Privacy Policy

1. Introduction

NATIONCLASH ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the NATIONCLASH platform ("the Service"). We process your data based on the lawful bases described in this policy, including contract performance (providing the Service), legitimate interest (security and abuse prevention), and legal obligation (financial record keeping).

2. Information We Collect

2.1 Information You Provide

• Account information: When you register, we collect your username and password (stored as a secure bcrypt hash — we never store your plaintext password).
• Country selection: The country you choose to represent on the leaderboard.

2.2 Information Collected Automatically

• Session data: We generate a secure session token stored in a cookie ("nationclash_session") that expires after 7 days. This is used solely for authentication.
• IP address: Temporarily stored in memory for rate-limiting purposes to prevent abuse. IP addresses are not persisted to any database and are automatically pruned from memory.
• Transaction records: When you purchase credits, we store the transaction amount, credit quantity, and Polar transaction ID for record-keeping and to prevent duplicate processing.
• Gameplay data: Equipment purchases, strikes, and leaderboard rankings associated with your account.

2.3 Information We Do NOT Collect

• We do not collect your email address (unless you contact us directly).
• We do not collect your real name, phone number, or physical address.
• We do not collect or store any payment card numbers, bank details, or financial information. All payment processing is handled entirely by Polar (our Merchant of Record), and we never have access to your payment details.
• We do not use tracking pixels, analytics cookies, or third-party advertising trackers.

3. How We Use Your Information

We use the information we collect to:

• Create and maintain your account.
• Authenticate your sessions and protect against unauthorized access.
• Process credit purchases and maintain transaction history.
• Operate the leaderboard, equipment system, and strike mechanics.
• Enforce rate limits and prevent abuse of the platform.
• Respond to support inquiries.
• Comply with legal obligations.

4. How We Share Your Information

We do not sell your personal information. We share data only in the following cases:

• Polar (payment processor): When you initiate a purchase, transaction data is shared with Polar to process the payment. Polar acts as the Merchant of Record and has its own Privacy Policy.
• Public leaderboard: Your username, selected country, and military power score are displayed publicly on the leaderboard. This is core to the Service's functionality.
• Activity feed: Your purchases and strikes are shown in the public activity feed with your username.
• Legal requirements: We may disclose information if required by law, court order, or governmental regulation.

5. Cookies

We use a single, essential cookie ("nationclash_session") for authentication. This cookie contains a cryptographically secure session token and expires after 7 days. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. Because this cookie is strictly necessary for the Service to function, it does not require consent under most privacy regulations.

6. Data Security

We implement the following security measures to protect your data:

• Passwords are hashed using bcrypt with 12 rounds of salting.
• Session tokens are cryptographically generated and stored securely.
• Rate limiting protects against brute-force attacks (10 attempts per 15 minutes per IP).
• CSRF protection is enforced via origin header checking.
• Polar webhook signatures are verified using HMAC-SHA256 with timing-safe comparison.
• Database connections use encrypted channels.

While we take reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

• Account data is retained for as long as your account is active.
• Transaction records are retained indefinitely for legal and accounting purposes.
• Session data expires automatically after 7 days and is purged from the database.
• Rate-limiting data (IP addresses) is stored in memory only and is automatically pruned (not persisted).

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your account and associated personal data. Note that transaction records may be retained for legal compliance.
• Data portability: Request your data in a structured, machine-readable format.
• Objection: Object to our processing of your personal data in certain circumstances.

To exercise any of these rights, contact us at support@nationclash.com. We will respond within 30 days.

9. Children's Privacy

NATIONCLASH is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a user under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@nationclash.com.

10. International Data Transfers

Your data may be processed and stored in countries other than your own. Our database infrastructure is hosted in the United States. Payment data is processed by Polar, which maintains its own data transfer safeguards as described in their Privacy Policy. Where applicable, we rely on Standard Contractual Clauses and adequacy decisions for international data transfers. We take reasonable steps to ensure your data is treated securely and in accordance with this policy.

11. Third-Party Links

The Service may contain links to third-party websites (e.g., Polar's checkout). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at support@nationclash.com. For data protection inquiries from EU residents, this is also the designated point of contact. We will respond within 30 days as required by applicable law.