← Back to Home
Privacy Policy for wildcard dex
Last Updated: May 12, 2026
Introduction
This privacy policy describes how Play Outside Games ("we", "us", or "our") collects, uses, stores, and protects your information when you use the wildcard dex mobile application ("the app"). We are committed to protecting your privacy and being transparent about how we handle your data.
By using wildcard dex, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the app.
Information We Collect
Information You Provide Directly
- Photos: Images you take or select to identify species
- Display Name: An optional name you choose for your profile
- Profile Photo: An optional photo you set as your profile picture. If you use social features, a compressed copy is stored in Firebase Storage and can be shown to active friends
- Location Data: Optional location information when you photograph species, if you grant permission
Information Collected Automatically
- Device Identifier: A unique device identifier generated from your device's vendor ID (iOS) or Android ID, combined with a random component. This is used to identify your account before you sign in
- Authentication Data: We create an anonymous account for you via Firebase Authentication. If you sign in with Google or Apple to back up your collection, or subscribe to dex++, your email address and provider-supplied display name are collected so you can recover your account on a new device
- Push Notification Token: If you enable push notifications, a Firebase Cloud Messaging (FCM) token is collected to deliver notifications to your device
- Device Information: Basic device type and operating system information used for generating your device identifier
- App Version: Your app version, collected for compatibility purposes
Information Collected Through Social Features
If you use friend and trading features, the following is collected and stored on our servers:
- Your display name, level, total species count, total card count, earned badges, current title, generated profile avatar settings, and optional profile photo
- Friend connections and friend request history
- Trade offers and trade history
- Photos uploaded for trading cards (stored in Firebase Storage)
Information Collected When You Back Up Your Dex (Optional)
If you sign in with Google or Apple, the following is mirrored to our servers so you can recover your collection on a new device:
- Each species you've discovered, including the photo, the AI-generated species details, the capture date, and any location associated with the sighting (when you have granted location permission)
- The compressed photo for each sighting (stored in Firebase Storage under a path that only you can read or write)
You can stop these backups at any time by signing out from Settings; previously uploaded data will remain on the server until you request deletion.
Information Used in the Public Community Map
If you have granted location permission, sightings contribute anonymously to an aggregated public map of where each species is being seen. To protect privacy:
- A region is only published once at least three total sightings have been recorded in that admin region during the aggregation window
- Public map markers use the centroid of a coarse administrative region (typically county-equivalent, with state or country fallback when needed), not your exact sighting coordinates
- Once a region is public, the map may still show species with only one sighting inside that region because the privacy threshold applies to the region as a whole
- Public region labels prefer the resolved place name, but can fall back to a top-species summary if a label is unavailable
- Public region timestamps are reduced to a date (
YYYY-MM-DD) rather than exposing a time of day
- The public community feed never includes your account identifier, device identifier, or display name
How We Use Your Information
- Species Identification: Photos and optional location data are sent to Google Gemini AI via our secure server proxy for species identification. Photos are not permanently stored by the AI service
- Social Features: Your profile information, friend connections, and trade data are stored on Firebase servers to enable multiplayer features
- Account Backup and Recovery: When you sign in with Google or Apple, your dex entries and their photos are mirrored to your account so you can recover them after reinstalling or switching devices
- Community Map: Aggregated, admin-region sighting data powers a public map of where species are being seen. Individual sightings and raw coordinates are never published
- Push Notifications: FCM tokens are used to notify you of friend requests, trade offers, and other app events
- Advertisements: Google AdMob displays ads to free users. AdMob may collect device identifiers and usage data according to Google's privacy policy. Premium subscribers (dex++) do not see ads
- In-App Purchases: Subscription purchases are processed by Apple (App Store) or Google (Play Store). We store your subscription status locally; we do not collect or store payment information
- App Improvement: Usage data stored locally on your device helps us understand how features are used
Data Storage
Local Storage (On Your Device)
- Species discoveries, sighting history, and photos (the full-resolution copy stays on your device unless you sign in for backup)
- Quest progress, XP, and badge data
- Profile/avatar preferences and user preferences
- Subscription status
- Optionally, a copy of each photo is also written to your device's Photos / Gallery if you turn on "Save originals to camera roll" in Settings, so it is included in your normal phone backup (such as iCloud Photos or Google Photos). We do not control or receive that backup
Server Storage (Firebase/Google Cloud)
- User profile data (display name, level, badges, friend code, avatar settings, and optional profile photo)
- Friend lists and friend requests
- Trade data and uploaded trade photos
- Profile photos for social features, stored so only the owner can access them directly and active friends can view them through the authenticated app service
- Sighting backups (only when you have signed in with Google or Apple): per-user dex entries and their compressed photos, stored under your account so only you can access them
- Aggregated, admin-region community sighting data used for the public map (see "Information Used in the Public Community Map" above)
- FCM push notification tokens
- Anonymous, Google, Apple, or email authentication credentials
Our servers are hosted on Google Cloud Platform (Firebase) in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.
Data Security
We use industry-standard security measures to protect your data:
- All communication between the app and our servers uses HTTPS encryption
- Server access is restricted to authenticated users via Firebase Authentication
- Firestore security rules enforce that users can only access their own data
- Firebase Storage rules restrict photo uploads to authenticated users
- AI identification requests are routed through our authenticated server proxy
Third-Party Services
The app uses the following third-party services, each with their own privacy policies:
We do not sell your personal information to any third party.
Permissions
The app may request the following device permissions:
- Camera: To take photos for species identification and trading
- Location (Optional): To record where you discovered each species, to provide location context for AI identification, and to derive anonymized admin-region aggregates for the community map without publishing exact coordinates
- Notifications (Optional): To receive alerts about friend requests, trades, and app events
- Photo Library (Optional, iOS): If you enable "Save originals to camera roll" in Settings, the app needs permission to add photos to your library. The app does not read your existing photo library
All permissions are optional and requested at the point of use. You can revoke permissions at any time through your device settings.
Your Rights
Regardless of where you are located, you have the right to:
- Access: View your data, which is primarily stored locally on your device. Server-stored profile data is visible within the app
- Deletion: Request deletion of your server-stored data by contacting us at the email below. Local data can be deleted by uninstalling the app or clearing app data
- Opt-Out of Location Tracking: Deny or revoke location permission in your device settings
- Opt-Out of Push Notifications: Disable notifications in your device settings
- Withdraw Consent: Stop using the app at any time
Additional Rights for Users in the European Economic Area (EEA) and United Kingdom
Under the General Data Protection Regulation (GDPR), you also have the right to:
- Rectification: Request correction of inaccurate personal data
- Portability: Request a copy of your data in a portable format
- Restriction: Request restriction of processing of your personal data
- Object: Object to processing of your personal data
- Lodge a Complaint: File a complaint with your local data protection authority
Our legal basis for processing your data is:
- Consent: For optional features like location tracking and push notifications
- Legitimate Interest: For core app functionality, security, and fraud prevention
- Contract Performance: For providing subscription services you purchase
To exercise any of these rights, contact us at: support@wildcarddex.com
Data Retention
- Local Data: Retained on your device until you uninstall the app or clear app data
- Server Data: Profile and social data are retained while your account exists. You may request deletion by contacting us
- Trade Photos: Retained in Firebase Storage while the associated trade exists
- Sighting Backups: Retained in Firestore and Firebase Storage while your account exists. Deleting a sighting in the app removes it from the server backup; signing out from Settings does not delete previously uploaded backups, but you may request deletion by contacting us
- FCM Tokens: Retained while you have notifications enabled; removed when you disable notifications or uninstall the app
- Authentication Data: Retained until account deletion is requested
Children's Privacy
The app is suitable for general audiences. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA) without verifiable parental consent. If we learn that we have collected personal information from a child without appropriate consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.
International Data Transfers
Our servers are located in the United States. If you use the app from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the app, you consent to this transfer. For users in the EEA and UK, these transfers are conducted in compliance with applicable data protection laws, relying on Google's data processing terms and standard contractual clauses.
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy within the app and updating the "Last Updated" date. Continued use of the app after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions, concerns, or requests regarding this privacy policy or your personal data, please contact us at:
← Back to Home