Privacy Policy

Last updated: 21 April 2026

1. Who we are

Bumpo (the "Service") is operated by Mindysm OÜ, a private limited company registered in the Republic of Estonia, with its registered office in Tallinn, Estonia ("Mindysm", "we", "us", "our"). Mindysm is the data controller for any personal data processed in connection with the Service. You can contact us at privacy@bumpo.fun.

2. Summary

Bumpo is designed to require as little information about you as possible. In this version of the Service:

• the game client uses Firebase Authentication to establish a session so you can join rooms and play matches;
• that session may be anonymous by default, and we may also offer optional account-backed sign-in using email and password;
• we do not collect payment information;
• the marketing site at bumpo.fun does not use analytics or advertising cookies;
• the game client at app.bumpo.fun uses Firebase Analytics on first load in supported browsers to measure page views and coarse gameplay funnel events;
• we do not send room codes, nicknames, chat text, Firebase UID/email, or ad-personalization signals as analytics event parameters.

3. What we process

The limited information we do process is:

• Authentication and session data. The game client uses Firebase Authentication to establish a player session. This can include a Firebase UID, the sign-in provider, and, if you create or use an account-backed sign-in method, your email address.
• Session data. The nickname and character colour you pick, your current room assignment, and gameplay state (position, inputs, match events). This data lives in server memory for the duration of the match and is discarded when the match ends or the room disposes.
• App analytics data. The game client logs page views and coarse product-usage events such as room creation, invite joins, room join success, match start, match end, and rematch clicks. These events may include arena, mode, rounds, player counts, bot counts, and similar coarse configuration data. They do not include room codes, nicknames, chat text, Firebase UID, or email addresses.
• Connection metadata. When your browser connects to our servers, the connection carries your IP address and a user-agent string, as with any website. We use this transiently to route your WebSocket connection, to protect the Service from abuse (rate limiting, blocking malicious traffic), and to produce aggregate operational logs. We do not use IP addresses to build marketing profiles.
• Operational logs. Short-lived server logs that record errors, request paths, and performance metrics. Logs are retained for up to 30 days and then deleted.

We do not use advertising cookies on the marketing site. We do not use Firebase Analytics for ad personalization. We do not sell personal data.

4. Legal bases (GDPR)

Where the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") applies, we process the limited data described above on the following legal bases:

• Performance of a service at your request (Article 6(1)(b) GDPR) — to operate the game while you are playing it;
• Legitimate interests (Article 6(1)(f) GDPR) — to secure the Service against abuse, to keep it running reliably, and to diagnose faults;
• Legitimate interests (Article 6(1)(f) GDPR) — to understand basic product usage in the game client and improve the Service. We have weighed these interests against the limited nature of the analytics events we collect and consider the impact on players' privacy to be minimal.

5. Who we share data with

We share data only with service providers who help us run the Service and who process data on our behalf under written instructions (processors under Article 28 GDPR). These currently include our cloud infrastructure and platform providers, including Google Cloud and Firebase services for hosting, authentication, and app analytics. We do not sell or rent personal data. We do not transfer data outside the European Economic Area except where a valid transfer mechanism recognised by EU law is in place.

6. Cookies and local storage

The marketing site at bumpo.fun does not set advertising, analytics, or tracking cookies. The game client at app.bumpo.fun may use your browser's local storage, IndexedDB, and similar browser storage for session handling, authentication state, and in-session preferences (for example, the nickname you just typed). In supported browsers, the game client also loads Firebase Analytics on first app load, which may use cookies or similar client-side identifiers to measure app usage. We do not enable ad-personalization signals for this analytics setup. You can clear local browser storage from your browser settings.

7. Retention

Gameplay state is held in server memory only while the match is running and is discarded when the room disposes. Operational logs are retained for up to 30 days. Firebase Authentication session state may persist on your device until you sign out or clear browser storage. Analytics data is retained according to the retention settings of the linked Google Analytics property.

8. Security

We apply commercially reasonable technical and organisational measures to protect the Service and any data it handles, including encrypted transport (TLS), access controls, and minimisation of stored data. No online service can be guaranteed to be completely secure; report suspected vulnerabilities to security@bumpo.fun.

9. Your rights (GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with equivalent law, you have the following rights in relation to personal data we hold about you: access, rectification, erasure, restriction of processing, objection to processing, and, where applicable, data portability. Because this version of the Service minimises personal data but may still involve authentication records, analytics records, and short-lived operational logs, the exact data we can identify for you depends on how you used the Service. If you believe we hold personal data about you, you can contact us at privacy@bumpo.fun and we will respond within one month.

You also have the right to lodge a complaint with a supervisory authority. In Estonia, the competent authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee). You may also contact the supervisory authority in your country of residence or the place of the alleged infringement.

10. Children

Bumpo is not directed at children under 13, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps to delete it.

11. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes become effective when posted. Your continued use of the Service after changes are posted constitutes your acknowledgement of the updated policy.

12. Contact

Questions about privacy can be sent to privacy@bumpo.fun.