Privacy Policy

Last updated: 7 February 2026

1. Introduction

This Privacy Policy explains how BattleStats ("we", "us", "our", the "Service"), accessible at battlestats.co.uk, collects, uses, stores, and protects personal data when you use our website and related services. We are committed to protecting your privacy and handling your data transparently and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

The data controller responsible for your personal data is the Operator of this Service. If you have any questions about this Privacy Policy or our data practices, please contact us.

3. Data We Collect

We collect the following categories of personal data:

  • Account Information: When you register, we collect your username, email address, and a securely hashed password. We never store plaintext passwords.
  • Game Profile Data: Information you voluntarily provide about your in-game profile, such as chief level, furnace level, hero rosters, building levels, and other game-related configuration data.
  • Gift Code Registration: If you use the gift code service, we collect your in-game Furnace ID (FID), which is a numeric identifier used by the game. We may also store your in-game nickname and level as returned by the game's public API.
  • Usage Data: Standard server logs including IP address, browser type, pages visited, and timestamps. This data is used solely for security, performance monitoring, and debugging.
  • Cookies: We use essential cookies and local storage for authentication (JWT tokens) and user preferences (e.g. language selection). We do not use advertising or tracking cookies.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service Provision: To provide, maintain, and improve the Service, including generating hero lineup recommendations, battle simulations, and gift code redemption services.
  • Authentication: To verify your identity and manage your account access.
  • Communication: To respond to your enquiries or notify you of important changes to the Service.
  • Security: To detect, prevent, and address technical issues, abuse, or unauthorised access.

5. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent: By registering an account or submitting your FID, you consent to the collection and processing of your data as described herein.
  • Legitimate Interest: For security monitoring, fraud prevention, and improving the Service.
  • Contractual Necessity: To provide the services you have requested by creating an account.

6. Data Storage and Security

Your data is stored in encrypted databases on secure servers. Passwords are hashed using bcrypt with a cost factor of 12. Authentication tokens are signed using JWT and expire after 30 days. We implement industry-standard security measures to protect against unauthorised access, alteration, disclosure, or destruction of your personal data.

7. Data Sharing

We do not sell, trade, or rent your personal data to third parties. We may share data only in the following limited circumstances:

  • Gift Code API: When you register for gift code redemption, your FID is sent to CenturyGame's public gift code API solely for the purpose of verifying your account and redeeming codes on your behalf. We do not control CenturyGame's data practices.
  • Legal Requirements: If required by law, regulation, or legal process.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you services. You may request deletion of your account and all associated data at any time by contacting us. Upon receiving a valid deletion request, we will delete your data within 30 days.

9. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your personal data.
  • Right to Restrict Processing: Request limitation of how we process your data.
  • Right to Data Portability: Request your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interest.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us. We will respond to your request within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete such data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. Continued use of the Service after changes constitutes acceptance of the revised policy.

12. Contact

For any questions or concerns regarding this Privacy Policy, please use our contact form.