Privacy & Data Processing Policy
Part I — Privacy Policy
1. Who we are (Data Controller)
Cardio Critters (“the App”, “we”) is a running game with a virtual pet, developed and operated by Santiago Moreno Benavides, a natural person and independent developer residing in Colombia, acting as the Data Controller of the personal data.
- Privacy / Habeas Data email: [email protected]
- Contact person for data matters: Santiago Moreno Benavides (the developer). Because the service is operated by a natural person, no formal DPO is appointed: the Controller is directly the point of contact.
- Website: https://cardiocritters.com
- Official channel for privacy and Habeas Data rights: the email address above.
This policy explains what personal data we collect, for what purpose, with whom we share it, how long we keep it, and what rights you have over it. It applies to the iOS app (and future Android versions), the public landing page, and the admin backoffice.
2. Guiding principle
We designed Cardio Critters around the principle of data minimization: we collect strictly what is needed for the game to work and for your virtual pet to respond to your physical activity. In particular:
- Your GPS route never leaves your phone. We use location only, and in real time on the device, to compute the distance and pace of your run. We do not send or store the coordinates, the route, or the map of your run on our servers — we only keep aggregated metrics (total distance, duration, pace, estimated calories).
- We do not use third-party advertising or analytics SDKs (no trackers, no advertising identifiers, no profiling for marketing purposes).
- We do not sell your personal data to anyone.
- We do not process payments within the app: the game economy (“energy”) is virtual and earned by running; there are no real-money purchases or card data.
3. Data we collect
3.1. Account and identity data
Managed through our authentication provider Clerk (see §6):
- Email address (required to create the account).
- Password — managed and stored by Clerk in encrypted form; we never see or store your password.
- Display name.
- Phone number — only if you enable two-factor authentication (2FA) via SMS.
- Authentication metadata (session state, email verification, MFA factors).
Internally, our backend only stores an internal identifier (usr_…) and the Clerk reference; the rest of the identity lives in Clerk.
3.2. Profile and preference data
- Selected avatar, short bio (optional).
- Language (locale) and time zone (timezone); the latter is needed to correctly compute streaks and the pet's daily decay.
- App settings: notifications on/off, reminder time, units (metric/imperial).
3.3. Physical activity data (sensitive data)
We treat the following as sensitive health/fitness data:
- For each run: distance, duration, pace, estimated calories, date and time.
- Derived/cumulative data: total kilometers, number of runs, energy generated, streaks, best distance.
- Precise location (GPS): location permission is requested (including in the background so tracking isn't interrupted while you run) and is processed exclusively on your device to measure the run. We do not transmit or retain the trace or the coordinates.
3.4. Game and progress data
- Pet(s), their states (hunger, mood, health), level and XP.
- Inventory, buffs, missions, achievements, energy wallet.
3.5. Technical and notification data
- Push notification token (Firebase Cloud Messaging registration token) and the device platform (iOS/Android, for delivery/observability purposes only).
- “Last active” marker (last_active_at).
- Minimal server logs: as a matter of policy, our logs and our event log do not contain identifiable personal data, only the internal identifier usr_…, the action, and the latency. The IP address is transiently processed by the edge infrastructure (Cloudflare) to deliver and protect the service from abuse; we do not store it in our game database.
3.6. Data we do NOT collect
- GPS coordinates / routes / maps of your runs (they never leave the device).
- Card or payment data (there are no real-money purchases).
- Heart rate or other HealthKit/wearable data (not implemented in this version).
- Advertising identifiers (IDFA, AAID) or data for advertising or profiling.
4. Purposes of processing
We use your data to:
- Provide the core service: create and maintain your account, compute the energy/XP from your runs, keep your virtual pet alive, and sync your progress across sessions and devices.
- Game functionality: streaks, missions, achievements, virtual shop, inventory, and in-game notifications.
- Notifications: run reminders, pet status alerts, ready missions, and rewards (you can turn them off).
- Security and abuse prevention: authentication, fraud/idempotency control, integrity of the game economy.
- Support and operational communication with you.
- Compliance with legal obligations and handling of rights requests.
- Product improvement based on aggregated, non-identifiable data (we do not use individual analytics with trackers).
We do not process your data for targeted advertising, nor do we transfer it to third parties for commercial purposes.
5. Legal basis for processing (GDPR / equivalent laws)
| Purpose | Legal basis (GDPR art. 6 / sensitive data art. 9) |
|---|---|
| Create and operate your account and the game | Performance of a contract (art. 6.1.b) |
| Processing of physical activity / health data | Explicit consent (art. 9.2.a) given at sign-up |
| Push notifications | Consent (revocable in OS/app settings) |
| Security, fraud prevention | Legitimate interest (art. 6.1.f) |
| Legal compliance and handling of rights | Legal obligation (art. 6.1.c) |
6. Who we share data with (Processors / third parties)
We share data only with providers acting as Data Processors under contract, and only as needed to operate:
| Provider | Function | Data processed | Location |
|---|---|---|---|
| Clerk, Inc. | Authentication and identity | Email, password (encrypted), phone (if 2FA), name, session metadata | USA |
| Cloudflare, Inc. | Hosting, database (D1), storage (KV/R2), CDN, edge security | All account and game data; transient IP | Global edge network (USA and others) |
| Google (Firebase Cloud Messaging) | Push notification delivery | Device token; notification content (no PII) | USA |
| Apple, Inc. (APNs) | Push delivery to iOS devices | Device token; notification content (no PII) | USA |
We may also disclose data when required by law, a court order, or a competent authority, or to protect the rights, safety, and integrity of the service.
7. International transfers
Your data may be processed outside your country (mainly in the USA and across our providers' global edge network). When this happens, we rely on valid transfer mechanisms such as the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, and/or your informed consent. For users in Colombia, transfers are carried out in accordance with Law 1581 of 2012 and its implementing decrees.
8. Data retention
- We keep your data while your account is active.
- When you request deletion, we first apply a soft delete (the account is marked as deleted and becomes inaccessible) and then a permanent purge of the data we are not required to keep for legal or security reasons.
- System event logs (without PII) and aggregated data may be kept for a limited time for auditing, security, and statistics.
9. Security
We apply reasonable technical and organizational measures: encryption in transit (HTTPS/TLS), delegated token-based authentication (JWT), managed storage on edge infrastructure, least-privilege administrative access (super_admin role), and a strict zero-PII policy in logs and notifications. No system is 100% infallible; in the event of a security breach affecting your data, we will notify the competent authority and the affected users within the applicable legal timeframes.
10. Your rights
Depending on your jurisdiction, you have the right to:
- Access your data and obtain a copy.
- Rectify / update inaccurate data.
- Erase / delete your data (“right to be forgotten”).
- Restrict or object to certain processing.
- Portability of your data.
- Withdraw consent at any time (without affecting the lawfulness of prior processing).
- Lodge a complaint with the competent supervisory authority.
How to exercise them: write to [email protected] stating your request and a means to verify your identity. We will respond within the legal timeframes (see Part II for Colombia's timeframes; generally up to 30 days under GDPR/equivalents).
11. Minors
The content of Cardio Critters is suitable for all audiences (it contains no inappropriate material). However, the App is not designed for or directed at children: because it requires creating an account and processes physical activity (sensitive) data, the following rules apply:
- We do not knowingly collect personal data from children under 13 (in line with COPPA). The App is not oriented toward that group.
- Minors (ages 13 to 17) may only use the App and create an account with the involvement and authorization of a parent or legal guardian, especially for consent to the processing of physical activity data.
- If we detect an account belonging to a child under 13, or to a teenager without valid authorization from their legal guardian, we will delete it. If you are a parent or guardian and believe a minor has provided us data, write to the email above and we will proceed with its deletion.
12. Changes to this policy
We may update this policy. We will publish the current version at https://cardiocritters.com/legal/privacy with its “Last updated” date. If the changes are substantial, we will notify you by reasonable means (in-app notification or email) and, where the law requires, we will request your consent again.
13. Contact
Santiago Moreno Benavides — independent developer and Data Controller · [email protected] · https://cardiocritters.com
Part II — Personal Data Processing Policy
(Colombian regime — Law 1581 of 2012, Decree 1377 of 2013 and related rules)
This Part II is the Information Processing Policy required of every Controller by the Colombian Habeas Data regime. If the Controller is not domiciled in Colombia but offers the service there, it applies equally.
1. Data Controller
- Controller: Santiago Moreno Benavides (natural person — independent developer)
- Country: Colombia
- Email (electronic contact address and official Habeas Data channel): [email protected]
- Website: https://cardiocritters.com
- Handling of requests, inquiries, and complaints: directly by the Controller, via the email indicated.
Note: as this is a natural person, an electronic address (email) is designated as the means of contact, as permitted by the Habeas Data regime; no physical address is published.
2. Definitions (art. 3, Law 1581)
- Data Subject: the natural person whose personal data is being processed (the user).
- Sensitive data: data affecting privacy or whose misuse may lead to discrimination (here, the physical activity and health data).
- Processing: any operation on personal data (collection, storage, use, circulation, deletion).
- Processor: the party that processes data on behalf of the Controller (see Part I §6).
3. Data processed
Those described in Part I §3: identification and contact data (email, name, optional phone), profile and preference data, sensitive physical activity data, game/progress data, and technical device data. We reiterate that GPS geolocation is not stored on servers; it is only processed on the device.
4. Purposes
Those described in Part I §4. The processing of sensitive data (physical activity/health) is carried out with the Data Subject's prior, express, and informed authorization and is optional: the Data Subject is not required to authorize the processing of sensitive data, although without it the core game function (measuring runs and keeping the pet alive) cannot operate.
5. Rights of the Data Subject (art. 8, Law 1581)
- Know, update, and rectify their data.
- Request proof of the authorization granted.
- Be informed about the use given to their data.
- File complaints with the Superintendence of Industry and Commerce (SIC) for violations.
- Revoke the authorization and/or request deletion of the data where applicable.
- Access their personal data free of charge.
6. Procedure for inquiries and complaints
- Channel: [email protected] (official Habeas Data channel).
- Inquiries: handled within a maximum of ten (10) business days; if not possible, the Data Subject is informed and it is handled within the following five (5) business days.
- Complaints: maximum term of fifteen (15) business days from the day after receipt; if not possible, the subject is informed and it is resolved within the following eight (8) business days. Incomplete complaints may be returned for correction within the five (5) days following receipt.
7. Authorization
The Controller obtains the Data Subject's authorization at the time of registration through express acceptance. The authorization is recorded with date/time and the version of the accepted document, as proof that it was granted.
8. Security measures and Processors
See Part I §6 and §9. Processors handle data under contract and in accordance with this policy.
9. Validity of the policy and databases
This policy is in force as of June 25, 2026. Data is retained while the account is active and for the applicable legal timeframes (see Part I §8). Any substantial change will be communicated through the channels indicated.