PRIVACY POLICY
Effective 2026-05-25 · BaseStriker contributors ("we", "us") at
basestriker.xyz.
BaseStriker is an on-chain arcade game. This policy explains what data we collect when you play, why we collect it, how long we keep it, and how you can ask us to delete it. We try to collect as little as possible.
1. What we collect
- Wallet address (public). The 0x-prefixed EVM address you connect with. It is already public on the Base blockchain; we use it to record your level progress, leaderboard rank, daily-mission progress, and to credit shop purchases to the right player.
- Gameplay metrics. Level reached, score, run duration, frame-by-frame input timestamps, run seed, enemy kill count, and damage taken. Used to verify scores are physically possible (replay-based anti-cheat) and to compute lifetime POINTS.
- IP address. Stored transiently and only used for per-IP rate limiting at the score-attestation API. Not linked to wallets in our database, deleted after 14 days.
- Server logs. Request method, path, status code, response time. Used for debugging and abuse detection. Rotated after 30 days.
2. What we do NOT collect
- Real names, postal addresses, phone numbers, government IDs.
- Email addresses (unless you voluntarily contact us via the support inbox).
- Private keys, seed phrases, or wallet passwords — we never see them. All transaction signing happens on your device, in your wallet of choice.
- Behavioural ad-tracking. No Google Analytics, no Facebook Pixel, no Hotjar, no third-party advertising SDKs.
- Biometric, location, or contact-list data.
3. Where it lives
Our backend is a single Node.js process backed by an SQLite database on a hosted Linux server. Nightly backups are encrypted at rest. The on-chain layer (the Base network) is, by design, fully public — anything you sign with your wallet, including USDC payments to our treasury, is permanently visible to anyone with a Base RPC node.
4. Retention
- Per-run metrics: 24 months rolling, then aggregated into anonymous statistics.
- IP addresses: 14 days.
- Server logs: 30 days.
- Wallet → leaderboard entries: kept indefinitely as part of the public leaderboard. You can request anonymisation; see Section 6.
- On-chain transactions: forever, by the design of the blockchain. We have no power to delete these.
5. Sharing
We do not sell your data. We do not share it with advertisers, data brokers, or marketing partners. We may share data with:
- Infrastructure providers — hosting (server provider), TLS issuer (Let's Encrypt), CDN (if any). They process traffic on our behalf and are bound by their own privacy policies.
- Law enforcement — only in response to a valid legal request that is enforceable in our operating jurisdiction.
- Successor entities — if BaseStriker is acquired, merged, or transferred, your data may transfer with it. We will publish a notice on this page at least 30 days in advance.
6. Your rights (GDPR, UK GDPR, CCPA, etc.)
- Access — request a JSON dump of every row tied to your wallet address. Free, fulfilled within 30 days.
- Erasure — request anonymisation of off-chain records. We will replace your wallet address with a random handle on our side. On-chain history cannot be erased.
- Portability — same as Access; the dump is plain JSON, machine-readable.
- Rectification — request correction of inaccurate off-chain data.
- Objection / restriction — disconnect your wallet and stop playing. We collect nothing further once you stop.
- Complaint — you may lodge a complaint with your local data protection authority.
To exercise any of these rights, email hello@basestriker.xyz from a wallet you can prove ownership of (we may ask you to sign a challenge message).
7. Cookies & local storage
We do not set tracking cookies. The Service uses your browser's localStorage to remember:
- Audio settings (SFX on/off, volume).
- Current level and lifetime POINTS (cached for offline display; the server is the source of truth).
- Shop inventory and TRY-FREE flags.
- Last-connected wallet address (for auto-reconnect convenience).
Clearing your browser site data resets all of the above. None of it is sent to advertisers.
8. Children
BaseStriker is intended for players aged 13 and over. We do not knowingly collect data from anyone younger. If you believe a child has connected a wallet to our service, contact us at hello@basestriker.xyz and we will anonymise the record.
9. International transfers
Our servers are physically located in the European Union. If you access the Service from outside the EU, your data is transferred to and processed in the EU. The EU has been deemed an adequate jurisdiction under the UK GDPR and most other privacy regimes.
10. Security
We use industry-standard practices: TLS 1.2+ on all endpoints, HSTS, encrypted backups, isolated database, principle-of-least-privilege server access. No system is perfectly secure; in the event of a personal-data breach affecting players, we will notify the relevant supervisory authority within 72 hours and post a notice on this page.
11. Changes
We may update this policy when the law changes or when we add a feature that changes the data flow. Updates appear here with a revised "Effective" date. Material changes will be highlighted on the landing page for at least 14 days.
12. Contact
Privacy questions, access requests, deletion requests: hello@basestriker.xyz.