Privacy Policy
Last updated February 19, 2026
This Privacy Notice for Nikolai Iakubovskii ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:
- Download and use our mobile application (MistyWay), or any other application of ours that links to this Privacy Notice
- Visit our website at mistyway.app
- Engage with us in other related ways, including any sales, marketing, or events
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].
Summary of Key Points
- What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.
- Do we process any sensitive personal information? We process health data (step counts) with your explicit consent.
- Do we collect any information from third parties? We receive authentication data from Firebase (Google/Apple Sign-In) and subscription data from app stores.
- How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.
- Do we transfer data internationally? Yes. Some of our service providers are based outside the EEA. We use appropriate safeguards for such transfers.
- How do we keep your information safe? We have adequate organizational and technical processes and procedures in place to protect your personal information.
- What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information.
- How do you exercise your rights? The easiest way to exercise your rights is by contacting us at [email protected].
1. What Information Do We Collect?
Personal information you disclose to us
We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.
Account Information. Email address, username, display name, and character selection (avatar choice).
Guest Accounts. You may use the Service without registering. In this case, we generate an anonymous identifier linked to your device. You can upgrade to a full account at any time.
Sensitive information (health data)
With your explicit consent, we process the following health-related data:
- Step count — your daily steps, sourced from Apple HealthKit (iOS), Health Connect, Google Fit, or the device's native step counter (Android)
- Calculated metrics — we derive distance, estimated calories burned, and active time from your step count on our servers. These are never read from your device's health store.
We do not access heart rate, sleep, weight, or any other health categories. Health data is stored on our servers and is not shared with any third party.
Payment data
We do not directly collect or store payment card details. All purchases are processed by the Apple App Store or Google Play Store. We receive only transaction identifiers, product IDs, and subscription status from these platforms.
Information automatically collected
We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include:
- Device data — device model, operating system, language, app version
- Device identifier — a unique device ID used for guest account recovery and push notification delivery
- Usage data — feature interactions and in-app events (via PostHog analytics)
- Log data — IP address, request timestamps, error logs (via Sentry)
- Location — timezone (for notification scheduling); we do not track GPS location
User-generated content
If you use social features, we may process:
- Parallax notes — short messages (up to 280 characters) you leave on the in-game map, visible to your friends
- Friend connections — your friend list and friend requests
- Referral codes — codes you generate to invite other users
2. How Do We Process Your Information?
We process your personal information for the following purposes:
- To create, authenticate, and manage your user account
- To deliver core gameplay — converting your real-world steps into in-game progress
- To manage subscriptions and in-app purchases
- To send push notifications (gameplay events, friend activity, subscription status) — you can disable these in the app settings
- To respond to support requests
- To monitor and fix technical issues (error tracking)
- To improve the Service through anonymized usage analytics
- To prevent fraud and abuse, and to enforce our Terms
3. What Legal Bases Do We Rely On?
If you are located in the EU or UK, we rely on the following legal bases under the GDPR:
- Consent (Art. 6(1)(a)) — for processing health data (step counts) and sending push notifications
- Performance of a Contract (Art. 6(1)(b)) — to provide the Service, manage your account, and process purchases
- Legitimate Interests (Art. 6(1)(f)) — for analytics, error tracking, and fraud prevention, where these interests are not overridden by your rights
- Legal Obligations (Art. 6(1)(c)) — to comply with applicable laws
4. When and With Whom Do We Share Your Personal Information?
We share data with the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data Region |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting, database | EU (Frankfurt) |
| Google Firebase | Authentication, push notifications (FCM) | US |
| Sentry | Error monitoring | EU (Germany) |
| PostHog | Product analytics | US |
| Adapty | Subscription management | US |
| Apple App Store | iOS payment processing | US |
| Google Play Store | Android payment processing | US |
We do not sell your personal data. We do not share your health data (step counts, distance, calories) with any third party.
5. International Data Transfers
Our servers are located in the EU (AWS Frankfurt, Germany). However, some of our service providers (Firebase, PostHog, Adapty, Apple, Google) process data in the United States.
For transfers outside the EEA, we rely on:
- The European Commission's adequacy decisions, where available
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The service provider's participation in recognized data protection frameworks
6. Cookies and Tracking Technologies
Our website (mistyway.app) does not use cookies.
Our mobile app uses the following tracking technologies:
- PostHog — product analytics to understand feature usage. You can opt out by contacting us.
- Sentry — crash and error reporting for app stability.
- Device identifiers — for account recovery and push notification delivery.
7. Push Notifications
We use Firebase Cloud Messaging (FCM) to send push notifications. Types of notifications include:
- Daily goal achievements and game progress
- Friend activity (friend requests, reactions)
- Subscription status updates (trial expiry, renewal)
- Weekly quest reminders
You can manage notification preferences in the app settings, including per-type controls and quiet hours. You can also disable notifications entirely through your device's system settings.
8. How Do We Handle Your Social Logins?
You can register and log in using Google Sign-In or Apple Sign-In (both via Firebase Authentication). When you do, we receive your name and email address from the provider. We do not receive or store your social media passwords.
9. How Long Do We Keep Your Information?
We keep your personal information for as long as your account is active. Specific retention periods:
- Account data — until you delete your account
- Health data — until you delete your account
- Error logs — 90 days
- Push notification logs — 30 days
- After account deletion — all personal data is permanently erased within 30 days
10. How Do We Keep Your Information Safe?
We have implemented appropriate technical and organizational measures, including:
- Encrypted database connections (TLS/SSL)
- HTTPS for all API communication
- JWT-based authentication with token signing
- Rate limiting and bot protection
- Input validation on all API endpoints
However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure.
11. Do We Collect Information from Minors?
The Service is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13. If you are between 13 and 16 years old and located in the EU, you must have your parent or guardian's consent to use the Service.
If we become aware that we have collected data from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at [email protected].
12. What Are Your Privacy Rights?
Depending on your location, you may have the following rights under applicable law (including the GDPR and US state privacy laws):
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data
- Restriction — request that we limit processing of your data
- Data portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — withdraw your consent at any time (e.g., for health data processing) without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Account deletion: You can delete your account directly from the app settings or via mistyway.app/delete-account. Deletion removes all your data, including health records, friend connections, achievements, and subscription history.
13. Right to Lodge a Complaint
If you are located in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD):
www.aepd.es
C/ Jorge Juan, 6, 28001 Madrid, Spain
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay via email and/or in-app notification, in accordance with Article 34 of the GDPR.
15. Controls for Do-Not-Track Features
We do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.
16. US Residents' Specific Rights
If you are a resident of California or another US state with applicable privacy legislation, you may have additional rights, including the right to know what personal information we collect, the right to delete it, and the right to opt out of "sales" of personal information. We do not sell personal information. To exercise your rights, contact us at [email protected].
17. Do We Make Updates to This Notice?
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date. If we make material changes, we will notify you via email or in-app notification at least 30 days before the changes take effect.
18. How Can You Contact Us?
If you have questions or comments about this notice, you may email us at [email protected] or contact us by post at:
Nikolai Iakubovskii
Calle Emilio Tuya, 37
Gijon, Asturias 33202
Spain
19. How Can You Review, Update, or Delete Your Data?
You may review and update your information in the app settings. To delete your account and all associated data, visit mistyway.app/delete-account or contact us at [email protected].