Privacy policy

When you create an account we collect your email address, display name, and the unique identifier your auth provider (Google, password) returns. When you make a purchase we route payment through Stripe and store a Stripe customer id and last-four card metadata — never the full card number. When you scan a Hitbox NFC tag we record the chip's public identity, the timestamp, and the user uid that performed the scan.

To operate the platform: authenticate you, attribute purchases and trades, run the recommendation feed, and contact you about drops you've opted into. We do not sell personal information.

Hitbox uses Firebase (Google) for authentication, database, storage, and Cloud Functions; Stripe for payments; and analytics providers as disclosed in the cookie banner. Each processor is bound by a data-processing agreement and may not use your information for unrelated purposes.

Account-bound records are kept while your account is active and for a reasonable period after closure to fulfill legal, accounting, and dispute-resolution obligations. Audit logs of administrative actions are retained for seven years.

You can request access, correction, or deletion of your information by emailing privacy@hitbox.app. Where required by law (GDPR, CCPA, equivalents) we honor regional rights including data portability and objection to certain processing.

We'll post material changes here and notify active accounts by email. Continued use after a change constitutes acceptance.