Privacy Policy

1. Who We Are

Phoenix Labs Inc. ("we", "us", "our") is the developer and operator of MovnRise — a gamified fitness application available for Android. Our registered office is in Sweden.

Phoenix Labs Inc. is the data controller for all personal data processed in connection with the MovnRise app and this website (movnrise.se).

Contact: support@movnrise.se

2. Data We Collect

Category	Data	Source
Account	Username, email address, hashed password, registration date	Provided by you at sign-up
Activity	Daily step counts, workout distance/type/duration, calories, elevation	Your device sensors via the app
Location	GPS coordinates used for route tracking and hex-territory mapping. Only collected while a route or territory session is active.	Device GPS (with your permission)
Profile	Country/region, equipped items, rank, achievement data	App usage and your choices
Payments	Subscription tier. Payment card data is handled entirely by Stripe — we never see or store full card numbers.	Stripe (third-party processor)
Technical	Device OS version, app version, crash logs, server error logs, FCM push token	Automatically on app use
Website	Browser type, pages visited, referrer URL, IP address (used for security only)	Automatically on site visit

We do not collect biometric data, health records, or any sensitive personal data beyond what is listed above.

3. How We Use Your Data

Run the app — calculating step counts, SP/SC rewards, leaderboard rankings, quests, and achievements
Account management — login, password resets, email verification
Leaderboards & competition — displaying your username and rank publicly on in-app and website leaderboards
Push notifications — activity reminders, quest completions, market sales (opt-out available in app settings)
Payments — processing subscriptions via Stripe
Security & anti-cheat — detecting fraudulent step counts or impossible activity (GPS pace validation, motion sensor analysis)
Service improvement — aggregated, anonymised analytics to understand feature usage
Legal obligations — retaining transaction records as required by Swedish and EU law

We do not use your data for advertising, profiling for third-party purposes, or automated decision-making that produces legal effects on you.

4. Legal Basis for Processing (GDPR)

Processing Purpose	Legal Basis
Providing app features (steps, quests, leaderboards)	Contract (Art. 6(1)(b) GDPR)
Payment processing & subscription management	Contract (Art. 6(1)(b))
Security, anti-cheat, fraud prevention	Legitimate interests (Art. 6(1)(f))
Push notifications (opt-in)	Consent (Art. 6(1)(a))
Analytics & improvement (anonymised)	Legitimate interests (Art. 6(1)(f))
Retaining transaction records	Legal obligation (Art. 6(1)(c))

5. Who We Share Data With

We do not sell your personal data. We share data only with the following service providers, under contractual data processing agreements:

Stripe (stripe.com) — payment processing. Subject to Stripe's own privacy policy and PCI-DSS compliance.
Firebase / Google — push notification delivery (FCM tokens only). No activity or profile data is shared.
Server hosting provider — our servers are hosted within the EU. The hosting provider has access to server infrastructure but not to individual user records.

We may disclose data if required by Swedish or EU law, court order, or to protect the rights and safety of our users.

Leaderboard data (username, rank, country flag) is visible publicly on movnrise.se and in-app. You can request your username be anonymised by contacting us.

6. Data Retention

Active accounts: Data is kept for as long as your account is active.
Deleted accounts: Account and personal data is deleted within 30 days of a deletion request. Anonymised aggregate statistics (e.g. total community steps) may be retained indefinitely.
Payment records: Kept for 7 years as required by Swedish accounting law (Bokföringslagen).
Server/error logs: Automatically purged after 90 days.
Inactive accounts: Accounts with no login for 24 months may be automatically deleted after a 30-day email warning.

7. Security

We take security seriously. Our measures include:

Passwords stored as bcrypt hashes — never in plain text
All data transmitted over HTTPS/TLS
Authentication tokens with expiry and server-side invalidation
Anti-cheat and rate-limiting on all API endpoints
Servers located within the EU

In the event of a data breach that poses risk to your rights, we will notify affected users and the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) within 72 hours of becoming aware of it, as required by GDPR Article 33.

8. Your Rights

Under GDPR, EU/EEA residents have the following rights:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure ("right to be forgotten") — request deletion of your account and personal data
Portability — receive your data in a machine-readable format (JSON/CSV)
Restriction — ask us to pause processing while a dispute is resolved
Objection — object to processing based on legitimate interests
Withdraw consent — at any time for consent-based processing (e.g. push notifications), without affecting prior lawful processing

To exercise any of these rights, email us at support@movnrise.se with the subject line "Data Request". We will respond within 30 days. We may ask you to verify your identity before acting on the request.

You also have the right to lodge a complaint with the Swedish supervisory authority: Integritetsskyddsmyndigheten (IMY) at imy.se.

9. Cookies & Tracking

This website uses the following types of cookies and local storage:

Name	Type	Purpose	Duration
`cookie_consent`	Functional	Remembers your cookie consent choice	Until cleared
Session cookies	Strictly necessary	Maintain login state in the app web panel	Session / token expiry

We do not use third-party advertising cookies or tracking pixels. Google Fonts is loaded from Google's CDN — see Google's privacy policy for their data practices.

You can manage or clear cookies through your browser settings at any time. Declining cookies will not prevent you from using the MovnRise website, but some features (such as staying logged in) may not work.

10. Children's Privacy

MovnRise is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data without parental consent, please contact us and we will delete it promptly.

Users aged 13–16 in the EU require parental consent to create an account under Article 8 of GDPR.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification or email at least 14 days before the changes take effect. Continued use of MovnRise after the effective date constitutes acceptance of the updated policy.

The "Last updated" date at the top of this page always reflects the most recent revision.

12. Contact & Data Requests

For any privacy-related questions, data requests, or concerns:

Email: support@movnrise.se
Subject line for data requests: "Data Request – [your username]"
Company: Phoenix Labs Inc., Sweden
Website: movnrise.se

We aim to respond to all privacy requests within 30 days as required by GDPR Article 12.

Table of Contents