Privacy Policy
Last updated: 2026-05-28
Kaffekullen Interactive ("we", "our", "us", or "the operator") is responsible for the personal data processed in connection with Orbitarion ("the game", "the service"). This Privacy Policy describes what data we collect, how we use it, who we share it with, and what rights you have over your data.
This policy applies to all players worldwide, with EU-specific rights detailed in Section 8 (Your Rights).
By using Orbitarion, you acknowledge that you have read and understood this policy.
1. Who we are
Kaffekullen Interactive is operated from Sweden. We are the data controller responsible for processing your personal data under the EU General Data Protection Regulation (GDPR).
| Item | Details |
|---|---|
| Operating name | Kaffekullen Interactive |
| Country of operation | Sweden |
| Contact email | [email protected] |
| Community | discord.gg/xSRSe9gpgy |
There is no dedicated Data Protection Officer (DPO), as the scale of our operations does not require one under GDPR Article 37. The contact above is the single point of contact for all privacy matters.
2. Information we collect
2.1 Account information
When you create an Orbitarion account, we collect:
- Email address — used for authentication, account recovery, and (with your consent) newsletter communications
- Authentication tokens — if you sign in with Google or Apple, we receive an OAuth/identity token and basic profile information (name, email) from the provider. We never receive or store your provider password
- Account creation timestamp
- Optional display name — your chosen player name, separate from your real-world name
2.2 Game data
During gameplay, we collect and store:
- Your planet name, race selection, and alliance membership
- All in-game actions (fleet movements, attacks, scans, research orders, defense builds, trade deliveries)
- Battle results and combat logs (your planet's view of any battle you participated in)
- Game scores, rankings, and Commander Career statistics
- In-game communications including alliance announcements and any messages sent through alliance channels
2.3 Subscription data
If you purchase a Premium Commander subscription:
- We receive a subscription receipt and entitlement state from RevenueCat (our subscription manager)
- We do NOT receive your payment card number, banking details, or any other financial information — those remain with Apple App Store or Google Play Store
- We record subscription tier, start date, and expiry/renewal date to deliver premium features
2.4 Technical data
We automatically collect:
- Device type and operating system version
- App version
- Crash reports and performance data (function-level error traces)
- IP address (for security, fraud prevention, and approximate geographic region)
- Advertising identifier (IDFA on iOS, AAID on Android) if you have not opted out, used for ad delivery and frequency capping
2.5 Communications data
If you contact us at [email protected], we receive and retain your email content and any attachments. We use this data only to respond to your request.
Discord interactions are governed by Discord's own Privacy Policy. We do not control Discord's data handling.
3. Newsletter and marketing communications
By creating an Orbitarion account with a verified email address, you may receive occasional emails from us about:
- Season announcements (new seasons starting, Speed Round schedules)
- Major game updates and feature releases
- Survey requests and community-focused communications
We do not send unrelated marketing, sell your email address, or share it with third-party advertisers.
Unsubscribing
Every newsletter email contains a clear unsubscribe link. Unsubscribing is honored permanently — we will not re-add your email to the newsletter list afterward. You can also email [email protected] requesting removal from all communications.
Newsletter vs. transactional emails
Transactional emails (password reset, account verification, subscription receipts, account closure notices) are not covered by newsletter unsubscribe preferences. These emails are necessary to operate your account and are sent through Resend (our transactional email service).
Newsletter delivery is handled by Loops.so. Your email and unsubscribe preferences are stored there in addition to our database.
4. How we use your information
We use your information to:
| Purpose | What we do |
|---|---|
| Provide the game | Create accounts, authenticate logins, process gameplay actions, maintain game state |
| Deliver subscriptions | Activate Premium Commander features for paying subscribers, restore purchases across devices |
| Send push notifications | Notify you (opt-in) of in-game events like attacks, fleet arrivals, alliance activity |
| Send newsletter | Communicate game updates to account holders (opt-out anytime) |
| Prevent abuse | Detect cheating, multi-accounting, bot activity, and other rule violations per our Terms of Service |
| Improve the game | Use aggregated crash reports, performance data, and bug reports to fix issues and improve quality |
| Customer support | Respond to your support requests, account recovery, and complaints |
| Comply with law | Respond to legitimate legal requests; preserve data when required |
5. Legal basis for processing (GDPR)
Under the EU General Data Protection Regulation, we process personal data on the following legal bases:
| Processing activity | Legal basis (GDPR Article 6) |
|---|---|
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Game state and in-game actions | Performance of contract (Art. 6(1)(b)) |
| Subscription processing | Performance of contract (Art. 6(1)(b)) |
| Transactional email delivery | Performance of contract (Art. 6(1)(b)) |
| Push notifications | Consent (Art. 6(1)(a)) — opt-in per category |
| Newsletter | Legitimate interest for account holders, with opt-out (Art. 6(1)(f)). Withdrawable anytime |
| Crash reports and performance data | Legitimate interest in operating a stable service (Art. 6(1)(f)) |
| Fraud and abuse prevention | Legitimate interest in protecting players (Art. 6(1)(f)); legal obligation in some cases (Art. 6(1)(c)) |
| Personalized advertising | Consent (Art. 6(1)(a)), where required by your jurisdiction |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
You may withdraw any consent at any time. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.
6. Data sharing and subprocessors
We do not sell your personal information to anyone, under any circumstances.
We use the following subprocessors to operate Orbitarion. Each subprocessor processes data only for the purposes described and is bound by data processing terms compatible with GDPR:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, real-time game state | Account data, game data, technical data | EU (Frankfurt) |
| Cloudflare | CDN, DNS, static site hosting (support, stats, tools, admin) | IP address, request metadata | Global edge |
| RevenueCat | Subscription management, entitlement state | Account ID, subscription receipts | US |
| Apple App Store | iOS subscription billing | Payment processing (not visible to us) | Per Apple |
| Google Play Store | Android subscription billing | Payment processing (not visible to us) | Per Google |
| Google Sign-In | OAuth authentication (optional) | Email, name, OAuth token | US |
| Apple Sign-In | OAuth authentication (optional) | Email, name, OAuth token | US |
| Firebase Cloud Messaging | Push notifications | Device token, notification payload | US |
| Loops.so | Newsletter delivery | Email, unsubscribe preferences | US |
| Resend | Transactional emails (password reset, verification) | Email, message content | EU/US |
| AdMob (Google) | Ad delivery for free users | Advertising identifier, ad interaction signals | Global |
We may also share data with law enforcement if legally required to do so, in response to a valid legal request (court order, subpoena, or equivalent).
7. International data transfers
Several of our subprocessors are based outside the European Economic Area (EEA), primarily in the United States. When we transfer personal data outside the EEA, we rely on appropriate safeguards approved by the European Commission, primarily Standard Contractual Clauses (SCCs) as established under GDPR Article 46.
US-based subprocessors are also typically certified under the EU-US Data Privacy Framework where applicable.
You can request a list of which subprocessors handle your data and what safeguards apply by emailing [email protected].
8. Your rights
Under the GDPR (and similar laws in other jurisdictions), you have the following rights regarding your personal data:
| Right | What you can do |
|---|---|
| Right of access (Art. 15) | Request a copy of the personal data we hold about you |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Right to erasure (Art. 17) | Request deletion of your data ("right to be forgotten") |
| Right to restriction (Art. 18) | Request that we limit processing in certain circumstances |
| Right to portability (Art. 20) | Request your data in a structured, machine-readable format |
| Right to object (Art. 21) | Object to processing based on legitimate interest, including direct marketing |
| Right to withdraw consent (Art. 7) | Withdraw any consent you previously gave |
| Right not to be subject to automated decisions (Art. 22) | We do not make solely automated decisions with legal effect on you, but you retain this right |
To exercise any of these rights, email [email protected] from the address associated with your account. We will respond within 30 days as required by GDPR.
Deleting your account
You can request account deletion at any time by emailing [email protected] or following the in-app Delete Account flow. We will delete your account and associated personal data within 30 days of the request, except:
- Data we are required to retain by law (e.g. for fraud investigation, tax records)
- Aggregated or anonymized data that no longer identifies you (e.g. season statistics where your planet is removed but the season's existence is preserved)
- Hall of Fame records, which may persist anonymously after deletion
After deletion, your in-game presence (planet, fleet, alliance membership) is permanently removed and cannot be recovered.
Lodging a complaint with a supervisory authority
If you are in the EU and believe we have mishandled your personal data, you have the right to lodge a complaint with a supervisory authority. The relevant authority for Sweden is:
Integritetsskyddsmyndigheten (IMY)
Postal address: Box 8114, 104 20 Stockholm, Sweden
Web: imy.se
Email: [email protected]
You also have the right to lodge a complaint with the supervisory authority in your country of residence.
9. Data retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy:
| Data type | Retention period |
|---|---|
| Account information | While your account is active + up to 30 days after deletion request |
| Game data (active seasons) | Duration of the season + 1 year after season end for archive purposes |
| Game data (ended seasons) | Indefinitely in archived/anonymized form on stats.orbitarion.com |
| Subscription records | 7 years (Swedish bookkeeping law requirements) |
| Communications (email support) | 2 years after last contact |
| Crash reports and performance data | 90 days |
| Push notification tokens | While valid (revoked tokens removed automatically) |
| IP addresses (security logs) | 90 days |
| Newsletter subscription record | While subscribed + unsubscribe record kept permanently to honor the opt-out |
Hall of Fame records and season-end leaderboards may be retained indefinitely in a form that includes your chosen planet name but not your real-world identity. You can request anonymization of these records by contacting support.
10. Children's privacy
The minimum age to create an Orbitarion account is 13 years old. This is in line with applicable laws in Sweden, the United States (Children's Online Privacy Protection Act, COPPA), and most other jurisdictions where Orbitarion is available.
Some jurisdictions impose higher minimum ages. Check your local laws — if your country requires age 16 (for example, under GDPR member-state options before Sweden's lowered age was set), you must meet your local minimum to use the service.
App store age ratings (Apple, Google) are determined by the platforms and are separate from this minimum account age. Local content ratings may also apply.
We do not knowingly collect data from children under 13. If you are a parent or guardian and believe your child has provided personal information to us, please contact [email protected] and we will delete the data and the associated account.
11. Advertising
The free version of Orbitarion displays ads delivered through Google AdMob. Premium Commander subscribers do not see ads.
Advertising partners (AdMob and its network) may collect:
- Your advertising identifier (IDFA on iOS, AAID on Android), if not opted out
- Ad interaction signals (impressions, clicks)
- Technical metadata for ad delivery and frequency capping
You can opt out of personalized advertising at any time:
- iOS: Settings → Privacy & Security → Tracking → Allow Apps to Request to Track (turn off)
- Android: Settings → Google → Ads → Reset advertising ID / Opt out of Ads Personalization
Opting out does not remove ads — it just makes them non-personalized.
12. Cookies and similar technologies
The Orbitarion mobile app does not use browser cookies — it is a native mobile application. However, we use:
- Device storage (AsyncStorage / equivalent) to store authentication tokens and game state for offline access
- Advertising identifiers (IDFA/AAID) for ad delivery, as described in Section 11
- Browser cookies on our web properties (orbitarion.com, support.orbitarion.com, stats.orbitarion.com, tools.orbitarion.com) for essential session and analytics purposes
Web properties use minimal cookies. We do not use third-party tracking cookies for advertising on our websites.
13. Security
We implement appropriate technical and organizational measures to protect your data:
- All data transmission uses HTTPS/TLS encryption
- Row Level Security (RLS) ensures that you can only access your own player data
- Authentication uses OAuth tokens or password hashing (bcrypt) — passwords are never stored in plaintext
- Database access is restricted to operational staff (currently one individual) under audit logging
- Subprocessors are required to maintain SOC 2 or equivalent compliance
No system is 100% secure. If we become aware of a personal data breach that is likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours as required by GDPR, and notify affected players as appropriate.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we use, or legal requirements.
When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Post a notice in the app and/or send an email to affected users
- For significant changes, ask for your renewed consent where required
Continued use of Orbitarion after changes constitutes acceptance of the updated policy.
15. Contact
For privacy questions, data subject requests, or any other privacy-related matter:
- Email: [email protected]
- Discord: discord.gg/xSRSe9gpgy
We aim to respond to all privacy-related emails within 5 business days and to complete data subject requests within 30 days as required by GDPR.
Documentation reflects Orbitarion v2.0. Last updated: 2026-05-28.