This policy describes what data LWS Quartermaster collects, how it uses that data, and the controls available to users. The Service is a fan-made tool for analyzing alliance and player data from the mobile game Last War: Survival (developed by First Fun, published by FUNFLY PTE. LTD); the Service is operated independently of both the developer and the publisher.
| Field | Why we have it |
|---|---|
| Email address | Account identification, password reset |
| Password (hashed with argon2id) | Authentication. Plaintext is never stored. |
| Display name | How you appear in the portal UI |
| Last login timestamp + IP | Audit, security review |
access_token cookie — short-lived (4 hours) JWT identifying the signed-in user. Set as secure, httpOnly, samesite=lax.refresh_token cookie — 30-day rotating token used to mint new access tokens without re-prompting for password.
The companion Windows client passively captures specific
SmartFoxServer packets from the running game (developed by
First Fun, published by FUNFLY PTE. LTD) and forwards them to the
portal. Captured packets include:
All of this data is publicly observable in-game by anyone who taps the relevant icons; the LWS Client does not extract anything that is not already exposed to the running game client. The LWS Client does not capture chat messages, mail content, payment information, or your in-game account credentials for First Fun / FUNFLY PTE. LTD's services.
The Service uses only the session cookies described in §1.2. No third-party tracking, analytics, or advertising cookies are set.
Data is stored on a single AWS EC2 instance in the eu-west-1 region. The database is a single SQLite file on an encrypted EBS volume. HTTPS (TLS 1.3) is enforced via Caddy with Let's Encrypt certificates. Passwords are hashed with argon2id; plaintext passwords are never persisted anywhere.
We do NOT:
Within the platform, alliance data is shared among members of that alliance (rosters, power, VS scores) and visible to platform admins. Map tile data on a server is visible to all users with map_track module access on that server.
Two distinct retention rules apply, depending on whether the data identifies you as the registered account holder or describes in-game state captured by the LWS Client.
Data captured by the LWS Client — alliance rosters, world-tile observations, VS-event scores, similar in-game state — is not personally identifying to you as the account holder. It describes other players' in-game characters as the game itself broadcasts that state to anyone playing nearby. We retain captured game data as part of the historical record of your alliance's performance for as long as the Service operates, because that history is the core feature Quartermaster exists to provide.
If you appear in captured rosters via your own linked in-game player and you want those records deleted (for example, after you stop playing the game), email privacy@0x88.sh with the in-game uid(s) you want removed. We will action verified deletion requests within 30 days. Deletion of one player's records does not delete that player's appearance in alliance-wide aggregate metrics where re-identification is no longer possible.
Subject to applicable law (including the GDPR for users in the EU/EEA and the UK Data Protection Act), you may:
To exercise these rights, contact the platform operator at privacy@0x88.sh. We aim to respond within 30 days; identity verification may be required for access or deletion requests covering personal data.
You also have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) — the lead supervisory authority given the Service's eu-west-1 hosting — or with the supervisory authority in your country of residence, if you believe your data has been processed unlawfully.
The Service is not directed at children under 16, and we do not knowingly collect personal data from anyone under that age. The threshold is set at 16 universally — matching the GDPR Art. 8 digital consent age in the strictest EU/EEA Member States — rather than the 13-year baseline applied in some other jurisdictions, to keep a single defensible age across all users.
The Service does not operate an age-verification mechanism; eligibility relies on the self-declaration made when accepting the Terms of Service at registration. If you become aware that a person under 16 has registered, contact us at privacy@0x88.sh. Once we confirm the report, we will delete the account and any directly-identifying records associated with it within 5 business days.
Data is processed in eu-west-1 (Ireland). If you access the Service from outside the EU, your data is transferred to the EU for processing.
Material changes will be surfaced in the portal UI and/or via email to registered users. The "last updated" date at the top of this page reflects the most recent revision.
Privacy questions, data subject requests, and breach reports can be directed to privacy@0x88.sh.