Privacy Policy

Effective 2026-05-09 · last updated 2026-05-09

This Privacy Policy explains what data Pathogen Run ("the game", "we", "us") collects, how we use it, and the choices you have. The game is published on Google Play; this policy is written to satisfy the Google Play User Data Policy and the Google AdMob / Google Mobile Ads SDK requirements. Author and data controller: Stanislav Zhilin <[email protected]>.

1. Data we collect

The game collects the minimum data needed to run, secure, and improve it:

• Device & technical info — device model, OS version, language, coarse region (from IP), app version, screen resolution, and approximate amount of available memory. Used for crash diagnostics and compatibility.
• Advertising identifier (AAID) — Google Advertising ID, accessed through the Google Mobile Ads SDK so AdMob and its certified partners can serve, frequency-cap, and measure two specific ad placements: (a) an optional rewarded video shown when you choose to use the "last chance" continue after a run ends, and (b) a full-screen interstitial shown between runs (typically every 1–2 runs). You can reset or delete the AAID at any time via Android Settings → Privacy → Ads.
• App activity / gameplay telemetry — aggregate run length, deaths, pathogen choice, boss completions, settings toggled, crash and ANR reports. Used for balancing, bug fixes, and product analytics.
• Purchase history — non-payment metadata about in-app purchases (which SKU, when, refund status), received from Google Play Billing. We never see card numbers.
• Diagnostic uploads — logs you voluntarily submit via the in-game "send report" flow.

2. Data we do not collect

• No name, email address, phone number, or contacts list.
• No precise (GPS) location.
• No microphone, camera, or photos / media access.
• No SMS, calendar, or call-log access.

3. How we use the data

• To run the game on your device and sync progress to Google Play Games Services.
• To detect, prevent, and fix crashes, bugs, and abuse.
• To balance gameplay difficulty, boss tuning, and economy via aggregate analytics.
• To serve, cap, and measure the rewarded "last chance" ad and the between-runs interstitial via Google AdMob (see §5).
• To process in-app purchases via Google Play Billing.

We do not sell your personal data. We do not share personal data with third parties for their own marketing. Sharing your Google Advertising ID with Google AdMob and its certified partners for personalized advertising in the two ad placements described in §5 may qualify as "sharing" under the California CCPA / CPRA — see §5 for how to opt out.

4. Legal bases (EEA / UK)

If you are in the EEA or UK, our legal bases under the GDPR are:

• Contract — to provide the game and process purchases you initiate.
• Legitimate interests — security, crash reporting, fraud prevention, and aggregate analytics that do not identify you.
• Consent — for personalized advertising and for optional analytics. You may withdraw consent at any time via the in-game Privacy menu and the Google UMP consent dialog shown on first launch.

5. Advertising — Google AdMob & partners

The free version of Pathogen Run shows two — and only two — ad formats, both served by Google AdMob (Google Mobile Ads SDK):

• Rewarded video — shown only if you tap the optional "last chance" continue button when a run ends. Skipping or ignoring it costs you nothing.
• Full-screen interstitial — shown between runs at most once per 1–2 runs, never during gameplay.

AdMob and its certified ad partners may collect and process the following to deliver, cap, and measure these ads:

• The Google Advertising ID (AAID) and resettable identifiers.
• Coarse IP-based location and approximate region.
• Device and ad-event information (impressions, clicks, viewability).

AdMob is governed by Google's Privacy Policy and Advertising technologies policy. A list of certified third-party ad partners is available at Google's Ad partners list.

EEA / UK / Switzerland: on first launch, we present a Google User Messaging Platform (UMP) consent dialog. You can choose between personalized and non-personalized ads, and you can change your choice later via the in-game Privacy menu.

California (CCPA / CPRA): We do not sell your personal information. Sharing your advertising identifier with AdMob for cross-context behavioral advertising in the two placements above may qualify as "sharing" under the CCPA / CPRA. To opt out, enable "Limit ad tracking" in Android Settings → Privacy → Ads, or select "non-personalized ads" in the in-game Privacy menu — both are honored as a Global Privacy Control / opt-out signal.

6. Other third-party SDKs

• Google Play Services (required for distribution on Google Play) — handles app updates, security checks, and Google Sign-In if you opt into Play Games Services.
• Google Play Billing — processes in-app purchases.
• Firebase Crashlytics — crash and ANR diagnostics; receives the installation ID, stack traces, and device info. No payload contents.
• Google Analytics for Firebase — pseudonymous gameplay events tied to a Firebase installation ID. IP addresses are truncated.

7. Data retention

• Crash reports: 90 days, then aggregated.
• Aggregate analytics: up to 24 months.
• Diagnostic uploads: 90 days.
• Purchase history: as required by tax and consumer-protection law (typically 7 years).

8. Your rights

Subject to your jurisdiction (GDPR, UK GDPR, CCPA / CPRA, LGPD, and others), you may have the right to access, correct, delete, port, restrict, or object to the processing of personal data tied to your device, and to withdraw consent. To exercise any of these rights, email [email protected] with the subject line "Pathogen Run · privacy request" and include your Google Advertising ID or Firebase installation ID (visible in the in-game Privacy menu).

You may also lodge a complaint with your local data-protection authority.

9. Data deletion

To request deletion of all data tied to your device or installation, email [email protected] with the subject line "Pathogen Run · data deletion". A self-serve deletion link is also available at https://pathogenrun.com/privacy#delete, as required by Google Play's account-deletion policy. We will action verified requests within 30 days.

10. Children

Pathogen Run is not directed at children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] and we will delete it. The game does not participate in Google Play's "Designed for Families" program; advertising is set to non-personalized for any account flagged as a child by Google's Family policy. For accounts that Google's Family policy flags as belonging to a child, we call the Google Mobile Ads SDK with setTagForChildDirectedTreatment(true) and setTagForUnderAgeOfConsent(true) so that AdMob serves only non-personalized ads and the rewarded "last chance" placement is disabled entirely.

11. International transfers

Data processed by Google services (AdMob, Firebase, Play Billing, Play Services) may be transferred to and processed in the United States and other jurisdictions. Google relies on Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.

12. Security

We use industry-standard transport encryption (TLS) for all network calls and rely on Google Cloud / Firebase access controls for stored telemetry. No system is perfectly secure; if we become aware of a breach affecting your data we will notify you and the relevant authorities without undue delay — and within 72 hours of becoming aware of a notifiable personal-data breach where GDPR / UK GDPR applies.

13. Marketing website (this site)

Separately from the game itself, this marketing website (pathogenrun.com) uses two analytics tools:

• Cloudflare Web Analytics — cookieless, anonymized aggregate visit counts and Core Web Vitals. Runs without consent because it stores nothing on your device and does not identify you.
• Google Analytics 4 via Google Tag Manager (container GTM-MJFD8CNK) — opt-in only. Disabled by default; runs only after you click Accept all in the Site Preferences banner. When enabled, it sets first-party cookies _ga and _ga_* and reports page views plus Core Web Vitals (LCP, CLS, INP, FCP, TTFB) so we can detect performance regressions. Retention follows the GA property setting (default 14 months, rolling). The third-party processor is Google LLC; transfers out of the EEA / UK are covered by Google's Standard Contractual Clauses. We do not enable Google Signals, demographics, or any advertising-related GA features — banner copy reflects that: "we do not use marketing tools".

You can withdraw consent at any time by clicking Site preferences in the page footer and choosing Necessary only. That clears any pending GA signals on the next page load. Choices persist in your browser only (localStorage key pathogenrun-consent-v1); we do not see or store them server-side.

14. Changes to this policy

Material changes will be announced in the in-game patch notes and on this page at least 14 days before they take effect. The "last updated" date at the top reflects the most recent revision. Previous versions are available on request via the contact email below.

15. Contact

Author / data controller: Stanislav Zhilin · [email protected]