← Back to Home

Privacy Policy

Last updated: February 25, 2026

1. Introduction

Welcome to Children of Titan ("we", "us", "our"). We operate the website childrenoftitan.com and the associated browser-based game (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Children of Titan

Email: privacy@childrenoftitan.com

If you have any questions about how we process your data, or if you wish to exercise your rights, contact us at the address above. We currently do not have a designated Data Protection Officer (DPO) as our processing activities do not meet the threshold requiring one under Article 37 GDPR, but our privacy team handles all data-related inquiries.

3. Information We Collect

3.1 Account Information

When you register, we collect your email address, username, and a hashed password. We never store your password in plain text.

3.2 Wallet Information

If you connect a cryptocurrency wallet, we store your public wallet address. We never have access to your private keys or seed phrases.

3.3 Gameplay Data

We collect data generated through gameplay, including base configurations, resource balances, troop compositions, fleet movements, alliance memberships, research progress, achievements, and transaction histories within the game.

3.4 Automatically Collected Data

When you access our Service, we may automatically collect device information (browser type, operating system), IP address, access times, pages viewed, and referring URLs through cookies and similar technologies.

3.5 Data We Do Not Collect

We do not collect special category data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data) or financial information beyond public wallet addresses.

4. Legal Basis for Processing

Under Article 6(1) of the GDPR, we process your personal data based on the following legal grounds:

PurposeData UsedLegal Basis
Account creation & authenticationEmail, username, hashed passwordContract performance (Art. 6(1)(b))
Two-factor authenticationEmail, 2FA tokensContract performance (Art. 6(1)(b))
Gameplay & game stateAll gameplay dataContract performance (Art. 6(1)(b))
Wallet connection & blockchain featuresPublic wallet addressConsent (Art. 6(1)(a))
Leaderboards & public profilesUsername, game stats, allianceLegitimate interest (Art. 6(1)(f))
Analytics & Service improvementDevice info, IP, usage patternsConsent (Art. 6(1)(a)) via cookie banner
Anti-cheat & fraud preventionIP, gameplay patterns, account dataLegitimate interest (Art. 6(1)(f))
Email communications (security alerts)Email addressContract performance (Art. 6(1)(b))
Legal complianceAs requiredLegal obligation (Art. 6(1)(c))

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 10).

5. Cookies & Tracking Technologies

We use cookies and similar technologies categorized as follows:

5.1 Strictly Necessary Cookies

Required for authentication, session management, security (CSRF protection), and cookie consent preferences. These cannot be disabled as the Service cannot function without them. No consent required (Art. 5(3) ePrivacy Directive exemption).

5.2 Analytics Cookies

Help us understand how players use the Service (pages visited, session duration, feature usage). Only set after you give consent via our cookie banner.

5.3 Functional Cookies

Remember your preferences (language, UI settings, theme). Only set after you give consent via our cookie banner.

We do not use marketing or advertising cookies. You can withdraw cookie consent at any time through our cookie settings banner or your browser settings. Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.

6. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We may share data with:

  • Hosting & infrastructure providers — servers, databases, CDN (under Data Processing Agreements per Article 28 GDPR)
  • Email service providers — for transactional emails such as verification and security alerts (under DPAs)
  • Analytics providers — only if you consent to analytics cookies (under DPAs)
  • Other players — your username, game stats, alliance membership, and leaderboard rankings are publicly visible within the game
  • Blockchain networks — public wallet addresses are inherently visible on-chain when you perform blockchain transactions
  • Legal authorities — when required by law, regulation, court order, or legal process

All third-party service providers are contractually bound to process data only on our instructions and to implement appropriate technical and organizational security measures.

7. International Data Transfers

Our servers and some service providers may be located outside the European Economic Area (EEA) or the United Kingdom. When we transfer personal data outside these regions, we ensure adequate protection through one or more of the following safeguards:

  • Adequacy decisions — the European Commission has determined the destination country ensures an adequate level of data protection (Art. 45 GDPR)
  • Standard Contractual Clauses (SCCs) — EU-approved contractual terms that bind the data recipient to protect your data (Art. 46(2)(c) GDPR)
  • EU-U.S. Data Privacy Framework — for transfers to certified U.S. organizations, where applicable

You may request a copy of the safeguards in place by contacting us at the email in Section 2.

8. Data Security

We implement appropriate technical and organizational measures in line with Article 32 GDPR, including:

  • Passwords hashed with industry-standard algorithms (never stored in plain text)
  • Two-factor authentication (2FA) available for all accounts
  • Encrypted connections (TLS/HTTPS) for all data in transit
  • Secure, httpOnly session cookies with CSRF protection
  • Regular security reviews and dependency updates
  • Access controls limiting staff access to personal data on a need-to-know basis

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and, where required, inform affected users without undue delay (Art. 34 GDPR).

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Account data — retained while your account is active, deleted within 30 days of an account deletion request
  • Gameplay data — retained while your account is active; anonymized aggregate statistics may be retained indefinitely for game balancing
  • Server logs & IP data — retained for up to 90 days for security and anti-fraud purposes
  • Analytics data — retained in anonymized/aggregated form
  • Legal holds — data may be retained longer if required by law or for legitimate anti-fraud or legal defense purposes

10. Your Rights

10.1 Rights Under GDPR (EEA & UK Residents)

Under the GDPR, you have the right to:

  • Access (Art. 15) — obtain a copy of the personal data we hold about you
  • Rectification (Art. 16) — correct inaccurate or incomplete data
  • Erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
  • Restriction (Art. 18) — restrict processing in certain circumstances
  • Data Portability (Art. 20) — receive your data in a structured, machine-readable format
  • Object (Art. 21) — object to processing based on legitimate interest, including profiling
  • Withdraw Consent (Art. 7(3)) — withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
  • Automated Decision-Making (Art. 22) — not be subject to decisions based solely on automated processing that significantly affect you

10.2 Rights Under CCPA (California Residents)

If you are a California resident, you additionally have the right to:

  • Know what personal information is collected, used, and shared
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights

10.3 How to Exercise Your Rights

Contact us at privacy@childrenoftitan.com with your request. We will verify your identity and respond within 30 days (extendable by 60 days for complex requests, with notice). There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.

11. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a data protection supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

We would appreciate the chance to address your concerns before you contact a supervisory authority — please reach out to us first at privacy@childrenoftitan.com.

12. Automated Decision-Making & Profiling

We may use automated systems to detect cheating, exploits, or fraudulent behavior (e.g., bot detection, unusual gameplay patterns). These systems may result in temporary restrictions on your account pending manual review.

We do not use fully automated decision-making that produces legal or similarly significant effects on you without human involvement. Any account suspension or ban resulting from automated detection is reviewed by a human before becoming permanent. You have the right to contest such decisions and request human review by contacting us.

13. Children's Privacy

Our Service is not intended for individuals under the age of 16 in the EEA (or the applicable age of digital consent in your member state, which may be as low as 13), or under 13 in other jurisdictions. We do not knowingly collect personal information from children below these ages. If we learn we have collected data from a child without valid parental consent, we will delete it promptly. Parents or guardians who believe their child has provided us with personal data should contact us immediately.

14. Third-Party Services

Our Service may integrate with third-party wallet providers (e.g., WalletConnect, MetaMask) and blockchain networks. When you interact with these services, their own privacy policies govern the data they collect. We encourage you to review them. Key third-party integrations include:

  • WalletConnect / MetaMask — wallet connection and transaction signing
  • Blockchain networks — any on-chain data is publicly visible and immutable; we cannot delete data stored on a public blockchain

We are not responsible for the privacy practices of third-party services. Links to external services are provided for convenience and do not imply endorsement.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by posting the updated policy on this page, updating the "Last updated" date, and where appropriate, sending you an in-game or email notification. Where changes affect processing based on consent, we will seek fresh consent where required by law. Continued use of the Service after non-consent-based changes constitutes acknowledgment of the revised policy.

16. Contact Us

For all privacy-related inquiries, data subject requests, or complaints:

Children of Titan — Privacy Team

Email: privacy@childrenoftitan.com

General support: support@childrenoftitan.com

We aim to respond to all requests within 30 days.

Terms of ServiceHome