Data handling · LGPD / GDPR

Privacy Policy — O Espólio de Avaris

Effective date: to be set on commercial release (Steam launch day). Last updated: 2026-04-19

IMPORTANT — TEMPLATE NOTICE (REMOVE BEFORE LAUNCH): This file is a working draft prepared by the developer and not yet reviewed by a qualified attorney. Before publishing the game on Steam (or any other commercial channel), this document must be reviewed against Brazilian LGPD (Law 13.709/2018), European GDPR (Regulation 2016/679), California CCPA/CPRA, and Steam's own Privacy & Subscriber Agreement requirements.

1. Who is the data controller?

Controller: Luis Matias — individual developer ("the Author"). Official website: https://avaris.games

Contact for privacy matters:

Email: luishenriquematias@gmail.com
Jurisdiction: Curitiba — PR, Brazil.
Postal address: available upon formal legal request (court order, regulatory authority, or documented business correspondence). The Author is an individual developer; the residential address is not published for personal-safety reasons, consistent with LGPD Art. 9 principles of data minimization.

If you are in Brazil, the contact above also serves as the LGPD "Encarregado de Proteção de Dados (DPO)" contact.

2. What data do we collect?

2.1 When you log in with Google (optional)

The game offers an optional Google Sign-In so you can save your progress to the cloud. If you choose to log in, we receive from Google and store in our database (Firebase / Firestore) the following:

Your Google account unique identifier (UID).
Your email address (as reported by Google).
Your display name (as reported by Google).
Your profile photo URL (as reported by Google).

You are NOT required to log in to play the game. If you skip login, none of the data above is collected.

2.2 Save data (when logged in)

When you play while logged in, we automatically upload your game save state to our database. That includes:

The floor and route you have reached.
The composition of your team (classes, levels, stats, equipment).
Game flags (e.g. whether you completed a route).

No sensitive personal data is present in the save state — it is purely game progress.

2.3 Bug reports (when you submit one)

The in-game "Report a bug" form sends us, when you submit it:

The description you wrote.
A screenshot of the current game window at the time you submitted.
A snapshot of the current game state (same kind of data as save data).
The URL the game was running at.
The floor label you were on.
Your browser user-agent string and viewport size.
If you were logged in: your UID, email, and display name.
The game version (build hash).

The screenshot may incidentally include anything visible in the game window (including overlays or HUD, but not other open windows, tabs, or system content).

2.4 "Ghost squads" shared with other players

When you finish the campaign (Sub-5), your team is submitted to a shared pool called "Victorious Teams". Subsequent players may encounter your team as the final boss. The data submitted is:

A team name (a procedurally generated tag; not your real name).
The composition of your team (classes, levels, stats, equipment).
Your Google UID (so we can credit your "legacy" page back to you).
The route you took.
The game version.

Other players see the team composition and an anonymized tag. They do NOT see your email, your UID, or your display name.

2.5 What we do NOT collect

We do not collect: payment information (handled entirely by Steam or the platform where you purchased the game), IP addresses (beyond transient server logs retained by our infrastructure providers — see section 4), location data, contacts, device identifiers beyond those listed, or any biometric data.

3. Why do we collect it? (Legal basis)

Data	Purpose	Legal basis (LGPD)	Legal basis (GDPR)
Google account data	Authenticate you and attribute your saves	Art. 7, V (execução de contrato)	Art. 6(1)(b) — performance of contract
Save state	Provide cloud save functionality you opted into	Art. 7, V	Art. 6(1)(b)
Bug reports	Diagnose and fix defects	Art. 7, IX (legítimo interesse)	Art. 6(1)(f) — legitimate interest
Ghost squads	Provide the multiplayer meta-feature you opted into by finishing the campaign	Art. 7, V	Art. 6(1)(b)

4. Where does the data live? Who else sees it?

Data is processed and stored by our infrastructure provider, Google Cloud Platform / Firebase. This means your data is transmitted to and stored on Google servers, and Google is a data sub-processor under LGPD and GDPR. Google's terms are available at: https://firebase.google.com/terms and https://cloud.google.com/terms.

Server locations may include the United States, Europe, and other regions depending on Firebase's routing. By using the cloud features of the game, you consent to this international transfer under LGPD Art. 33 and GDPR Chapter V.

We do not sell your data to any third party. We do not share it with advertisers. The only third party with access is Google (as our infrastructure provider) and, where legally compelled, law enforcement.

Internally, only the Author ("admin") has read access to bug reports and ghost squads. Other users cannot read your bug reports; only aggregate ghost-squad data is visible to other players (per section 2.4).

5. How long do we keep the data?

Google account data & saves: as long as you have a logged account associated with the game, plus up to 30 days after you delete your account, to allow for accidental-deletion recovery.
Bug reports: up to 24 months after submission, then deleted or anonymized.
Ghost squads: until you delete them (see section 6) or for 36 months of inactivity, whichever comes first. After 10 uses, a squad is "retired" (no longer appears in new games) but is still visible in your personal Legacy page.

6. Your rights

Under LGPD (Art. 18) and GDPR (Chapters III), you have the right to:

Access — get a copy of the data we have about you.
Correction — ask us to correct inaccurate data.
Deletion — ask us to delete your data.
Portability — get your data in a structured, machine-readable format.
Object — to specific processing activities.
Withdraw consent — at any time (this will disable cloud features).

How to exercise these rights

Inside the game: Open the "Options · Account" section. The "Delete my account and data" button deletes, in a single action: your user document, your save, every ghost squad you submitted, and every bug report you filed. It then signs you out and revokes your Google authentication with the game.
By email: Write to luishenriquematias@gmail.com with the subject line "PRIVACY REQUEST — " (where <type> is one of: access, correction, deletion, portability, objection, withdrawal). Include the email address associated with your Google account. We will reply within 15 days (LGPD) / 30 days (GDPR).

Timeline

In-game deletion takes effect immediately for your user doc, saves, ghost squads, and bug reports. Backups held by our infrastructure provider (Firebase) are purged within 30 days.

7. Children

The game carries a preliminary age rating of 12+ (IARC questionnaire pending formal submission on Steam). We do not knowingly collect data from children under 13 (COPPA) / 16 (GDPR) without parental consent. If you believe a child under these ages has submitted data to us, please contact luishenriquematias@gmail.com and we will delete it.

8. Security

We rely on Google Cloud / Firebase's industry-standard encryption at rest and in transit. Access is controlled by Firebase Security Rules (see docs/FIRESTORE_RULES.md in the source tree). No system is perfectly secure — in the unlikely event of a breach affecting personal data, we will notify affected users within 72 hours as required by GDPR Art. 33 and LGPD Art. 48.

9. Changes to this policy

We may update this policy occasionally. The "Last updated" date at the top will reflect the change. Significant changes will be announced via an in-game notification on the next launch. Continued use of the cloud features after a change constitutes acceptance; if you do not accept, you can play offline or delete your account (section 6).

10. Governing law & jurisdiction

This policy is governed by Brazilian law. For users in the European Union, UK, or other jurisdictions with stricter consumer-protection regimes, local mandatory rules apply in addition. Any dispute shall be resolved by the courts of the Author's domicile in Brazil, without prejudice to the consumer's right to sue in their own jurisdiction where required by law.

Quick summary (non-legal)

You can play completely offline. No data leaves your device.
If you log in with Google, we store your email + saves in Firebase so you can continue on another device.
If you finish the campaign, your team is shared (anonymized) with other players as a "ghost boss". You can delete it any time.
Bug reports include a screenshot of the game — please don't put personal info in the description field.
"Delete my account and data" in Options does exactly that. No questions asked.