Privacy Policy

Effective: 2026-05-24 · Last updated: 2026-05-24

Introduction

This privacy policy explains how Barnes Technology Limited ("Barnes Technology Limited", "Barnes Technology", "Park Attack", "we", "us", "our"), a company registered in England and Wales under company number 17177553, trading as Park Attack, collects, uses, and protects your personal data when you use the Park Attack mobile application (the "App"). Park Attack is a theme park day-planning app that routes you to the lowest-cost ride next using live wait times and GPS walking distance.

This policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Barnes Technology Limited (trading as Park Attack) is the data controller for the personal data described here.

Data We Collect

We only collect data that is necessary to run the App. Data is grouped by the service provider that processes it:

• Firebase Authentication (Google LLC): when you sign in, we collect your email address, display name, photo URL, the Apple or Google sign-in provider ID, your anonymous Firebase UID (issued before you sign in), your IP address transiently during authentication, and sign-in timestamps. This is used to identify your account across devices.
• Cloud Firestore (Google LLC): we store your wishlists (the rides you want to target, including ride preferences and planned visit dates) persistently in Firebase Firestore, active session documents, session history, notification preferences, complimentary pass records, and entitlement state. Wishlist data syncs across your devices and is included in data exports and deletions. This data is linked to your Firebase UID.
• Firebase Crashlytics (Google LLC): when the App crashes, we receive the crash stack trace, your device model, OS version, App version, and non-personally-identifiable breadcrumb logs leading up to the crash. We use this solely to diagnose and fix defects.
• Firebase Performance Monitoring (Google LLC): we receive anonymised network request traces, screen render traces, device model, and OS version. We use this solely to measure and improve App performance.
• RevenueCat (RevenueCat Inc.): when you make a purchase, RevenueCat is issued an anonymous app user ID which is mapped to your Firebase UID after you sign in. RevenueCat also processes your purchase receipts, subscription status, transaction timestamps, and country code. RevenueCat is used to manage subscription entitlements and never processes your payment card details directly.
• GPS Location (expo-location): during an active session only, the App reads your device's latitude and longitude in the foreground to calculate walking distance to the next ride. Location readings are processed on-device for routing. The most recent readings may be written to the session document for resume and routing integrity but are never used for advertising, tracking, or shared with third parties.
• Push Notification Token (@react-native-firebase/messaging): if you opt in to wait-time notifications, we receive your device's push notification token. This is used solely to deliver the notifications you've requested.
• Customer.io, Inc. (Marketing Communications): if you opt in to marketing communications via the Account tab, we share your Firebase Auth UID, email address (if signed in), marketing consent flags, marketing interaction events (opens, clicks, unsubscribes), and wishlist lifecycle events (rides added, removed, and completed) with Customer.io for the purpose of sending personalised marketing emails, push notifications, and in-app messages. Customer.io processes this data in its European Union region (app-eu.customer.io). All marketing channels default to off. You can revoke consent at any time in the Account tab or via the unsubscribe link in any marketing email.

Lawful Bases (UK GDPR Art. 6)

We process your personal data under the following lawful bases:

• Contract: authentication, wishlist storage, session routing, purchase processing, and session history are necessary to provide the service you've signed up for.
• Legitimate interest: crash diagnostics, performance monitoring, and fraud prevention are necessary for us to keep the App working reliably and securely. We have balanced this against your rights.
• Consent: GPS location access, push notifications, and marketing communications (via Customer.io) are only processed after you explicitly grant permission. You can withdraw consent at any time via your device settings or the Account tab.
• Legal obligation: purchase records may be retained as required by UK tax and accounting law.

Third-Party Processors

The following processors handle your data on our behalf under data processing agreements:

• Google LLC (Firebase Authentication, Firestore, Crashlytics, Performance, Messaging) — policies.google.com/privacy
• RevenueCat Inc. (subscription management) — revenuecat.com/privacy
• Apple Inc. (App Store in-app purchases) — apple.com/legal/privacy
• Google LLC (Play Store in-app purchases) — play.google.com/about/play-terms
• Customer.io, Inc. (marketing communications — EU region) — customer.io/legal/privacy-policy

International Transfers

Some of our processors (Google LLC, RevenueCat Inc., Apple Inc.) are based in the United States. Where personal data is transferred outside the UK, we rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK IDTA) to ensure your data receives equivalent protection to that required by UK GDPR.

Data Retention

• Account data (profile, wishlists, preferences) is retained until you request deletion via the Account tab.
• Session history is retained while your subscription is active, then for 30 days after cancellation, after which it is deleted.
• Crashlytics data is retained for 90 days.
• Performance Monitoring data is retained for 30 days.
• Purchase records may be retained for up to 6 years where required by UK tax and accounting law.

Your Rights (UK GDPR Art. 15–22)

You have the following rights over your personal data:

• Right of access — request a copy of the data we hold about you.
• Right to rectification — ask us to correct inaccurate data.
• Right to erasure ("right to be forgotten") — ask us to delete your data.
• Right to restriction — ask us to limit how we process your data.
• Right to data portability — receive your data in a machine-readable format.
• Right to object — object to processing based on legitimate interest.

You can exercise your access and portability rights immediately via the App: open the Account tab → Download my data. To delete your account and all associated data, use Account tab → Delete my account. When you exercise your right to erasure, our account deletion endpoint deletes your profile from Customer.io before removing your Firestore data, so no marketing-related personal data remains with the processor. For any other request, email support@parkattack.app and we will respond within one month.

Children's Privacy

Park Attack is not directed at children under 13. We do not knowingly collect personal data from children under 13. Where applicable, parental consent is required. If you believe a child has provided us with personal data without consent, please contact support@parkattack.app and we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. We will update the "Last updated" date at the top of this page, and for material changes we will also notify you via an in-app banner. Continued use of the App after a change constitutes acceptance of the updated policy.

Contact & Data Protection

Data Controller: Barnes Technology Limited (company number 17177553), trading as Park Attack, United Kingdom.
Also known as: Barnes Technology, Park Attack.
Email: support@parkattack.app

If you are unhappy with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.