HEXTRAIL PRIVACY POLICY
Effective date: May 7, 2026
HexTrail is a real-world location game. We collect only what we need to make the game work. We do not sell your data. We do not share it with advertisers.───────────────────────────1. WHO WE ARE
HexTrail is operated by HexTrail, reachable at [email protected]. Our app lets players walk, run, or ride the Burke-Gilman Trail in Seattle to capture hexagonal territory tiles in a shared real-world game.
───────────────────────────2. WHAT DATA WE COLLECT
Location data
HexTrail requires precise GPS location to function. We use your location to determine which hexagonal tiles you are physically present in, to validate captures, and to display your position on the trail map. Location is collected while the app is in use during an active session. We do not collect location data in the background when the app is closed.
Anonymous player identity
When you first open HexTrail, we create an anonymous account for you. This gives you a unique player ID so your captured tiles are associated with you. By default, no email, real name, or phone number is collected.
Display name (optional)
You may optionally choose a public display name that appears on the leaderboard alongside your captured tiles. You can change or clear it at any time from the in-app menu.
Optional sign-in identity (Google or Apple)
You may optionally sign in with Google or Apple to save your progress so it survives reinstalls and device changes. When you do, we receive and store the verified email address provided by the identity provider, linked to your existing player ID. With Apple, you may choose to share your real email or use Apple's private relay address — either is fine. Sign-in is fully optional. The game works indefinitely without it. Email addresses received through sign-in are used only to identify your account; we do not send marketing.
Gameplay data
We store the tiles you capture, when you captured them, and when their protection expires. This data is necessary for the game to function.
Device token for push notifications
If you grant notification permission, we store your device's push notification token alongside your player ID. You can revoke notification permission at any time in your device settings.
Session data
When you complete a session, we store aggregate session statistics — hexes captured, distance, duration, and mode. This powers your session summary and leaderboard ranking.
───────────────────────────3. WHAT WE DO NOT COLLECT
Your real name or phone number
Your email address, unless you choose to sign in with Google or Apple
Payment information of any kind
Contacts, photos, or any other device data
Background location when the app is closed
Advertising identifiers or tracking identifiers
Posts, friends, or any other social media data — even if you sign in with Google or Apple, we receive only your verified email and (optionally, with Apple) a name
───────────────────────────
4. HOW WE USE YOUR DATA
To operate the game — tile ownership, protection timers, leaderboard rankings, and session summaries
To send gameplay notifications — tile takeover alerts and protection expiry reminders if you have granted permission
To preserve your progress across reinstalls and devices, when you have signed in with Google or Apple
To improve the app — aggregate, anonymized usage patterns help us understand how the trail is being used
───────────────────────────
5. DATA SHARING
We do not sell your data. We do not share your data with advertisers. We share data only with these service providers:
Supabase — our database and authentication provider. Stores player IDs, tile ownership records, display names, and device tokens. supabase.com/privacy
Firebase (Google) — used to deliver push notifications via Firebase Cloud Messaging. firebase.google.com/support/privacy
Mapbox — provides the map tiles and trail rendering in the app. mapbox.com/legal/privacy
Google Sign-In — used only if you choose to sign in with Google, to verify your identity. policies.google.com/privacy
Sign in with Apple — used only if you choose to sign in with Apple, to verify your identity. apple.com/legal/privacy
───────────────────────────
6. DATA RETENTION
If you have signed in with Google or Apple, your account, captured tiles, display name, and history are preserved across reinstalls and device changes for as long as your account is active.
If you have not signed in, your account is anonymous and tied to your app install. Uninstalling HexTrail makes your previous tiles and history unrecoverable, and a new anonymous account is created on reinstall. We may delete inactive anonymous accounts after 12 months of inactivity.───────────────────────────7. YOUR RIGHTS
Delete your data — email [email protected] and we will delete your account and all associated data within 30 days, regardless of whether you signed in. You can also visit https://privacy.hextrail.app/#delete for full instructions.
Sign out or unlink — open the in-app overflow menu → "Save my progress" → sign out. You can also revoke HexTrail at any time from your Apple ID settings (appleid.apple.com) or your Google Account (myaccount.google.com → Security → Third-party apps).
Revoke location permission — go to device Settings → HexTrail → Location → Never.
Revoke notification permission — go to device Settings → HexTrail → Notifications → turn off.
Access your data — email us and we will provide a copy of data associated with your player ID.
───────────────────────────
8. CHILDREN'S PRIVACY
HexTrail is not directed at children under 13. We do not knowingly collect personal information from children under 13. Contact [email protected] if you believe a child under 13 has used our app.
───────────────────────────9. CALIFORNIA PRIVACY RIGHTS (CCPA)
For users who have not signed in, HexTrail uses anonymous authentication and does not collect personal identifiers such as names or email addresses. For users who choose to sign in with Google or Apple, we collect only the verified email address (and, optionally with Apple, a name) supplied by the identity provider, used solely to identify your account. We do not sell personal information. Contact [email protected] with any questions or to exercise your CCPA rights.
───────────────────────────10. SECURITY
We use row-level security policies on our database to ensure players can only read and write their own data. We use HTTPS for all data in transit. Sign-in with Google and Apple uses industry-standard OAuth 2.0 / OpenID Connect — your provider password is never seen by HexTrail. If you believe there is a security issue, contact [email protected].
───────────────────────────11. CHANGES TO THIS POLICY
We may update this Privacy Policy as the app evolves. We will update the effective date at the top when material changes are made.
Changes in this version (May 7, 2026): Added optional Google and Apple sign-in for saving progress across reinstalls. Clarified that display names are optional and publicly visible. Added Google Sign-In and Sign in with Apple to the list of service providers. Updated retention policy to reflect that signed-in accounts persist across reinstalls.───────────────────────────Questions? Email [email protected] or visit hextrail.app
_____________________________

DELETE YOUR ACCOUNT AND DATA

You can request deletion of your HexTrail account and all associated data at any time, free of charge.How to request
Email [email protected] from the email address linked to your account (if you signed in with Google or Apple).
If you play anonymously and have no email linked, email us with your in-app display name (if set) and the approximate date you started playing, so we can locate your player record.What gets deleted (within 30 days)
- Your player account and any linked Google or Apple identity
- All hexes you have captured (returned to the unclaimed pool)
- Your display name and leaderboard entries
- Your session history and statistics
- Your push notification device tokens
What we may retain
Anonymized, aggregated game-event logs that no longer reference your player ID, kept for game-balance and trail-usage analysis. We may also retain records required to comply with legal obligations.
We will reply to confirm when deletion is complete.Questions? Email [email protected]