Back

Privacy Policy

Effective Date: April 29, 2026

Version 2.0

This Privacy Policy explains how The Fifth Family ("we", "us", "our") collects, uses, shares, and protects personal data when you use our game, website at www.thefifthfamily.com, mobile applications, and related services (the "Service").

It is written to comply with the UK General Data Protection Regulation and the Data Protection Act 2018 (the "UK GDPR"), the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "EU GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Brazilian General Data Protection Law (Lei 13.709/2018, "LGPD"), and equivalent laws where applicable.

This Privacy Policy should be read alongside our Terms of Service and Code of Conduct.

Quick summary. We collect what we need to run the Service: the email and password you sign up with, the game data your account generates, technical logs to keep the game secure, and payment records when you buy something. We do not sell your personal data. We use a small number of trusted third parties (listed in Section 6) to deliver the Service. You have rights to access, delete, and control your data, and you can exercise them by emailing [email protected].

Contents

Who We Are & Controller
Data We Collect
How We Use Your Data & Legal Basis
Anti-Cheat & Automated Decision-Making
Cookies & Tracking
Third-Party Services & Sub-Processors
Sharing & Disclosure
International Transfers
How Long We Keep Data
How We Protect Data
Your Rights (UK / EU)
California Residents (CCPA / CPRA)
Brazil Residents (LGPD)
Other Jurisdictions
Children's Privacy
Marketing & Email Communications
Push Notifications
Account Deletion
Data Breach Notification
Changes to This Policy
How to Contact Us

1. Who We Are & Data Controller

The Fifth Family is the data controller of personal data collected through the Service. We are based in the United Kingdom. Our contact details are at Section 21.

References to a "controller", "processor", "personal data", "processing", and "data subject" have the meaning given in the UK GDPR. References to "personal information", "sale", and "sharing" in Section 12 have the meaning given by CCPA/CPRA.

2. Data We Collect

We collect the following categories of personal data, broken down by purpose. Most categories are collected directly from you; some are generated automatically when you use the Service; and some are received from third parties (such as payment processors).

2.1 Account & Identity

Email address — required for registration, login, password reset, and transactional communications.
Username — chosen by you; visible publicly inside the game.
Password — stored only as a salted, one-way hash (bcrypt). We never see, store, or transmit your password in plain text.
In-character profile data you provide voluntarily — character gender, avatar, profile background, slogan, bio, badge, family crest, family banner. These are visible to other Players according to your privacy settings.
Account state — registration date, last login date, last login IP, account status, deletion-request timestamp, terms-of-service version accepted and acceptance timestamp.

2.2 Game & Service Data

Gameplay data — level, XP, in-game currencies (cash, bank, Mafia Gold, Platinum, respect, combat rating), inventory, equipped items, properties, vehicles, vigilantes, cosmetics, collections, families, ranks, blood bonds, bloodline allocations, achievements, mission progress, daily / battle / syndicate pass progress.
Action logs — crime, attack, raid, smuggling, heist, casino, training, career, racing, market, property, banking, mail, support, family, forum, and chat activity, including timestamps and outcomes.
Communications you send — chat messages, mail (private and group), forum posts, family forum posts, support tickets, and ticket replies. Stored on our servers in plain text and visible to relevant Players, recipients, and (where moderation requires) staff.
Cooldowns & timers — jail timers, hospital timers, travel timers, regen timers, ban or mute durations.
Referral attribution — referral code, referring user ID, referral milestone progress, marketing source / UTM parameters captured at signup.

2.3 Technical & Device Data

IP address — collected on every request to the Service. Used for security, fraud detection, multi-account detection, and (in approximate form) for jurisdictional compliance.
User-agent string — browser and OS details sent by your device.
Capacitor / app flag — a cookie that tells us whether you are using our mobile application or the website.
Login event logs — successful and failed login attempts, with IP, user-agent, and timestamp, stored in our login logs table.
Security event logs — rate-limit triggers, suspicious activity, CSRF failures, session-fingerprint mismatches, IP-ban events.
Approximate location — derived from your IP address. We do not collect precise geolocation. The location may be used to apply regional rules (for example, to restrict Casino Features in jurisdictions where they are legally restricted).

2.4 Purchase & Payment Data

Transaction records — product purchased, date, price, currency, platform (Apple App Store, Google Play, Stripe, PayPal), transaction or order identifier, and the in-game items credited. Stored in our iap transactions, paypal orders, purchase log, and related tables.
Risk & chargeback signals received from payment processors.
We do not see, store, or process your payment-card details. Card data is collected and processed exclusively by Apple, Google, Stripe, or PayPal under their own privacy policies.

2.5 Push & Notification Tokens

If you allow push notifications in our mobile app, we store your device push token and platform identifier (iOS or Android) so we can deliver gameplay notifications via Firebase Cloud Messaging or Apple Push Notification Service.

2.6 Support & Moderation Data

Support tickets you submit, with category, subject, message body, replies, status, priority, and assignment to staff.
Player warnings, bans, mutes, and IP bans with reasons, duration, the staff member who issued them, and any associated multi-account watchlist entries.
Staff notes attached to your account by moderators or administrators.

2.7 Data Categories We Do Not Collect

We do not knowingly collect any of the following:

Real legal name (we do not require it);
Date of birth (we age-gate by self-attested checkbox at registration only);
Government-issued ID, biometric data, or precise GPS location;
Sensitive personal data under Article 9 UK GDPR (race, religion, health, sexual orientation, etc.) — please do not submit any of this through chat, support tickets, or other Service features;
Payment-card numbers, CVV, or banking details.

3. How We Use Your Data & Legal Basis

Under UK and EU GDPR we must identify a legal basis for every purpose. The following table sets out our purposes, the data involved, and the legal basis we rely on:

Purpose	Data Involved	Legal Basis (UK / EU GDPR)
Create and operate your account	Account & identity, game data	Performance of contract (Art. 6(1)(b))
Authenticate logins, manage sessions	Account, technical, login logs	Performance of contract; legitimate interests in security (Art. 6(1)(b)/(f))
Process and fulfil purchases, deliver virtual items	Purchase records, account	Performance of contract (Art. 6(1)(b))
Tax, accounting, and statutory record-keeping	Purchase records	Legal obligation (Art. 6(1)(c))
Send transactional emails (receipts, password reset, security alerts)	Email, account	Performance of contract; legal obligation (Art. 6(1)(b)/(c))
Send marketing newsletters and promotional emails	Email, name, marketing preferences	Consent (UK PECR / EU ePrivacy & Art. 6(1)(a)) — opt-in only and revocable at any time
Detect and prevent fraud, multi-accounting, automation, RMT, and abuse	Technical, action logs, security events, communications metadata, payment risk signals	Legitimate interests in protecting the Service and our Players (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c))
Moderate user-generated content and enforce our Terms / Code of Conduct	Communications content, action logs, support tickets	Legitimate interests; legal obligation (UK Online Safety Act 2023, EU DSA)
Provide customer support and resolve disputes	Support tickets, account, action logs	Performance of contract; legitimate interests
Send push notifications related to gameplay	Push token, platform, account	Consent (your device permission grant) (Art. 6(1)(a))
Improve and develop the Service (analytics, balancing)	Aggregated, pseudonymised gameplay metrics	Legitimate interests (Art. 6(1)(f))
Cookie-based website analytics and marketing pixels	Cookie identifiers, IP, page activity	Consent (UK PECR / EU ePrivacy)
Comply with law enforcement, court orders, regulatory requests	Whatever is lawfully requested	Legal obligation (Art. 6(1)(c))
Establish, exercise, or defend legal claims	Whatever is relevant	Legitimate interests (Art. 6(1)(f))

Where our legal basis is "legitimate interests" we have balanced our interests against your rights and freedoms. You may object to processing on this basis at any time (Section 11).

4. Anti-Cheat & Automated Decision-Making

To keep the Service fair and secure we operate automated systems that analyse behavioural and technical data — including IP, device fingerprints, login patterns, request rates, in-game actions, communications metadata, and payment-risk signals — to detect:

Multi-accounting and farm accounts;
Bots, scripts, and other automation;
Real-Money Trading (RMT) patterns;
Fraud, chargeback abuse, and account takeover;
Code of Conduct breaches.

Automated detection may produce alerts, watchlist entries, rate-limit triggers, or temporary restrictions. Decisions of significant impact on you (including permanent bans, account terminations, and forfeiture of Virtual Items) include human staff review before being final. You have the right to appeal any moderation decision through the in-game Support Ticket system, and to obtain meaningful information about the logic involved by contacting us.

The legal basis for this processing is our legitimate interests in protecting the integrity of the Service, our Players, and our community, balanced against your rights.

5. Cookies & Tracking

We use a small number of cookies and similar storage mechanisms (local storage, session storage). These fall into two categories:

5.1 Strictly Necessary (no consent required)

Session cookie (MAFIA SID) — keeps you logged in. Cleared when you log out or your session expires.
CSRF token — protects you from cross-site request forgery attacks.
App-detection cookie (capacitor app) — tells the server you are using the mobile app so we can show the right interface.
Referral cookie (tff ref, 24-hour lifespan) — captures a referral code from a referral URL so the referrer is credited if you sign up.

5.2 Optional — Analytics & Marketing (consent required)

On our website (not within the in-game session), where lawfully permitted and subject to your consent, we use:

Google Analytics (cookies _ga, _gid) — to understand how visitors find and use our site, on an aggregated basis. Privacy: policies.google.com/privacy.
Google Ads / DoubleClick — for measurement and conversion tracking on our marketing pages. May set advertising-identifier cookies.
Meta (Facebook) Pixel — for measurement and conversion tracking on our marketing pages. Privacy: facebook.com/privacy/policy.

Where required by UK PECR, EU ePrivacy, or other law, we will request your consent before setting non-essential cookies, via a cookie banner. You can withdraw consent or change your preferences at any time. Strictly necessary cookies cannot be disabled; if you block them, the Service may not function.

You can also manage cookies through your browser settings, opt out of Google Analytics via the Google opt-out tool, and exercise advertising opt-outs at youronlinechoices.com (UK/EU) or optout.aboutads.info (US).

6. Third-Party Services & Sub-Processors

We rely on a limited number of trusted service providers ("sub-processors") to operate the Service. Each acts on our instructions under written agreements that include data-protection terms required by law. The current list:

Provider	Purpose	Data Categories	Location
Hosting / server provider	Hosting the Service and its database	All Service data	UK / EU
Apple App Store	App distribution, in-app purchases on iOS	Purchase records, transaction IDs	Global (Apple)
Google Play Store	App distribution, in-app purchases on Android	Purchase records, transaction IDs	Global (Google)
Stripe	Web-based payments	Transaction details, risk signals (we do not see card numbers)	Ireland / United States
PayPal	Web-based payments	Transaction details, order IDs	Global (PayPal)
RevenueCat	Cross-platform purchase verification and entitlement management	User identifier, transaction records, platform	United States
Firebase Cloud Messaging (Google)	Push notifications on Android	Push token, message payload	Global (Google)
Apple Push Notification Service	Push notifications on iOS	Push token, message payload	Global (Apple)
Google Analytics	Aggregated website analytics (subject to consent)	Cookie IDs, pseudonymised IP, page events	Global (Google)
Google Tag Manager	Tag deployment for analytics and marketing	Tag configuration only	Global (Google)
Google Ads / DoubleClick	Marketing measurement and conversion tracking (subject to consent)	Cookie IDs, conversion events	Global (Google)
Meta (Facebook) Pixel	Marketing measurement (subject to consent)	Cookie IDs, conversion events	Global (Meta)
Beehiiv	Newsletter and marketing-email delivery	Email address, subscription status	United States
Discord	Optional community server (linked from the Service)	Whatever you submit on Discord — governed by Discord's policy	United States
Cloudflare (where used)	Network protection, DDoS mitigation, bot management	IP address, request metadata	Global (Cloudflare)

This list may change as we add or remove providers. We will keep this Section up to date and where required will give you advance notice of material additions.

7. Sharing & Disclosure

We do not sell personal data, and we do not "share" personal data for cross-context behavioural advertising in the CCPA/CPRA sense, except to the extent that the marketing pixels described in Section 5.2 may constitute "sharing" under California law — in which case Californian residents may opt out as set out in Section 12.

We disclose personal data only as follows:

To other Players — your username, public profile, in-game actions visible by design (attacks, family activity, market listings, etc.), and chat / mail content with the recipients you choose.
To our sub-processors (Section 6) — under data-protection terms.
To professional advisors (lawyers, accountants, auditors) — where necessary and under confidentiality obligations.
To law enforcement, regulators, or courts — when we are legally required, or where reasonably necessary to protect rights, property, or safety. We will resist disclosure that we believe is overreaching.
In connection with a corporate transaction — if we sell, merge, restructure, or transfer all or part of our business, personal data may transfer to the buyer or successor entity, with notice to you and continuing protection at least equivalent to this Policy.

8. International Transfers

Some of our sub-processors are located outside the UK or EEA (notably the United States). When personal data is transferred outside the UK or EEA we use one or more lawful transfer mechanisms, including:

Adequacy decisions made by the UK government or the European Commission (for example, the UK Extension to the EU-US Data Privacy Framework where the recipient is certified);
The UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses;
Additional safeguards (encryption, access controls, contractual restrictions) where appropriate.

You may request a copy of the safeguards we rely on by contacting [email protected].

9. How Long We Keep Data

We keep personal data only for as long as we need it for the purposes set out in this Policy and the legal periods we are required to observe. The principles we apply:

Category	Retention
Active account data (account, gameplay, communications)	For the life of your account, plus a short technical buffer for backups
Personal data after account deletion	Deleted or irreversibly anonymised within 30 days of a verified deletion request, except where another rule below applies
Payment / tax records	Up to 7 years from the transaction (UK HMRC and equivalent obligations)
Login and security event logs	Up to 12 months, or longer where needed for an open investigation
Moderation records (warnings, bans, watchlist)	Retained while the underlying issue may recur or be appealed; serious-misconduct records may be retained indefinitely to prevent re-creation of banned accounts
Backups	Rolling backup retention of up to 90 days; deleted-account data is overwritten in the normal backup-rotation cycle
Anonymised / aggregated analytics	May be retained indefinitely as it is no longer personal data

10. How We Protect Data

We apply technical and organisational measures appropriate to the risk, including:

HTTPS / TLS encryption for data in transit;
Salted, hashed password storage (bcrypt) — passwords are never stored in plain text;
Server-side authoritative game logic — sensitive operations (combat, casino outcomes, mine positions, currency mutations) are computed and validated on the server, not the client;
CSRF token verification on every state-changing endpoint;
Rate limiting and brute-force protection on authentication and high-risk endpoints;
Session fingerprinting, IP and device tracking for anomaly detection;
IP and account ban systems for malicious activity;
Restricted staff access on a need-to-know basis with role-based permissions and audit logging;
Regular review of third-party libraries, hosting infrastructure, and security configuration.

No system can be guaranteed 100% secure. If you believe your account has been compromised, contact [email protected] immediately.

11. Your Rights (UK / EU)

If you are in the UK or the EEA, you have the following rights under the UK GDPR and EU GDPR:

Right of access — request a copy of the personal data we hold about you;
Right to rectification — ask us to correct inaccurate or incomplete data;
Right to erasure ("right to be forgotten") — ask us to delete your data, subject to legal exceptions;
Right to restriction — ask us to limit processing in defined circumstances;
Right to data portability — receive certain data in a structured, commonly-used, machine-readable format, or have it transmitted to another controller;
Right to object — to processing based on legitimate interests, including profiling, and to direct marketing at any time;
Right to withdraw consent — where processing is based on consent (for example, marketing or non-essential cookies), at any time, without affecting prior lawful processing;
Right not to be subject to a decision based solely on automated processing — see Section 4 on human review;
Right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, your local data-protection authority — list at edpb.europa.eu.

To exercise any of these rights, email [email protected] with the subject "Data Subject Request". We will respond within one month (extendable by up to two further months for complex requests, with notice). We may need to verify your identity before acting. Requests are free of charge unless they are manifestly unfounded or excessive.

12. California Residents (CCPA / CPRA)

If you are a California resident, the CCPA/CPRA gives you the following rights:

Right to know — what categories of personal information we collect, the sources, the purposes, and the categories of third parties we disclose to;
Right to delete — request deletion of personal information we have collected from you, subject to exceptions;
Right to correct — request correction of inaccurate personal information;
Right to opt out of sale or sharing — see below;
Right to limit use of sensitive personal information — we do not knowingly collect sensitive personal information as defined by CCPA;
Right to non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised a privacy right.

12.1 Categories of Personal Information Collected (last 12 months)

Identifiers; commercial information (purchase records); internet/network activity; approximate geolocation; user-generated content; inferences (e.g. behavioural patterns used for anti-cheat). Categories collected and purposes are detailed in Sections 2 and 3.

12.2 "Sale" and "Sharing"

We do not sell personal information for monetary value. We may "share" certain identifiers and online activity with our analytics and advertising partners (Google, Meta) for cross-context behavioural advertising on our marketing pages. California residents may opt out of this sharing by:

Using the cookie consent banner where shown;
Sending a request to [email protected] with subject "California Privacy Request — Do Not Share";
Enabling the Global Privacy Control (GPC) signal in your browser, which we honour as a valid opt-out request.

12.3 Authorised Agents

You may designate an authorised agent to act on your behalf. We will require written authorisation and verification.

12.4 "Shine the Light"

We do not disclose personal information to third parties for their direct-marketing purposes.

13. Brazil Residents (LGPD)

If you are in Brazil, the Lei Geral de Proteção de Dados (Law 13.709/2018) gives you the following rights:

Confirmation of processing and access;
Correction of incomplete, inaccurate, or out-of-date data;
Anonymisation, blocking, or deletion of unnecessary or excessive data, or data processed unlawfully;
Portability;
Information about public and private entities with which we have shared your data;
Information about the possibility of refusing consent and the consequences of refusal;
Revocation of consent;
To file a complaint with the Brazilian National Data Protection Authority (ANPD).

To exercise these rights, contact [email protected] with the subject "LGPD Request".

14. Other Jurisdictions

Canada (PIPEDA) — Canadian residents may exercise rights of access, correction, and complaint under PIPEDA via the contact details in Section 21.
Australia (Privacy Act 1988) — Australian residents may contact us about access, correction, or complaint to the Office of the Australian Information Commissioner (oaic.gov.au).
Other US states (Virginia, Colorado, Connecticut, Utah, Texas, and others with comprehensive privacy laws) — residents may exercise the rights granted by their state law via the contact details in Section 21. We treat such requests with parity to CCPA/CPRA where consistent with our obligations.
South Korea, Japan, Singapore, India and others — local rights apply mandatorily where relevant; contact us to exercise them.

15. Children's Privacy

The Service is intended only for adults (Players aged 18 or over) and is rated accordingly. We do not knowingly collect personal data from anyone under the age of 18. We do not target the Service to children, and our age-gate at registration requires self-attestation that the Player is 18 or older.

If we become aware that an account belongs to someone under 18, we will suspend the account immediately and delete or anonymise the associated personal data. We do not sell or share personal information of minors and we do not engage in cross-context behavioural advertising to minors.

If you are a parent or guardian and believe your child has registered, contact [email protected] immediately and we will action removal.

16. Marketing & Email Communications

16.1 Transactional Emails

Receipts, password resets, account-security notifications, and mandatory service notices (such as material changes to these Terms or this Policy) are sent on the basis of contract performance and legal obligation. They are essential to operating your account and cannot be opted out of while your account is active.

16.2 Marketing

We may send marketing emails (newsletters, event announcements, seasonal content, occasional promotions) only where you have opted in (UK / EU) or where the soft-opt-in conditions of UK PECR are satisfied (e.g. you provided your email in the course of registering for our Service, the marketing relates to similar features, and you were given a clear opt-out at every step). We use Beehiiv for newsletter delivery — Beehiiv Privacy Policy.

16.3 How to Opt Out

Every marketing email contains an unsubscribe link. Clicking it removes you from our marketing list and stops further marketing emails. You can also email [email protected] with subject "Unsubscribe" at any time. Opt-out is processed promptly. Opting out of marketing does not affect transactional emails.

17. Push Notifications

If you grant push permission in our mobile app, we send notifications related to gameplay (energy restored, hospital release, attacks, mail, support replies). Your push token is stored securely and is used only for delivery via Firebase Cloud Messaging (Android) or Apple Push Notification Service (iOS). You can disable push notifications at any time through your device settings or in-app, which revokes consent for future notifications.

18. Account Deletion

You may request account deletion at any time:

Through the in-game Support Ticket system; or
By emailing [email protected] with subject "Account Deletion Request".

We will verify the request, then permanently delete or irreversibly anonymise your personal data within 30 days. This includes account, profile, gameplay, communications, and most logs. We retain limited records where required by law (Section 9), where a moderation matter remains open, or where data is needed to establish, exercise, or defend legal claims.

Deletion is permanent. Virtual Items, Virtual Currency, and active premium passes are forfeited without refund (see Terms of Service, Section 18).

19. Data Breach Notification

If we suffer a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (and any other relevant supervisory authority) within 72 hours of becoming aware, where required by law. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

20. Changes to This Policy

We may update this Policy from time to time. The "Effective Date" at the top reflects the latest version. Where changes are material, we will give you notice by email, in-game notification, or both, before the changes take effect. Where law requires, we will obtain renewed consent. Continued use of the Service after the Effective Date of an update means you accept the updated Policy.

21. How to Contact Us

For any privacy question, request, complaint, or to exercise any right described in this Policy:

Email: [email protected]
Subject lines that help us route your request quickly: "Data Subject Request", "California Privacy Request", "LGPD Request", "Account Deletion Request", "Cookie Preferences", "Unsubscribe".
In-game: Support Ticket system
Website: www.thefifthfamily.com

UK Players have the right to complain to the Information Commissioner's Office (ico.org.uk). EU Players may complain to their local data-protection authority.

See also: Gazette · Terms of Service · Code of Conduct · Game Manual