PRIVACY POLICY
Last updated: March 2026
1. Information We Collect
When you create a FORMA-FIGHT account, we collect and store the following data on our server:
- Callsign — your chosen display name, visible to other players in-game. This serves as your account identifier.
- Password — your password is hashed using PBKDF2 with 100,000 iterations of SHA-256 and a cryptographically random salt before storage. We never store or have access to your plaintext password.
- Account statistics — level, XP, total kills, games played, games won, best kill streak, highest peak size, total food eaten, and prestige level.
- Progression data — permanent skill tree allocations, loadout configuration, permanent skill points earned, and Star Credits balance.
- Cosmetics — owned cosmetic items and currently equipped cosmetics (color, trail, skin, kill effect).
- Achievements — which achievements you have earned and when they were completed.
- Daily challenges — your current daily challenge assignments, progress, and completion status.
- Login streak — your last login date and consecutive login day count, used for daily rewards.
- Match history — the last 10 matches you played, including shape used, kills, peak size, food eaten, survival time, and XP earned. Older match records are automatically deleted.
- Friends list — friend relationships and pending friend requests you have sent or received.
A local copy of your account data is also cached in your browser's localStorage for faster loading. This mirrors the data stored on the server.
We do not collect email addresses, real names, phone numbers, physical addresses, or any other personally identifiable information beyond your chosen callsign.
2. Information We Do Not Collect
- Chat messages — in-game chat messages are relayed between players in real time but are not logged, stored, or monitored on the server. Messages exist only during the active session.
- Lobby chat — lobby chat messages are held in memory (up to 50 recent messages) for display to players in the lobby. They are not written to any database and are lost when the server restarts.
- Gameplay telemetry — we do not record or replay your in-game actions, movement, or inputs.
3. How We Use Your Data
All collected data is used solely for gameplay purposes:
- Your callsign is displayed to other players during matches, on the leaderboard, and in friend lists.
- Your password hash is used only to authenticate your login. It is never transmitted to other players or third parties.
- Account statistics and progression data are used to track your progress, calculate leaderboard rankings, determine skill tree and loadout state, and award achievements and daily rewards.
- Match history is displayed to you in your account profile for your reference.
- Friends list data is used to show you your friends and their online status.
We do not sell, rent, share, or use your data for marketing, advertising, profiling, or any purpose beyond operating the game.
4. IP Addresses
Your IP address is used ephemerally for the following operational purposes:
- Rate limiting — to prevent abuse of login attempts (10 per minute), lobby creation (5 per minute), and chat messaging (3 per 10 seconds). Rate limit counters are held in server memory and automatically expire. They are cleaned up every 5 minutes.
- WebSocket connections — your IP is visible to the server during your active connection, as is standard for any web service.
IP addresses are not written to any database, log file, or permanent storage by the game server. They exist only in server memory during your session and in short-lived rate limit counters.
5. Cookies & Tracking
FORMA-FIGHT does not set any cookies. We do not use analytics trackers, advertising pixels, or any first-party tracking scripts. Your session is authenticated using an in-memory token that is not stored in a cookie.
6. Third-Party Services
The game loads the following external resources:
- PixiJS (via cdn.jsdelivr.net) — the WebGL rendering engine used to display the game. jsDelivr is a public open-source CDN.
- Google Fonts (via fonts.googleapis.com and fonts.gstatic.com) — the Orbitron and Rajdhani typefaces used in the user interface.
- Cloudflare — the game's production infrastructure uses Cloudflare for tunneling and DDoS protection. Cloudflare Web Analytics may be present (via static.cloudflareinsights.com) as part of this infrastructure.
These third-party services may collect IP addresses, browser information, or other data per their own privacy policies. We have no control over their data practices. You can review their policies here:
7. Data Retention
- Account data is stored indefinitely as long as your account exists.
- Match history is limited to your 10 most recent matches. Older records are automatically deleted.
- Session tokens expire after 24 hours and are held only in server memory.
- Rate limit counters expire within minutes and are held only in server memory.
8. Your Rights & Data Deletion
You have the right to delete your account and all associated data at any time. Account deletion is available directly within the game's settings menu. When you delete your account, the following data is permanently removed from our database:
- Your account record (callsign, password hash, all statistics, skill tree, cosmetics, achievements, daily challenges, and login streak)
- Your match history
- Your friend relationships and pending friend requests
This deletion is immediate and irreversible. We do not retain backups of deleted account data.
Under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you have the right to access, correct, and delete your personal data. Since we do not collect email addresses, the account deletion feature described above serves as the primary mechanism for exercising your right to erasure. If you need additional assistance, please contact us.
9. Children's Privacy
FORMA-FIGHT is not directed at children under the age of 13. You must be at least 13 years old to create an account, and if you are under 18, you must have parental or guardian consent. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has created an account, we will delete it.
10. Data Security
We take reasonable measures to protect your data:
- Passwords are hashed with PBKDF2 (100,000 iterations, SHA-256) using a unique cryptographically random salt per account.
- The production site is served over HTTPS with HSTS enabled.
- Security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are set on all responses.
- API endpoints that access account data require session authentication.
However, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
11. Changes to This Policy
This policy may be updated from time to time. Changes are effective immediately upon posting. The "Last updated" date at the top of this page will be revised accordingly. Continued use of the game after changes constitutes acceptance of the updated policy.
12. Contact
For questions about this privacy policy or to exercise your data rights, reach us on our Discord server.