Privacy Policy

2. What Data We Collect

2.1 Data You Provide Voluntarily

• Contact / Support Data. Name, email address, and any details you provide when contacting our customer support. Retained for up to three years after your last contact to handle follow-up queries.
• Survey / Feedback Data. Information you submit through in-game surveys, beta feedback forms, or promotional entries.

2.2 Data Collected Automatically

When you use our Services, the following data is collected automatically:

• Device Identifiers. Apple Identifier for Advertisers (IDFA) on iOS; Google Advertising ID (GAID) on Android. These are non-permanent, resettable identifiers that enable ad personalisation, frequency capping, and attribution. You can reset or limit them in your device settings (iOS: Settings > Privacy & Security > Tracking; Android 12+: Settings > Google > Ads > Delete Advertising ID). We also collect the Identifier for Vendor (IDFV) or Android ID for analytics purposes; these do not follow you across apps. Zero-State Handling: If you have disabled ad tracking (iOS “Limit Ad Tracking” or declined ATT prompt) or deleted your advertising ID (Android 12+), we will serve only contextual (non-personalised) ads and use device-bound identifiers (IDFV/Android ID) for analytics only. This does not affect core gameplay functionality.
• IP Address. Collected automatically. We use your IP address to derive broad geographic location (country and city). Raw IP addresses are retained for a maximum of 14 days for security, fraud prevention, and operational logging, after which they are deleted or truncated. The IP-derived geolocation (country/city only) may be retained as part of aggregated session data for the durations specified in Section 10.
• Device & OS Information. Manufacturer, model, screen resolution, operating system and version, system language and locale, network type (Wi-Fi or mobile data), and basic hardware specifications (CPU, RAM, available storage). Used for game compatibility, performance optimisation, and detecting low-end devices.
• Gameplay / Session Data. Level reached, scores, session start and end times, features used, items purchased, achievements unlocked. This is core analytics data processed via Unity Analytics and Google Firebase Analytics.
• Ad Interaction Data. Which ads were shown, viewed, clicked, or resulted in installs. Used for ad measurement, fraud detection, and campaign optimisation.
• Anti-Cheat & Integrity Data. We employ automated detection systems to identify modified game clients (modded APKs, jailbreak tweaks), emulator or virtualisation usage, abnormal progression patterns (impossible score changes, timing anomalies), and payment fraud indicators (chargebacks, refund abuse patterns). Detection methods include device fingerprinting (hardware identifiers, screen properties, sensor data), behavioral analytics (gameplay velocity, input patterns), code integrity checks (binary signature verification, runtime tampering detection), and transaction anomaly scoring. This processing is necessary to maintain fair gameplay, prevent economic harm to legitimate players, protect our revenue from fraud, and comply with anti-money laundering obligations. Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) — our legitimate interest in preventing fraud and ensuring service integrity outweighs any minimal privacy impact, as the data collected is technical and non-sensitive. Violators may be permanently banned without refund and may have their device identifiers blocklisted from future access.
• Crash & Error Logs. Stack traces, error codes, and device state at the time of a crash. These logs do not ordinarily contain personal identity information.
• App Performance Metrics. Frame rate, load times, latency. Used for quality assurance.
• Broad Geolocation. Country or city derived from your IP address. We never collect precise GPS-level location data.
• Third-Party SDK Data. Third-party SDKs integrated in our games (see Section 5) automatically collect certain device and usage data. Please refer to each SDK’s own privacy policy for details.

2.3 Data Received From Third Parties

• Install Attribution Data. From advertising networks (e.g. CAS.ai downstream partners, Unity Ads): which campaign, network, or creative led to a user installing our game. Includes a device ID hash, not personal identity.
• App Store Transaction Data. From Google Play and the Apple App Store: device ID, order timestamp, encrypted order details. Used only to fulfil in-app purchases.
• Analytics Aggregates. Third-party analytics providers may share aggregated or benchmarked data back to us. This is not individual-level personal data.

2.4 Data We Do NOT Collect

• We do not intentionally collect racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, trade union membership, biometric data, or genetic data.
• We do not collect credit card numbers, bank account numbers, or financial credentials. All payments are handled entirely by the app store.
• We do not collect passport numbers, national insurance numbers, social security numbers, or similar government-issued identifiers.
• We do not knowingly collect any personal data from users under the applicable minimum age (see Section 7).

3. How We Use Your Data

We process your personal data for the following purposes:

1. Service Delivery. To operate our games, enable core features, serve game content, apply updates, and ensure the game runs correctly on your device.
2. In-App Purchase Fulfilment. To verify, process, and deliver in-app purchases and subscriptions made through the app store.
3. Game Performance & Bug Fixing. To identify crashes, performance bottlenecks, and technical errors in order to improve game stability.
4. Analytics & Research. To understand how users interact with our games, identify popular features, inform product decisions, and improve future game design. Processed via Unity Analytics (see Section 5.8).
5. Displaying Contextual Ads. To show non-personalised advertisements to users who have not consented to interest-based advertising.
6. Displaying Personalised Ads. To show targeted, interest-based advertisements to users who have given explicit consent. Legal basis: consent only.
7. Cross-Promotion. To promote our other games to users of this game.
8. Advertising Campaign Tracking. To measure the effectiveness of our advertising campaigns promoting our games in other apps.
9. Fraud Detection & Prevention. To identify and block bots, fake installs, ad fraud, cheating, and account compromise attempts.
10. Safety & Security. To protect users from harmful content, harassment, or abuse within our services.
11. Customer Support. To receive, process, and respond to support tickets, bug reports, and user complaints.
12. Legal Compliance. To meet legal obligations including tax records, responding to law enforcement requests, and complying with child protection laws.
13. Business Operations. For internal administration: financial reporting, internal auditing, and staff training using anonymised data.
14. Business Transfers. In the event of a merger, acquisition, or asset sale, data may be transferred as part of the business assets.

4. Legal Basis for Processing

Under Article 6 of the UK GDPR and EU GDPR, we must have a lawful basis for every processing activity. The following table maps each purpose to its legal basis.

Consent withdrawal. You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent through our in-app privacy settings or by contacting us at privacy@avajora.com.

Legitimate Interests Assessment. Where we rely on legitimate interests, we have conducted an internal Legitimate Interests Assessment (LIA) that balances our interests against your rights and freedoms. In summary: our legitimate interest in analytics is balanced against minimal privacy impact because we use device-bound identifiers (not advertising IDs) for analytics, data is aggregated at the cohort level, and individual users are not profiled for advertising purposes. For contextual ads, no personal targeting occurs. For fraud detection, the security benefit to all users outweighs the limited processing involved. A full copy of the LIA is available on request by contacting privacy@avajora.com.

Data Protection Impact Assessment (DPIA). We have conducted a Data Protection Impact Assessment under GDPR Article 35 for our large-scale processing of advertising identifiers and behavioural data across our user base. The DPIA evaluates the necessity and proportionality of the processing, assesses risks to data subjects, and documents the safeguards and measures we apply to mitigate those risks. A summary of the DPIA is available on request by contacting privacy@avajora.com.

Automated Decision-Making. We do not use automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you, as described in GDPR Article 22. Ad personalisation is based on interest signals processed by our advertising partners and does not constitute automated decision-making with legal or similarly significant effects.

5. Advertising

5.1 Why Advertising Exists

Advertising revenue is what enables us to offer our games for free or at a low cost. We display the following ad formats: banner ads, interstitial (full-screen) ads, and rewarded video ads. Rewarded video ads are always voluntary — you choose to watch them in exchange for in-game benefits.

We do not directly choose individual advertisements. That decision is made by our advertising network partners using their own algorithms. We may blacklist certain ad categories that we consider inappropriate.

5.2 Advertising Identifiers

IDFA (iOS) — Apple’s Identifier for Advertisers is a unique, non-permanent, non-personal identifier assigned to your Apple device. It enables personalised advertising, ad frequency capping, and install attribution.

GAID (Android) — Google’s Advertising ID is the equivalent identifier on Android devices. It serves the same purposes. Note: Google is transitioning Android to the Privacy Sandbox, which will eventually replace GAID with privacy-preserving APIs such as the Topics API, Attribution Reporting API, and FLEDGE (Protected Audiences). As these APIs become available, we will migrate our data practices accordingly and update this policy. We are committed to adopting privacy-preserving alternatives as they become production-ready.

These advertising identifiers can be used by ad networks to track user behaviour across different apps on the same device. This is the mechanism behind interest-based advertising.

How to reset or limit advertising identifiers:

• iOS: Settings > Privacy & Security > Tracking — opt out of tracking, or delete your IDFA.
• Android 12+: Settings > Google > Ads > Delete Advertising ID.

App Tracking Transparency (iOS 14.5+). On iOS, a system-level permission prompt asks whether you allow tracking across apps. If you decline, personalised ads will not be served.

The advertising identifier (user-resettable, used for ad targeting) is distinct from the device identifier / IDFV (persistent, used for analytics). They are different identifiers with different purposes.

5.3 Personalised vs Contextual Advertising

Interest-based (personalised) advertising means ads selected based on your past behaviour, preferences, and demographics across apps. This requires your explicit consent for EEA and UK users.

Contextual advertising means ads relevant to the content of the current app or screen, not your personal profile. This does not require consent and is the fallback when consent is refused.

If you do not consent to personalised advertising, you will still see ads — but those ads will be contextual and not tailored to you. The number of ads does not change.

5.4 Ad Mediation & Network Partners

Our games are free to play and are funded by in-app advertising. To enable this, we and our advertising partners collect certain information from your device. This subsection explains what is collected, by whom, for what purpose, and how you can control it.

We use CAS.ai (Clever Ads Solutions, operated by CLEAR INVEST LTD) as our advertising mediation platform. CAS.ai manages in-game advertising by conducting real-time auctions among multiple advertising networks simultaneously. When an advertising slot becomes available in the game, CAS.ai sends a request to multiple advertising companies at the same time. Each company offers a price for that slot, and the highest-paying ad is displayed. This process takes milliseconds and is invisible to you. As part of this process, your device’s advertising identifier (IDFA on iOS / GAID on Android), IP address, device model, operating system, app identifier, and ad interaction data may be transmitted to participating ad networks. For CAS.ai’s own data practices, visit: https://cas.ai/privacy-policy

CAS.ai uses the IAB Open Measurement SDK (OM SDK) to allow third-party ad measurement companies to verify ad impressions. Third-party measurement partners may collect and process data as part of the IAB Open Measurement Working Group to perform ad measurement and related services.

Because CAS.ai routes data to many ad networks, your privacy policy disclosures extend to every downstream network. The following are the direct and mediated ad network partners integrated in our games:

• AppLovin (AppLovin Corporation, Palo Alto, USA) — We work with AppLovin to deliver ads in our mobile application and other devices and/or platforms. For more information about AppLovin’s collection and use of your information, visit: https://legal.applovin.com/privacy/. AppLovin may collect the following categories of information through its SDK:
  
  Identifiers: advertising identifiers (IDFA, GAID, Amazon Advertising ID), Vendor ID (IDFV), App Set ID, and your advertising and tracking preferences and restrictions (e.g., “Limit Ad Tracking” or ATT status).
  Device & hardware data: device make, model, and hardware configuration; operating system and version; device properties related to screen, display, size, orientation, audio, video, battery, memory usage, device settings, and boot time; device settings related to accessibility features and font size; carrier information; network connection type and speed.
  App data: application name, properties, performance, session information, and installation information of the app through which you interact with AppLovin’s Services.
  Location & locale: IP address (used to derive approximate geographic location at the country/region level); country, time zone, and locale settings (country and preferred language).
  Ad interaction data: ad events including impression, completion, click, and skip.
  Advertiser event data: advertisers (directly or through a third-party service provider) may share transactional or other “event” data related to your interaction with an application, such as information about purchases or application installations, with AppLovin for campaign optimisation and measurement.
  
  The exact information AppLovin collects depends on choices you have made in the ad settings on your device, on permissions you give in apps, and in the privacy controls offered by those services and AppLovin.
  
  AppLovin uses this data to deliver its Advertising Services, maintain and improve them — including its AI-powered advertising technology (Axon) — and to research and develop new ones; to promote safety, security, and integrity of its Services; to provide measurement, analytics, and reporting; and to comply with legal and regulatory obligations. AppLovin may also use AI-powered advertising technology to serve ads that are more relevant and interesting to you, in ways that do not produce legal or similarly significant effects on you.
  
  How AppLovin shares your data: AppLovin may share information it collects with: (a) its service providers who support its business (infrastructure, analytics, customer service, payments); (b) its affiliates within the AppLovin family of companies (including Adjust, Wurl, and other subsidiaries) for purposes consistent with its Privacy Policy; (c) advertising partners — including advertisers, ad networks, exchanges, demand-side platforms, merchants, and mobile measurement partners (MMPs) — to provide advertising services; and (d) as required by law or in connection with business transfers. Unless otherwise noted on AppLovin’s partner list, each AppLovin advertising partner is an independent controller of your data. You can view AppLovin’s full list of advertising partners at: https://legal.applovin.com/applovin-partners-privacy/.
  
  AppLovin acts as an independent data controller for the data it collects through its SDK and Services. AppLovin is certified under the EU-US Data Privacy Framework (DPF), the UK Extension to the EU-US DPF, and the Swiss-US DPF, and is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. AppLovin refers unresolved DPF complaints to TRUSTe, an alternative dispute resolution provider based in the United States.
  
  AppLovin retains information collected through its Services for limited periods, typically up to two (2) years from the date of collection, or until you request deletion, whichever occurs first. To access or delete the data collected by AppLovin from your device, you may download the AppLovin Privacy Management Application from the Apple App Store or Google Play Store: iOS | Android. You may also opt out of interest-based advertising within ads served by AppLovin; for detailed instructions, see How AppLovin Shows You Ads.
  
  AppLovin and other ad network partners may use the IAB Open Measurement SDK (OM SDK) to allow third-party ad measurement companies to verify ad impressions. Third-party measurement partners may collect and process data as part of the IAB Open Measurement Working Group to perform ad measurement and related services.
  
  Sensitive data & PHI: We do not include in the data we share with AppLovin any sensitive personal data (as defined under applicable laws, including racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, sex life or sexual orientation, criminal convictions, genetic data, biometric data, government-issued identifiers, financial account information, account log-in credentials, contents of user communications, or precise geolocation). We do not provide AppLovin with protected health information (“PHI”) as defined under applicable laws, nor do we use any aspect of AppLovin’s Services in connection with PHI.
  
  Children: AppLovin does not knowingly collect personal information from, or serve advertisements to, children as defined by applicable laws. We do not initialise or use the AppLovin SDK for any end user identified as a child via our age-gate. See Section 7 for details.
  
  Privacy policy: https://legal.applovin.com/privacy/
  Data Sharing Requirements: https://legal.applovin.com/data-sharing-requirements
• Unity Ads (Unity Technologies Inc.) — Unity Ads displays ads in our games and may collect your advertising identifier (IDFA/GAID), IP address (used to derive approximate geographic location at the city/country level), device model and operating system version, app identifier (bundle ID), and ad interaction events (impression, completion, click, skip). Unity Ads displays a Data Privacy icon directly on ad units, through which you can access the personal data collected from your device on a per-app basis and opt out of future collection. Privacy policy: https://unity.com/legal/game-player-and-app-user-privacy-policy
• Liftoff Monetize (Liftoff Mobile Inc. / LMI Inc., formerly Vungle) — Liftoff and its demand partners use tracking technologies to collect Ad Data including your device advertising identifier (IDFA/GAID), IP address (used for approximate geolocation), device model and OS, app identifier, and ad interaction data (impression, click, completion) for the purpose of serving targeted advertisements. Liftoff does not record or store personal information that users cannot easily revoke (such as email addresses or phone numbers); it relies only on device advertising IDs, which you control and can reset or delete at any time via device settings. Users who wish to opt out of Liftoff’s collection and use of their information for targeted advertising can do so at: https://vungle.com/opt-out/. Privacy policy: https://vungle.com/privacy/
• InMobi (InMobi Pte. Ltd., Singapore / InMobi Inc., USA) — InMobi provides advertising services in our games, including retargeting advertising — ads may be shown to you based on your prior interactions with apps or sites that use InMobi. InMobi may collect your device advertising identifier (IDFA/GAID), IP address (used to estimate geographic location at country/city level), device model and operating system, app bundle identifier, and ad interaction events. InMobi retains device-level data for a maximum of 13 months, after which data is deleted or retained in aggregated (non-personal) format. InMobi acts as a joint controller with us under GDPR Article 26 — both parties share responsibility for how personal data is processed. The essence of our joint controller arrangement is as follows: InMobi is responsible for its own data collection, ad serving, and compliance with data subject requests directed to InMobi; AVAJORA GAMES LTD is responsible for obtaining valid consent from users and passing consent signals to InMobi via the SDK. A copy of the joint controller arrangement is available on request by contacting privacy@avajora.com. For EEA and UK users, InMobi requires consent via the IAB TCF 2.2 framework (IAB Vendor ID 333) before serving personalised ads. Users can opt out of InMobi’s interest-based advertising at any time by visiting: https://www.inmobi.com/page/opt-out/. Users who wish to exercise data subject rights (access, deletion, objection) with respect to InMobi’s processing may contact InMobi directly at: privacy@inmobi.com. Privacy policy: https://www.inmobi.com/privacy-policy/
• Google AdMob (Google LLC, USA) — Google AdMob serves ads in our games via CAS.ai mediation. AdMob may collect your advertising identifier (IDFA/GAID), IP address (used to derive approximate geographic location), device model and operating system, app identifier (bundle ID), and ad interaction data (impression, click, conversion). Google acts as anindependent data controller for the data it collects through AdMob. Google is certified under the EU-US Data Privacy Framework. Users can manage Google’s ad personalisation at adssettings.google.com. Privacy policy: https://policies.google.com/privacy
• ironSource (Unity LevelPlay) — Reached via CAS.ai mediation. https://unity.com/legal/privacy-policy
• Meta Audience Network — Reached via CAS.ai mediation. https://www.facebook.com/privacy/policy/
• Mintegral — Reached via CAS.ai mediation. https://www.mintegral.com/en/privacy/
• Pangle (ByteDance) — Reached via CAS.ai mediation. https://www.pangleglobal.com/privacy/privacy-center-overseas
• Digital Turbine — Reached via CAS.ai mediation. https://www.digitalturbine.com/legal/end-user-privacy-policy/

Since CAS.ai’s partner network list can change over time, we publish the current list of principal advertising partners at: avajora.com/advertising-partners. This list is updated periodically and may not reflect every downstream reseller or measurement provider in real time. Each partner operates under its own privacy policy and is responsible for its own data practices.

5.5 COPPA & Child-Directed Disclosures (Advertising)

We configure game-level settings in Unity, Liftoff, InMobi, and CAS.ai dashboards regarding their COPPA status (directed to children or not). For any game not directed at children under 13, advertising identifiers may be used for personalised ads. For child-directed apps: Unity will not collect cross-app advertising identifiers; Liftoff is instructed not to collect cross-app advertising identifiers for targeting purposes; InMobi will not conduct behavioural advertising; and CAS.ai will not pass advertising identifiers to downstream networks for targeting.

AppLovin SDK — Child Exclusion. In accordance with AppLovin’s Publisher Policies and Terms of Use, we do not initialise or use the AppLovin SDK in any way for any end user who qualifies as a “child” under applicable laws (including COPPA, UK AADC, GDPR Art. 8, and equivalent laws in other jurisdictions). When our age-gate identifies a user as under the applicable minimum age, the AppLovin SDK is not loaded for that user session, no data is transmitted to AppLovin, and no AppLovin ads are served. AppLovin is excluded from the CAS.ai mediation waterfall and bidding stack for all child-identified sessions. This ensures compliance with AppLovin’s strict prohibition on using their Services in connection with children.

App Store Age Range APIs. Where available, we integrate Apple’s and Google’s age range APIs (including APIs announced in response to U.S. state laws such as those in Texas, Utah, and Louisiana) to receive platform-verified age-range information for end users. This information is used in conjunction with our in-app age-gate to determine whether an end user qualifies as a “child” under applicable laws and to ensure that the AppLovin SDK and other age-restricted services are not initialised for such users.

5.6 Consent & Opt-Out Mechanisms

Consent flow sequence. On iOS 14.5+, Apple’s App Tracking Transparency (ATT) prompt is displayed first, before any other consent dialogue. If you decline tracking via ATT, personalised advertising is disabled immediately regardless of any subsequent CMP selection — the CMP will not be shown for personalised ads in this case. If you allow tracking via ATT (or on Android / pre-iOS 14.5), the CAS.ai Consent Management Platform (CMP) is presented next, requesting your consent for personalised advertising under the IAB Transparency & Consent Framework (TCF 2.2). For EEA and UK users, personalised advertising via CAS.ai mediation is only displayed after you provide explicit consent through this CMP popup. You may update your preferences at any time via Settings > Privacy within the game.

For users in the EEA, UK, and applicable US states, consent signals are passed to Unity Ads, Liftoff, InMobi, AppLovin, and all CAS.ai downstream networks via each SDK’s consent API. Specifically, we pass the following signals to the AppLovin SDK: ATT authorisation status (iOS), IAB TCF 2.2 consent string, “Do Not Sell” flag (for CCPA/US state laws), age-restriction flags, and any other applicable privacy flags required by law or app store policies. These consent signals govern whether AppLovin serves personalised or contextual ads, and whether your advertising identifier is used for interest-based advertising or for improving AppLovin’s Services, including its AI-powered technologies. Users who opt out of targeted advertising will receive contextual (non-personalised) ads only. If you opt out of personalised advertising, CAS.ai is instructed not to pass your advertising identifier to downstream networks (including AppLovin), and only contextual (non-targeted) ads will be displayed.

• EEA/UK users: Personalised ads are only shown after you give explicit consent via the consent popup presented at first launch.
• US users: You may opt out of the “sale” or “sharing” of your personal information via Settings > Privacy > Advertising Preferences within the game, or via our Do Not Sell or Share page.
• To withdraw consent: Navigate to Settings > Privacy > Advertising Preferences within the game at any time. Withdrawal takes effect immediately.
• Unity Ads: Unity Ads displays a Data Privacy icon on ad units through which you can access your data and opt out of future collection.
• Liftoff opt-out: https://vungle.com/opt-out/
• InMobi opt-out: https://www.inmobi.com/page/opt-out/
• AppLovin opt-out & data management: You may opt out of interest-based advertising by AppLovin, or access and delete the data AppLovin has collected from your device, by downloading the AppLovin Privacy Management Application: iOS | Android. You may also visit: https://applovin.com/opt-out
• iOS: Settings > Privacy & Security > Tracking — you can prevent all apps from requesting your advertising identifier.
• Android 12+: Settings > Google > Ads > Delete Advertising ID — you can permanently delete your advertising ID.

5.7 Our Ads in Other Apps

We advertise our games in other apps using advertising networks. Your advertising ID may be used to target audiences likely to enjoy our games, to create lookalike audiences (where an ad network finds users similar to our existing players), and to conduct re-engagement campaigns for users who have not played for a period of time.

When you install a game after seeing one of our ads, the install is attributed to the relevant campaign using your advertising ID. Attribution data (device ID hash, campaign identifier, network source) is received from advertising networks and used solely for campaign measurement and fraud detection.

5.7B Cross-Promotion of Our Portfolio

We may display advertisements promoting our other games within our apps (“cross-promotion”). These ads function differently from third-party advertising:

• Cross-promotional ads are served directly by us, not via external ad networks.
• We may use aggregated gameplay data from your current session (e.g., “Players who reached Level 10 also enjoy [Other Game]”) to suggest relevant titles from our portfolio.
• Cross-promotion does not use cross-app tracking identifiers. We do not link your identity or gameplay data across different games in our portfolio.
• Cross-promotional ads do not require separate consent as they are part of our legitimate business operations (GDPR Art. 6(1)(f)) and do not involve third-party data sharing.

You cannot opt out of cross-promotional ads, as they are integral to how we operate free-to-play games, but they are non-intrusive and do not collect additional data beyond what is already collected for the current game session.

5.8 Analytics (Unity Analytics & Google Firebase Analytics)

We use Unity Analytics (a product of Unity Technologies Inc.) and Google Firebase Analytics (a product of Google LLC) to collect gameplay analytics and operational metrics across all of our games.

Unity Analytics collects device session data, event data we define (e.g. level complete, session start, tutorial steps), device type and OS version, app version, and a device-bound identifier (not the advertising ID) to identify unique devices.

Google Firebase Analytics is integrated into all of our games via the Firebase SDK for Unity (Unity SDK 13.8.0). Firebase Analytics automatically collects the following data without any additional code:

• Device & system information: Device model, brand, category (mobile/tablet), operating system and version, app version, app store source, device language, and screen resolution.
• Approximate location (from IP): Country, region/state, city, and continent — derived from your device’s IP address at the time of the request. Firebase does not use GPS. The IP address itself is not stored by Google after the geo-lookup is performed.
• Usage & engagement: Number of sessions, session duration, first launch timestamp, app opens, and app update events.
• Identifiers: An app-instance ID (unique per app install; reset when the app is uninstalled and reinstalled) used to count unique users, and the Android Advertising ID (GAID) which is collected by the Firebase SDK by default on Android. The Android Advertising ID is a resettable, user-controlled identifier — you can reset or opt out of personalisation in your device’s settings under Settings → Privacy → Ads.
• Automatically collected events: first_open, session_start, app_update, os_update, screen_view, and user_engagement.

In addition to Firebase’s automatic collection, our games send custom gameplay events to Firebase Analytics — such as level starts, score milestones, attempt completions, and session counts. These custom events contain only numerical gameplay statistics (level number, scores, durations, percentages) and do not include names, email addresses, or any other personally identifying information.

Purpose: Both Unity Analytics and Firebase Analytics are used to understand how players interact with our games, measure user engagement metrics (daily active users, session length, retention rates D1/D7/D30), identify gameplay issues, score distribution patterns, and inform future game design decisions. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Analytics data is aggregated and used at the cohort level for business reporting. We do not use analytics data to build individual user profiles for advertising. Individual-level event data is retained by Unity for a defined period per Unity’s own data retention policy. Firebase Analytics event data is retained for up to 14 months, after which it is automatically deleted by Google. Unity Analytics is configured with the same consent signals as Unity Ads — users who opt out of data collection will have analytics disabled or anonymised to the extent permitted by the SDK.

Firebase Analytics data sharing: Firebase Analytics data is processed by Google LLC (and its subsidiaries) under the Firebase Data Processing and Security Terms. Google may use aggregated, anonymised analytics data for its own product improvement purposes. Google does not sell your end-users’ data to third parties. No Firebase Analytics data is shared with any party other than Google. International transfers: Google complies with the EU–U.S. Data Privacy Framework (DPF) and Swiss–U.S. DPF for transfers of personal data from the EEA, Switzerland, and the UK.

How to opt out of Firebase Analytics: You can contact us at privacy@avajora.com to request that Firebase Analytics collection be disabled for your device. You can also reset your Android Advertising ID in your device settings. Upon request, we will remove any identifiable data associated with your app-instance ID using the Google Analytics User Deletion API.

Firebase Analytics is governed by the Firebase Terms of Service, Firebase Data Processing and Security Terms, and the Google Cloud Terms of Service.

Privacy policies: Unity — unity.com/legal/developer-privacy-policy | Firebase — firebase.google.com/support/privacy | Google — policies.google.com/privacy

5.9 Crash Reporting & Performance Monitoring

As of the date of this policy, we do not use Firebase Crashlytics or any standalone crash-reporting SDK. Crash and performance data is collected only through Unity’s built-in crash-reporting facilities as part of the Unity SDK already disclosed above. Google Firebase Analytics (disclosed in Section 5.8) is used for gameplay analytics only and is separate from crash reporting.

If we integrate a dedicated crash-reporting or performance-monitoring service (e.g. Firebase Crashlytics, Sentry, Bugsnag) in the future, we will update this policy to disclose: (a) the provider and its role, (b) data collected, (c) retention period, (d) applicable legal basis, and (e) any international transfers involved. Material additions of this kind will be communicated in accordance with Section 17 (Changes to This Policy).

6. How We Share Your Data

6.1 Service Providers (Data Processors) & Sub-Processor Register

Service providers act as data processors — they process data only on our instructions, are contractually bound, and cannot use the data for their own purposes. We have signed Data Processing Agreements with all service providers that require them, in compliance with GDPR Article 28. The following is our sub-processor register (GDPR Art. 28(2)):

• Cloud & Hosting: Google Cloud Platform — cloud.google.com/privacy. Data is stored in the EU (europe-west) region.
• Analytics: Unity Analytics (Unity Technologies Inc.) — unity.com/legal/developer-privacy-policy. Receives device identifiers, gameplay events, and session data for product analytics. Uses a device-bound identifier (not the advertising ID).
• Analytics: Google Firebase Analytics (Google LLC) — firebase.google.com/support/privacy. Receives device information, approximate location (IP-derived), app-instance ID, Android Advertising ID, session data, and custom gameplay events. Governed by the Firebase Terms of Service, Firebase Data Processing and Security Terms, and Google Cloud Terms of Service.
• Ad Mediation: CAS.ai (CLEAR INVEST LTD) — cas.ai/privacy-policy. Manages real-time ad auctions and routes requests to downstream ad networks. Receives advertising IDs, IP address, device info, and ad interaction data.
• Consent Management: CAS.ai CMP — manages user consent via the IAB TCF 2.2 framework and passes consent signals to ad networks.

6.2 Advertising Networks

Advertising networks receive: your advertising ID, IP-derived country/city, app bundle ID, ad placement, and interaction events (impressions, clicks). They do not receive your name, email address, or precise GPS location.

Most advertising networks are independent data controllers — each has its own privacy policy and is responsible for its own data practices. We are not responsible for their processing. Exception: InMobi acts as a joint controller with us under GDPR — see Section 5.4 for details. For the full list of all advertising partners and their privacy policy links, see Section 5.4 and our Advertising Partners page.

6.3 Legal & Regulatory Disclosures

• We may disclose data in response to court orders, legal processes, or government requests, and will notify you where legally permitted.
• We may share data to prevent fraud, protect safety, enforce our Terms of Service, or protect legal rights.
• In certain jurisdictions, governments may compel disclosure without our knowledge or ability to notify you.

6.4 Business Transfers

In the event of a sale, merger, acquisition, or bankruptcy, user data may be transferred to the acquiring entity as a business asset. The new owner will be bound by this policy. Potential acquirers may access anonymised data during due diligence, but not personal data until a transaction is completed.

7. Children’s Privacy

Our games are not directed to children under the age of 13 (or the higher age threshold applicable in your jurisdiction — for example, 16 in Germany and the Netherlands, 15 in France, 14 in Italy and Spain). GDPR Article 8 sets the default age of consent for data processing at 16 in the EU but allows member states to lower it to no less than 13. UK GDPR sets the threshold at 13.

We do not knowingly collect personal data from children under the applicable minimum age. We do not knowingly serve targeted or interest-based advertising to children. Where a game is or may be accessible to a mixed-age audience, we have configured our ad network settings (Unity Ads, Liftoff/Vungle, InMobi, and CAS.ai) to disable behavioural targeting for users below the applicable minimum age.

AppLovin SDK — Not Used for Children. In accordance with AppLovin’s Terms of Use and Publisher Policies, we do not initialise or use the AppLovin SDK in any way, or otherwise use any aspect of AppLovin’s Services, in connection with any end user who qualifies as a “child” under applicable laws. When our age-gate (or platform-provided age range APIs) identifies a user as under the applicable minimum age, the AppLovin SDK is not loaded for that user session, no data is transmitted to AppLovin, and no AppLovin-served advertisements are displayed. This prohibition applies regardless of whether the game is classified as “child-directed” or “mixed audience.”

Mixed Audience Games. For games that may appeal to a broad audience including children (“Mixed Audience”), we implement an age-gate at first launch. Users identifying as under the age of digital consent (13 in most jurisdictions, 16 in certain EU member states) are automatically served a “Non-Personalised” experience with the following restrictions: (a) restricted data collection (only essential device and gameplay data required for service delivery); (b) disabled social features (if applicable); (c) contextual-only advertising (no behavioural profiling or cross-app tracking); (d) complete exclusion of the AppLovin SDK from the ad mediation stack for the child-identified session; and (e) Firebase Analytics collection is disabled for the child-identified session via FirebaseAnalytics.SetAnalyticsCollectionEnabled(false), ensuring no data is transmitted to Google from child users. This treatment applies until the user reaches the applicable minimum age or until a parent or guardian provides verifiable consent where permitted by law.

App Store Age Range APIs. Where available, we integrate platform-provided age range APIs (such as those introduced in response to U.S. state laws in Texas, Utah, and Louisiana, and similar features offered by Apple and Google) to receive platform-verified age-range information for end users. This information supplements our in-app age-gate and is used to determine whether an end user qualifies as a “child” under applicable laws and therefore whether the AppLovin SDK and other age-restricted ad network SDKs should be initialised.

We configure game-level settings in Unity, Liftoff, InMobi, and CAS.ai dashboards regarding their COPPA status. For child-directed apps: Unity will not collect cross-app advertising identifiers; Liftoff is instructed not to collect cross-app advertising identifiers for targeting; InMobi will not conduct behavioural advertising; CAS.ai will not pass advertising identifiers to downstream networks for targeting; and the AppLovin SDK will not be initialised at all.

UK Age Appropriate Design Code (AADC). As a UK-registered company, we are aware of the Age Appropriate Design Code (also known as the Children’s Code), which has been enforceable since September 2021. We have implemented age-appropriate defaults: behavioural profiling and targeted advertising are disabled by default for users who may be children, geolocation data is not collected, and data collection is minimised to what is strictly necessary for the service. Our privacy settings are designed to be high-privacy by default.

If a parent or guardian believes their child has provided personal information to us or to one of our advertising partners through our games, please contact us at privacy@avajora.com. We will take steps to delete such information and notify the relevant advertising partners of the requirement to do so.

Upon discovery that we have collected data from a child without verifiable parental consent, we will promptly delete such data from our servers.

This policy complies with the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) for distribution on United States app stores.

For a plain-language explanation of our children’s data practices written specifically for parents and guardians, please see our Privacy for Parents page.

8. Your Rights

8.1 GDPR / UK GDPR Rights

If you are in the EEA or the United Kingdom, you have the following rights:

• Right to Access (Art. 15). You may obtain confirmation of whether we process your personal data, a copy of that data, and supplementary information (purposes, recipients, retention periods, source). We will respond within 30 days at no charge.
• Right to Rectification (Art. 16). You may have inaccurate personal data corrected without undue delay.
• Right to Erasure (Art. 17). You may request deletion of your personal data. This right may be limited where we have a legal obligation to retain certain data. Deletion requests are fulfilled within 30 days.
• Right to Restrict Processing (Art. 18). You may pause (but not delete) processing where accuracy is contested, processing is unlawful but you prefer restriction, or data is no longer needed but you require it for a legal claim.
• Right to Data Portability (Art. 20). You may receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller. Applies to data processed by consent or contract.
• Right to Object (Art. 21). You may object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop immediately.
• Right to Withdraw Consent (Art. 7). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. The withdrawal mechanism is as easy as granting consent.
• Right to Lodge a Complaint (Art. 77). You may lodge a complaint with the supervisory authority in your country of residence. For UK users, this is the Information Commissioner’s Office at ico.org.uk.

8.2 US State Privacy Rights

California (CCPA / CPRA). If you are a California resident, you have the right to:

• Know what personal information has been collected, from which sources, for what purposes, and with whom it has been shared or sold — covering the prior 12 months.
• Request deletion of personal information collected from you, subject to legal exceptions.
• Request correction of inaccurate personal information (CPRA § 1798.106).
• Direct us to stop “selling” or “sharing” (including for cross-context behavioural advertising) your personal information. See our “Do Not Sell or Share My Personal Information” toggle in Settings > Privacy.
• Not be discriminated against for exercising your privacy rights — we will not deny service, charge a different price, or provide a lower quality of service.

Virginia, Colorado, Connecticut, Utah, Texas, and other states have enacted privacy laws with opt-out rights for targeted advertising. We provide a single mechanism in Settings > Privacy that satisfies all applicable state requirements. If we deny a request, you may appeal the decision by contacting privacy@avajora.com. We accept requests from authorised agents acting on your behalf; please contact us for the verification process.

8.3 How to Exercise Your Rights

• Email us at privacy@avajora.com.
• Use the in-app privacy settings: Settings > Privacy > Contact Us.
• Submit a structured request via our Privacy Request page.
• We may ask you to confirm your account email and provide your in-game user ID to verify your identity before fulfilling a request.
• GDPR response timeframe: 30 calendar days (extendable by 2 months for complex requests, with notice).
• CCPA response timeframe: 45 calendar days (extendable by a further 45 days with notice).
• We will respond to all rights requests free of charge, unless requests are manifestly unfounded or repetitive.

9. International Data Transfers

Your personal data may be transferred to, stored in, and processed in countries other than your country of residence. Our primary servers are located within the European Union (Google Cloud, europe-west region).

For transfers from the EEA to third countries, we rely on the European Commission’s Standard Contractual Clauses (SCCs, 2021 version). For transfers to US-based companies certified under the EU-US Data Privacy Framework (DPF), we rely on that certification.

For transfers from the United Kingdom to third countries, we rely on the UK International Data Transfer Agreement (UK IDTA) approved by the ICO. For transfers to DPF-certified US companies, we may also rely on the UK-US Data Bridge (approved October 2023).

Key international data recipients include: Unity Technologies Inc. (San Francisco, USA), Google LLC (USA) (for Firebase Analytics, Google AdMob, and Google Cloud Platform), CAS.ai / CLEAR INVEST LTD (Belize), Liftoff Mobile Inc. / LMI Inc. (Palo Alto, USA), InMobi Pte. Ltd. (Singapore) and InMobi Inc. (USA), and AppLovin Corporation (Palo Alto, USA). For Firebase Analytics, Google LLC is certified under the EU-US Data Privacy Framework and processes data under the Firebase Data Processing and Security Terms. Data transfers from EEA/UK users to Unity, Liftoff, and InMobi are governed by Standard Contractual Clauses as per each company’s Data Processing Addendum. InMobi is headquartered in Singapore with operations in the USA; transfers are covered by appropriate safeguards per InMobi’s own privacy documentation.

AppLovin Corporation is certified under the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF). For transfers of personal data from the EEA, UK, and Switzerland to AppLovin, we rely on AppLovin’s DPF certification as the primary transfer mechanism. AppLovin is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. AppLovin has appointed Prighter Group as its privacy representative in the EU and UK. For further details, see AppLovin’s Privacy Policy at legal.applovin.com/privacy.

Where data is transferred to countries that do not benefit from an adequacy decision (including Belize, where CAS.ai’s operator CLEAR INVEST LTD is incorporated), we conduct Transfer Impact Assessments (TIAs) and apply supplementary technical measures. Belize does not currently have comprehensive data protection legislation. For transfers to CAS.ai/CLEAR INVEST LTD, the following supplementary measures are in place:

• All data transmitted to CAS.ai is encrypted in transit (TLS 1.2+) and at rest.
• Advertising identifiers are pseudonymised before transmission where technically feasible.
• CAS.ai’s processing is limited to real-time ad mediation; it does not retain personal data beyond the auction cycle except for fraud detection logs.
• CAS.ai is bound by contractual data protection obligations equivalent to GDPR Article 28 requirements.
• We regularly review CAS.ai’s data handling practices and reserve the right to terminate the relationship if adequate protections are not maintained.

Note: We do not reference the EU-US Privacy Shield or Swiss-US Privacy Shield, as both were invalidated and are no longer a valid transfer mechanism.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, in accordance with the GDPR storage limitation principle (Art. 5(1)(e)).

If data is subject to a legal claim or investigation, it may be retained beyond the periods above until the matter is resolved.

Data may be anonymised (made impossible to link back to any individual) and retained indefinitely for statistical or research purposes. Anonymised data is not personal data under GDPR.

Deletion requests are fulfilled within 30 days. Backups may persist for 30–90 days after deletion until backup rotation completes; data in backups is not actively accessible.

If your account is inactive for 2 years, your account data will be flagged for deletion. You will be notified 30 days before deletion occurs.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction, in accordance with GDPR Article 32.

• Encryption in transit. Data transmitted between your device and our servers is encrypted using TLS/SSL.
• Encryption at rest. Data stored on our servers is encrypted at rest using Google Cloud’s default encryption.
• Access controls. Access to personal data is restricted to authorised personnel who need it to perform their duties. Staff are bound by confidentiality obligations.
• Breach response. We maintain a data breach response plan. Under GDPR, we will notify the ICO within 72 hours of becoming aware of a personal data breach likely to result in risk to individuals. Where a breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34), we will also notify affected users directly without undue delay, describing the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
• Record of Processing Activities (ROPA). We maintain a Record of Processing Activities as required by GDPR Article 30, documenting all categories of processing, their purposes, legal bases, recipients, and retention periods.

No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

You are responsible for keeping your account credentials secure and should not share passwords. If you suspect unauthorised access to your account, please contact us immediately at support@avajora.com.

11.1 Data Breach Incident Response Timeline

In the event of a personal data breach, we follow a structured incident response process:

Redacted incident reports (with personally identifiable information removed) are published on our Transparency Report page within 90 days of incident closure, where disclosure does not compromise ongoing security measures.

11.2 Third-Party Security Audits

We conduct annual independent third-party security assessments covering:

• Infrastructure penetration testing: External security firms conduct penetration tests of our cloud infrastructure, APIs, and authentication systems to identify vulnerabilities.
• Mobile app binary analysis: Static and dynamic analysis of our game binaries to detect insecure data storage, code injection vulnerabilities, and improper cryptography implementation.
• Data processing agreement compliance: Review of our contracts with sub-processors to ensure they meet GDPR Article 28 requirements and include appropriate Technical and Organisational Measures (TOMs).
• SDK security review: Assessment of third-party SDKs integrated in our games to verify their data collection practices match vendor disclosures and do not introduce security risks.

Audit summaries (excluding detailed vulnerability findings) are available upon request by contacting privacy@avajora.com. Full audit reports are provided to supervisory authorities upon request.

Our next scheduled audit is Q2 2026. Audit findings are tracked via an internal remediation register, and high-severity issues are escalated to senior management for immediate action.

12. Cookies & Tracking Technologies

On our website: Cookies are small text files stored on your device that enable websites to recognise your browser and store preferences. We use:

• Strictly necessary cookies — required for the website to function; cannot be opted out (e.g. cookie consent preferences via Klaro).
• Analytics cookies — help us understand website usage patterns (Google Analytics 4, set only with consent).

We do not use advertising, marketing, or targeting cookies on our website. Advertising identifiers and SDKs are used only within our mobile games, as described in Sections 2 and 5 of this policy.

A cookie consent banner is presented to EU/UK visitors on first visit, allowing you to accept or reject non-essential cookies. Pre-ticked boxes are not valid consent.

In our mobile apps: SDKs, local storage, device fingerprinting, and advertising identifiers function as the equivalent of cookies. These are disclosed in Sections 2 and 5 of this policy. Analytics SDKs (Unity Analytics, Google Firebase Analytics) and advertising SDKs (CAS.ai mediation, Unity Ads, Liftoff, InMobi) collect data via these mechanisms.

How to opt-out of non-essential cookies: Adjust your browser settings, use the cookie preference tool on our website, or change platform-level advertising settings on your mobile device.

Do Not Track (DNT). Our systems do not currently respond to browser “Do Not Track” (DNT) signals, as DNT lacks a common industry standard. We support opt-out controls through our in-app Privacy Settings and request channels. Where technically available on our website, we also attempt to treat the Global Privacy Control (GPC) browser signal as an opt-out request — see Section 14.4 for details.

For a detailed list of cookies used on our website, please see our Cookie Policy.

13. In-App Purchases & Payments

All payment processing is handled by the app store (Google Play or the Apple App Store). We do not collect, store, or process credit card numbers, bank account numbers, or any financial credentials.

We do receive transaction metadata from the app store: transaction timestamp, order ID, product purchased, encrypted order confirmation, and device ID. We use this data solely to unlock purchased content and to detect fraudulent transactions.

If we offer subscriptions, we verify active subscription status via the app store’s API. We do not directly handle recurring billing. To cancel a subscription, use the app store’s subscription management.

In-game virtual currency has no real-world value, is not refundable (except where required by law), and transactions involving virtual currency are recorded for fraud prevention. Refunds for purchases are handled by the app store according to their own policies.

14. Jurisdiction-Specific Disclosures

14.1 EEA & Switzerland

This subsection applies to users in the European Economic Area (EEA) and Switzerland and supplements the main policy. Legal bases for processing are set out in Section 4. EEA users may lodge complaints with their national supervisory authority — see edpb.europa.eu for the full list of national Data Protection Authorities. Transfer mechanisms for EEA users are described in Section 9.

14.2 United Kingdom

This subsection applies to users in the United Kingdom and supplements the main policy. UK GDPR is a separate legal framework from EU GDPR, though largely mirroring it. UK users may lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113. Transfer mechanisms for UK users are described in Section 9.

14.3 California (CCPA / CPRA)

This subsection applies to California residents and supplements the main policy, as required by the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.).

Sources: Directly from you (support); automatically from your device; from advertising partners (attribution); from app stores (transactions).

Business purposes: As described in Section 3.

Sale / Sharing. We do not sell personal information for direct monetary consideration. However, sharing advertising identifiers with ad networks for cross-context behavioural advertising may qualify as a “sale” or “sharing” under the CCPA’s broad definitions. You may opt out via our “Do Not Sell or Share My Personal Information” toggle in Settings > Privacy, or via our Do Not Sell or Share page.

14.4 Other US States

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire, New Jersey, Nebraska, Tennessee, Indiana, Kentucky, Maryland, Minnesota, and other states have enacted or are enacting comprehensive consumer privacy laws granting opt-out rights for targeted advertising, the sale or sharing of personal information, and profiling. We monitor evolving US state privacy legislation and update our compliance practices accordingly. Our unified Settings > Privacy mechanism is designed to satisfy all currently applicable and future US state privacy requirements. Where technically detected on our website, we treat the Global Privacy Control (GPC) browser signal as an opt-out request under all applicable US state privacy laws. Because GPC is browser-based, it may not apply to in-app mobile environments; for mobile gameplay, please use the in-app privacy controls or contact us directly.

We correctly set “Do Not Sell” flag values and similar privacy flags via the AppLovin SDK and other integrated advertising SDKs, as required by the US Multistate Data Protection Laws. When you exercise your opt-out right, the signal is passed to AppLovin and all CAS.ai downstream networks in real time.

14.5 Brazil (LGPD)

The Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018) applies to processing of Brazilian residents’ data. We honour data subject rights equivalent to those described in Section 8, including access, correction, deletion, portability, and information about public and private entities with which data has been shared.

LGPD legal bases (Art. 7):

• Consent (Art. 7, I): Personalised advertising.
• Contract performance (Art. 7, V): Service delivery, in-app purchase fulfilment.
• Legitimate interests (Art. 7, IX): Analytics, contextual advertising, fraud detection.
• Legal obligation (Art. 7, II): Tax records, law enforcement requests.

Brazilian users may contact the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd to exercise their rights or lodge a complaint.

14.6 Other Jurisdictions

If you are located in Canada (PIPEDA), Australia (Privacy Act 1988), Japan (APPI), South Korea (PIPA), or India (DPDPA 2023), we comply with the applicable local requirements to the extent they apply to our processing activities. If you have questions about how your local law applies, please contact privacy@avajora.com.

14.6B India (DPDPA 2023)

For users in India, we comply with the Digital Personal Data Protection Act 2023 (DPDPA) when its provisions come into force. Our DPDPA compliance commitments include:

• Consent notices in local languages: Privacy disclosures will be made available in Hindi and English (and other regional languages as our user base grows).
• Verifiable consent: Consent for data processing will be obtained through clear, affirmative action (e.g., in-app consent dialogues) that can be withdrawn at any time.
• Data Principal rights: Indian users may exercise rights to access, correction, erasure, and grievance redressal by contacting privacy@avajora.com.
• Data Protection Officer (if required): If our processing volumes exceed statutory thresholds requiring appointment of a Data Protection Officer for India, we will designate one and publish contact details here.
• Grievance Officer: We will appoint a Grievance Officer reachable at privacy@avajora.com (subject line: “India DPDPA Grievance”) to address complaints within the timeline prescribed by DPDPA rules.
• Children’s data: We do not knowingly process data of children under 18 in India without verifiable parental consent, in accordance with DPDPA Section 9.

As DPDPA rules and regulations are finalised by the Data Protection Board of India, we will update this section with additional compliance measures, including registration requirements (if applicable) and cross-border data transfer mechanisms.

14.6C China & South Korea (if applicable)

We do not currently offer our games in mainland China or South Korea. If we expand to these markets in the future, we will implement jurisdiction-specific compliance measures:

China (Personal Information Protection Law — PIPL):

• Obtain separate explicit consent for cross-border data transfers outside China (PIPL Art. 39)
• Store Chinese user data within China via local cloud providers (subject to data localization requirements)
• Conduct security assessments before cross-border transfers for data processors handling personal information of over 1 million individuals (PIPL Art. 40)
• Appoint a representative within China to handle personal information protection matters (PIPL Art. 53)

South Korea (Personal Information Protection Act — PIPA):

• Designate a Chief Privacy Officer (CPO) reachable at a published contact point
• Real-name verification is not required for our games as we do not collect personal identification information (resident registration numbers, passport numbers)
• Provide privacy notices in Korean and obtain explicit consent for processing sensitive data or cross-border transfers
• Implement mandatory security measures under PIPA enforcement decree (encryption, access logging, annual security audits)

Users in regions not explicitly covered above may contact us at privacy@avajora.com for jurisdiction-specific information.

15. Contact & Data Protection

We will respond to all privacy requests within 30 calendar days (GDPR) or 45 calendar days (CCPA), whichever applies. For complex requests, we may extend this period and will notify you promptly.

Data Protection Officer. Given our current scale and processing activities, we are not required to appoint a Data Protection Officer under GDPR Article 37. We have designated a privacy contact point reachable at privacy@avajora.com who is responsible for handling all data protection matters. Should our processing activities change to require a formal DPO appointment, we will update this section accordingly.

Please contact privacy@avajora.com with any questions regarding this Privacy Policy. You may also submit a structured request via our Privacy Request page.

16. Push Notifications & Marketing

Push notifications require explicit opt-in permission via your device’s system prompt (iOS) or app notification settings (Android). We only send push notifications if you have consented.

We distinguish between transactional notifications (e.g. “Your reward is ready”) and promotional notifications (e.g. “New content available!”). Different legal bases apply.

You can disable push notifications at any time via your device settings:

• iOS: Settings > Notifications > [App Name]
• Android: Settings > Apps > [App Name] > Notifications

In-app messages — displayed within the game, not as device notifications — may be used without additional consent as they are part of the service.

17. Changes to This Policy

We reserve the right to update or change this Privacy Policy at any time. Please review this policy periodically for changes.

For material changes — such as a new category of data collected, a new third-party recipient, a change to retention periods, or a change in legal basis — we will notify you via in-app notification or a prominent notice on the policy page at least 30 days before the changes take effect.

Continued use of our Services after changes are posted constitutes your acceptance of the updated policy. However, where our processing relies on your consent (for example, personalised advertising), we will seek your renewed, specific consent separately and will not treat continued use of the Services as consent to materially different processing.

We review this policy at least annually and update it to reflect changes in law, data practices, or third-party relationships. Previous versions are available on request by contacting privacy@avajora.com.

17.1 Version History

18. General Provisions

• Third-Party Links. Our games and website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.
• App Store Terms. This policy supplements the privacy policies and terms of the Apple App Store and Google Play Store. Please also review those policies, as they govern how the platforms handle data related to your use of their services.
• App Store Privacy Labels. We provide simplified data-collection disclosures via Apple’s App Privacy Nutrition Labels and Google Play’s Data Safety Section, as required by each platform. In the event of any discrepancy between those simplified store-level summaries and this Privacy Policy, this Privacy Policy is the comprehensive, authoritative statement of our data practices.
• No Sale of Personal Data for Monetary Consideration. We do not sell your personal data for direct monetary consideration. Note that under the CCPA’s broader definitions, sharing advertising identifiers with ad networks for cross-context behavioural advertising may qualify as a “sale” or “sharing” — see Section 14.3 and our Do Not Sell or Share page.
• Aggregated & Anonymised Data. We may use aggregated and anonymised data — which cannot identify you individually — for research, benchmarking, industry reports, and business analysis. Such data is not subject to this policy.
• Severability. If any provision of this Privacy Policy is found to be unenforceable, the remaining provisions will continue in full force and effect.
• Governing Law. This policy is governed by the laws of England and Wales.
• Language. In the event of any conflict between the English version of this policy and any translated version, the English version shall prevail.
• Accessibility. This privacy policy is available in an accessible format on request (e.g. large print, screen-reader compatible). We aim to conform to WCAG 2.1 Level AA for the web-hosted version.

Game-Specific Privacy Appendices

Each of our published games may have minor differences in the SDKs integrated, ad formats used, or age-gate implementation. Specific features for individual games are listed on the store listing page for that game (Google Play Data Safety Section and Apple App Privacy Details). That information takes precedence for game-specific features. This approach ensures that each game’s privacy disclosures are accurate, up-to-date, and platform-compliant at the time of download.

The privacy-relevant configuration common to all our games is described throughout this policy. Game-specific variations (for example, whether a particular title integrates an additional analytics SDK, offers in-app purchases, or has a specific age rating) are disclosed on the relevant app store listing page before installation.

If a game enables child-directed treatment (COPPA tag / Google Families), personalised advertising is disabled for that title and the age-gate flow described in Section 7 is applied. For games that may appeal to a mixed audience, refer to Section 7 for our “Mixed Audience” safeguards.

19. Glossary

• Personal Data — Any information relating to an identified or identifiable natural person.
• Data Controller — The entity that determines the purposes and means of the processing of personal data.
• Data Processor — An entity that processes personal data on behalf of the controller.
• Processing — Any operation performed on personal data, whether automated or manual.
• Consent — Freely given, specific, informed, and unambiguous indication of the data subject’s wishes.
• Legitimate Interests — A lawful basis for processing where the controller’s interests are balanced against the rights of the data subject.
• Supervisory Authority — An independent public authority responsible for monitoring data protection compliance (e.g. the ICO in the UK).
• IDFA — Apple’s Identifier for Advertisers — a resettable device identifier for ad targeting.
• GAID — Google Advertising ID — the Android equivalent of IDFA.
• SDK — Software Development Kit — a collection of tools, libraries, and code that developers integrate into an app to add specific functionality (e.g. analytics, advertising).