Privacy Policy

Effective: 2026-04-14 · Last updated: 2026-04-14

Introduction

This privacy policy explains how ParkAttack Limited ("ParkAttack", "we", "us", "our"), a company registered in the United Kingdom, collects, uses, and protects your personal data when you use the ParkAttack mobile application (the "App"). ParkAttack is a theme park day-planning app that routes you to the lowest-cost ride next using live wait times and GPS walking distance.

This policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. ParkAttack Ltd is the data controller for the personal data described here.

Data We Collect

We only collect data that is necessary to run the App. Data is grouped by the service provider that processes it:

• Firebase Authentication (Google LLC): when you sign in, we collect your email address, display name, photo URL, the Apple or Google sign-in provider ID, your anonymous Firebase UID (issued before you sign in), your IP address transiently during authentication, and sign-in timestamps. This is used to identify your account across devices.
• Cloud Firestore (Google LLC): we store your wishlists (the rides you want to target), active session documents, session history, notification preferences, complimentary pass records, and entitlement state. This data is linked to your Firebase UID.
• Firebase Crashlytics (Google LLC): when the App crashes, we receive the crash stack trace, your device model, OS version, App version, and non-personally-identifiable breadcrumb logs leading up to the crash. We use this solely to diagnose and fix defects.
• Firebase Performance Monitoring (Google LLC): we receive anonymised network request traces, screen render traces, device model, and OS version. We use this solely to measure and improve App performance.
• RevenueCat (RevenueCat Inc.): when you make a purchase, RevenueCat is issued an anonymous app user ID which is mapped to your Firebase UID after you sign in. RevenueCat also processes your purchase receipts, subscription status, transaction timestamps, and country code. RevenueCat is used to manage subscription entitlements and never processes your payment card details directly.
• GPS Location (expo-location): during an active session only, the App reads your device's latitude and longitude in the foreground to calculate walking distance to the next ride. Location readings are processed on-device for routing. The most recent readings may be written to the session document for resume and routing integrity but are never used for advertising, tracking, or shared with third parties.
• Push Notification Token (@react-native-firebase/messaging): if you opt in to wait-time notifications, we receive your device's push notification token. This is used solely to deliver the notifications you've requested.

Lawful Bases (UK GDPR Art. 6)

We process your personal data under the following lawful bases:

• Contract: authentication, wishlist storage, session routing, purchase processing, and session history are necessary to provide the service you've signed up for.
• Legitimate interest: crash diagnostics, performance monitoring, and fraud prevention are necessary for us to keep the App working reliably and securely. We have balanced this against your rights.
• Consent: GPS location access and push notifications are only processed after you explicitly grant permission. You can withdraw consent at any time via your device settings.
• Legal obligation: purchase records may be retained as required by UK tax and accounting law.

Third-Party Processors

The following processors handle your data on our behalf under data processing agreements:

• Google LLC (Firebase Authentication, Firestore, Crashlytics, Performance, Messaging) — policies.google.com/privacy
• RevenueCat Inc. (subscription management) — revenuecat.com/privacy
• Apple Inc. (App Store in-app purchases) — apple.com/legal/privacy
• Google LLC (Play Store in-app purchases) — play.google.com/about/play-terms

International Transfers

Some of our processors (Google LLC, RevenueCat Inc., Apple Inc.) are based in the United States. Where personal data is transferred outside the UK, we rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK IDTA) to ensure your data receives equivalent protection to that required by UK GDPR.

Data Retention

• Account data (profile, wishlists, preferences) is retained until you request deletion via the Account tab.
• Session history is retained while your subscription is active, then for 30 days after cancellation, after which it is deleted.
• Crashlytics data is retained for 90 days.
• Performance Monitoring data is retained for 30 days.
• Purchase records may be retained for up to 6 years where required by UK tax and accounting law.

Your Rights (UK GDPR Art. 15–22)

You have the following rights over your personal data:

• Right of access — request a copy of the data we hold about you.
• Right to rectification — ask us to correct inaccurate data.
• Right to erasure ("right to be forgotten") — ask us to delete your data.
• Right to restriction — ask us to limit how we process your data.
• Right to data portability — receive your data in a machine-readable format.
• Right to object — object to processing based on legitimate interest.

You can exercise your access and portability rights immediately via the App: open the Account tab → Download my data. To delete your account and all associated data, use Account tab → Delete my account. For any other request, email support@parkattack.app and we will respond within one month.

Children's Privacy

ParkAttack is not directed at children under 13. We do not knowingly collect personal data from children under 13. Where applicable, parental consent is required. If you believe a child has provided us with personal data without consent, please contact support@parkattack.app and we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. We will update the "Last updated" date at the top of this page, and for material changes we will also notify you via an in-app banner. Continued use of the App after a change constitutes acceptance of the updated policy.

Contact & Data Protection

Data Controller: ParkAttack Limited, United Kingdom.
Email: support@parkattack.app

If you are unhappy with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.