This page is maintained by the Strolla team to answer common security and privacy questions about the app. It describes current practices and is not an independent certification.
Accounts & sign-in
Sign-in uses email/password and Google. We never see or store your Google password — Google handles authentication and returns an identity token we use to create your session.
You can sign out at any time from your profile page. Deleting your account on request removes your profile, progress, and rewards.
Data in transit & at rest
All traffic between your device and Strolla is encrypted with HTTPS (TLS). Data is stored in a managed PostgreSQL database hosted by our infrastructure provider, with encryption at rest provided by the platform.
What we store
We store the information you give us (profile name, optional avatar), gameplay data (XP, completed tours, rewards), and notification preferences. We do not sell your data.
Public leaderboard entries show your chosen display name, avatar, and XP total. Other users cannot see your email address or private activity.
Access controls
Row-level security is enforced in the database so that signed-in users can only read and modify their own records. Admin tooling is limited to accounts with an explicit admin role.
Push notifications are delivered only to your own subscribed devices, and the delivery endpoint is protected by a server-side secret so it cannot be triggered by third parties.
Reporting a security issue
If you believe you have found a security or privacy issue, please email vunjaklabs@gmail.com with the details. We respond as quickly as we can.
We update this page as the product evolves. Last reviewed: June 2026.