Privacy Policy

Effective Date and Last Updated: June 11, 2026

Introduction

Impostor Madness! is a multiplayer party game designed to be played with friends, either locally on the same Wi-Fi network (LAN) or online over the internet.

This privacy policy explains what data the app collects, how it is used, and your rights regarding that data.

This policy accurately reflects the app's actual data practices as of the date above.

Your Consent & Control

We believe in giving you complete control over your data. When you first launch the app, you will be asked whether you want to share anonymous analytics and crash reports.

Before You Consent:

• All analytics and crash reporting are completely DISABLED
• No analytics or crash data is sent to any external servers
• The app functions fully without any online data collection

If You Accept:

• Anonymous crash reports and usage statistics are enabled
• This helps us improve the app and fix bugs faster
• You can revoke consent at any time in Settings

If You Decline:

Nothing changes. No data is collected, all features remain available, and you can change your mind later in Settings.

This consent mechanism is designed to comply with GDPR, CCPA, and other privacy regulations worldwide.

Data Stored Locally on Your Device

The following data is stored ONLY on your device (not on any server). Note that some of it (your display name and avatar) is also shared with the other players while you are in a game; see "Network Communication" for how.

• Display Name: The username you choose for gameplay. Stored in SharedPreferences on your device.
• Avatar Image (Optional): If you take a photo for your avatar, it is stored locally as base64-encoded data in SharedPreferences. It is not stored on any server. While you are in a game it is shared with the other players: in Local games over your network, and in Online games relayed through our cloud relay (see "Network Communication").
• Avatar Emoji (Optional): If you select an emoji as your avatar, it is stored locally.
• App Preferences: Theme setting (light/dark/system), sound effects toggle, haptics toggle, shake to reveal toggle, auto-dim screen toggle, animated background toggle, language preference, last used lobby settings, and whether you've seen the tutorial. All stored locally via SharedPreferences.
• Premium Purchase Status and Receipt Data: If you purchase Premium Hosting, the purchase status and purchase receipt data (platform, receipt token, and product identifier) are stored locally using platform-secure storage for added security. The receipt data is retained to allow periodic re-verification of your purchase.
• Analytics Consent Record: Your consent choice for analytics and crash reporting (accepted or declined), the version of the consent prompt you responded to, and the timestamp of your response. Stored locally via SharedPreferences so we can honor your choice across app launches and prompt you again only if the policy materially changes.
• Active Room State: If you disconnect from a game, the app temporarily stores your room code and player information for up to 30 minutes to allow rejoining. This data is automatically deleted after 30 minutes.

Network Communication (Gameplay)

Impostor Madness! offers two ways to play together: Local games on the same Wi-Fi network, and Online games over the internet. The information shared with the other players is the same either way (see "Data Shared During Gameplay" below); the difference is how it travels.

Local (LAN) Games

Local games use a 4-character room code and operate entirely on your local network (LAN). No internet connection is required to play.

• Game communication uses WebSocket connections within your local network only
• The app uses Bonjour/mDNS for local device discovery on your Wi-Fi network or Personal Hotspot
• Game data is transmitted only to other players on your local network
• No gameplay data is sent to external servers, cloud services, or the internet

Online Games (Optional)

You can also create or join Online games that work over the internet, identified by a 6-character room code. When you play Online:

• Game data is relayed in real time through our cloud relay server (hosted on Cloudflare's global network) to the other players in your game, over an encrypted (TLS / wss://) connection.
• The relay only passes messages between the players. It does not store your data: information is held in memory only for the duration of the connection and is discarded when the game ends, or the room becomes idle or is abandoned. No game data is written to a database.
• As with any internet service, our relay (via Cloudflare) transiently sees your device's IP address and uses it solely to rate-limit connections and prevent abuse. It is held in memory only, briefly, and is never written to a database or otherwise stored.
• Because Cloudflare operates globally, this data may be routed through servers outside your country (see "International Data Transfers").
• Online play is entirely optional; Local games remain fully offline.

Note: Analytics and crash reporting use the internet only if you consent. Purchase receipt verification uses the internet separately from gameplay. See their respective sections below.

Data Shared During Gameplay

When playing a game (Local or Online), the following data is shared with the other players:

• Your chosen display name
• Your avatar (photo or emoji, if set)
• Your device platform (iOS or Android)
• Game actions (votes, guesses, game state)

In Local games this data only reaches devices on your local Wi-Fi network or Personal Hotspot. In Online games it travels through the relay to the other players. In both cases it is exchanged only during active gameplay and is not stored persistently by the relay or by other players' devices.

Deep Linking & Sharing

The app supports deep links (impostormadness://join?code=XXXX and https://impostorparty.com/join?code=XXXX) to let players join games easily. These links contain only a room code (4 characters for Local games, 6 for Online). When sharing a game invitation, the app uses your device's built-in share sheet. No personal data is collected, transmitted, or tracked.

Data Sent Online (With Your Consent)

The following data is ONLY collected and sent to external servers if you explicitly consent when first launching the app. You can change your choice at any time in the app's Settings.

Crash Reports (Firebase Crashlytics)

When enabled, if the app crashes, a report is sent containing:

• Device model and operating system version
• App version and build number
• Crash stack trace (technical error information)
• Game context for debugging:
  • Room code (4- or 6-character game code)
  • Game phase (e.g., "lobby", "voting")
  • Player count
  • Whether you are the host
  • Your session player ID (random, not personally identifiable)
  • Connection mode (whether you are hosting or joining)
  • Premium status
  • App language/locale setting

No personal information, such as your name, avatar, location, or advertising identifiers, is ever included in crash reports.

Crash reports help us identify and fix bugs to improve the app for everyone. This data is processed by Google Firebase and is subject to Google's Privacy Policy.

Anonymous Usage Statistics (Firebase Analytics)

When enabled, the app collects completely anonymous, aggregated usage statistics. These help us understand how the app is used so we can improve it.

Automatic data collected by Firebase:

• Daily and monthly active user counts (aggregate numbers only)
• Session counts (how many times the app is opened)
• General device type and operating system (e.g., "iPhone", "Android 14")
• App version distribution
• Country-level geographic distribution (derived from IP, not precise location)

Custom events logged by the app:

• App opens and app settings preferences
• Game configuration choices (e.g., game mode, category, number of rounds)
• Gameplay patterns (e.g., rounds played, voting participation, game outcomes)
• Connection health (e.g., disconnections, host migrations)
• Premium feature interactions (e.g., upgrade screen views, purchase outcomes)
• Purchase events (currency code, price, and product identifier when you buy Premium Hosting)
• How players join games (e.g., via deep link or LAN)

These events contain only general game data. No player names, identities, or personally identifiable information are ever included.

This data is:

• Completely anonymous - not linked to any individual user
• Aggregated - we see "142 users today", not individual identities
• Never used for advertising or sold to third parties
• Never used for personalization or user profiling

This anonymous data is processed by Google Firebase and is subject to Google's Privacy Policy.

Third-Party Services

The following third-party services may receive data from the app or website:

• Firebase Crashlytics (Google): Crash reporting, only if you consent. See "Crash Reports" above.
• Firebase Analytics (Google): Anonymous aggregate statistics, only if you consent. See "Anonymous Usage Statistics" above.
• Apple App Store / Google Play Store: Payment processing for the optional Premium Hosting purchase. See "In-App Purchases" below.
• impostorparty.com (our server): Purchase receipt verification when you buy or restore Premium Hosting, and periodic re-verification to confirm ongoing purchase validity. See "In-App Purchases" below.
• Google reCAPTCHA (Google): Spam protection on the website contact form. See "Contact Form" below for details on what data is collected.
• Cloudflare Turnstile (Cloudflare): Bot and abuse prevention on the website promo codes page. See "Promo Codes Page" below for details on what data is collected.
• Formspree: Form submission processing for the website contact form. See "Contact Form" below.
• Cloudflare (Online game relay): When you play an Online game, our relay server (hosted on Cloudflare's global network) passes game data (display name, avatar, platform, game actions) between the players in real time. It does not store this data after the game ends. It transiently sees your IP address (as any internet service does) solely to rate-limit connections and prevent abuse, and does not store it. See "Network Communication" above.

On-Device Features

The app uses standard device capabilities, including local network discovery, sharing, camera (for QR codes and avatars), motion sensors (shake gesture), screen wake lock, and network status detection. These capabilities operate on your device and do not, in themselves, collect, store, or transmit any data to external servers. The one exception is an avatar photo you choose to set: in an Online game it is relayed to the other players through our cloud relay (and is never stored on a server), as described in "Network Communication" above.

Font assets are bundled with the app at build time; no network requests are made for fonts.

In-App Purchases

The app offers an optional one-time "Premium Hosting" in-app purchase that unlocks additional game modes, categories, and features. Payment is processed entirely through Apple's App Store or Google Play Store. We do not have access to your payment information.

Purchase Receipt Verification

When you buy or restore Premium Hosting, the app verifies the purchase by sending a request to our server (impostorparty.com) over HTTPS. The app also periodically re-verifies your purchase to confirm it remains valid. Each verification request contains:

• The platform identifier (Apple or Google)
• The purchase receipt token (a cryptographic token issued by Apple or Google to confirm the transaction)
• The product identifier ("premium_hosting")

The receipt token is used solely to confirm the purchase is legitimate and is not stored on our server after verification. The receipt data is stored locally on your device in platform-secure storage to enable periodic re-verification.

Purchase status is stored locally on your device using platform-secure storage, and can be restored via the app stores.

Device Permissions

The app requests the following permissions:

Required Permissions:

• Local Network Access: Required for hosting and joining games on your Wi-Fi network or Personal Hotspot. This is essential for the app's core functionality.
• Internet Permission (Android): Required by the platform for network access. Used for LAN gameplay, online gameplay, purchase receipt verification, and sending crash reports/analytics to Firebase if you consent.

Optional Permissions:

• Camera: Used to scan QR codes for joining games and to take avatar photos. You can use the app without granting camera access by entering room codes manually and using emoji avatars. Camera images are used only in-game. In Local games they stay on your network; in an Online game your avatar photo is relayed to the other players through our cloud relay (it is not stored on a server). See "Network Communication".
• Vibration: For haptic feedback during gameplay. Can be disabled in Settings.
• Motion Sensors (Accelerometer): Used for the shake-to-reveal gesture during gameplay rounds. This feature can be disabled in Settings. Sensor data is processed in real time on your device only and is never stored, recorded, or transmitted. No motion or movement data leaves your device.

Data Retention

• Preferences and avatar: Stored on your device indefinitely until you clear app data or uninstall.
• Active room state: Automatically deleted after 30 minutes.
• Game session data: Exists only during active gameplay and is not persisted.
• Analytics/crash data (if you consent): Retained by Google Firebase per their retention policies. Disable in Settings at any time to stop future collection.

Deleting Your Data

Impostor Madness! does not store your data on external servers (the Online game relay holds game data only briefly in memory during a game, then discards it). All your data is deleted by simply uninstalling the app or clearing app data in your device settings. This removes all preferences, avatar photos, and any locally stored information.

If you previously opted in to analytics and crash reporting, that data is anonymous and cannot be linked back to you. You can disable future collection at any time in the app's Settings.

International Data Transfers

If you consent to analytics and crash reporting, the anonymous data described above is transmitted to Google Firebase servers. Google may process and store this data in data centers located outside your country of residence, including in the United States.

These transfers are governed by Google's data processing terms and their compliance with applicable data protection frameworks, including:

• EU-U.S. Data Privacy Framework (for transfers from the European Economic Area)
• Google's Standard Contractual Clauses (SCCs) for international transfers
• Google's Firebase Terms of Service and Data Processing Terms

If you play Online games, your game data (display name, avatar, platform, and game actions) is relayed through Cloudflare's global network and may be processed on servers outside your country, independently of your analytics choice. The relay does not store this data. These transfers are covered by Cloudflare's data processing terms and Standard Contractual Clauses. If you do not consent to analytics and you play only Local games, no data is transferred internationally; it remains on your local network and device.

Your Rights & Data Control

You have full control over your data:

• Right to withdraw consent: You have the right to withdraw your consent at any time by disabling analytics/crash reporting in the app's Settings
• Change your name and avatar at any time through the app
• Clear your avatar in the app's Settings
• Delete all app data by uninstalling the app or clearing app data in your device settings
• Deny optional permissions (camera) without affecting core functionality

Since all personal data is stored locally on your device, there is no account to delete or data access request to make. Simply uninstalling the app removes all stored data.

If you previously consented to analytics, you can disable it in Settings to stop future data collection. Any analytics data already sent to Firebase is anonymous and aggregate, meaning it cannot be linked back to you individually and therefore cannot be individually identified or deleted.

Children's Privacy

Impostor Madness! is designed as a party game for friends and family. The app does not:

• Collect personal information from children
• Require account creation or registration
• Contain advertising
• Sell your data or share it with advertisers or data brokers (analytics/crash reports, if enabled, contain no personal information)

Impostor Madness! is intended for a general audience and is not directed to children under 13 (or the minimum age required in your country); younger children should only play with the involvement of a parent or guardian. When used in a supervised party setting, the game is suitable for players of all ages. Parents and guardians should ensure that display names and avatar photos chosen during gameplay are appropriate, particularly for Online games, where they are transmitted over the internet to the other players in the game.

Security

• Sensitive data (premium purchase status) is stored using platform-provided secure storage (iOS Keychain / Android EncryptedSharedPreferences); other preferences use standard on-device storage (SharedPreferences)
• Local games communicate within your local network via WebSocket; Online games use an encrypted (TLS / wss://) WebSocket connection to the relay
• Purchase receipt verification and analytics/crash data (if you consent) is transmitted securely via HTTPS
• The app does not require authentication or store sensitive credentials

Changes to This Policy

We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated "Last Updated" date. We encourage you to review this policy periodically.

Significant changes to data collection practices (if any) will be communicated through app updates and release notes.

impostorparty.com Website

Our website at impostorparty.com provides information about the app, includes a contact form, and offers a promo codes page where we occasionally distribute free codes for the Premium Hosting in-app purchase.

Contact Form

The website contact form collects:

• Your name
• Your email address
• Your message

This data is processed by Formspree (formspree.io), a third-party form service, to deliver your message to us. We use this information only to respond to your inquiry. Formspree's privacy policy applies to data submitted through the contact form.

Spam Protection (Google reCAPTCHA)

The contact form uses Google reCAPTCHA v2 to protect against spam and automated abuse. When you visit the contact page, reCAPTCHA may collect:

• Your IP address
• Cookies set by Google (including _GRECAPTCHA and other Google cookies)
• Browser and device information (user agent, screen resolution, browser plugins)
• Mouse movements and interaction patterns on the page

This data is sent to Google to determine whether you are a human visitor. It is processed under Google's Privacy Policy and Terms of Service.

reCAPTCHA is loaded only on the contact page. It is not present on any other page of the website.

Cookies & Local Storage

The website does not use analytics or tracking scripts of its own. Two pages load third-party verification widgets that may set cookies:

• The contact page loads Google reCAPTCHA, which may set Google cookies (see "Spam Protection" above).
• The promo codes page loads Cloudflare Turnstile, which may set Cloudflare cookies, and our server sets a first-party cookie imp_promo_id (see "Promo Codes Page" below).

These cookies are used solely for spam and abuse prevention.

The only data we store locally on every page is your language preference (English or Greek) in your browser's local storage, to remember your choice across visits. This is not personal data and is never transmitted.

No cookies or third-party scripts are loaded on any other page of the website.

Promo Codes Page

The promo codes page at impostorparty.com/promo-codes distributes a limited number of free promo codes for the Premium Hosting in-app purchase. To prevent automated abuse, the page uses Cloudflare Turnstile in invisible mode.

When you visit the promo codes page, Cloudflare Turnstile may collect:

• Your IP address
• Browser and device information (user agent, language, screen attributes)
• Limited interaction signals such as timing and pointer movement patterns

This data is processed by Cloudflare to determine whether you are a human visitor. It is handled under Cloudflare's Privacy Policy and the Cloudflare Turnstile Privacy Addendum.

To enforce our code-distribution rules, our server also stores:

• A first-party cookie named imp_promo_id containing a random opaque identifier (no personal data). The cookie hash is used to ensure a single browser can only claim one code per promotional campaign (each new campaign is a fresh slate).
• A salted SHA-256 hash of your IP address (for IPv6, collapsed to the /64 subnet before hashing). The IP hash is used to cap how many codes can be redeemed from the same network within a single promotional campaign (so a household or small group of friends can each claim while still preventing automated abuse). Your raw IP address is never stored.

Additionally, when you successfully claim a code, your browser stores a copy of that code in its local storage (imp_promo_claim). This is a convenience so we can re-display the code if you return to the page later, even if you cleared cookies. The local storage entry lives entirely in your browser and is never transmitted to us.

This data is used solely for the above fraud-prevention purposes and is not shared with any third party. The salted hashes associated with a claimed code are kept with that campaign's records so we can continue to enforce the one-code-per-person and per-network limits; they are not personal data and cannot be reversed to recover your IP address or identity. Our internal log of redemption attempts is kept while any promo codes remain available; once all distributed codes have been claimed and at least 7 days have passed since the most recent claim, it becomes eligible for deletion and is purged by a routine automated cleanup. Turnstile is loaded only on the promo codes page.

Contact

If you have questions about this privacy policy, the app's data practices, wish to exercise your data rights, or would like to report a bug, please reach out:

• Contact Form: impostorparty.com/contact
• General Inquiries: info@impostorparty.com
• Privacy Inquiries: privacy@impostorparty.com
  • For GDPR, CCPA, or other privacy-related requests. We will respond within 30 days.

Impostor Madness! is developed and operated by Andreas Neofytou.

Summary

Your privacy is important to us.
Enjoy the game!

Back to Top