Privacy Policy
1. Who We Are
Echo Crawler is a mobile game published by wmkc, based in Israel. This privacy policy applies to the Echo Crawler mobile application on Android (Google Play) and iOS (Apple App Store), and to the website at echo-crawler.wmkc.net.
Data controller: wmkc
Contact: privacy@wmkc.net
Website: wmkc.net
2. Data We Collect
Echo Crawler stores game data locally on your device. When you sign in with Google and enable cloud save, your data is also stored on Firebase servers. Additional data is collected by Firebase Analytics (when consented) and Crashlytics to help improve the game.
A. Data Stored Locally on Your Device
All game data is stored on your device using AES-256 encrypted local files. This data never leaves your device unless you explicitly opt into cloud save.
| Category | Examples | Purpose |
|---|---|---|
| Game progress | Dungeon level, endless mode best score, completed regions | Track player progression |
| Stats & achievement counters | Enemies defeated, ads watched, currencies earned/spent, abilities picked, runs completed | Achievement tracking and player stats |
| Currencies & balances | Gold, Gems, Souls, Essence, Ash | In-game economy |
| Equipment & inventory | Owned gear, equipped items, upgrade levels | Gameplay |
| Settings & preferences | Audio volume, haptics, language | User preferences |
| Purchase history | Product ID, price, timestamp | Purchase verification |
| Daily reward timestamps | Last claim date per reward type | Prevent duplicate claims |
| Lucky Draw state | Board layout, cards drawn, draw counts | Daily Lucky Draw feature |
| Chest guarantee counters | Opens since last guaranteed rarity drop | Guarantee system (pity timer) |
| Ad bypass state | Remove Ads flag, Skip Ads token balance, temporary ad-free expiry | Ad bypass features |
| Consent preference | Personalized ads consent choice | GDPR compliance |
| Region detection | Country code derived from device locale | Geo-restriction compliance |
wmkc cannot access, view, or retrieve any locally stored data. It exists only on your device. Uninstalling the app or clearing app data permanently deletes it.
B. Data Managed by Third-Party Services
| Service | Data | When | User Control |
|---|---|---|---|
| Firebase Authentication | Google account identifier (UID, email) | When you sign in with Google | Sign out via Settings → Cloud Save; delete cloud data via Settings → Cloud Save → Delete Cloud Data |
| Firebase Cloud Firestore | Cloud save data (progress, currencies, equipment, settings) | When you sign in and cloud save is active | Delete via Settings → Cloud Save → Delete Cloud Data, or contact privacy@wmkc.net |
| Firebase Analytics | App usage events (session duration, run outcomes, purchases), device model, OS version, country | Only when you have granted consent | Withdraw consent via the analytics toggle in Settings → Privacy; data retained per Google's retention policy |
| Firebase Crashlytics | Crash logs, stack traces, device state, OS version, app version, anonymized user ID | When the app crashes and crash reporting is enabled | Disabled if first-launch consent is declined; independently toggle via crash reporting in Settings → Privacy; user ID cleared on sign-out |
| Firebase Cloud Messaging | Device push token (stored in Firestore under your account) | When push notifications are enabled and you are signed in | Disable notifications in device settings; token deleted when cloud data is deleted |
| Google AdMob | Ad interaction data, device advertising ID, IP address | When rewarded ads are shown | Reset or delete advertising ID in device settings; in-app consent controls personalization |
| Google Play / Apple App Store | Purchase transaction records | When you make an in-app purchase | Managed by Google/Apple |
C. Data We Do Not Collect
Echo Crawler does not collect: names, contact lists, precise location data, photos, camera or microphone data, health or fitness data, browsing history, user-generated content, or financial information (all payments are processed by Google Play / Apple). Your Google account email is only accessed when you explicitly sign in for cloud save and is used solely for authentication purposes.
D. Website
This website (echo-crawler.wmkc.net) does not use cookies, tracking pixels, analytics services, or any other tracking technologies. No data is collected from visitors to this website.
3. How We Use Data
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Local game data | Core gameplay functionality | Contractual necessity (Art. 6(1)(b)) |
| Cloud save data | Back up and restore progress across devices | Consent (user opts in) |
| Analytics data | Understand app usage, improve features, monitor performance | Consent (first-launch prompt + Settings toggle) |
| Crash reports | Identify and fix bugs and stability issues | Consent (first-launch prompt + Settings toggle) |
| Push notification tokens | Send game updates and event notifications | Consent (user opts in via device settings) |
| Ad interaction data | Serve rewarded video ads; personalize if consented | Legitimate interest / Consent |
| Purchase records | Fulfill purchases, handle refunds, prevent fraud | Contractual necessity / Legal obligation |
| Consent preference | Remember ad personalization choice | Legal obligation (GDPR) |
| Region detection | Enforce geo-based monetization restrictions | Legal obligation |
4. Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Firebase Authentication | User identity for cloud save | firebase.google.com/support/privacy |
| Firebase Cloud Firestore | Cloud save storage | firebase.google.com/support/privacy |
| Firebase Analytics | App usage analytics | firebase.google.com/support/privacy |
| Firebase Crashlytics | Crash reporting | firebase.google.com/support/privacy |
| Firebase Cloud Messaging | Push notifications | firebase.google.com/support/privacy |
| Google AdMob | Opt-in rewarded video ads | policies.google.com/privacy |
| Google Play Billing | In-app purchases (Android) | policies.google.com/privacy |
| Apple StoreKit | In-app purchases (iOS) | apple.com/legal/privacy |
AdMob may use the following data for ad serving: device advertising identifier, IP address, device type, operating system version, and app interaction data. When you have not consented to personalized ads (or are in the EEA/UK and have denied consent), only non-personalized ads are served.
Firebase Analytics is consent-gated: event collection is only active when you have granted consent via the first-launch prompt or the analytics toggle in Settings → Privacy. When consent is denied or withdrawn, analytics collection is fully disabled — no events are logged or transmitted.
Firebase Crashlytics is also disabled if you decline the first-launch consent prompt. You can independently re-enable or disable crash reporting at any time via the crash reporting toggle in Settings → Privacy.
Note: Firebase services (Analytics, Crashlytics, Cloud Messaging, Auth, Firestore) are currently available on Android. On iOS, these features will be enabled in a future update. This policy will apply to both platforms once available.
5. Advertising & Consent
All ads in Echo Crawler are opt-in rewarded video ads. The game never shows interstitial, banner, or forced ads. You always choose whether to watch an ad in exchange for an in-game reward.
On first launch, all users are shown a consent prompt for usage data and crash report collection. Your consent choice controls whether Firebase Analytics and Crashlytics are enabled. You can change each independently at any time via the toggles in Settings → Privacy.
For ad personalization, users in the EEA/UK will be shown a separate consent prompt (via Google's User Messaging Platform) before personalized ads are served. When personalized ads are not consented to, only non-personalized ads are shown.
The "Remove Ads" in-app purchase permanently removes all ad prompts and automatically grants all ad-gated rewards without showing ads.
6. Children's Privacy
Echo Crawler is not directed at children under 16. The game contains paid randomized items (loot boxes), which under PEGI guidelines requires a minimum rating of PEGI 16. wmkc does not knowingly collect personal information from children under 16.
If a parent or guardian believes their child has provided personal information through a third-party service used by the game, they should contact the relevant platform (Google or Apple) directly.
7. Data Retention
- Local device data: Retained until you uninstall the app or clear app data. wmkc has no access to this data.
- Cloud save data (Firestore): Retained until you delete your account via the in-app deletion option or request deletion by contacting privacy@wmkc.net.
- Firebase Authentication: Account data retained until you delete your account. Anonymous accounts may be automatically cleaned up after extended inactivity.
- Firebase Analytics: Event data retained for 14 months per Google's default retention policy.
- Firebase Crashlytics: Crash data retained for 90 days. User ID association is cleared when you sign out.
- Ad interaction data: Retained by Google AdMob per Google's data retention policies.
- Purchase records: Retained by Google Play / Apple App Store per their respective policies. The local copy is deleted when the app is uninstalled.
8. Your Rights
EEA, UK, and Israel
Under the GDPR and Israeli Privacy Protection Law (as amended by Amendment 13, effective August 14, 2025), you have the right to:
- Access — Request information about what data is processed about you
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your data (see the Data Deletion page)
- Restriction — Request that processing be restricted
- Portability — Request a copy of your data in a portable format
- Object — Object to processing based on legitimate interest
- Withdraw consent — Withdraw consent for personalized ads and analytics at any time via Settings → Privacy
To request a copy of your data, email privacy@wmkc.net with your Player ID (found in Settings → Cloud Save). Please send the request from the email address associated with your account so we can verify your identity. We need your Player ID to locate your data on our servers.
For data stored on Firebase servers (cloud save), you can exercise these rights directly via the Delete Cloud Data option in Settings → Cloud Save, or by contacting privacy@wmkc.net. See the Data & Account Deletion page for instructions.
California (CCPA/CPRA)
Under the California Consumer Privacy Act, you have the right to know what personal information is collected, delete your personal information, and opt out of the sale or sharing of your personal information.
wmkc does not sell or share personal information as defined by the CCPA. Ad personalization is consent-based and can be controlled via the in-game consent prompt or device advertising settings.
9. Data Security
- All locally stored game data is encrypted using AES-256 encryption.
- Cloud save data is transmitted over encrypted connections (HTTPS/TLS) and stored in Firebase Cloud Firestore with Google's enterprise-grade security infrastructure.
- Firebase Authentication uses industry-standard security practices for identity management.
- In-app purchase transactions are processed entirely by Google Play / Apple App Store. wmkc never receives or stores payment card details.
In the event of a data breach affecting your personal data, wmkc will notify affected users and relevant authorities within the timeframes required by applicable law, including 72 hours under Israel's Privacy Protection Law (Amendment 13).
10. International Data Transfers
Firebase services (Authentication, Firestore, Analytics, Crashlytics, Cloud Messaging) and Google AdMob may process data on Google servers located outside your country of residence, including the United States. Google maintains appropriate safeguards for such transfers (Standard Contractual Clauses, adequacy decisions). For details, see Firebase's privacy documentation.
11. Changes to This Policy
wmkc may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For significant changes, a notice may be provided within the game. Continued use of the game after changes constitutes acceptance of the updated policy.
12. Contact
For privacy-related inquiries or to exercise your data rights:
- Email: privacy@wmkc.net
- Website: wmkc.net
- Data Deletion: echo-crawler.wmkc.net/data-deletion
If you are in the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. In Israel, complaints can be filed with the Privacy Protection Authority (PPA).