Privacy Policy
Effective: April 1, 2026
1. Scope and Applicable Laws
This Policy applies to information processed by IdolRun in connection with the Service. We strive for compliance with applicable data-protection laws, including:
- United States: California Consumer Privacy Act (CCPA/CPRA) and other state-level privacy laws as applicable.
- Indonesia: Personal Data Protection Law (UU PDP, Law No. 27 of 2022).
- Philippines: Data Privacy Act of 2012 (RA 10173).
- Singapore: Personal Data Protection Act 2012 (PDPA).
- Malaysia: Personal Data Protection Act 2010.
- Thailand: Personal Data Protection Act B.E. 2562 (2019).
- European Economic Area and United Kingdom: GDPR and UK GDPR, where applicable.
2. Information We Collect
2.1 Information You Provide
- Account information: name, date of birth, email address, password, phone number, country of residence.
- Eligibility and prize-fulfillment verification: where required to confirm your age, eligibility, or location — or to fulfill a Prize (particularly higher-value experiences such as travel or event access) — we may collect government-issued identification and proof of address.
- Payment information: collected and processed by our payment processors (such as Stripe, Apple Pay, Google Pay, and — for Users in Indonesia — Xendit). IdolRun does not store full card numbers; we receive a tokenized reference and metadata sufficient to manage transactions and reconcile accounts. Payment information applies only where a User chooses to make an optional in-app purchase; playing IdolRun is free.
- Prize fulfillment information: shipping address, contact details for delivery, and recipient identification documents where required for travel-and-event Prizes.
- Communications: messages you send to support, feedback, survey responses.
2.2 Information We Collect Automatically
- Usage data: Cards answered, Answers submitted, Gold Coins and Tickets earned, Quests and Challenges entered, Chests opened, and Reward Store redemption activity.
- Device data: device type, operating system, browser, device identifiers, language settings.
- Network data: IP address, approximate geolocation derived from IP, network operator.
- Cookies and similar technologies as described in our Cookie Policy.
2.3 Information from Third Parties
- Identity and age verification providers.
- Payment processors (transaction status, risk signals, chargeback notifications).
- Fraud-prevention and sanctions-screening services.
- Marketing partners and referral sources, where you have engaged with them.
3. How We Use Information
We process personal data for the following purposes:
- Operating the Service, including Account creation, Card play, Quests and Challenges, Chest and reward mechanics, Prize fulfillment, and customer support.
- Verifying your eligibility, age, and location, and confirming identity where needed to fulfill a Prize.
- Detecting, preventing, and investigating fraud, abuse, and breaches of our Terms (including multiple-account and automation abuse).
- Complying with applicable laws, including tax reporting (for example, prize-related reporting where required), sanctions screening, and consumer-protection law.
- Communicating with you about the Service, including transactional emails, security alerts, and — with your consent where required — marketing communications.
- Improving the Service, including analytics, performance monitoring, and product development.
- Establishing, exercising, or defending legal claims.
4. Lawful Bases for Processing (where applicable)
Where the GDPR, UK GDPR, or analogous frameworks apply, we rely on the following lawful bases:
- Performance of a contract with you (operating the Service, fulfilling Prizes).
- Compliance with legal obligations (age verification, tax, sanctions).
- Legitimate interests (security, fraud prevention, product improvement), balanced against your rights and freedoms.
- Consent (marketing, optional analytics, where required by law).
5. How We Share Information
We share personal data only as described below:
- Service providers: cloud hosting, customer support, identity and age verification, fulfillment partners (merchandise vendors, experience providers), and analytics providers, in each case bound by confidentiality and data-protection obligations.
- Payment processors: Stripe, Apple Pay, Google Pay, Xendit (for Users in Indonesia), and other approved processors, which process optional in-app purchases and chargebacks subject to their own privacy policies.
- Fraud and sanctions partners, including for eligibility screening and ongoing monitoring.
- Legal authorities, where required by valid legal process or to protect rights, property, or safety.
- Corporate transactions: in connection with a merger, acquisition, financing, or sale of all or substantially all of our assets, subject to customary confidentiality protections.
- With your consent.
We do not sell personal data within the meaning of CCPA/CPRA.
6. International Data Transfers
IdolRun is based in the United States. Personal data may be transferred to and processed in the United States and other jurisdictions where our service providers operate. Where required by law, we use Standard Contractual Clauses, adequacy decisions, or other recognized transfer mechanisms to protect your data during international transfer.
7. Data Retention
We retain personal data for as long as needed to provide the Service and to comply with our legal, accounting, and regulatory obligations:
- Account data: for the life of the Account plus SEVEN (7) years after closure (or longer where required by tax or other law).
- Verification and prize-fulfillment records: retained as required for tax, audit, and legal compliance, typically up to SEVEN (7) years.
- Transaction records: as required for tax and audit, typically SEVEN (7) years.
- Marketing data: until you unsubscribe or withdraw consent.
8. Security
We use administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit and at rest where appropriate, access controls, monitoring, and incident-response procedures. No system is perfectly secure; you should also take reasonable steps to protect your Account credentials.
9. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion (subject to legal-retention requirements).
- Object to or restrict certain processing.
- Data portability.
- Withdraw consent (where processing is based on consent).
- Lodge a complaint with your local data-protection authority (for example, the relevant Indonesian data protection authority under UU PDP, the Philippines National Privacy Commission, Singapore's PDPC, the UK ICO, the U.S. FTC, or the California Privacy Protection Agency).
To exercise rights, contact privacy@idolrun.com. We may verify your identity before responding.
You can also contact us for additional privacy-related requests.
10. Children
The Service is not directed to children under 18, and use of the Service requires you to be at least 18 (or the age of majority in your jurisdiction, whichever is greater). We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact privacy@idolrun.com and we will delete it.
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified via email or through prominent notice in the Service at least THIRTY (30) days before they take effect.