Privacy Policy (CatchMe)

Effective: 29 April 2026

TL;DR

  • CatchMe is a real-world GPS multiplayer game — while a match is running, the other players in your lobby see your location (according to the rules of your role and game mode).

  • We need continuous, background location access — the app keeps tracking even when you swipe it away from recents, otherwise the match would freeze.

  • The app does not use traditional account login — your identity is just a random player ID stored on your device.

  • Match replays are stored after each match. They are not public; only people you share the link with (or who were in the match) can open them in the app. You can delete your replays at any time from the in-app match history.

  • For crash diagnostics we use Sentry, including a privacy-masked session replay on a sample of sessions and on every error session — see Section 3.8.

  • Only join lobbies with people you trust; you can leave at any time.

  • Apple App Store and Google Play handle all payments — we never see or store your card data.

1. Data Controller and Contact

Controller: Burcz Alex E.V. (Hungarian sole proprietor / egyéni vállalkozó), registered seat: 9072 Nagyszentjános, József Attila utca 69, Hungary, Hungarian tax ID: 90898918-1-28.

We have not appointed a separate Data Protection Officer; for any privacy-related question please use the address above.

2. Scope

This policy covers the CatchMe (a.k.a. CATCH ME) mobile app (Android and iOS) and the marketing/landing pages we operate at catchmegame.app. Gameplay features live in the mobile app. A web-based replay viewer may launch in the future; if and when it does, this policy will be updated to describe it.

3. What We Collect

3.1 Account / identity data

  • Chosen player name, avatar, optional profile photo (only if you upload one).

  • The app does not use traditional authentication (no email/password, no social sign-in). Your identity is a randomly generated player ID stored on your device; the server identifies your requests by that player ID.

  • A short-lived session token issued by the server when you join a game, used to authorize your gameplay actions for the duration of that match and cleared when you leave or the match ends. This prevents someone who learns your player ID (e.g. from a replay) from acting on your behalf.

  • Device push token, app language, app version, basic device identifier for the session.

3.2 Location data — the key category

  • During an active match we continuously collect precise GPS coordinates from your device's OS location services, including in the background and even when the app has been removed from recents.

  • Each location sample is sent together with speed, accuracy, and the OS-reported activity type (still / on-foot / walking / running / on-bicycle / in-vehicle). Activity type comes from the OS Activity Recognition API; we use it for movement filtering, anti-cheat and game logic.

  • Outside a lobby/match we do not collect continuous location. Collection starts when you join a lobby and stops when you leave or the match ends.

  • Other players in your lobby will see your location during that match (see Section 6). This is the core game mechanic, not a side effect.

  • We also use these coordinates for anti-cheat / GPS-spoofing detection (e.g. physically impossible movement speeds) on a legitimate-interest basis.

  • Location processing additionally depends on your operating-system location permission, which you can withdraw at any time in your device settings — revoking it will prevent you from playing.

3.3 Match history

  • Match timestamps, durations, teams, who caught whom, results, delivery events (pickup/drop-off in delivery mode).

3.4 Match replay (position trace) — post-match only

  • For every match we save a position trace (GPS coordinates with timestamps) for each player, plus their player name, avatar, team, role (Catcher / Runner), collectibles state, package pickup/drop-off events and the play-area shape.

  • Replay records are stored in our PostgreSQL database hosted on DigitalOcean Managed Databases (EU region). The mobile app fetches the records from this database when a participant opens a replay.

  • Replays are not listed publicly, not searchable and not indexed by search engines. There is currently no web replay viewer — viewing only happens inside the mobile app, from your local match history. The replay is identified by a random 22-character share code; anyone who has that code can fetch the replay through the app, so treat replay share codes as private links.

  • Replays are not live. The replay identifier is only revealed to participants after the match ends — not even the players themselves know it during play, so the replay system cannot be used to spy on a match in progress.

  • You can delete any of your replays directly from the in-app match history. Deletion is permanent and immediate: the position trace and all related data are removed from our database, and the replay becomes unviewable for everyone, including the other participants. For older matches no longer eligible for in-app deletion (e.g. after a reinstall or a long absence), deletion is handled on request — see Section 12.

3.5 Chat messages

  • Team chat, lobby chat and host DMs are delivered in real time to the recipients in the same lobby.

  • Chat is ephemeral: messages are only kept while the lobby/match is active and are discarded as soon as it ends. We do not store chat history long-term.

3.6 Camera / photo library and profile photo storage

  • The camera / photo library is accessed only when you choose a profile photo. We don't read other photos on your device.

  • iPhone HEIC images are converted to JPEG locally on your device before upload — we never receive the original HEIC.

  • Uploaded profile photos are kept only for the duration of the match, served only to other players in the same lobby through an authenticated request, and discarded when the match ends. We do not host them on a public URL or on third-party object storage. A copy is embedded into the match replay record (see 3.4) so the replay viewer can render avatars; deleting the replay deletes that copy too.

3.7 Push tokens

  • FCM (Android) / APNs (iOS) tokens and notification language for match and system notifications.

3.8 Diagnostics, analytics & session replay

  • Sentry for crash and error tracking — captures stack trace, device model, OS version, app version, the breadcrumb leading to the crash, and tags such as platform / native flag.

  • Sentry Session Replay (privacy-masked). Sentry also records a short replay of your in-app screens for diagnostics. We sample 10% of all sessions and 100% of sessions that hit an error. We run Sentry replay with text masking and media blocking turned on: every text node — including player names, lobby codes, chat content and any other on-screen text — is replaced with a placeholder, and images / avatars are blocked, before the recording leaves your device. Sentry receives only the layout and interaction skeleton, never the readable content of your screens. Sentry processes this on its US infrastructure (ingest.us.sentry.io); transfers rely on EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework.

  • Firebase Analytics (Google) for basic gameplay analytics (which screens you visit, where errors happen). Aggregated, no marketing or ad targeting.

  • Server-side logs. Our backend logs request metadata (IP address, user-agent, timestamps, HTTP status codes) for security, anti-abuse and operational debugging.

3.9 In-app purchases (IAP)

  • Apple App Store / Google Play receipts (purchase identifiers), validated through RevenueCat. We never see or store your card data — that is handled exclusively by Apple and Google.

3.10 Local, on-device data (does not leave your phone)

The app stores some state in your device's local storage (Capacitor Preferences and the WebView's localStorage). This data does not leave your device until/unless you take an action that uploads it (e.g. starting a match, sending a chat message).

  • Player ID, player name, avatar reference (so you don't have to re-enter your details every time).

  • The current session token, kept locally so the app can reconnect to an active match without re-handshaking from scratch.

  • App language, theme (light/dark/auto), last-used game mode.

  • Active lobby info, draft game configuration, enabled-collectibles preferences.

  • Saved play-area shapes you created, cached map road-pool used for placing collectibles.

  • Personal replay history list (links and identifiers needed to open and delete your past replays) — the actual position data lives on the server, not on the device.

  • UI dismissal flags (e.g. which DMs you've already seen, transit-stops toggle).

  • A small Sentry replay buffer (already masked) kept locally before being sent (only when sampled).

Clearing the app's data, uninstalling the app, or using the in-app "Delete all my data" option removes all of this from the device.

4. Legal Bases (GDPR Art. 6)

PurposeLegal basisOperating your player profile and matches; sharing location with other players in your lobby; storing and serving match replaysContract (Art. 6(1)(b))Bug-fixing, anti-cheat / anti-spoofing, security, server-side logs, sampled session-replay diagnostics, abuse preventionLegitimate interest (Art. 6(1)(f))Tax records of IAPLegal obligation (Art. 6(1)(c)) and contractNon-essential analytics and marketing push (if any)Consent (Art. 6(1)(a)) — withdrawable any time

Precise location is treated as strictly necessary to provide the game under contract performance, and is tied to active matches. Location processing also depends on your OS-level location permission, which you can withdraw at any time.

5. OS Permissions We Request

  • Location (foreground) — to know where you are during a match.

  • Location (background — "Always" on iOS / "Allow all the time" on Android) — to keep the match running while the screen is off, another app is in the foreground, or the app has been swiped away from recents.

  • Activity Recognition — to detect movement state (still / walking / vehicle).

  • Notifications — for match invites, host messages and round events.

  • Camera / Photos — only when you pick or take a profile photo.

You can revoke any of these permissions at any time in your OS settings; matches will then stop working when the app is in the background.

6. Sharing Your Location With Other Players — Important

CatchMe is a multiplayer "tag" game. When you join a lobby, the host and every other player in that lobby get access to your location for the duration of the match, according to the following rules:

  • Catchers see Runner positions revealed at round-end intervals (configurable, typically every 2–5 minutes).

  • Runners receive only the distance to the nearest Catcher team.

  • On Normal difficulty Catchers also see live distance to Runner teams; on Hard mode this is disabled.

  • If a player leaves the play area or strays too far from teammates, their exact position is revealed to all opposing players as a penalty.

  • In delivery mode, your pickup/drop-off positions are tied to GPS coordinates and are therefore exposed when you collect/deliver a package.

Live position sharing is limited to the duration of the match. When the match ends, live sharing stops. The full position trace is then preserved as a post-match replay (Section 3.4) — accessible only inside the mobile app from your match history (or by anyone who has the replay's random share code). You can delete the replay (and therefore the full position trace) from your in-app match history at any time.

There is no way to play without sharing location with the other players in your lobby. If you don't want to share, don't join the lobby. Only play with people you trust.

7. Background Location

The game must run location even when your screen is off, another app is in the foreground, or you swipe the app away from recents — otherwise a match would freeze. CatchMe runs an Android foreground service with a persistent notification (and the equivalent Always background mode on iOS). The native background-location plugin handles this directly; if Android removes the JS layer to save memory, the native location service keeps reporting positions until the match ends.

We therefore request "Allow all the time" on Android and "Always" on iOS. You can revoke this permission at any time in your OS settings; matches will then stop working when the app is in the background.

8. Recipients / Third Parties

  • Apple Inc. — App Store, IAP, APNs (push).

  • Google LLC — Google Play, IAP, Firebase Cloud Messaging (push), Firebase Analytics.

  • RevenueCat, Inc. — IAP receipt validation and subscription state.

  • Functional Software, Inc. (Sentry) — error tracking and privacy-masked session replay (US infrastructure).

  • DigitalOcean, LLC — application backend hosting and Managed PostgreSQL database (EU region) holding player profiles, match history, replays and other game state.

  • Cloudflare, Inc. — CDN/edge delivery for the marketing website only. Game data and profile photos are not stored on Cloudflare object storage.

  • Map tiles — own self-hosted PMTiles service at map.catchmegame.app (no third-party map provider sees your location; CatchMe does not use Google Maps, Mapbox, etc.).

  • Live updates — the app supports over-the-air JS bundle updates (@capawesome/capacitor-live-update): between full App Store / Play releases the client can fetch a newer JS bundle from our server. The check sends only your current bundle version; no personal data is exchanged.

9. International Data Transfers

The application backend and the managed PostgreSQL database (DigitalOcean EU) are physically located in the EU. The corporate operators of those services and the other US-based processors above (Apple, Google, RevenueCat, Sentry, Cloudflare) may process some data outside the EEA; transfers rely on the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework.

10. Retention

  • Replay (position trace + names + avatars): stored in our database until you delete it from the in-app match history, or until you request deletion via Section 12. The same record is the only place the GPS samples for a match live — there is no separate raw-GPS retention period.

  • Match history (results, who caught whom): for the lifetime of your player profile or until you request deletion.

  • Chat messages: ephemeral — only retained while the lobby/match is active and discarded immediately afterwards.

  • Profile photo: held only for the duration of the match, plus an embedded copy inside the corresponding replay record (subject to the replay retention rule above).

  • Session tokens: cleared when you leave a game or the match ends.

  • Replay deletion credentials (the per-replay key needed to delete a recording): delivered to participants and kept on our server for up to 30 days as a fallback delivery channel, then automatically purged.

  • Sentry crash reports & masked session replays: kept by Sentry for 90 days by default, then deleted.

  • Server-side request logs (IP, user-agent): up to 90 days for security and abuse investigations.

  • Firebase Analytics events: per Google's defaults (commonly up to 14 months for event-level data, then aggregated).

  • IAP receipts: as required by Hungarian tax law (typically 8 years).

11. Children

CatchMe is not directed to children under 13 (under 16 where local law requires). We do not knowingly collect data from such children. If you are a parent or guardian and become aware that your child has created a player profile, write to [email protected] and we will delete their data. COPPA, GDPR-K (Art. 8), and Apple's / Google's policies for minors apply.

12. Your Rights

Under the GDPR you have the right to: access, rectification, erasure ("right to be forgotten"), restriction, data portability, objection, and to withdraw consent.

How to exercise your rights:

  • In-app (preferred): open the app menu and tap "Delete all my data". This deletes every replay you can still delete from your device, unregisters this device from push notifications, clears all locally stored data, and reloads the app as if freshly installed. You can also delete individual replays from Match History.

  • By email: for older replays no longer eligible for in-app deletion, server-side request logs tied to your player ID, or any other server-side data not reachable through the in-app path, write to [email protected] with your player ID and, where relevant, the share code, game ID, or other corroborating info.

How we verify your identity. Because CatchMe doesn't collect names or emails, when you contact us by email we ask for your player ID and any additional details that confirm you were part of the match in question (share code, game ID, lobby code, match time, or teammate names). This protects your data from being acted on by someone else who happens to know your player ID. If we genuinely can't link the request to a participant (per GDPR Art. 11(2)), we'll let you know what extra information would help us proceed.

You can lodge a complaint with the Hungarian DPA — NAIH, www.naih.hu, 1055 Budapest, Falk Miksa utca 9-11 — or with the DPA of your EU country of residence.

13. Security

We apply reasonable technical and organizational measures: encrypted transport (HTTPS/TLS), authenticated server access, role-based admin permissions, and server-side logging.

Each gameplay session is authenticated by a short-lived token bound to your player ID; without it, the server will not act on behalf of your account. Each replay has its own deletion key, issued only to the participants of that match — without that key, even someone who knows the replay's share link cannot delete it. Once a replay is deleted, it is unrecoverable.

We apply rate limits across all API endpoints to protect against abuse. Replay share links use long random codes — treat them like private invites.

The app does not use traditional user authentication: identity is a player ID stored on your device. Treat your lobby invite codes carefully — anyone who gets a lobby invite can join that lobby. Don't post lobby codes publicly and don't share invites with strangers.

No system is 100% secure.

14. Changes to this Policy

For material changes we will notify you inside the app before the change takes effect.

15. Contact

Burcz Alex E.V., 9072 Nagyszentjános, József Attila utca 69, Hungary — [email protected].

16. Apple App Store — App Privacy / Nutrition Label

The App Store "App Privacy" label points to the categories above (Location, Identifiers, Purchases, User Content, Diagnostics). The detailed explanation lives in this policy.

17. Google Play — Data Safety

The Play Store "Data Safety" section reports the same categories (location, account info, messages, purchases, diagnostics). Full detail is here.

This website uses cookies to improve user experience, analyze traffic, and collect anonymous statistics.
Details