This Policy explains what we collect, why we collect it, and how we keep it safe.
What we collect
- Account: email, password (hashed), gender, age-confirmation flag.
- Profile (optional): first / last name, nickname, phone number, date of birth, profile picture, bio.
- Payments: M-Pesa transaction codes, amounts, timestamps. We never see or store your M-Pesa PIN.
- Usage: which categories you open, your progress per category, last-seen timestamp.
- Technical: IP address and user-agent on login (for security audits), session cookies.
Why we collect it
- To deliver the product you paid for (game content, progress tracking).
- To process payments securely via IntaSend / Safaricom M-Pesa.
- To prevent fraud, abuse, and bot signups.
- To send essential account emails (welcome, 2FA codes, login alerts, payment receipts).
- To aggregate anonymous usage stats — visible to admins only, never sold.
Who we share it with
We don't sell your data. Sharing is limited to:
- Payment processors: IntaSend / Safaricom — to complete transactions.
- Email provider: a third-party SMTP relay — to deliver transactional emails (welcome, OTP, password reset, payment receipts).
- Authorities: only when legally compelled.
Cookies
We use cookies for: session login (mandatory), CSRF protection (mandatory), and to remember dismissed announcements and the cookie banner itself. We don't use third-party tracking cookies.
Your rights
- Access — see your data at any time on the Profile page.
- Correction — edit your profile directly.
- Deletion — email no-reply@breathehaus.com to request account deletion.
- Portability — request an export of your data.
Security
Passwords are hashed using industry-standard algorithms. Two-factor authentication is optional (TOTP or email OTP). Sessions expire on a configurable timer. Payment callbacks pass cryptographic verification before being trusted.
Contact
For any privacy question, email no-reply@breathehaus.com.