LoyaPlay Privacy Policy

1. General Information

1.1 Controller Within the Meaning of Data Protection Law

For the data processing activities described in this Privacy Policy, the data controller is:

HK GANGXING TECHNOLOGY LIMITED
No. 14 Science Museum Road, Tsim Sha Tsui, Kowloon, Hong Kong
Website: https://www.loyaplay.com
Privacy Contact Email: [email protected]

If a specific feature is provided by a third-party service provider, advertising network, reward service provider, analytics provider, app store, or other external partner, that third party may act as an independent data controller for its own processing activities. In such cases, that third party’s privacy policy will apply to its processing of personal data.

1.2 Data Protection Contact Information

If you have any privacy-related questions, data subject requests, consent withdrawal requests, opt-out requests, or complaints, please contact us at:

Email: [email protected]
Address: HK GANGXING TECHNOLOGY LIMITED, No. 14 Science Museum Road, Tsim Sha Tsui, Kowloon, Hong Kong

If you have app usage issues, reward fulfillment issues, or general support questions, please contact [email protected].

2. Data Collection Regarding the Use of Our Services

We take the protection of personal data very seriously. We process personal data confidentially and in accordance with applicable privacy and data protection laws and this Privacy Policy.

“Personal data” or “personal information” means information that identifies, relates to, describes, is reasonably associated with, or could reasonably be linked to a particular individual or household, depending on the applicable law.

2.1 Access to and Storage of Information on Terminal Equipment

When you use our Services, we and our service providers may access information on your device or store information on your device. Such information may include cookies, local storage, SDK identifiers, device identifiers, advertising identifiers, app instance identifiers, cached data, and similar technologies.

Where such access or storage is strictly necessary to provide the Services, maintain security, prevent fraud, remember user choices, deliver functions requested by you, or ensure the technically error-free operation of the Services, we process such information based on applicable data protection laws, contractual necessity, legitimate interests, and applicable ePrivacy / cookie rules.

Where such access or storage is used for non-essential purposes, such as analytics, personalized advertising, advertising attribution, cross-app behavioral advertising, marketing, or similar measurement activities, we will obtain your consent where required by law. You may withdraw your consent at any time through in-app settings, website consent settings, device settings, advertising preference settings, opt-out links, or other opt-out tools we provide, with effect for the future.

For more information on how we process your personal data, the relevant processing purposes, legal bases, and third-party service providers, please refer to the sections of this Privacy Policy that describe specific processing activities.

2.2 Information Collected When Downloading the App

When you download the LoyaPlay app from app stores such as Google Play or the Apple App Store, the relevant app store providers process certain information. This may include your IP address, device information, app store account information, download date and time, device identifiers, operating system, interface language, crash data, download statistics, uninstall statistics, and similar technical or usage information.

We do not control the collection or processing of such information by app stores. The relevant app store providers process this information according to their own terms and privacy policies. We may receive user reviews, review-related data, aggregated statistics, crash reports, download numbers, uninstall numbers, or similar metrics from app stores.

2.3 Data Processing When Using the App

When you use our app and related Services, we collect and process certain data necessary to provide, maintain, protect, and improve the Services. Such data may include internal user IDs, internal device IDs, app instance IDs, device identifiers, advertising identifiers (such as IDFA, GAID, and App Set ID), operating system version, app version, access time, IP address, content accessed, country or region of access, device language, network status, app usage data, game progress, points and reward-related records, ad impression and interaction data, event data, error logs, crash reports, and similar technical data.

We collect this data to provide the Services and related functions, maintain accounts, points, and reward redemption processes, send service-related notifications, detect and resolve technical issues, prevent misuse, cheating, duplicate accounts, invalid traffic, unauthorized access, and other fraudulent behavior, and improve our products, advertising experience, and user experience.

To provide security, fraud prevention, notifications, analytics, crash reporting, advertising, attribution, hosting, network acceleration, and data storage functions, we may use service providers or infrastructure such as Fingerprint, Firebase Cloud Messaging, Firebase Analytics, Firebase Crashlytics, AppLovin MAX, Singular, OVH Cloud, Cloudflare, and Cloudflare R2. These service providers may process device information, IP addresses, advertising identifiers, app events, logs, crash reports, reward-related records, risk signals, advertising events, attribution data, and similar technical data according to their functions. For the purposes, possible data types processed, and privacy/legal information for each service provider, please refer to Section 11, “Third-Party Service Providers,” of this Privacy Policy.

We may determine your approximate country or region, market area, proxy/VPN usage, or other security risks based on IP address, device information, location permissions, and technical signals provided by service providers. We may also process device location data with your authorization for market identification, personalized experiences, security, fraud prevention, and reward redemption integrity verification.

To use additional app functions, you may need to provide certain other data to us. Such data will be sent and provided to us only after you click the relevant submit button in the app, authorize the relevant permission, complete a reward redemption process, or actively contact us.

For user management, service operation, reward record processing, troubleshooting, data analysis, internal business system maintenance, and compliance with legal obligations, we may also process user data in internal management systems, databases, analytics tools, logging systems, customer support systems, and similar tools.

If data processed to provide the app and related Services is considered personal data, such processing is based on Article 6(1)(b) GDPR where necessary to perform the service relationship with the user; where applicable, it is also based on Article 6(1)(f) GDPR, namely our legitimate interests in providing secure, stable, and error-free Services, preventing fraud and abuse, improving products, maintaining the integrity of reward redemption processes, and conducting business analytics. For processing activities that require user consent, such as certain advertising, attribution, analytics, push notifications, location access, or device permission access, we will obtain consent based on Article 6(1)(a) GDPR where required by law.

2.4 Advertising, Attribution, Monetization, and Analytics

LoyaPlay is an advertising-supported and reward-supported service. We may share certain information with advertising, attribution, measurement, analytics, and monetization partners to display ads, measure ad performance, prevent fraud, attribute installs and events, calculate advertising revenue, and improve advertising campaign performance.

The information shared with these partners may include advertising identifiers, device identifiers, IP address, approximate location, device information, app events, ad events, session information, attribution data, install source, and other technical or usage data.

We use MAX / AppLovin for ad mediation, ad delivery, ad monetization, and related ad measurement. We use Singular for mobile measurement, attribution, analytics, and marketing performance measurement. Depending on their role and applicable law, these providers may process data as our service providers/processors and, in some cases, as independent controllers.

Where required by law or platform rules, we will request consent before collecting or sharing advertising identifiers or using data for personalized advertising. On iOS, this may include the App Tracking Transparency prompt to access IDFA. You may also limit ad tracking or reset advertising identifiers through your device settings.

2.5 Contact Through Customer Support Systems, Email, or Contact Forms

If you contact us through a customer support system, email, in-app support entry, contact form, social media direct message, or other communication channel, we process the information you provide to respond to your inquiry, provide support, investigate issues, handle complaints, keep records of communications, and protect our legal rights.

The information we may process includes your name or nickname, email address, contact information, message content, attachments, screenshots, device information, user ID, reward redemption-related information, customer support history, and other information necessary to understand, process, and resolve your request.

We may use customer support systems, internal email systems, databases, logging systems, and internal management tools to process user inquiries, support tickets, issue tracking, reward support, and service quality management. If you contact us through third-party social media, messaging platforms, or other external channels, those platforms may also process your account information, message data, device information, and interaction data according to their own privacy policies and terms of service. We do not control the independent processing activities of those third-party platforms.

We may also send you replies or notices related to your inquiry, account, reward redemption, service notices, issue handling, or similar matters through email, customer support systems, or in-app messages. Such communications are generally used to complete requests initiated by you, provide customer support, explain reward status, or handle service-related issues.

Where the GDPR applies, the legal bases for processing this information include Article 6(1)(f) GDPR, namely our legitimate interests in responding to user requests, providing customer support, investigating issues, preventing misuse, protecting legal rights, and improving the Services. If your request relates to service use, reward redemption, or contract performance, processing may also be based on Article 6(1)(b) GDPR, namely the performance of a contract or pre-contractual measures. Where applicable, we may also process necessary information based on Article 6(1)(c) GDPR to comply with legal obligations.

Unless required by law, necessary to handle your request, or otherwise described in this Privacy Policy, we will not provide your customer support communications to unrelated third parties. Customer support records will be retained for as long as necessary to handle your request, maintain business records, prevent disputes, comply with legal obligations, or protect legal rights.

2.6 Technical Functions and Permissions

Certain device permissions may be requested only when you use additional functions beyond the basic Services.

Push Notifications. If you enable push notifications, we may send you information about points or reward status changes, account or activity reminders, app updates, promotions, campaigns, or offers. Push notification permissions are requested by the operating system or the app. You can turn off push notifications at any time in your device settings.

Location Access. We may request access to location data to determine your market, provide a more relevant experience, support reward catalog availability, support advertising and analytics, and prevent fraud or misuse. You may allow or deny location access through device permissions, and you may withdraw location permissions in device settings. If you deny or withdraw permission, some features may be limited.

Advertising Tracking Permission. Where required by law, we may request access to advertising identifiers or use tracking technologies for advertising, attribution, or measurement. You may manage tracking permissions through your device settings.

2.7 Direct Marketing to Existing Users

Where permitted by law, we may use your email address or in-app communication channels to send you information about LoyaPlay products, services, games, rewards, promotions, campaigns, challenges, or offers that may be similar to the Services you previously used.

Where the GDPR applies, unless applicable law requires consent, we process such information based on Article 6(1)(f) GDPR, relying on our legitimate interests in promoting our business and maintaining relationships with existing users. If the law requires consent, we will obtain your consent before sending such communications.

You may object to direct marketing at any time. Marketing emails will include an unsubscribe method where required by law. You may also contact us at [email protected] to opt out of direct marketing.

2.8 Reward Redemption Function

LoyaPlay allows eligible users to redeem points or rewards through gift card reward options. The reward redemption process is completed with the assistance of external reward service providers, including Tango Card / Blackhawk Network.

To process reward redemption, we may ask you to provide an email address, country/region, selected reward type, reward amount, and other information necessary to process and deliver the reward. We may transmit redemption-related information to Tango Card / Blackhawk Network or other reward service providers to fulfill the gift card reward you selected.

Under the current process, we do not collect bank account information, payment card information, payment account passwords, government identity documents, facial photos, facial mapping data, or other biometric data for LoyaPlay reward redemption. However, when you claim, redeem, or use a gift card, the reward service provider, card issuer, or brand issuer may process relevant information according to their own terms and privacy policies.

Where the GDPR applies, redemption-related processing is based on Article 6(1)(b) GDPR for contract performance or pre-contractual measures, Article 6(1)(f) GDPR for our legitimate interests in operating and recording reward redemptions, and, where applicable, Article 6(1)(c) GDPR for compliance with legal obligations.

We may display and store your redemption history so that you can review past rewards and so that we can provide support, prevent fraud, maintain accounting records, and comply with legal obligations.

For reward fulfillment issues, please contact [email protected]; for privacy rights requests related to redemption data, please contact [email protected].

3. Data Disclosure, Transfers, and Recipients

We will not disclose, share, transfer, or allow third parties to access your personal data except in the following circumstances:

• the relevant processing has been described in this Privacy Policy, in-app notices, consent prompts, or specific feature descriptions;
• you have given consent;
• the processing is necessary to provide the Services, operate the app, maintain accounts, record points or rewards, process reward redemption, display or measure ads, perform attribution analysis, provide customer support, host data, maintain security, prevent fraud, troubleshoot issues, conduct data analysis, or manage our business;
• the processing is necessary to perform our service relationship with you or take pre-contractual measures at your request;
• the processing is necessary to comply with legal, tax, regulatory, accounting, audit, law enforcement, or other legal obligations;
• the processing is necessary to establish, exercise, or defend legal claims, or to protect our rights, property, and safety or those of others;
• the processing occurs in connection with a business transaction, such as a merger, acquisition, financing, reorganization, asset transfer, or similar transaction, in compliance with applicable law.

We may disclose, transfer, or allow the following categories of recipients to process personal data:

• Server, cloud hosting, and infrastructure providers, including OVH Cloud / OVHcloud. Our servers are currently provided by OVH Cloud and located in Hillsboro, Oregon, United States;
• Network acceleration, security protection, and proxy service providers, including Cloudflare, Inc., whose principal location is San Francisco, California, United States;
• Persistent data storage providers, including Cloudflare R2. We currently use Cloudflare R2’s automatic location selection configuration, so relevant data may be stored or processed in locations automatically selected by Cloudflare based on its infrastructure, service configuration, and available regions, rather than in a fixed data storage region specified by us;
• Notification service providers, including Firebase Cloud Messaging or related Firebase notification services. Firebase is part of the Google services ecosystem, and relevant Google entities mainly include Google LLC (Mountain View, California, United States) or applicable Google affiliates;
• Analytics service providers, including Firebase Analytics / Google Analytics for Firebase. Relevant Google entities mainly include Google LLC (Mountain View, California, United States) or applicable Google affiliates;
• Crash reporting, logging, and stability analytics service providers, including Firebase Crashlytics. Relevant Google entities mainly include Google LLC (Mountain View, California, United States) or applicable Google affiliates;
• Fraud prevention, risk control, and device intelligence providers, including Fingerprint / FingerprintJS, Inc. FingerprintJS, Inc. is a U.S. company, and its service hosting regions may include the United States, Europe, and Asia-Pacific;
• Ad mediation, ad network, ad measurement, and monetization service providers, including AppLovin MAX / AppLovin Corporation. AppLovin Corporation’s principal location is Palo Alto, California, United States;
• Attribution and marketing analytics service providers, including Singular / Singular Labs, Inc. Singular Labs, Inc.’s principal location is San Francisco, California, United States;
• Reward fulfillment and gift card service providers, including Tango Card / Blackhawk Network. Blackhawk Network, Inc.’s global privacy contact address is in Reno, Nevada, United States. Depending on the gift card type, brand, card issuer, or banking partner, relevant data may also be processed by other Blackhawk affiliates, brands, card issuers, or financial partners in other regions;
• App store and platform providers, including Apple App Store and Google Play. Apple entities may include Apple Inc. (Cupertino, California, United States) or applicable local Apple affiliates; Google Play entities may include Google LLC (Mountain View, California, United States) or applicable Google affiliates;
• Customer support systems, email, databases, internal management, logging, monitoring, business intelligence, and operational tool providers. We primarily process user inquiries through email and customer support systems and handle relevant data in accordance with this Privacy Policy and applicable law;
• Third-party social media, communication, and messaging platforms, but only where you contact us through Facebook, Messenger, or other third-party platforms. Such third-party platforms may process relevant data according to their own policies;
• Professional advisors and authorities, including lawyers, auditors, tax advisors, accountants, regulators, law enforcement authorities, courts, or other competent authorities.

The locations above are provided only to describe the relevant service providers, affiliates, principal business locations, server locations, or approximate regions where data may be processed. Actual data processing, storage, or access locations may vary depending on the user’s region, service configuration, cloud infrastructure, vendor subprocessors, data backups, network routing, customer support, or compliance requirements.

Because we use certain global infrastructure and service providers, including Cloudflare, Cloudflare R2, Firebase, AppLovin MAX, Singular, Fingerprint, OVH Cloud, Tango / Blackhawk Network, and other service providers, your personal data may be processed, stored, accessed, or transferred outside the country or region in which you reside, including Hong Kong, the United States, Canada, the United Kingdom, European Economic Area member states, and other countries or regions where service providers operate. These countries or regions may have data protection laws different from those in your region.

Where the GDPR, UK GDPR, or similar data protection laws apply, if personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country or region that has not been recognized as providing an adequate level of protection, we will take appropriate safeguards in accordance with applicable law. Such safeguards may include relying on European Commission adequacy decisions, UK adequacy regulations, EU Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, data processing agreements, vendor security commitments, encryption, access controls, data minimization, transfer impact assessments, and other appropriate technical and organizational measures.

We carefully select service providers and, where required by law, enter into written data processing agreements, Standard Contractual Clauses, or other appropriate contractual terms with them. Service providers that process personal data on our behalf should process personal data only under our authorization and instructions and implement appropriate technical and organizational security measures. These service providers may not use personal data for their own purposes without authorization.

If we allow other third parties to access information collected through our Services, we will require them to adopt privacy and security protections no less protective than those described in this Privacy Policy to the extent permitted by applicable law.

4. Retention Period

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Specific retention periods depend on the type of data and the processing purpose, including:

• Account, app usage, points, and reward data: retained while your account or app profile remains active and for a reasonable period thereafter for customer support, fraud prevention, accounting, legal, and audit purposes;
• Redemption records: retained for as long as necessary to provide reward history, resolve reward issues, prevent fraud, meet accounting or tax requirements, and comply with legal obligations;
• Fraud prevention and security logs: retained for as long as necessary to detect, prevent, investigate, and record fraud, abuse, unauthorized access, or rule violations;
• Advertising and attribution data: retained for as long as necessary for campaign measurement, attribution windows, reporting, fraud prevention, and partner requirements;
• Customer support communications: retained until the request is resolved and for a reasonable period thereafter for recordkeeping, quality assurance, and legal protection;
• Consent records and privacy request records: retained for as long as necessary to demonstrate compliance.

If you delete your account or request deletion, we will delete or anonymize personal data according to applicable law and our deletion process, unless we need to retain certain data for legal, accounting, security, fraud prevention, dispute resolution, or compliance purposes.

Uninstalling the app from your device will not automatically delete personal data we have previously collected. To request deletion, please contact [email protected] or use any deletion tools provided within the Services.

5. Cookies and Similar Technologies

Our Services may use cookies, local storage, SDK identifiers, device identifiers, advertising identifiers, app instance identifiers, pixels, cached data, and other similar technologies.

These technologies serve various functions. Some technologies are necessary for the proper operation of the Services, such as keeping app features available, maintaining security, preventing fraud, remembering your choices, delivering functions requested by you, troubleshooting errors, and ensuring the technical stability of the Services. Other technologies may be used to analyze user behavior, measure ad performance, perform advertising attribution, display personalized ads, optimize content, or improve our Services.

For strictly necessary cookies or similar technologies, we process the relevant information based on applicable data protection laws, contractual necessity, our legitimate interests, and applicable ePrivacy / cookie rules. Our legitimate interests include providing stable, secure, and error-free Services, preventing fraud and misuse, and maintaining the integrity of accounts and reward redemption processes.

For the use of cookies or similar technologies for non-essential purposes, such as statistical analytics, personalized advertising, advertising attribution, cross-app behavioral advertising, marketing, or similar measurement activities, we will obtain your consent where required by law. The specific scope of such consent may be described in in-app consent prompts, website cookie settings, advertising preference settings, or other consent management tools.

You may consent to all purposes or, where we provide relevant options, make separate choices for the following purposes:

• improving Services based on statistics and analytics;
• remembering preferences and improving app usability;
• advertising attribution, advertising measurement, and marketing;
• personalized advertising and cross-app behavioral advertising;
• security, fraud prevention, and risk control.

You may change your privacy settings or withdraw consent at any time through in-app settings, website consent settings, device settings, advertising preference settings, opt-out links, or other opt-out tools we provide. Withdrawal of consent applies only for the future and does not affect the lawfulness of processing based on consent before withdrawal.

You may also limit the use of advertising identifiers through your device settings, such as managing App Tracking Transparency / IDFA permissions on iOS devices or resetting or limiting the advertising ID on Android devices. Please note that if you reject or restrict certain cookies, SDKs, or similar technologies, some features, personalized experiences, advertising-related functions, or reward attribution may be affected.

6. Your Rights

Depending on your region and applicable law, you may have rights related to your personal data. These rights may include:

• Right of access: request information about the personal data we process about you.
• Right to rectification: request correction of inaccurate or incomplete personal data.
• Right to deletion: request deletion of personal data, subject to legal exceptions.
• Right to restriction of processing: request restriction of processing in specific circumstances.
• Right to data portability: receive certain personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object: object to processing based on legitimate interests or processing for direct marketing purposes.
• Right to withdraw consent: if processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to lodge a complaint: lodge a complaint with a competent supervisory authority where applicable.
• Right to information about automated decision-making: request meaningful information about automated decision-making or profiling where required by law.

Where the GDPR applies, the rights above correspond to rights under Articles 15 to 21 and Article 77 GDPR, and the right to withdraw consent under Article 7(3) GDPR.

To exercise your rights, please contact [email protected]. We may need to verify your identity before processing your request. If we cannot verify your identity or a legal exception applies, we may deny the request in accordance with applicable law.

We will not discriminate against you for exercising your privacy rights.

7. Children’s Privacy and Age Restrictions

The Services are intended only for users aged 18 or older. If you are under 18, please do not use the Services.

We do not knowingly collect, sell, or share personal information of minors under 18. If we discover that we have collected personal information of a minor in violation of this Policy or applicable law, we will take steps to delete the information or otherwise comply with applicable law.

If you believe that a minor has provided personal information to us, please contact [email protected].

8. Necessity of Providing Personal Data

Providing personal data is generally voluntary. However, certain data is necessary to use core features of the Services.

For example, we may need to process device data, usage data, and fraud prevention data to operate the app and protect the Services. We may need your email address and redemption-related information to deliver gift card rewards. We may need advertising and attribution data to support the advertising-funded model of the Services.

If you do not provide certain information or disable certain permissions, you may be unable to use some features, collect or redeem rewards, receive customer support, or obtain the full app experience.

9. Automated Decision-Making and Profiling

For fraud detection, risk control, security, abuse prevention, reward eligibility determination, and protection of our Services, we may automatically evaluate certain criteria. These criteria may include IP addresses, device and network signals, location signals, advertising identifiers, app activity, game behavior, reward activity, redemption history, email address or contact information you provide, and risk signals generated through Fingerprint or other security tools.

Automated evaluation may be used to identify suspected fraud, multiple account abuse, automated behavior, VPN/proxy abuse, abnormal reward activity, abnormal gaming or advertising interaction patterns, or violations of our terms or rules.

Depending on the circumstances, automated or semi-automated fraud prevention decisions may result in additional review, reward processing delays, reward request rejection, feature restrictions, access suspension, or exclusion from certain Services.

Where the GDPR applies, such processing may be necessary for contract performance under Article 6(1)(b) GDPR and, where applicable, Article 22(2)(a) GDPR; it may also be based on our legitimate interests in preventing fraud and abuse under Article 6(1)(f) GDPR. Where required by law, you may contact [email protected] to request human review, express your point of view, contest a decision, or obtain more information.

Fraud prevention data and risk assessment results are retained only for as long as necessary for security, fraud prevention, dispute resolution, compliance, and legal purposes.

10. Certain Data Processing Activities Not Directly Related to In-App Use

10.1 Social Media Pages and Page Insights

If we operate official pages on Facebook, Instagram, TikTok, X, YouTube, or similar services, platform providers may collect and process personal data when you visit or interact with our pages. Platform providers may provide us with aggregated analytics or insights about how users interact with our pages or content.

Such analytics may be based on personal data collected by platforms through cookies, account data, device data, and interaction data. We may use these insights to understand interactions, improve content, communicate with users, and promote our Services.

We do not control the independent data processing of platform providers. Please review the privacy policies and privacy settings of the relevant platforms. If you do not want a social media platform to process your data in connection with our page, please contact us through a channel outside that platform.

10.2 Data Processing Through Off-App Contact

If you contact us by email, website form, instant messaging tool, or social media direct message, we process the information you provide to handle your inquiry and follow-up questions. The data collected depends on the information you provide and the communication channel you use.

Unless there is a legal basis, we will not disclose such data to third parties. Where the GDPR applies, the legal basis is our legitimate interest in responding to inquiries under Article 6(1)(f) GDPR; where applicable, processing may also be based on contract performance or pre-contractual measures under Article 6(1)(b) GDPR.

11. Third-Party Service Providers

We may use third-party service providers, infrastructure services, software tools, platform services, and business partners to provide, maintain, protect, analyze, promote, and improve the LoyaPlay Services. Different service providers may process different types of data for different purposes, depending on the features you use, device permissions, your location, advertising consent status, reward redemption process, and our service configuration.

These providers may update their privacy notices, data processing terms, or legal information from time to time. Please review their official notices for the latest information. The links below are provided for reference only; if a third-party provider updates its website or policies, its latest official pages will apply.

The actual processing locations, participating affiliates, or subprocessors of the above service providers, software tools, platforms, or infrastructure may vary depending on user region, contractual relationships, service configuration, data backups, network routing, customer support, supplier arrangements, or compliance requirements.

Data related to our customer support system and internal email system is mainly controlled by us and processed through server infrastructure we deploy. If relevant functions involve third-party platforms or service providers, their official privacy policies and terms of service will apply.

Where required by applicable law, we enter into data processing agreements, Standard Contractual Clauses, or other appropriate contractual documents with relevant service providers and require them to implement appropriate technical and organizational security measures.

If we add, replace, or stop using certain third-party service providers in the future, or if the processing purposes of relevant service providers materially change, we will update this Privacy Policy or notify users by other appropriate means in accordance with applicable law.

1. Personal Information We Collect

The table below describes the categories of personal information we may collect, use, disclose, sell, or share. The terms “sell” and “share” are understood according to the definitions under the CCPA. We do not necessarily collect every example item listed in the table for every user.

2. Sale or Sharing of Personal Information

We do not sell personal information for money. However, under the CCPA, disclosing identifiers, advertising identifiers, internet or other electronic network activity information, geolocation data, and inferences to advertising, analytics, attribution, or measurement partners may be considered a “sale” or “sharing” if used for cross-context behavioral advertising.

Categories of personal information that may be sold or shared for cross-context behavioral advertising purposes include:

• identifiers;
• advertising identifiers and device identifiers;
• internet or other electronic network activity information;
• geolocation data;
• inferences.

The categories of third parties to whom we may sell or share such personal information include advertising partners, ad networks, attribution providers, analytics providers, and measurement partners.

We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age. The Services are intended only for users aged 18 or older.

3. California Privacy Rights

Subject to applicable legal exceptions, California residents may have the following rights:

3.1 Right to Know

You may request that we disclose information about our collection, use, disclosure, sale, or sharing of your personal information, including:

• the categories of personal information collected;
• the categories of sources of the information;
• the business or commercial purposes;
• the categories of recipients;
• the categories of personal information sold or shared and the categories of third parties receiving such information;
• the categories of personal information disclosed for business purposes and the categories of recipients;
• the specific pieces of personal information about you.

3.2 Right to Delete

You may request deletion of personal information we collected from you, subject to legal exceptions.

3.3 Right to Correct

You may request correction of inaccurate personal information we maintain about you.

3.4 Right to Opt Out of Sale or Sharing

You may opt out of the sale of personal information or sharing of personal information for cross-context behavioral advertising. You may exercise this right through the email link below, available in-app privacy settings, device settings where applicable, or by contacting us at [email protected].

Opt-out link: Do Not Sell or Share My Personal Information

If you use a Global Privacy Control (“GPC”) browser signal, you should enable the signal on each browser and device you use. Where required by law, we will treat a valid GPC signal as an opt-out request for that browser.

3.5 Right to Limit Use of Sensitive Personal Information

Where applicable, you may have the right to limit our use or disclosure of sensitive personal information. You may exercise this right through the email link below or by contacting [email protected]. Except as permitted by law, we do not use or disclose sensitive personal information to infer characteristics.

Limit link: Limit the Use of My Sensitive Personal Information

3.6 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

3.7 Exercising California Rights

To exercise your rights, please email [email protected] with the subject line “California Privacy Rights Request.” We may verify your identity by matching the information you provide with information we maintain. If we cannot verify your identity or a legal exception applies, we may deny the request.

Where permitted by law, you may use an authorized agent to submit a request on your behalf. We may require proof of authorization and may require you to verify your identity directly with us.

We will respond within the time required by applicable law. If we need additional time, we will notify you as required by law.

3.8 California “Shine the Light” Law

California’s “Shine the Light” law permits California residents to request information about our disclosure of certain personal information to third parties for those third parties’ own direct marketing purposes. To submit such a request, please email [email protected] with the subject line “California Shine the Light Request” and include your name, street address, city, state, and ZIP code.

1. Right to Know, Access, and Data Portability

You may have the right to confirm whether we are processing your personal data, access your personal data, and obtain a copy of the personal data you provided to us in a portable format.

Certain states provide additional transparency rights. For example, where applicable, Oregon residents may be able to request a list of the specific third parties to whom we disclose personal data, and Delaware residents may be able to request a list of categories of third parties to whom we disclose personal data.

2. Right to Delete

You may request deletion of your personal data, subject to legal exceptions.

3. Right to Correct

You may request correction of inaccurate personal data.

4. Right to Opt Out

You may opt out of:

• sale of personal data;
• targeted advertising;
• profiling for decisions that produce legal or similarly significant effects, where applicable.

You may exercise opt-out rights through available in-app privacy settings, device settings where applicable, or by contacting us at [email protected].

5. Right to Appeal

If we deny your request and the law of your state provides a right to appeal, you may appeal our decision by emailing [email protected] with the subject line “Privacy Request Appeal.”

6. Authorized Agents

Depending on the law of your state, you may designate an authorized agent to submit certain privacy requests on your behalf. We may require proof of authorization and identity verification.

7. Non-Discrimination

We will not deny you Services or charge you different prices because you exercise your privacy rights.

8. Request Records

If you submit a privacy rights request, we may retain information related to that request for recordkeeping, compliance, and dispute resolution purposes.