Legal document

Privacy Policy

Last updated: 24 June 2026 · Version 1.0

Draft pending legal review. This text describes how Hollowmew processes personal data during its closed beta. Some identifying details of the data controller (legal/tax identity and registered address) must be completed before final publication. If you spot an error or wish to exercise your rights, write to privacidad@hollowmew.com.

At Hollowmew we take your privacy seriously. This policy explains what personal data we process when you use the Hollowmew game (the "App") and the hollowmew.com and beta.hollowmew.com websites (the "Sites"), for what purpose, on what legal basis, with whom we share it, and how you can exercise your rights. It is written in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the protection of personal data and the safeguarding of digital rights (LOPDGDD).

Hollowmew is in closed beta. We show no advertising, use no third-party analytics, do not sell or share your data with third parties for commercial purposes, and there are no in-app purchases: it is a free beta.

1. Data controller

The controller of your personal data is the development team behind Hollowmew ("the Hollowmew team", "we", "us"), based in Spain (European Union).

Controller: the Hollowmew team

Contact and privacy email: privacidad@hollowmew.com

Data controller: Pedro Manuel Crespo Jiménez · Tax ID (NIF) 76649334V · Spain (operating under the brand "the Hollowmew team").

For any matter relating to your personal data or this policy, you can write to us at privacidad@hollowmew.com. We have not appointed a Data Protection Officer (DPO), as none of the cases in Article 37 GDPR applies; the privacy point of contact is the email above.

2. What data we process and why

We process only the data strictly necessary for the beta to work and improve. Here is the breakdown by purpose:

2.1. Account registration and sign-in

Access to Hollowmew is exclusively through your Google account ("Sign in with Google") or your Apple account ("Sign in with Apple"), using these providers' identity protocols (OAuth / OpenID Connect). We do not create or store passwords: authentication is performed by the provider.

From the provider we receive and process:

  • Your email address, to identify your account uniquely, link your progress, and send you essential beta notices.
  • Your name (as shared by the provider), to personalize your in-game profile.
  • A unique identifier of your account at the provider, to relate your sign-ins without relying on the email.

If you use "Sign in with Apple" and choose to hide your email, we will receive an anonymous relay address from Apple instead of your real email; everything else works the same way.

2.2. Cloud save and game progress

So that you can continue your game from any device, we store your game progress on our servers, linked to your account: unlocked classes, progression-tree upgrades, run statistics (waves cleared, results) and player settings. This is game data; it does not include sensitive information.

2.3. Profile avatar

If you choose an avatar for your profile, we store that choice (the selection you make in-game) associated with your account, for the sole purpose of displaying it on your profile.

2.4. Crash diagnostics

When the App detects an unexpected close or hang, it may automatically send us a technical crash report to diagnose and fix the problem. That report includes: device model, operating-system version, device language, game version and an extract of the technical log at the time of the crash. We do not collect your contacts, photos, precise location or any other personal device content for this purpose.

2.5. Transactional beta email

We use your email address to send you essential beta communications (for example: access confirmation, new-version notices, service incidents or beta closure). These are sent from our own mail server. They are not marketing communications or promotional newsletters; they are operational and necessary to provide you with the beta service.

PurposeData processedLegal basis
Account registration and sign-inEmail, name, provider identifierPerformance of a contract (Art. 6(1)(b) GDPR)
Cloud save and progressProgress, run statistics, settingsPerformance of a contract (Art. 6(1)(b) GDPR)
Profile avatarAvatar chosen by youPerformance of a contract (Art. 6(1)(b) GDPR)
Crash diagnosticsModel, OS version, language, game version, log extractLegitimate interest in stability (Art. 6(1)(f) GDPR)
Transactional beta emailEmail addressPerformance of a contract (Art. 6(1)(b) GDPR)

3. Legal basis

The processing of your data relies on the following legal bases under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)): registration, sign-in, cloud save of your progress, the avatar and transactional emails are necessary to provide the beta service you request when you create your account and accept the Terms and Conditions.
  • Legitimate interest (Art. 6(1)(f)): crash diagnostics serve our legitimate interest in keeping the App stable and secure. We have balanced this interest against your rights: the reports are technical, minimal, and not used to profile you. You can object to this processing (see section 7).

We do not process special categories of data (Art. 9 GDPR) and do not carry out consent-based processing beyond accepting registration. We do not use your data for advertising, nor share it for third-party profiling.

4. Retention periods

  • Account and progress data: kept while your account is active. If you request deletion or delete your account, it is erased from our systems within a maximum of 30 days, except for backups that are overwritten on a rolling basis within no more than 90 days.
  • Inactive accounts: being a beta, we may delete accounts with no activity for an extended period (for example, 12 months) or when the beta ends, with reasonable prior notice by email.
  • Crash reports: kept for as long as needed to diagnose and fix the issue, with an indicative maximum of 180 days, after which they are deleted or anonymized.
  • Email address for notices: for the duration of your participation in the beta; when the beta closes or you unsubscribe, it is deleted.

5. Recipients and data processors

We do not sell your data. To provide the service we rely on a small number of third parties, each with its own role:

  • Google (Google Ireland Limited / Google LLC) — "Sign in with Google". When you choose to sign in with Google, Google acts as identity provider and supplies us with your email and name. Google's processing of your data is governed by the Google Privacy Policy.
  • Apple (Apple Distribution International Ltd.) — "Sign in with Apple". If you sign in with Apple, Apple acts as identity provider. Its processing is governed by the Apple Privacy Policy.
  • Hostinger (server hosting, data center in the European Union). Our backend (the game database, cloud save and mail server) runs on a virtual private server (VPS) contracted with Hostinger, on infrastructure located in the EU. Hostinger acts as a data processor and only processes the data to host our service.

With our data processors we maintain the commitments required by Article 28 GDPR. We may also disclose data to public authorities where a legal obligation requires it.

6. International transfers

Our own server (holding your progress, account and crash reports) is hosted in the European Union, so that processing does not involve an international transfer.

The sign-in providers Google and Apple are global companies that may process data outside the European Economic Area, in particular in the United States. Such transfers are covered by the mechanisms provided for in the GDPR (Chapter V), such as the European Commission's Standard Contractual Clauses and, where applicable, the EU–U.S. Data Privacy Framework. You can find the details in their respective privacy policies linked in the previous section.

7. Your rights

As a data subject, the GDPR grants you the following rights over your personal data:

  • Access: to know what data of yours we process and obtain a copy.
  • Rectification: to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): to ask us to delete your data when it is no longer necessary.
  • Objection: to object to processing based on our legitimate interest, such as crash diagnostics.
  • Data portability: to receive your data in a structured, commonly used and machine-readable format, or to have us transmit it to another controller where technically feasible.
  • Restriction of processing: to ask us to "freeze" the use of your data in certain cases.

To exercise any of these rights, write to us at privacidad@hollowmew.com stating which right you wish to exercise. We will respond within a maximum of one month (extendable by two further months in complex cases, with notice). We may ask you to verify your identity to prevent a third party from exercising your rights in your name. Exercising these rights is free of charge.

Many of these actions you can also perform yourself: for example, deleting your account from the game settings, or revoking Hollowmew's access from your Google or Apple account settings.

8. Lodging a complaint with the supervisory authority

If you believe that the processing of your data does not comply with the law, or that we have not properly handled your rights, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):

Agencia Española de Protección de Datos (AEPD)

C/ Jorge Juan, 6 — 28001 Madrid (Spain)

Electronic office: www.aepd.es

That said, we would appreciate the chance to resolve it first—please write to us at privacidad@hollowmew.com before going to the AEPD.

9. Security of your data

We apply reasonable technical and organizational measures to protect your data against unauthorized access, loss or alteration: encryption of connections (HTTPS/TLS) between the App and the server, authentication delegated to trusted providers (we store no passwords), restricted access to the database, and servers hosted on EU infrastructure. No system is 100% infallible; if a security breach affecting your data occurs and poses a risk to your rights, we would notify you and report it to the AEPD in accordance with Articles 33 and 34 GDPR.

10. Minors

Hollowmew is not directed to children under 14. In Spain, Article 7 of the LOPDGDD sets 14 as the age from which a minor may consent to the processing of their own data. By registering, you declare that you are 14 or older. If you are under 14, you must not use the game or create an account. If we become aware that we have processed data of a child under 14 without the consent of the holder of parental authority or guardianship, we will delete that data. If you believe a minor in your care has provided us with data, write to privacidad@hollowmew.com and we will erase it.

11. Automated decisions and profiling

We do not make automated decisions producing legal effects on you or similarly significantly affecting you, and we do not carry out profiling with your personal data.

12. Changes to this policy

As a beta, this policy may evolve. If we make substantial changes, we will update the "Last updated" date and, where appropriate, notify you by email or within the App. We recommend reviewing it periodically. Continued use of the service after a change means you are aware of the version in force.

Questions about your data? Write to us at privacidad@hollowmew.com. See also our Terms and Conditions.