Privacy Policy

1. Data Controller & Contact

We are the data controller for personal information processed in connection with the Services. Where we act as a processor on behalf of another controller (for example, in a business-to-business consulting or white-label engagement), a separate data processing agreement governs that relationship and this Policy does not apply to that processing.

For all privacy-related inquiries, rights requests, or complaints, please contact us.

We aim to acknowledge all privacy-related correspondence within 5 business days and to resolve it within 30 calendar days, extendable by a further 30 days where the complexity of the request reasonably requires it, in which case we will notify you of the extension.

2. Scope and Applicability

This Policy applies to:

• All visitors to the Website, regardless of geographic location.
• All users of any current or future Product offered by us, whether distributed through first-party channels or through third-party software distribution platforms including but not limited to the Apple App Store, Google Play Store, Microsoft Store, Steam, or any other application marketplace (each a "Marketplace").
• Any individual who communicates with us in connection with support, feedback, or any other inquiry relating to the Services.

This Policy does not govern data practices of third-party platforms, Marketplaces, or services that you access independently. We encourage you to review the privacy policies of any third-party service you use.

3. Information We Collect

We apply a strict principle of data minimisation. We collect only information that is necessary to provide the Services, fulfil a legal obligation, or that you choose to provide to us directly. The categories below represent the full extent of personal information we may hold.

3.1 Information You Provide Through Marketplaces

When you purchase, download, or subscribe to a Product through a Marketplace, the Marketplace collects and processes your payment and account information directly under its own privacy policy. We do not receive, see, or store your payment card details, billing address, or full Marketplace account information.

We may receive from a Marketplace only the minimum transactional signals necessary to operate the Product, which may include:

• A subscription or purchase status signal (e.g., active, expired, cancelled, refunded) - used solely to determine whether to unlock or restrict premium features.
• A Marketplace-assigned anonymous or pseudonymous identifier - used to associate a subscription status with an installation without identifying you to us personally.
• Transaction date and region - used for tax, accounting, and regulatory compliance purposes.

The specific information received varies by Marketplace and Product. We receive only what the Marketplace's developer API makes available and what is strictly necessary for the above purposes.

3.2 Information You Provide During Support

When you contact us for support, submit a bug report, provide feedback, or otherwise communicate with us (collectively, "Support Communications"), you may voluntarily provide personal information. This may include, but is not limited to:

• Your name and email address (required to respond to you).
• A description of your issue, question, or feedback, which may incidentally contain personal information you choose to include.
• Device type, operating system, or Product version information you share to assist in diagnosing a technical issue.
• Any attachments, screenshots, or files you voluntarily attach to your communication.

4. Purposes and Legal Bases for Processing

We process personal information only for the specific, explicit, and legitimate purposes described below. Where applicable law requires a legal basis (as under the GDPR), we identify that basis for each purpose. We do not process personal information in a manner incompatible with the purposes stated here.

4.1 Subscription and Licence Management

Purpose: To verify whether a user holds a valid subscription or licence and to unlock, restrict, or otherwise manage access to Product features accordingly.

Data used: Subscription or purchase status signal; Marketplace-assigned identifier; transaction date and region.

Legal basis (GDPR): Performance of a contract - this processing is necessary to deliver the Product functionality you have purchased. Where required, we may also rely on compliance with a legal obligation for financial record-keeping purposes.

Legal basis (CCPA): Processing necessary to perform the contract with the consumer; business purposes as defined under Cal. Civ. Code.

4.2 Customer Support

Purpose: To receive, process, and respond to support requests, bug reports, and general inquiries; to diagnose and resolve technical issues; to improve the quality of the Services based on feedback received.

Data used: Name, email address, and the content of your Support Communication, including any attachments voluntarily provided.

Legal basis (GDPR): Performance of a contract; and where processing is not directly related to an existing contract, our legitimate interests in operating a functioning support process and improving our Products, balanced against the reasonable expectations of users who choose to contact us.

Legal basis (CCPA): Business purposes; performing services on behalf of the consumer.

4.3 Legal Compliance and Rights Enforcement

Purpose: To comply with applicable laws and regulations; to respond to lawful requests from courts, regulators, and law enforcement; to establish, exercise, or defend legal claims; to enforce our Terms of Service; to prevent fraud or abuse of the Services.

Data used: Any personal information we hold to the extent necessary for the specific legal purpose.

Legal basis (GDPR): Compliance with a legal obligation; legitimate interests in protecting our legal rights and preventing fraud and abuse; establishment, exercise, or defence of legal claims for any Special Category Data.

4.4 Business Operations and Continuity

Purpose: To maintain financial and tax records as required by law; to carry out corporate transactions such as restructuring, merger, acquisition, or sale; to manage our internal business processes, including record-keeping, audits, and assessments of our privacy compliance obligations.

Data used: Transaction dates, regions, and Marketplace identifiers; support correspondence to the extent necessary for record-keeping.

Legal basis (GDPR): Compliance with a legal obligation; legitimate interests in managing and operating our business.

4.5 No Further Processing Without Notice

We will not use personal information for any purpose materially different from those listed in this Section without first providing you with notice of the new purpose and, where required by applicable law, obtaining your consent.

5. Data Retention

We retain personal information for no longer than is necessary for the purposes set out in this Policy or as required by applicable law. The following periods govern each category of data we hold. Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.

5.1 Subscription and Marketplace Transaction Data

Transaction records (subscription status signals, anonymous identifiers, transaction dates, and region information) are retained for seven (7) years from the date of the transaction. This period reflects the financial record-keeping obligations imposed by tax and accounting laws in most jurisdictions, including but not limited to the United States (IRS), the United Kingdom (HMRC), and the European Union member states (VAT Directive 2006/112/EC), and the limitation periods applicable to contractual and tax disputes.

Where a shorter period is prescribed by applicable law in your jurisdiction, we will apply that shorter period to the extent technically and operationally practicable.

5.2 Support Communications

Support emails and related correspondence are retained for ninety (90) calendar days from the date on which the support request is resolved or closed. We apply this default period to allow for reasonable follow-up and to address any recurrence of the same issue.

Notwithstanding the above, we may retain specific Support Communications for longer where:

• Ongoing legal proceedings or disputes - where correspondence is relevant to a dispute, claim, or investigation that is pending or reasonably anticipated, data will be retained under a legal hold until the matter is finally resolved, including the expiry of any applicable appeal period.
• Regulatory compliance or inquiry - where a regulator, court, or law enforcement authority has made or is reasonably anticipated to make a request for information.
• Your explicit request for extended retention - where you have requested, for your own purposes, that we retain correspondence beyond the standard period.

You may request deletion of your Support Communications at any time by contacting us. We will comply within 30 calendar days, subject to the exceptions described in Section 5.4 below.

5.3 Compliance Records

When we process a data subject rights request (including a request for erasure), we are required under GDPR and equivalent provisions in other applicable laws to demonstrate compliance with our obligations (the "accountability principle"). To fulfil this requirement without retaining the underlying personal data, we create a minimal compliance record consisting only of:

• The date and time of the request.
• The type of right exercised (e.g., erasure, access, correction).
• A one-way cryptographic hash (e.g., SHA-256) of the email address or other identifier used to submit the request. This hash is mathematically irreversible and cannot be used to reconstruct or re-identify the individual; it serves only to demonstrate that a specific request was processed.
• The date the requested action was completed.

Compliance records contain no personal data in recoverable form and are retained for five (5) years from the date of completion of the relevant action. This period reflects the limitation periods for regulatory enforcement proceedings under the GDPR, CCPA, and comparable frameworks. After this period, compliance records are permanently deleted.

5.4 Exceptions and Legal Holds

Notwithstanding any retention period specified above, we reserve the right to retain personal information for a longer period where:

• Retention is required or permitted by applicable law, including any mandatory minimum retention periods imposed by tax, financial, employment, health and safety, or other regulatory requirements.
• The data is subject to a legal hold in connection with actual or reasonably anticipated litigation, arbitration, regulatory investigation, or law enforcement request.
• Erasure is technically infeasible due to backup or archival processes, in which case we will isolate and protect the data from further processing until deletion is possible, and will delete it in the next available scheduled purge cycle.

In all cases, retained data will be used only for the specific purpose justifying the extended retention and will not be processed for any other purpose.

5.5 Deletion and Anonymisation Methods

Upon expiry of the applicable retention period, personal data is destroyed using methods appropriate to its sensitivity and format, including but not limited to: secure overwriting of electronic records, cryptographic erasure of encrypted stores, and irreversible aggregation or anonymisation of structured data. Anonymised or aggregated data from which no individual can reasonably be identified is not considered personal data and may be retained indefinitely for statistical, research, or product improvement purposes.

6. Sharing and Disclosure of Personal Information

We do not sell, rent, or trade personal information. We do not share personal information with third parties for cross-context behavioural advertising or marketing purposes. Disclosure of personal information is limited to the following circumstances:

6.1 Service Providers and Processors

We may engage third-party vendors who process personal information on our behalf and under our documented instructions as data processors (under the GDPR) or service providers (under the CCPA). These may include providers of email infrastructure, customer support tooling, cloud hosting, and accounting software. Each processor is bound by a data processing agreement that prohibits use of personal information for any purpose other than performing services for us and imposes security obligations consistent with this Policy.

We will update this Policy or publish a supplemental sub-processor list where we engage processors whose involvement is material to your privacy rights.

6.2 Legal Requirements and Enforcement

We may disclose personal information to courts, regulators, law enforcement authorities, or other governmental or quasi-governmental bodies where such disclosure is required by applicable law, regulation, or binding legal process (such as a court order, subpoena, or regulator's information notice). Where permitted by law, we will notify you of such a request before complying.

6.3 Protection of Rights and Safety

We may disclose personal information where we believe in good faith that disclosure is necessary to protect the rights, property, or our safety, our users, or third parties, including to prevent or investigate fraud, abuse, security incidents, or violations of our Terms of Service.

6.4 Business Transfers

In the event of a merger, acquisition, reorganisation, asset sale, or other corporate transaction involving us or substantially all of our assets, personal information we hold may be transferred to the acquiring entity as part of that transaction. We will notify you of any such change via notice on our Website or by direct communication where feasible and where required by applicable law, and we will ensure the receiving entity is bound by privacy obligations substantially equivalent to those in this Policy.

6.5 With Your Consent

We may share personal information for purposes not described in this Policy where you have given us your explicit, informed consent. You may withdraw that consent at any time by contacting us, without affecting the lawfulness of any processing carried out before withdrawal.

7. Security

We implement and maintain technical and organisational measures appropriate to the nature, scope, and sensitivity of the personal information we hold, and to the risks that processing presents to the rights and freedoms of individuals. These measures are designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Specific measures applied may include, where appropriate: encryption of data in transit and at rest; access controls and authentication requirements; regular security assessments; and contractual security obligations imposed on processors.

No method of transmission or storage is completely secure. In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected individuals and the relevant supervisory authority in accordance with applicable law.

8. Your Privacy Rights

Depending on your jurisdiction and the applicable law, you may have some or all of the following rights with respect to personal information we hold about you. We will not discriminate against you for exercising any of these rights.

8.1 Rights Available in Most Jurisdictions

• Right of Access - the right to request confirmation of whether we hold personal information about you and, if so, to receive a copy of that information and related details (including purpose, categories, recipients, and retention period).
• Right to Rectification / Correction - the right to request that inaccurate personal information we hold about you be corrected without undue delay.
• Right to Erasure / Deletion - the right to request deletion of personal information we hold about you, subject to applicable legal obligations and the exceptions described in Section 5.4.
• Right to Restriction of Processing - the right to request that we restrict processing of your personal information in certain circumstances (for example, while we verify a rectification request or assess an objection).
• Right to Data Portability - the right to receive personal information you have provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller, where technically feasible.
• Right to Object - the right to object, on grounds relating to your particular situation, to processing of your personal information based on our legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.
• Right to Withdraw Consent - where processing is based on your consent, the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

8.2 How to Exercise Your Rights

To exercise any of the above rights, or to ask any question about how we handle your personal information, please submit a written request with the subject line "Privacy Rights Request". Please describe your request with sufficient detail to allow us to identify and locate the relevant data. We may ask you to verify your identity before processing your request; any information requested for identity verification will not be used for any other purpose.

We will respond within 30 calendar days. Where the complexity or number of requests justifies it, this period may be extended by up to a further 60 days (GDPR) or 45 days (CCPA), with prior written notice.

Because we hold very limited personal information, we may not be able to identify a specific individual from a Marketplace identifier alone. In such cases, we will inform you of this limitation and take all reasonable steps available to us to locate the data.

9. California Residents - CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and the CPRA Regulations issued by the California Privacy Protection Agency (CPPA) grant you specific rights in addition to those set out in Section 8.

9.1 Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information as defined under California Civil Code:

• Identifiers - email address (only if you contact us for support); anonymous or pseudonymous Marketplace identifier (where received from a Marketplace API).
• Commercial information - subscription or purchase status signal; transaction date and region.
• Internet or other electronic network activity - we do not collect this category.
• Geolocation data - we do not collect this category.
• Sensitive personal information - we do not collect this category.

9.2 Business or Commercial Purposes for Collection

Personal information is collected for the business purposes described in Section 4. We do not use or disclose sensitive personal information for purposes beyond those permitted under CPRA.

9.3 Sale or Sharing of Personal Information

We do not sell personal information, and we do not share personal information with third parties for cross-context behavioural advertising as defined under the CCPA/CPRA.

9.4 California-Specific Rights

• Right to Know - the right to request disclosure of the categories and specific pieces of personal information we have collected, the purposes of collection, and the categories of third parties with whom we have disclosed it.
• Right to Delete - the right to request deletion of personal information we have collected, subject to the exceptions set out in CCPA § 1798.105(d) and Section 5.4 of this Policy.
• Right to Correct - the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale / Sharing - as we do not sell or share personal information, this right is not triggered. Should our practices change, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" mechanism prior to any such change.
• Right to Limit Use of Sensitive Personal Information - as we do not collect sensitive personal information (as defined under CPRA), this right is not triggered.
• Right to Non-Discrimination - we will not discriminate against you for exercising any California privacy right, including by denying goods or services, charging different prices, or providing a different level of service.

To exercise California privacy rights, contact us with the subject line "California Privacy Request". We will verify your identity and respond within 45 calendar days, extendable by a further 45 days with prior notice.

10. EEA, UK & Switzerland - GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (EU GDPR), the UK GDPR, or the Swiss Federal Act on Data Protection (nFADP), respectively, applies to the processing of your personal data.

10.1 Legal Bases for Processing

All processing rests on one or more of the following legal bases:

• Performance of a contract: Subscription and licence management; provision of support in connection with a Product you have purchased or downloaded.
• Legal obligation: Retention of transaction records for tax and accounting compliance; compliance with data protection accountability obligations; responding to binding legal process.
• Legitimate interests: Provision of customer support in connection with free or trial-version Products; prevention of fraud and abuse; protection and enforcement of our legal rights; general business operations and continuity. In each case, these interests are balanced against your interests and fundamental rights and freedoms; we do not consider them to override those rights, given the limited nature and sensitivity of the personal information involved.
• Consent: Any processing that falls outside the above bases and for which we have obtained your explicit, freely given, specific, informed, and unambiguous consent.

10.2 Automated Decision-Making

We do not make decisions based solely on automated processing of personal data that produce legal or similarly significant effects on individuals.

11. International Data Transfers

We operate globally and personal information we hold may be transferred to, stored in, or processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction. Where such transfers occur, we implement appropriate safeguards to ensure that your personal information receives a level of protection consistent with applicable law.

Support emails sent to us may transit or be stored on email infrastructure in countries outside your jurisdiction. We take reasonable steps to ensure that processors handling such data are subject to adequate contractual protections.

For more information about the safeguards applicable to a specific transfer, please contact us.

12. Children's Privacy & COPPA

12.1 General Age Restriction

The Services are not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction, which may be higher in certain EEA member states under GDPR). We do not knowingly collect personal information from children below the applicable minimum age without verified parental or guardian consent. For users between the applicable minimum age and 18, parental or guardian consent may be required as described in our Terms of Service.

12.2 COPPA Compliance (United States)

We comply with the Children's Online Privacy Protection Act (COPPA), and the FTC's implementing regulations. We do not knowingly collect, use, or disclose personal information from children under 13 in the United States. Our Products are designed to require no personal information during ordinary use, which substantially eliminates COPPA exposure in the normal course.

12.3 Discovery of a Minor's Information

If we become aware that we have inadvertently collected personal information from a child below the applicable minimum age without verifiable parental consent, we will:

1. Immediately cease any further processing of that information beyond what is necessary to fulfil our deletion obligations.
2. Securely delete the information from our systems as promptly as practicable - typically within 5 business days.
3. Notify the parent or guardian if we have a contact address, confirming what was collected and that it has been deleted.

12.4 Parental Rights

Parents or legal guardians who believe we hold personal information from a child under 13 may contact us with the subject line "COPPA Parental Request" to request access, correction, or deletion of that information. We will respond within 10 business days and will not require more information than is reasonably necessary to process the request.

13. Third-Party Services and Software Marketplaces

Our Products are distributed through third-party Marketplaces. Those platforms operate independently and under their own privacy policies. We are not responsible for and does not control the data practices of any Marketplace or other third-party platform. We encourage you to review the relevant policies.

Any personal information you provide directly to a Marketplace - such as your name, payment details, or account credentials - is collected and controlled by that Marketplace, not by us.

The Website or Products may contain links to third-party websites or services. The inclusion of a link does not imply endorsement by us of that website or service, and we are not responsible for the privacy practices of any linked third party.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, applicable law, or regulatory guidance. The current version is always available at this URL. Changes take effect on the "Effective date" shown at the top of this page.

For material changes - meaning changes that significantly expand the scope of personal information we collect, alter the purposes for which we process it, or reduce your rights - we will provide at least 30 days' prior notice via a prominent notice on our Website, an in-Product notification, or direct communication where we hold your contact details. Where required by applicable law, we will seek your renewed consent before the change takes effect.

Your continued use of the Services or Products after a revised Policy takes effect constitutes your acknowledgment of the changes. If you do not agree with a revised Policy, you should cease using the Services or Products and may contact us to exercise your data subject rights.

15. Contact Us

For any questions, concerns, rights requests, or complaints regarding this Privacy Policy or our data practices, please contact us:

[email protected]

We aim to acknowledge all inquiries within 5 business days and to resolve them within 30 calendar days.