers

• If you sign in using Google Sign-In or Apple Sign-In, we receive basic profile information (such as name, email address, and profile photo) from those services as authorized by your account settings

2. How We Use Your Information

We use the information we collect to:

Provide and Improve the App

• Create and manage your account
• Enable you to participate in scavenger hunts and leagues
• Process and display your photo submissions
• Facilitate team collaboration and league chat
• Send push notifications about hunt activities, team updates, and messages
• Improve app performance and fix bugs

AI-Powered Features and Third-Party AI Processing

Your photo submissions are processed using third-party artificial intelligence services (currently xAI/Grok) for automated analysis and scoring. This processing is governed by a Data Processing Addendum (DPA) between us and xAI, available at https://x.ai/legal/data-processing-addendum.

• Transmission to AI Services: Your photos and associated challenge descriptions are transmitted to xAI for automated analysis and scoring
• Purpose: AI analysis evaluates how well your submitted photos match challenge requirements and generates scores
• Legal Basis: AI scoring is performed under contractual necessity (GDPR Article 6(1)(b)) — it is an essential function of the service you signed up for. Scoring cannot be provided without AI processing.
• Data Processing Agreement: xAI processes your photos as a data processor acting on our instructions. Under our DPA, xAI is contractually obligated to process your data only for the purpose of providing the scoring service, implement appropriate security measures, and assist with data subject rights requests
• No Use for Model Training: xAI does not use API inputs (including photos submitted for analysis) or outputs for internal AI training, model fine-tuning, or developing new products or services. Under xAI's Enterprise Terms, “xAI shall not use any User Content for any of its internal AI or other training purposes (such as training its machine learning models), including developing new products or services based on User Content.”
• Data Retention by xAI: Submitted data (photos, prompts, and responses) is automatically deleted by xAI within 30 days, unless: (a) legally required to be retained (e.g., court order), (b) flagged for safety, compliance, moderation, or potential violations of xAI's terms or acceptable use policy, or (c) otherwise agreed in writing. This is governed by the DPA and xAI's privacy policy (https://x.ai/legal/privacy-policy).
• Essential Function: AI processing is a core feature of the App required for challenge scoring; the photo submission features cannot function without AI processing

Location-Based Services

• Show you hunts near your current location using on-device distance calculations
• Enable location-based hunt filtering and sorting (processed locally on your device; your coordinates are not sent to our servers)

Communications

• Send you important account-related notifications
• Respond to your inquiries and support requests
• Send league invitation emails on behalf of other users

Analytics and Improvement

• Understand how users interact with the App
• Analyze trends and usage patterns
• Improve our services and develop new features

Safety and Security

• Detect and prevent fraud, abuse, and security incidents
• Enforce our Terms of Service and community guidelines
• Moderate chat content and handle user reports
• Maintain moderation records including warnings, appeals, and content reports

Advertising

• Display advertisements within the App (banner ads, interstitial ads, and rewarded video ads)
• Measure ad performance and effectiveness
• Google AdMob may collect device advertising identifiers (IDFA on iOS, GAID on Android) and use cookies or similar technologies to serve ads
• Ad Personalization: Where required by law (including in the EEA/UK), we will obtain your consent before serving personalized advertisements. You may choose to receive only non-personalized ads. If you do not consent to personalized ads, you will still see ads, but they will not be tailored to your interests. You can change your ad personalization preferences at any time through the App's settings under Settings > Notifications > Privacy > Ad Preferences.

3. How We Share Your Information

3.1 With Other Users

• Your display name and profile photo are visible to other users in your leagues and teams
• Your chat messages are visible to other members of the league
• Your photo submissions and scores may be visible to team members and league participants
• Leaderboards displaying your team's performance are visible to league members

3.2 With Service Providers

We share information with third-party service providers who perform services on our behalf:

• Google Firebase: Account data, user content, analytics events, crash reports for backend infrastructure
• xAI (Grok): Submission photos and challenge descriptions for AI-powered image analysis, governed by our Data Processing Addendum with xAI (https://x.ai/legal/data-processing-addendum). xAI processes your photos as a data processor on our behalf. For more information on xAI's data practices, see xAI's privacy policy
• SendGrid: Email addresses for sending invitation emails
• Google AdMob: Device identifiers and ad interaction data for displaying advertisements

3.3 For Legal Reasons

We may disclose your information if required to do so by law or in response to valid requests by public authorities.

3.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

4. Data Storage and Security

4.1 Where We Store Your Data

Your data is stored on servers operated by Google Firebase, primarily located in the United States.

4.2 Security Measures

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption of data in transit (HTTPS/TLS)
• Secure password hashing
• Firebase App Check to prevent unauthorized API access
• Multi-factor authentication for administrative access

4.3 International Data Transfers

Your personal data may be transferred to and processed in countries other than your country of residence. Specifically:

• Google Firebase: Your data is stored and processed in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. For transfers not covered by the DPF, Google relies on Standard Contractual Clauses (SCCs) approved by the European Commission.
• xAI (Grok): Photos submitted for AI scoring are transmitted to xAI in the United States. We have entered into a Data Processing Addendum (DPA) with xAI that includes Standard Contractual Clauses for the transfer of personal data from the EEA/UK to the United States. xAI does not use submitted data for model training, and submitted data is automatically deleted within 30 days unless retention is legally required or flagged for safety/compliance purposes.
• SendGrid (Twilio): Email addresses used for invitations are processed by SendGrid in the United States. Twilio (SendGrid's parent company) is certified under the EU-U.S. Data Privacy Framework.
• Google AdMob: Ad-related data is processed by Google in accordance with Google's DPF certification described above.

These transfer mechanisms ensure that your data receives an adequate level of protection as required by the General Data Protection Regulation (GDPR) and the UK GDPR.

If you have questions about international data transfers, contact us at privacy@brawndesign.com.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide you services:

• Account information: Until account deletion
• Photo submissions: Until account deletion
• Chat messages: 90 days (rolling window). Anonymized messages from deleted accounts remain subject to this same 90-day window and are permanently deleted after that period.
• Transaction records: 7 years (for legal/tax compliance)

Account Deletion

When you request account deletion:

• Your account enters a 30-day grace period during which you can cancel the deletion
• After 30 days, your personal data is permanently deleted

6. Your Rights and Choices

6.1 Access and Export Your Data

You can request a copy of your personal data by contacting us.

6.2 Delete Your Account

You can request deletion of your account through the App settings.

6.3 Manage Permissions

You can control app permissions through your device settings:

• Location: Enable or disable location access
• Camera: Enable or disable camera access
• Notifications: Enable or disable push notifications

6.4 Advertising Preferences

• Personalized ads: Where we rely on consent for personalized advertising (such as in the EEA/UK), you will be asked for your preference when you first use the App. You can update your choice at any time in the App's settings under Settings > Notifications > Privacy > Ad Preferences
• Device-level controls: You can also limit ad tracking through your device settings:
  • iOS: Settings > Privacy & Security > Tracking
  • Android: Settings > Privacy > Ads
• Opt out of interest-based ads: Even outside of GDPR regions, you can opt out of interest-based advertising by adjusting your device's ad settings as described above

7. Children's Privacy

The App is not intended for children under the age of 16. We do not knowingly collect personal information from children under this age. If we learn that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at support@brawndesign.com.

8. Your State Privacy Rights

8.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect about you and how it is used
• Request deletion of your personal information
• Opt out of the sale of your personal information — We do not sell your personal information
• Opt out of sharing for cross-context behavioral advertising — We share device identifiers and ad interaction data with Google AdMob for advertising purposes, which may constitute "sharing" under the CPRA. You can opt out of this sharing by adjusting your device's ad tracking settings (see Section 6.4) or by contacting us
• Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at support@brawndesign.com or privacy@brawndesign.com. We will respond to verifiable consumer requests within 45 days.

8.2 EEA/UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you have additional rights including:

• Access your personal data
• Rectification of inaccurate data
• Erasure (right to be forgotten)
• Data portability — receive your data in a machine-readable format
• Object to processing based on legitimate interests
• Lodge a complaint with your local data protection authority

Our legal bases for processing include: contract performance (providing the App, including AI-powered scoring), legitimate interests (analytics, security, advertising), and consent (location data, personalized advertising where applicable).

To exercise your GDPR rights, contact us at privacy@brawndesign.com. We will respond to your request within one month. In complex cases, this period may be extended by an additional two months, in which case we will notify you.

9. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users in accordance with applicable law. For users in the EEA/UK, we will notify the relevant data protection authority within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms, and we will notify you directly without undue delay if the breach is likely to result in a high risk. For users in the United States, we will provide notification in accordance with applicable state breach notification laws.

10. Tracking Technologies

The App uses the following tracking technologies:

• Firebase Analytics: Collects anonymized usage events, session data, and device identifiers to help us understand how the App is used. This data is processed by Google.
• Firebase Crashlytics: Collects crash reports and device state information when the App encounters errors.
• Firebase Performance Monitoring: Collects app performance metrics including startup time and network request latency.
• Google AdMob: Uses device advertising identifiers (IDFA on iOS, GAID on Android) and similar technologies to serve and measure advertisements. See Section 6.4 for information on managing ad tracking.

These technologies function similarly to cookies used on websites. You can limit the use of device advertising identifiers through your device settings (see Section 6.4).

11. Do Not Track

The App does not respond to "Do Not Track" browser signals. However, you can manage your privacy preferences through the App's settings and your device's privacy controls.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date and notify you through the App for significant changes.

13. Contact Us

If you have questions about this Privacy Policy, please contact us:

Brawn Design, LLC
Email: support@brawndesign.com

P.O. Box 127
Clinton, MI 49236

For data protection inquiries in the EEA/UK, contact: privacy@brawndesign.com