Privacy Policy
Status: Ship-ready draft — pending TODO-USER placeholders. Last updated: 2026-05-27. Owner: Product + Legal. Source of truth: this file. The in-app condensed view lives in web/privacy.html; the engineering draft in ../launch/privacy-page-draft.md is its working copy.
Two classes of placeholder appear below:
- `<!-- TODO-USER -->` — entity-specific values (legal entity name, jurisdiction, contact email). Filled by the user (Product/Legal) before submission.
- `<!-- TODO-OPS -->` — operations-provisioned values (Apple SKUs). Filled by Ops once provisioned. Hosted URLs are backfilled to https://arcaneduck.com/...; the arcaneduck-vm region is tracked under `TODO-USER`.
Do not fill placeholders here without also updating web/privacy.html, README.md, and the matching rows in ../launch/app-store-submission-checklist.md.
Related legal docs in this directory (see README.md for the full index):
- `terms-of-service.md` — EULA / acceptable use.
- `dsa-contact.md` — EU Digital Services Act contact point.
- `coppa-and-age.md` — age rating + GDPR-K stance.
- `dsar-procedure.md` — Data Subject Access Request handling.
- `refund-policy.md` — refund handling under Apple + EU consumer law.
- `account-deletion-policy.md` — deletion SLA + retention exceptions.
Cross-links to supporting internal docs:
- `../launch/data-processing-record.md` — GDPR Art. 30 Record of Processing.
- `../launch/privacy-nutrition-label-template.md` — Apple App Privacy Nutrition Label answers.
- `../product/privacy-data-requirements.md` — internal data-handling spec.
1. Who we are (Controller)
We are the publisher of the AlcheMagic mobile game ("AlcheMagic", "the Service", "we", "us").
- Legal entity: <!-- TODO-USER: legal entity name -->
- Jurisdiction of incorporation: <!-- TODO-USER: jurisdiction -->
- Postal address: <!-- TODO-USER: postal address -->
- Privacy contact email: <!-- TODO-USER: privacy@example.com -->
For EU users, this entity is the data controller under GDPR Art. 4(7) for all data described in this policy. Apple Inc. is a separate controller for App Store transactions and Game Center authentication.
2. Scope
This policy covers data processed by the AlcheMagic iOS app, its backend service, and its supporting websites. It does not cover data processed by Apple Inc. or other third parties acting as independent controllers — see their own policies.
3. Data we process
We process the following pseudonymous data. We do not receive your real name, email address, Apple ID, phone number, postal address, IDFA, IDFV, or any contact list.
| Category | Examples | Source | Identifier link |
|---|---|---|---|
| Game Center identity (pseudonymous) | HMAC-SHA256 hash of Game Center player id | Apple Game Center sign-in | Hashed server-side; see app/auth/playerStore.js:23. |
| Session id (pseudonymous) | HMAC-SHA256 hash of session token | Created on Game Center proof verify | Hashed server-side; see app/auth/sessionStore.js:61-68. |
| Cloud save data | Level progress, owned upgrades, settings, display name | In-app gameplay | Linked to hashed player id only. |
| Purchase records | Apple originalTransactionId, product id, entitlement state, refund flags | Apple App Store Server Notifications (ASSN v2) | Linked to hashed player id only. See app/iap/entitlementStore.js, app/iap/purchaseRoutes.js. |
| Gameplay telemetry (opt-in) | Waves played, levels completed, towers built, funnel events | In-app instrumentation | Sent to GameAnalytics only with consent (default OFF). See web/runtime/iosTelemetry.js. |
| Crash & ANR reports (opt-in) | Stack traces, device model, OS version | Firebase Crashlytics | Sent only with consent (default OFF). |
| Server access log | HTTP method, path, status, timing, hashed player id | Backend Pino logger | Retained 30 days; rotated daily. |
| Audit log | Account deletion events, purchase mutations | Backend audit writer | Retained indefinitely (compliance — see §7). |
| Remote-config install id (anonymous) | Firebase installation id | Firebase Remote Config (Google) | Used for config delivery only; not a player identifier. See §6. |
We do not collect: IDFA, IDFV (telemetry layer blocks IDFA at code level — see web/runtime/iosTelemetry.js:189-200), location, contacts, camera, microphone, photo library, calendar, or health data.
4. Why we process (legal bases — GDPR Art. 6)
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Verify Game Center sign-in (anti-abuse, account binding) | Hashed Game Center id, session id | Contract (Art. 6(1)(b)) — necessary to provide the Service. |
| Sync cloud save across devices | Cloud save data, hashed player id | Contract (Art. 6(1)(b)). |
| Deliver and verify In-App Purchases | Purchase records | Contract (Art. 6(1)(b)). |
| Comply with tax, accounting, and fraud-prevention obligations | Purchase records | Legal obligation (Art. 6(1)(c)). |
| Measure gameplay quality (analytics) | Telemetry events | Consent (Art. 6(1)(a)) — opt-in only, default OFF, withdrawable any time. |
| Investigate abuse / security incidents | Access log, audit log | Legitimate interest (Art. 6(1)(f)) — to keep the Service secure for all players. |
We do not process for: advertising, profiling, automated decision-making with legal effect, or sale of personal data.
5. Where data is stored
- Backend: managed cloud infrastructure in <!-- TODO-USER: arcaneduck-vm region -->. Data does not leave this region except as described in §6.
- iOS device: local cache + Apple's Game Center.
- Third-party processors: see §6.
6. Third-party processors and international transfers
We use the following processors. All process data on our behalf under signed Data Processing Agreements (DPAs) / Standard Contractual Clauses (SCCs) where the processor is outside the EEA. The current contract status is tracked in ../launch/data-processing-record.md §7.
| Processor | Role | Data received | Location | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Azure | Hosting | All backend data | <!-- TODO-USER: arcaneduck-vm region --> | EU SCCs (if region outside EEA) |
| Apple Inc. | Game Center auth, App Store payments | Game Center proof, purchase events | US / global | Apple's published terms (Apple is independent controller, not processor) |
| GameAnalytics ApS (Denmark) | Gameplay analytics (opt-in) | Pseudonymous gameplay events | EU + US sub-processors | DPA + SCCs (<!-- TODO-USER: DPA signature date -->) |
| Google LLC — Firebase Crashlytics | Crash reporting (opt-in) | Crash stack traces, device info | US | DPA + EU SCCs (<!-- TODO-USER: DPA signature date -->) |
| Google LLC — Firebase Remote Config | App config delivery | Anonymous device/install id | US | DPA + EU SCCs (<!-- TODO-USER: DPA signature date -->) |
| Sentry (Functional Software, Inc.) | Backend error reporting | Backend stack traces, hashed player id | US | DPA + EU SCCs (<!-- TODO-USER: DPA signature date -->) |
We do not transfer your data to advertisers, brokers, social networks, or any party not listed above.
7. Retention
We delete or anonymize data as soon as the purpose for which it was collected is satisfied. See account-deletion-policy.md for the full schedule.
| Data | Retention | Reason |
|---|---|---|
| Session id | 30 days from last use | Auth UX; reduce re-sign-in friction. |
| Cloud save | Until account deletion | Service functionality. |
| Purchase records (originalTransactionId, product id, refund state) | 7 years | Tax, accounting, and fraud-prevention legal obligations. |
| Telemetry events | 90 days (GameAnalytics retention) | Aggregate measurement only. |
| Crash reports | 90 days (Firebase Crashlytics default) | Bug triage. |
| Server access log | 30 days | Security investigation. |
| Audit log of account access / deletion | Indefinite (anonymized after account deletion) | Security forensics + DSAR audit trail. |
8. Your rights (GDPR Chapter III)
You have the following rights at no cost. We answer within 30 days of receiving a valid request. For complex or numerous requests this can be extended by up to two further months, as Art. 12(3) allows, and we tell you about any extension within the first month.
| Right | How to exercise |
|---|---|
| Access (Art. 15) | Settings → Account → Download my data. Returns td-account-export-<date>.json. Full procedure in dsar-procedure.md. |
| Rectification (Art. 16) | Settings → Account → edit display name, language, consent. For other corrections, contact <!-- TODO-USER: privacy@example.com -->. |
| Erasure (Art. 17) | Settings → Account → Delete my account. Cascade cleans players, sessions, cloud save, and entitlements (app/player/accountRoutes.js). Retention exceptions in account-deletion-policy.md. |
| Restriction (Art. 18) | Email <!-- TODO-USER: privacy@example.com -->. We freeze processing within 7 days. |
| Portability (Art. 20) | Same as Access — exported JSON is portable. |
| Object (Art. 21) | Settings → Privacy → Share analytics toggle (revokes consent — Art. 7(3)). Email for legitimate-interest objections (logs / fraud detection). |
| Lodge a complaint (Art. 77) | Contact your national Data Protection Authority. List at edpb.europa.eu/about-edpb/board/members_en. |
9. Consent (analytics + crash reporting)
On first launch in the EU, the analytics consent toggle defaults to OFF. We only send data to GameAnalytics or Firebase Crashlytics after you set the toggle to ON in Settings → Privacy → Share analytics.
You can withdraw consent at any time. Withdrawal does not affect data we already processed lawfully before withdrawal (GDPR Art. 7(3)).
EU detection method: the Accept-Language header on first launch. The list of EU locales and the runtime detector live in web/runtime/iosTelemetry.js (EU_LANGUAGE_TAGS constant and detectEUFromAcceptLanguage()). This is a language heuristic, not a location check.
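The detection step, as an added JavaScript example that is not the project's own detector: parse Accept-Language including its q-values, take the most-preferred tag, and treat an absent or unparseable header as EU so the toggle stays OFF. EU_LANGUAGE_TAGS_SAMPLE, parseAcceptLanguage and detectEU are constructed for illustration; the real list is EU_LANGUAGE_TAGS in web/runtime/iosTelemetry.js.

```javascript
// Constructed subset of EU language tags for illustration only. The project's
// real list is EU_LANGUAGE_TAGS in web/runtime/iosTelemetry.js.
const EU_LANGUAGE_TAGS_SAMPLE = new Set([
  'de', 'fr', 'it', 'es', 'nl', 'pl', 'da', 'sv', 'fi', 'el', 'cs', 'hu', 'pt-pt', 'en-ie',
]);

// Parse an Accept-Language header into [{ tag, q }] sorted by descending q.
// Entries with q=0 ("not acceptable") and malformed entries are dropped.
function parseAcceptLanguage(header) {
  if (typeof header !== 'string') return [];
  const out = [];
  for (const part of header.split(',')) {
    const [rawTag, ...params] = part.trim().split(';').map((s) => s.trim());
    if (rawTag !== '*' && !/^[a-z]{1,8}(-[a-z0-9]{1,8})*$/i.test(rawTag)) continue;
    let q = 1;
    for (const p of params) {
      // RFC 7231 qvalue: "0" ["." 0*3DIGIT] / "1" ["." 0*3("0")]
      const m = /^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$/i.exec(p);
      if (m) q = parseFloat(m[1]);
    }
    if (q > 0) out.push({ tag: rawTag.toLowerCase(), q });
  }
  return out.sort((a, b) => b.q - a.q); // stable sort keeps header order for equal q
}

// Decide whether the first-launch consent toggle must default to OFF.
// Fail closed: with no usable header we cannot rule the EU out, so treat as EU.
// A bare language tag ("de") or an unlisted region ("de-CH") also counts as EU;
// that errs toward asking for consent, which is the safe direction.
function detectEU(header) {
  const tags = parseAcceptLanguage(header);
  if (tags.length === 0) return true;
  const top = tags[0].tag;
  if (top === '*') return true;
  if (EU_LANGUAGE_TAGS_SAMPLE.has(top)) return true;
  return EU_LANGUAGE_TAGS_SAMPLE.has(top.split('-')[0]);
}

// Usage on constructed headers:
console.log(detectEU('de-DE,de;q=0.9,en;q=0.8')); // true
console.log(detectEU('en-US,en;q=0.9'));          // false
console.log(detectEU(undefined));                 // true (fail closed)
```

Only the most-preferred tag is consulted, so a header such as `en-US,de;q=0.5` is not treated as EU; if the real detector scans every tag, the result is more inclusive, which is still the safe side for consent.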
10. Children
The Service is rated 4+ on the App Store. We do not knowingly collect data from children under 13 (US, COPPA) or under the EU age of digital consent (16 under GDPR Art. 8, or lower where a Member State has set it, down to 13; "GDPR-K"). Full age policy and parental contact procedure in coppa-and-age.md.
If you believe we have collected data from a child without verifiable parental consent, contact <!-- TODO-USER: privacy@example.com --> and we will delete it within 30 days.
11. Security
- Game Center proof verification uses RSA-SHA256 with Apple's public-key URL allowlist (`app/auth/gameCenterVerifier.js`).
- Session tokens are stored as HMAC-SHA256 hashes (`app/auth/sessionStore.js:61-68`) — never plaintext.
- Cloud-save store blacklists 28 forbidden keys (`paidCurrency`, `idfa`, `transactionId`, `sessionToken`, …) — see `app/player/progressStore.js`.
- TLS termination at Nginx; backend listens on `127.0.0.1` only.
- Rate limiting on `/auth/game-center`, `/auth/session`, `/player/progress`, `/td/purchases/*`.
- Prometheus `/metrics` gated by `METRICS_TOKEN`.
- Backend errors reported to Sentry (release tag + source maps; PII scrubbed).
We notify the lead supervisory authority of personal-data breaches affecting EU residents within 72 hours of becoming aware of them (GDPR Art. 33), and notify affected users directly where a breach is likely to result in a high risk to them (Art. 34). For incident handling, see ../operations/incident-response.md.
12. Apple ATT (App Tracking Transparency)
We do not track you across apps or websites owned by other companies. The App Privacy manifest declares NSPrivacyTracking=false (see ios/App/App/PrivacyInfo.xcprivacy). The ATT prompt is therefore not required and not shown.
If we ever add a tracking SDK, we will show the ATT prompt and update this policy before that SDK ships.
13. Refunds
See refund-policy.md. Apple is the merchant of record for all In-App Purchases; refund requests go through Apple. We honor Apple's refund decisions and revoke entitlements automatically via App Store Server Notifications (app/iap/purchaseRoutes.js).
14. EU Digital Services Act (DSA)
Our DSA single point of contact for authorities and users is published in dsa-contact.md. It satisfies DSA Art. 11 (authorities) and Art. 12 (users).
15. Changes to this policy
We notify users of material changes by:
- Updating the `Last updated` date at the top of this file.
- Publishing the new policy at the hosted Privacy URL: https://arcaneduck.com/legal/privacy.
- Showing an in-app notice on next launch if the change is material (e.g., new processor, new data category).
Minor edits (typo fixes, link updates) do not trigger an in-app notice.
16. Contact
For any privacy question or to exercise any right above, contact:
- Email: <!-- TODO-USER: privacy@example.com -->
- Postal: <!-- TODO-USER: postal address -->
For DSA-specific requests, see dsa-contact.md. For DSAR-specific procedure, see dsar-procedure.md.