Privacy Policy for [Game App Name]
Effective Date: [Month Day, Year]
Version: [v1.0]
This Privacy Policy describes how [Company Legal Name], a [jurisdiction of incorporation and company form, e.g., Delaware corporation] with registered address at [Address] (referred to as “Company,” “we,” “us,” or “our”), collects, uses, discloses, and safeguards personal information in connection with the [Game App Name] mobile application and related services (collectively, the “Services”).
Scope and Roles
- Controller/Business: For purposes of the EU/UK General Data Protection Regulation (EU/UK GDPR), we act as a “controller” of personal data processed through the Services. For purposes of the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), we act as a “business.” For other U.S. state privacy laws (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA), we act as a “controller.”
- Processors/Service Providers: We engage third-party vendors that process personal information on our behalf under written contracts limiting their processing to specified purposes and requiring appropriate safeguards.
1) Categories of Personal Information We Collect
We may collect the following categories of personal information, depending on how you interact with the Services and your platform settings:
- Identifiers: Account username, display name, user ID, platform IDs (e.g., Apple Game Center ID, Google Play Games ID), device identifiers (e.g., IDFA/AAID where permitted), IP address.
- Contact Information: Email address (e.g., for support, newsletters), optional profile information.
- Commercial Information: In-app purchase history, transaction identifiers (from app stores), virtual goods balance and inventory.
- Internet/Network Activity: App usage data, gameplay events, session logs, crash logs, performance data, referral/attribution data, in-app navigation, interaction with ads (e.g., ad impressions and clicks).
- Geolocation Data: Approximate location inferred from IP address; precise location only if you grant permission for features that require it.
- Inferences: Segments or profiles derived from gameplay or app interactions to customize gameplay difficulty, content recommendations, or advertising (where permitted).
- User-Generated Content: Chat messages, usernames, avatars, forum posts, support tickets, feedback, and bug reports.
- Device and Technical Data: Device type/model, OS version, language, time zone, network type, app version, SDK versions, diagnostic information.
- Sensitive Personal Information: We do not seek to collect sensitive personal information (e.g., precise geolocation, biometric identifiers, health data) unless a specific feature requires it and you provide consent or enable the feature. If collected, such use is restricted to purposes permitted by applicable law and this Policy.
We do not intentionally collect special categories of personal data under GDPR (e.g., health, biometric, religious, union membership) in connection with the Services.
2) Sources of Personal Information
- Directly from you: Account registration, gameplay, in-app chat, customer support requests, surveys, and beta testing programs.
- Automatically from your device: Through SDKs, cookies or similar technologies embedded in the App (e.g., analytics, crash reporting, attribution, ad measurement).
- Third parties: Platform operators (Apple/Google), authentication providers (e.g., Game Center/Play Games), payment processors (App Store/Google Play billing), ad partners, analytics providers, user acquisition and attribution partners, and social features you authorize.
3) Purposes and Legal Bases for Processing
We process personal information for the following purposes and, where required, under the specified legal bases:
- Provide and Operate the Services: Create and manage accounts, enable gameplay, matchmaking, leaderboards, social features, save state synchronization, and in-app purchases.
• Legal bases (EU/UK): Performance of a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) to ensure service functionality; Legal obligation (Art. 6(1)(c)) for payments/records.
- Personalize Gameplay and Content: Adjust difficulty, recommend content, optimize progression.
• Legal bases: Legitimate interests (Art. 6(1)(f)); Consent (Art. 6(1)(a)) where required.
- Analytics and Service Improvement: Measure performance, fix bugs, detect fraud/cheating, enhance stability and features.
• Legal bases: Legitimate interests (Art. 6(1)(f)) to improve and secure the Services.
- Customer Support and Communications: Respond to inquiries, provide notices regarding changes, send service-related messages.
• Legal bases: Performance of a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)).
- Marketing and Promotions: Send newsletters or in-app marketing; deliver contextual or interest-based advertising (including cross-context behavioral advertising) where allowed.
• Legal bases: Consent (Art. 6(1)(a)) where required; Legitimate interests (Art. 6(1)(f)), subject to opt-out rights.
- Security and Fraud Prevention: Monitor and prevent cheating, hacking, unauthorized transactions, spam, and abuse; ensure integrity of leaderboards and multiplayer.
• Legal bases: Legitimate interests (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)).
- Compliance and Corporate Activities: Regulatory compliance, tax and accounting, enforcing terms, responding to lawful requests, defending legal claims, or in the context of a merger or acquisition.
• Legal bases: Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)).
Where we rely on consent, you may withdraw it at any time via in-app settings or by contacting us, without affecting processing prior to withdrawal.
4) Targeted Advertising; “Sale” or “Share” of Personal Information
- Targeted Advertising: We may allow ad partners to collect or receive data (e.g., device identifiers, app interactions) to display ads tailored to your interests across apps and websites. In jurisdictions that require consent, we request your consent before enabling such tracking (e.g., Apple AppTrackingTransparency on iOS 14.5+). You can opt out in-app and, where applicable, via device settings.
- “Sale” or “Share” (California CPRA): We do not exchange your personal information for money. However, certain disclosures for cross-context behavioral advertising may be deemed a “sale” or “sharing” under California law. California residents can opt out of “sale”/“sharing” via the “Do Not Sell or Share My Personal Information” link and in-app controls.
- Other U.S. States: Where required (e.g., VA, CO, CT, UT, TX), you may opt out of targeted advertising or the “sale” of personal data, if applicable, through our in-app controls or by contacting us.
5) Disclosures of Personal Information
We disclose personal information to the following categories of recipients under appropriate contracts and safeguards:
- Service Providers/Processors: Cloud hosting, analytics, crash reporting, customer support tools, email/SMS vendors, QA/testing, security vendors.
- Advertising and Attribution Partners: Ad networks, mediation platforms, demand-side platforms, ad measurement and attribution providers, subject to consent/opt-out mechanisms.
- Platform Operators and Payment Processors: Apple App Store, Google Play, and other platforms that process purchases, entitlements, refunds, and fraud prevention.
- Social/Identity Providers: If you link accounts (e.g., Game Center, Play Games), we receive and disclose limited identifiers to enable such features consistent with the provider’s terms.
- Other Players: Your user-generated content (e.g., display name, avatar, chat messages) may be visible to other players as part of the game.
- Corporate Transactions: Prospective or actual acquirers, assignees, or successors in connection with mergers, acquisitions, financings, or asset transfers, subject to confidentiality.
- Legal and Safety: Law enforcement or regulators where required by law or to protect rights, safety, and property, prevent fraud, or enforce our terms.
We do not permit service providers to use your personal information for their own independent purposes.
6) International Data Transfers
If you are located in the EEA, UK, or other regions with data transfer restrictions, we may transfer personal data to countries that have not been deemed to provide an adequate level of protection by the European Commission/UK authorities. In such cases, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission and, where applicable, the UK International Data Transfer Addendum/Agreement;
- Data Transfer Impact Assessments and supplementary measures where necessary.
You may request a copy of the relevant transfer safeguards by contacting us.
7) Data Retention
We retain personal information for as long as necessary to fulfill the purposes outlined in this Policy, including:
- Account and gameplay data: For the duration of your account and for [X] months thereafter for backup, dispute resolution, and fraud prevention.
- Transaction records: For [X–Y] years to comply with tax/accounting obligations.
- Analytics and logs: For up to [X] months unless a longer period is needed for security or legal purposes.
We will delete or de-identify data when it is no longer needed, subject to legal retention requirements.
8) Your Rights
Your rights depend on your jurisdiction. Subject to applicable law and certain exceptions, you may have the right to:
EU/UK (EU/UK GDPR):
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase personal data (“right to be forgotten”).
- Restrict processing.
- Data portability.
- Object to processing based on legitimate interests and to direct marketing.
- Withdraw consent at any time (without affecting prior processing).
- Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (Art. 22), unless permitted by law and subject to safeguards.
- Lodge a complaint with a supervisory authority (e.g., your local data protection authority).
United States:
- California (CCPA/CPRA): Know/access specific pieces and categories, correct, delete, opt out of sale/sharing, limit use/disclosure of sensitive personal information (if applicable), and be free from discrimination for exercising your rights. We provide a Notice at Collection within this Policy. You may use an authorized agent subject to verification.
- Other States (e.g., VA, CO, CT, UT, TX): Access, correct, delete, data portability, and opt out of targeted advertising, the sale of personal data, and certain profiling. You have the right to appeal our decisions regarding your requests.
Brazil (LGPD), Canada (PIPEDA), and other jurisdictions:
- Rights may include confirmation of processing, access, correction, deletion, portability, and revocation of consent.
Exercising Rights:
- Submit requests via: [Web form/DSAR portal URL] or [privacy email].
- Verification: We may request information to verify your identity and authority. We will respond within statutory timeframes.
- Appeals (U.S. states requiring appeal): If we deny your request, you may appeal by [email/portal]. You may also contact your state attorney general if you have concerns.
9) Children’s Privacy
Our Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it and, where applicable, terminate the child’s account.
- COPPA: If we offer features directed to children under 13 in the United States, we will implement verifiable parental consent mechanisms and limit data collection to what is reasonably necessary.
- EU/UK: Where consent is the legal basis for processing and the user is below the age of digital consent established by local law (between 13 and 16), we will obtain consent from a parent or guardian.
10) Security
We implement appropriate technical and organizational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including access controls, encryption in transit, network monitoring, and security reviews of third-party SDKs. No method of transmission or storage is fully secure; we cannot guarantee absolute security.
11) Cookies, SDKs, and Tracking Technologies
We and our partners may use software development kits (SDKs), cookies, device identifiers, and similar technologies to:
- Enable core app functions (e.g., login, save states).
- Perform analytics and measure performance.
- Deliver and measure advertising (subject to consent and opt-out).
- Prevent fraud and ensure security.
Platform Controls:
- iOS: You can manage tracking permissions via AppTrackingTransparency and reset the advertising identifier.
- Android: You can reset or delete the advertising ID and opt out of ad personalization.
- You may also control notifications, location, camera, microphone, and other permissions via device settings.
12) Social Features and User-Generated Content
If you choose to participate in chat, leaderboards, multiplayer, or social sharing, information you post (e.g., display name, avatar, messages) may be visible to other users. Do not share information you do not wish to be public.
13) Payments and In-App Purchases
Purchases are processed by the platform operator (e.g., Apple App Store, Google Play). We do not receive your full payment card details. We receive transaction confirmations and receipts needed to grant entitlements, prevent fraud, and comply with accounting obligations.
14) Automated Decision-Making and Profiling
We may use limited profiling to personalize gameplay or ads. We do not engage in automated decision-making that produces legal or similarly significant effects within the meaning of GDPR Article 22 without your consent or as otherwise permitted by law and subject to appropriate safeguards.
15) Do Not Track and Global Privacy Control
Our Services currently do not respond to browser-based “Do Not Track” signals. Where required by applicable law, we honor Global Privacy Control (GPC) or similar opt-out signals for “sale”/“sharing” and targeted advertising.
16) California Notice at Collection
- Categories Collected: Identifiers; contact information; commercial information; internet/network activity; geolocation (approximate); inferences; device/technical data; user-generated content. We do not intentionally collect sensitive personal information except as disclosed and only for limited, permitted purposes.
- Purposes of Use: See Section 3.
- Retention: See Section 7.
- Sale/Share: Certain disclosures for cross-context behavioral advertising may be considered a “sale” or “share.” You may opt out via our “Do Not Sell or Share My Personal Information” link or in-app settings.
- Financial Incentives: We do not offer programs that constitute “financial incentives” under CCPA/CPRA. If we launch such a program, we will provide a separate notice describing material terms and how to opt in.
- Non-Discrimination: We will not discriminate against you for exercising CCPA/CPRA rights.
17) Third-Party Links
The Services may link to third-party sites or services. We are not responsible for the privacy practices of such third parties. Review their privacy policies for more information.
18) Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a revised Effective Date and, where required by law, will notify you and/or seek your consent for material changes.
19) How to Contact Us
- Controller/Business: [Company Legal Name], [Address], [Email], [Phone, if applicable].
- Data Protection Officer (if appointed): [Name/Title], [Contact].
- EU Representative (GDPR Art. 27, if applicable): [Representative Name and Address].
- UK Representative (if applicable): [Representative Name and Address].
- Complaints: EU/UK users may contact their supervisory authority. California residents may contact the California Privacy Protection Agency (CPPA). Residents of other U.S. states may contact their state attorney general.
20) Jurisdiction-Specific Disclosures
- EEA/UK: We rely on consent, contract necessity, legitimate interests, and legal obligations as described above. Marketing communications will be sent in accordance with applicable ePrivacy rules; you may opt out at any time.
- Brazil (LGPD): Our legal bases include consent, performance of contract, and legitimate interests. You may contact us to exercise LGPD rights and to request information about processors.
- Canada (PIPEDA/Provincial Laws): We obtain consent as required and limit collection to reasonable purposes. Contact us to access or correct your information.
21) Your Choices and Controls
- Tracking/Ads: Use in-app privacy controls and device settings to manage tracking and ad personalization.
- Marketing: Unsubscribe via the link in our emails or in-app settings.
- Permissions: Manage location, notifications, camera, microphone, and contacts permissions in your device settings.
- Account: You may request account deletion via in-app settings or by contacting us.
Important Notices and Implementation Guidance for Your Team (Non-substantive to users; remove before publishing if desired)
- Replace placeholders (company name, address, email, DPO, representatives, retention periods, DSAR portal).
- Inventory SDKs and ensure your disclosures match actual data flows (analytics, ads, crash reporting, attribution).
- If you engage in targeted advertising or cross-context behavioral advertising, enable opt-out mechanisms and GPC handling and maintain records of consent where required.
- For iOS: Implement AppTrackingTransparency where tracking occurs; ensure purpose strings are accurate. For Android: Honor “opt out of Ads Personalization.”
- Maintain records of processing activities (GDPR Art. 30), data processing agreements with vendors (Art. 28), and SCCs/IDTA for international transfers where applicable.
- If the game is directed to children or mixed audience, consult COPPA/GDPR-K requirements and use age screens and verifiable parental consent where required.
By installing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not install or use the Services.
