This document is currently available only in English. A Portuguese translation will ship with the Steam version of the game. The site chrome is already in Portuguese, and the preference is saved across pages.
Data handling · LGPD / GDPR
Privacy Policy — O Espólio de Avaris
Effective date: to be set on commercial release (Steam launch day). Last updated: 2026-04-19
IMPORTANT — TEMPLATE NOTICE (REMOVE BEFORE LAUNCH): This file is a working draft prepared by the developer and not yet reviewed by a qualified attorney. Before publishing the game on Steam (or any other commercial channel), this document must be reviewed against Brazilian LGPD (Law 13.709/2018), European GDPR (Regulation 2016/679), California CCPA/CPRA, and Steam's own Privacy & Subscriber Agreement requirements.
1. Who is the data controller?
Controller: Luis Matias — individual developer ("the Author"). Official website: https://avaris.games
Contact for privacy matters:
- Email: luishenriquematias@gmail.com
- Jurisdiction: Curitiba — PR, Brazil.
- Postal address: available upon formal legal request (court order, regulatory authority, or documented business correspondence). The Author is an individual developer; the residential address is not published for personal-safety reasons, consistent with LGPD Art. 9 principles of data minimization.
If you are in Brazil, the contact above also serves as the LGPD "Encarregado de Proteção de Dados (DPO)" contact.
2. What data do we collect?
2.1 When you log in with Google (optional)
The game offers an optional Google Sign-In so you can save your progress to the cloud. If you choose to log in, we receive from Google and store in our database (Firebase / Firestore) the following:
- Your Google account unique identifier (UID).
- Your email address (as reported by Google).
- Your display name (as reported by Google).
- Your profile photo URL (as reported by Google).
You are NOT required to log in to play the game. If you skip login, none of the data above is collected.
2.2 Save data (when logged in)
When you play while logged in, we automatically upload your game save state to our database. That includes:
- The floor and route you have reached.
- The composition of your team (classes, levels, stats, equipment).
- Game flags (e.g. whether you completed a route).
No sensitive personal data is present in the save state — it is purely game progress.
2.3 Achievements and counters (when logged in)
Separately from your save, we also upload your achievement vitrine to our database so that trophies you earned on one device remain visible on another:
- The list of achievements you have unlocked and when you first unlocked each one.
- Numeric counters tracking progress toward cumulative achievements (for example, how many ghost squads you have surpassed).
This data is not used for matchmaking, leaderboards, or public display. It is strictly your personal progress record and is only read by you when you log in. It is deleted when you delete your account (section 4).
2.4 Bug reports (when you submit one)
The in-game "Report a bug" form sends us, when you submit it:
- The description you wrote.
- A screenshot of the current game window at the time you submitted.
- A snapshot of the current game state (same kind of data as save data).
- The URL the game was running at.
- The floor label you were on.
- Your browser user-agent string and viewport size.
- If you were logged in: your UID, email, and display name.
- The game version (build hash).
The screenshot may incidentally include anything visible in the game window (including overlays or HUD, but not other open windows, tabs, or system content).
2.5 "Ghost squads" shared with other players
When you finish the campaign (Sub-5), your team is submitted to a shared pool called "Victorious Teams". Subsequent players may encounter your team as the final boss. The data submitted is:
- A team name (a procedurally generated tag; not your real name).
- The composition of your team (classes, levels, stats, equipment).
- Your Google UID (so we can credit your "legacy" page back to you).
- The route you took.
- The game version.
Other players see the team composition and an anonymized tag. They do NOT see your email, your UID, or your display name.
2.6 Cookies and analytics on the marketing site (avaris.games)
The marketing site (the landing page, press kit, privacy, and legal
pages served at avaris.games) is separate from the game application
(avaris.games/play). On the marketing site:
- Strictly necessary browser storage is always used. This covers your language preference (pt / en), your consent choice itself, and session state. No consent is required for this, and none of it is transmitted to us.
- Optional analytics — if you click "Accept all" on the consent banner, we load Google Analytics 4 (GA4) via gtag.js (measurement ID G-VX07ZDH5CV). GA4 sets cookies named _ga and _ga_* under the avaris.games domain for at most 2 years. The data collected is limited to anonymized page views, referrers, approximate country-level location (derived from IP and immediately discarded after geolocation), and coarse device/browser info. IP anonymization is enabled; Google Signals and ad personalization signals are both explicitly disabled. We use this data solely to understand how visitors find the site.
- If you click "Only necessary", no analytics scripts are loaded and no analytics cookies are set. This is the default until you choose — we implement Google's Consent Mode v2 (advanced mode) with all optional storage set to "denied" on page load and no gtag.js request made.
- You can change your choice at any time via the "Cookies" link in the footer of every marketing page. Revoking clears prior analytics consent and stops further collection immediately.
The game application (/play) does not use Google Analytics, Tag
Manager, or any advertising cookies. It uses only the Firebase SDK
(auth and Firestore) as described in sections 2.1–2.5, plus Sentry
for error monitoring if you are logged in (see section 2.4 and the
consent flow in the Options menu).
2.7 Pre-launch mailing list (landing page opt-in)
On the marketing site, we offer an optional form — labeled "Notify me
at launch" (or equivalent in Portuguese) — that you can use to receive
a single email the day the game is released on Steam. If you choose
to submit this form, we store in our database (Firebase / Firestore,
collection mailingList) the following:
- The email address you typed.
- A lowercase copy of the same email (for deduplication and export).
- An explicit consent flag (the form rejects the submission unless you ticked the consent checkbox yourself — no pre-checked boxes).
- A creation timestamp.
- The language (pt or en) you had selected at the time.
- The source of the opt-in (hard-coded to landing-wishlist).
- A status field (defaults to active; used internally to flag unsubscriptions or bounces).
- An optional free-text message (up to 500 characters) that you may choose to write. This field is never required, is only stored if you actually typed something, and is read only by the Author — it is never published, displayed in-game, shared, or forwarded. The only way we would ever quote a message publicly is if we contact you first and obtain your explicit, specific consent to do so.
The document ID in Firestore is the SHA-256 hash of the lowercase email — this gives us automatic deduplication (you cannot be added twice) and a mild protection if the ID list were ever to be exposed.
Purpose. We will use your email solely to send you one email on Steam launch day telling you the game is out. We will not use it for any other purpose without obtaining separate, specific consent from you first. In particular, we will not:
- Send you periodic newsletters;
- Send you marketing from third parties;
- Sell, rent, or otherwise share the list with anyone;
- Transfer it to any mailing provider (Mailchimp, Buttondown, etc.) except as strictly necessary to send that single launch email, and only with the minimum data required.
How to unsubscribe. You can ask to be removed at any time — even before the launch email is sent — by writing to luishenriquematias@gmail.com with the subject "Unsubscribe" and the email address you used. We will remove you within 15 days (LGPD Art. 18 §3) and confirm by email. The launch email itself will also include a one-click unsubscribe link.
Note on the game app (/play). This mailing list is offered ONLY
on the marketing landing page. The in-game experience does NOT ask for
an email address for marketing purposes, and no in-game action will
add you to this list.
2.8 What we do NOT collect
We do not collect: payment information (handled entirely by Steam or the platform where you purchased the game), IP addresses (beyond transient server logs retained by our infrastructure providers — see section 4), location data, contacts, device identifiers beyond those listed, or any biometric data.
3. Why do we collect it? (Legal basis)
| Data | Purpose | Legal basis (LGPD) | Legal basis (GDPR) |
|---|---|---|---|
| Google account data | Authenticate you and attribute your saves | Art. 7, V (execução de contrato) | Art. 6(1)(b) — performance of contract |
| Save state | Provide cloud save functionality you opted into | Art. 7, V | Art. 6(1)(b) |
| Achievements & counters | Preserve your personal trophy vitrine across devices and reinstalls | Art. 7, V | Art. 6(1)(b) |
| Bug reports | Diagnose and fix defects | Art. 7, IX (legítimo interesse) | Art. 6(1)(f) — legitimate interest |
| Ghost squads | Provide the multiplayer meta-feature you opted into by finishing the campaign | Art. 7, V | Art. 6(1)(b) |
| Marketing-site analytics (GA4 via gtag.js) | Understand how visitors find and use avaris.games | Art. 7, I (consentimento) | Art. 6(1)(a) — consent |
| Pre-launch mailing list (mailingList) | Send you one launch-day email if you opted in | Art. 7, I (consentimento) | Art. 6(1)(a) — consent |
4. Where does the data live? Who else sees it?
Data is processed and stored by our infrastructure provider, Google Cloud Platform / Firebase. This means your data is transmitted to and stored on Google servers, and Google is a data sub-processor under LGPD and GDPR. Google's terms are available at: https://firebase.google.com/terms and https://cloud.google.com/terms.
Server locations may include the United States, Europe, and other regions depending on Firebase's routing. By using the cloud features of the game, you consent to this international transfer under LGPD Art. 33 and GDPR Chapter V.
We do not sell your data to any third party. We do not share it with advertisers. The only third party with access is Google (as our infrastructure provider) and, where legally compelled, law enforcement.
Internally, only the Author ("admin") has read access to bug reports and ghost squads. Other users cannot read your bug reports; only aggregate ghost-squad data is visible to other players (per section 2.5).
5. How long do we keep the data?
- Google account data, saves & achievements: as long as you have a logged-in account associated with the game, plus up to 30 days after you delete your account, to allow for accidental-deletion recovery.
- Bug reports: up to 24 months after submission, then deleted or anonymized.
- Ghost squads: until you delete them (see section 6) or for 36 months of inactivity, whichever comes first. After 10 uses, a squad is "retired" (no longer appears in new games) but is still visible in your personal Legacy page.
6. Your rights
Under LGPD (Art. 18) and GDPR (Chapter III), you have the right to:
- Access — get a copy of the data we have about you.
- Correction — ask us to correct inaccurate data.
- Deletion — ask us to delete your data.
- Portability — get your data in a structured, machine-readable format.
- Object — to specific processing activities.
- Withdraw consent — at any time (this will disable cloud features).
How to exercise these rights
Inside the game: Open the "Options · Account" section. The "Delete my account and data" button deletes, in a single action: your user document, your save, your achievements record, every ghost squad you submitted, and every bug report you filed. It then signs you out and revokes your Google authentication with the game.
By email: Write to luishenriquematias@gmail.com with the subject line "PRIVACY REQUEST — <type>" (where <type> is one of: access, correction, deletion, portability, objection, withdrawal). Include the email address associated with your Google account. We will reply within 15 days (LGPD) / 30 days (GDPR).
Timeline
In-game deletion takes effect immediately for your user doc, saves, achievements, ghost squads, and bug reports. Backups held by our infrastructure provider (Firebase) are purged within 30 days.
7. Children
The game carries a preliminary age rating of 16+ (IARC questionnaire pending formal submission on Steam) due to psychological horror, implied violence, and corporate-dystopia themes. We do not knowingly collect data from children under 13 (COPPA) / 16 (GDPR) without parental consent. If you believe a child under these ages has submitted data to us, please contact luishenriquematias@gmail.com and we will delete it.
8. Security
We rely on Google Cloud / Firebase's industry-standard encryption at
rest and in transit. Access is controlled by Firebase Security Rules
(see docs/FIRESTORE_RULES.md in the source tree). No system is
perfectly secure — in the unlikely event of a breach affecting personal
data, we will notify affected users within 72 hours as required by
GDPR Art. 33 and LGPD Art. 48.
9. Changes to this policy
We may update this policy occasionally. The "Last updated" date at the top will reflect the change. Significant changes will be announced via an in-game notification on the next launch. Continued use of the cloud features after a change constitutes acceptance; if you do not accept, you can play offline or delete your account (section 6).
10. Governing law & jurisdiction
This policy is governed by Brazilian law. For users in the European Union, UK, or other jurisdictions with stricter consumer-protection regimes, local mandatory rules apply in addition. Any dispute shall be resolved by the courts of the Author's domicile in Brazil, without prejudice to the consumer's right to sue in their own jurisdiction where required by law.
Quick summary (non-legal)
- You can play completely offline. No data leaves your device.
- If you log in with Google, we store your email + saves in Firebase so you can continue on another device.
- If you finish the campaign, your team is shared (anonymized) with other players as a "ghost boss". You can delete it any time.
- Bug reports include a screenshot of the game — please don't put personal info in the description field.
- "Delete my account and data" in Options does exactly that. No questions asked.