Privacy Policy

1. Introduction & Scope

"Apex & Abyss" (the "Game") is a free-to-play tactical dungeon roguelike available on iOS and Android platforms, as well as as a Progressive Web App. This Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard your personal information when you access and play our Game.

This Privacy Policy applies to:

• The Apex & Abyss mobile application (iOS and Android)
• The Apex & Abyss Progressive Web App and website
• All related services, features, and functionality provided through these platforms

Please read this Privacy Policy carefully. By downloading, installing, or accessing Apex & Abyss, you acknowledge that you have read and understood this Policy and agree to be bound by its terms. If you do not agree with this Policy, please do not use the Game.

2. Information We Collect

We collect information in several categories to provide, improve, and optimize your gaming experience:

2.1 Account & Authentication Data

When you create an account to sync your game progress across devices or enable cloud saves, we collect:

• Email address – used for account recovery, password reset, and account management
• Username – chosen by you for in-game identification
• Authentication credentials – securely processed through Firebase Authentication (see Section 5 for details)
• Account creation date and last login timestamp

Authentication is optional. You may play the Game without creating an account, though cloud save functionality will not be available.

2.2 Game Progress & Gameplay Data

To enable cloud saves, progression synchronization, and provide gameplay features, we collect:

• Current dungeon depth and progression stage
• Hero roster, character stats, and equipment inventory
• Skill selections, ability configurations, and build preferences
• Game settings and user preferences (graphics quality, audio levels, difficulty settings, control schemes)
• Achievements, unlocks, and milestone progress
• Playtime statistics and session history
• Leaderboard standings and competitive rank (if applicable)

2.3 Purchase & Transaction Data

When you make in-app purchases, we collect transaction-related information:

• Transaction ID – unique identifier from App Store or Google Play
• Purchase timestamp – when the transaction occurred
• Item purchased – what was bought (e.g., cosmetic hero skin, battle pass)
• Purchase price and currency – cost of the transaction
• Receipt validation tokens – for purchase verification

2.4 Device & Technical Information

To optimize performance and ensure compatibility, we collect:

• Device information: Device manufacturer and model (e.g., "iPhone 14 Pro", "Samsung Galaxy S23")
• Operating system: iOS version, Android version, or web browser information
• Hardware specifications: RAM available, storage capacity, processor type
• Display information: Screen resolution, screen size, pixel density
• Unique identifiers: Device ID, advertising ID (for analytics purposes only)
• Network type: WiFi or cellular connection (for performance optimization)
• App version and build number

2.5 Analytics & Gameplay Patterns

To understand how players interact with the Game and improve design, we collect:

• Session information: Session duration, start and end times, frequency of play
• Feature usage: Which game modes are played most, hero selections, ability usage patterns
• Player behavior: Progression speed, difficulty preferences, average run length
• Event participation: Participation in limited-time events and seasonal content
• Engagement metrics: Daily active users (DAU), monthly active users (MAU), session frequency
• Funnel analysis: Where players drop off in progression, purchase conversion rates

2.6 Crash Reports & Error Logs

When the Game crashes or encounters errors, we automatically collect:

• Crash dump files and stack traces
• Device state at time of crash (memory usage, CPU load)
• Last actions before the crash (for reproduction and debugging)
• Error messages and warning logs
• Timestamp of the crash event

This information helps us identify and fix bugs quickly. Crash reports typically do not contain personal information but may include device identifiers for tracking crash patterns across devices.

2.7 Progressive Web App & Browser Data

If you access Apex & Abyss as a Progressive Web App, we may collect:

• Service Worker registration data – to enable offline functionality
• Browser storage: IndexedDB and LocalStorage usage (game settings and cached data)
• Cache information: Which resources are cached for offline play
• Browser type and version – for compatibility tracking

2.8 Information You Provide Directly

Additional information you may voluntarily provide:

• Support requests: Any messages sent through customer support (email, in-game feedback)
• User-generated content: Clan names, custom build descriptions, feedback or bug reports
• Survey responses: If you participate in optional surveys about game enjoyment or feature preferences

2.9 Information Collected by Third Parties

Firebase and related services may collect additional data. See Section 5 for details on third-party data collection.

3. How We Use Information

We use the information collected for the following purposes:

3.1 Core Service Delivery

• Cloud save functionality: Synchronizing game progress across your devices
• Account management: Creating and managing your game account, password recovery, account security
• Game data persistence: Saving your heroes, inventory, achievements, and settings
• Multiplayer features: If applicable, enabling player-to-player interactions, clan functionality, or competitive ranking

3.2 Performance & Technical Optimization

• Device compatibility: Optimizing graphics, frame rate, and performance based on your device specifications
• Bug fixing and debugging: Using crash reports and error logs to identify and resolve technical issues
• Network optimization: Adjusting data transfer and sync frequency based on connection type

3.3 Game Improvement & Development

• Feature analysis: Understanding which game modes, heroes, and abilities are most popular
• Balance adjustments: Identifying overpowered or underpowered game mechanics through gameplay data
• User retention: Analyzing where players drop off to improve progression pacing and difficulty curves
• Content planning: Deciding which new heroes, dungeons, or features to prioritize

3.4 Marketing & Analytics

• Usage reporting: Tracking daily and monthly active users (DAU/MAU) for performance assessment
• Engagement metrics: Measuring average session duration and play frequency
• Conversion tracking: Understanding free-to-play to paid conversion rates
• Campaign effectiveness: Measuring success of limited-time events and seasonal content
• Benchmarking: Comparing performance against industry standards

3.5 Customer Support

• Issue resolution: Troubleshooting technical problems you report
• Account recovery: Restoring lost progress or recovering compromised accounts
• Abuse prevention: Investigating and preventing cheating, fraud, or terms of service violations

3.6 Legal & Compliance

• Terms of Service enforcement: Detecting and preventing fraud, cheating, or policy violations
• Legal obligations: Responding to lawful requests from authorities or courts
• Dispute resolution: Resolving disputes over accounts, purchases, or refunds

3.7 Safety & Security

• Fraud prevention: Detecting suspicious purchase patterns or unauthorized account access
• DDoS protection: Protecting our servers from attacks or abuse
• Data breach response: Investigating and mitigating security incidents

3.8 Communication

• Service announcements: Notifying you of maintenance, updates, or service changes
• Optional newsletters: With your consent, sending information about new content, events, or features
• Promotional messages: With your consent, sending targeted offers for cosmetics or battle passes

4. Legal Bases for Processing (GDPR Compliance)

For users in the European Union and countries with similar data protection laws, we process personal information only under the following lawful bases:

4.1 Contractual Necessity

Data processed: Account information, game progress, purchase data

We process this data because it is necessary to perform our contract with you—specifically, to provide the Game and enable cloud save functionality. Without this data, we cannot deliver the service you have agreed to use.

4.2 Legitimate Interests

Data processed: Analytics data, device information, gameplay patterns, crash reports

We process this data because we have legitimate business interests in:

• Maintaining and improving the Game
• Preventing fraud and ensuring security
• Understanding player behavior to make informed development decisions
• Ensuring the technical performance and stability of our servers

We have carefully balanced our interests against your privacy rights and concluded that our processing is proportionate and does not unduly intrude on your privacy.

4.3 Consent

Data processed: Optional analytics, promotional emails, certain types of marketing communications

Where consent is required (e.g., for marketing emails), we will obtain your explicit prior consent and provide you with a clear mechanism to withdraw consent at any time.

4.4 Legal Obligation

Data processed: Purchase records, account information, crash logs

We may process personal data where required by law, including:

• Tax and accounting obligations (transaction records)
• Payment Card Industry (PCI) compliance requirements
• Legal process and court orders
• Mandatory data retention laws

4.5 Public Interest

We may process data where necessary for public interest purposes, such as protecting against fraud or ensuring the integrity of online gaming.

5. Data Sharing & Third Parties

We do not sell, rent, or lease your personal information. However, we may share data with third-party service providers who assist in operating the Game. All third parties are bound by confidentiality agreements and data protection standards.

5.1 Google Firebase (Infrastructure & Authentication)

What is shared: Account credentials, game progress data, player ID, email address (if provided)

Purpose: Cloud data storage, account authentication, real-time database synchronization, crash reporting

Data Processing Agreement: Google is a data processor under our Firebase agreements. Their processing complies with GDPR and other applicable standards.

Google's Privacy Practices: https://policies.google.com/privacy

Firebase Specific Terms: https://firebase.google.com/support/privacy

5.2 Apple App Store

What is shared: Purchase transaction ID, receipt validation, Apple Developer ID

Purpose: Processing in-app purchases, validating receipts, preventing purchase fraud

Data Processing: Apple processes payment information directly. We only receive confirmation of successful transactions and do not access payment methods.

Apple's Privacy Practices: https://www.apple.com/privacy/

5.3 Google Play Store

What is shared: Purchase transaction ID, receipt validation, Google Account ID

Purpose: Processing in-app purchases, validating receipts, preventing purchase fraud

Data Processing: Google processes payment information directly. We only receive confirmation of successful transactions and do not access payment methods.

Google Play's Privacy Practices: https://policies.google.com/privacy

5.4 Analytics & Monitoring Services

What is shared: Gameplay metrics, session data, crash reports, device information

Purpose: Performance monitoring, error tracking, usage analytics

Optional: You may disable some analytics features in the Game settings. However, basic technical logs may still be collected for critical error reporting.

5.5 Customer Support & Communication

What is shared: Account information, support ticket details, communication history

Purpose: Responding to your support requests and resolving issues

Sharing Model: Support tickets may be accessed by authorized support team members who are bound by confidentiality agreements.

5.6 Legal & Law Enforcement

We may disclose personal information without your consent if required by law, including:

• Lawful requests from government authorities: Subpoenas, court orders, search warrants
• Legal compliance: Responding to legal processes in accordance with applicable laws
• Emergency situations: Protecting safety, health, or property in imminent danger
• Terms of Service enforcement: Taking action against fraud, cheating, or policy violations

Where legally permitted, we will attempt to notify you of such requests before disclosure, unless doing so would be illegal or interfere with an investigation.

5.7 Business Transfers

If Apex & Abyss is acquired, merged, restructured, or sold, personal information may be transferred as part of that transaction. You will be notified of any such change and any choices you may have regarding your personal data.

5.8 Aggregated & Anonymized Data

We may share aggregated and anonymized data that cannot identify you personally with:

• Marketing partners (for demographic analysis)
• Gaming industry analysts
• Academic researchers

This data does not contain personal information and cannot be used to identify you individually.

We Do NOT Sell Personal Information

We explicitly do not sell, rent, lease, or share personal information with unaffiliated third parties for their direct marketing purposes. Your email address, account information, and gameplay data will not be sold to advertisers or data brokers.

6. Data Retention

We retain personal information for as long as necessary to provide the Game and fulfill the purposes outlined in this Policy. Retention periods vary by data type:

6.1 Active Account Data

Retention Period: As long as your account is active

• Account information (email, username)
• Game progress and settings
• Purchase history

If you delete your account, we will delete or anonymize this data within 30 days, except where retention is required by law.

6.2 Crash Reports & Error Logs

Retention Period: 90 days from collection

Crash data is retained for debugging purposes. After 90 days, logs are automatically deleted unless an ongoing investigation requires longer retention.

6.3 Analytics & Gameplay Metrics

Retention Period: 24 months from collection

Aggregated analytics data is retained for trend analysis and long-term development insights. Individual identifiers are removed after 12 months.

6.4 Purchase & Transaction Records

Retention Period: 7 years (tax and accounting compliance)

Purchase records are retained in accordance with tax law and financial reporting requirements. After the retention period, records are securely destroyed.

6.5 Device & Login Information

Retention Period: 12 months from last login

Device information and login history are retained for security and fraud prevention. If your account is inactive for 12 months, this data may be deleted.

6.6 Customer Support Communications

Retention Period: 2 years from last interaction

Support tickets and communications are retained for future reference and dispute resolution. After 2 years, archived tickets are securely deleted.

6.7 Legal Holds

If we receive a legal request or become aware of pending litigation, we will preserve relevant data for as long as required by law, regardless of normal retention schedules.

6.8 Data Deletion Requests

You may request deletion of your personal data under applicable privacy laws (see Section 8). We will comply with deletion requests within the legal timeframe, except where:

• Retention is required by law or regulation
• Data is needed to resolve disputes or enforce agreements
• Data is part of an active investigation

7. Data Security Measures

We implement comprehensive technical, organizational, and administrative measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction.

7.1 Encryption

• In transit: All data transmitted between your device and our servers uses TLS/SSL encryption (HTTPS)
• At rest: Sensitive data stored in Firebase is encrypted using AES-256 encryption
• Authentication data: Passwords are hashed using industry-standard algorithms (never stored in plain text)

7.2 Access Controls

• Role-based access: Staff can only access data necessary for their role
• Authentication: Multi-factor authentication is required for administrative access to systems handling personal data
• Audit trails: All access to personal data is logged and monitored
• Termination protocols: Access is immediately revoked when staff leave

7.3 Infrastructure Security

• Firewalls: Network-level protection against unauthorized access
• DDoS mitigation: Protection against distributed denial-of-service attacks
• Intrusion detection: Automated monitoring for suspicious activity
• Regular updates: Security patches applied promptly to all systems

7.4 Data Minimization

• We collect only the personal information necessary to provide the Game
• Unnecessary personal data is not retained
• Personal identifiers are removed from analytics data where possible

7.5 Third-Party Security

• Firebase complies with SOC 2 Type II and ISO 27001 standards
• Apple App Store and Google Play Store implement their own security standards
• All third-party processors are contractually obligated to implement equivalent security measures

7.6 Breach Notification

In the event of a data breach affecting personal information, we will:

• Notify affected users without unreasonable delay (typically within 72 hours)
• Provide details of the breach, affected data, and protective measures
• Notify relevant authorities as required by law
• Provide guidance on steps you can take to protect yourself

8. Your Rights (GDPR & Similar Laws)

Under the General Data Protection Regulation (GDPR) and similar privacy laws, you have the following rights regarding your personal information:

8.1 Right of Access

You have the right to obtain a copy of the personal information we hold about you. We will provide this information in a structured, commonly-used, and machine-readable format within 30 days of your request.

8.2 Right to Rectification

If your personal information is inaccurate or incomplete, you have the right to request correction or completion. You can often update information directly in your account settings.

8.3 Right to Erasure ("Right to Be Forgotten")

Under certain circumstances, you may request deletion of your personal data. We will delete your information within 30 days unless:

• The information is necessary to fulfill our contract with you
• Deletion is prohibited by law (e.g., tax records)
• We have a legitimate interest in retaining the data
• The data is necessary for legal claims or defense

8.4 Right to Restrict Processing

You have the right to request that we limit how we process your personal information. For example, you may request that we process data only for specific purposes without using it for marketing or analytics.

8.5 Right to Data Portability

You have the right to receive a copy of your personal information in a structured, commonly-used, and machine-readable format (e.g., JSON, CSV) and to transmit that data to another service. We will provide this information within 30 days of your request.

8.6 Right to Object

You have the right to object to processing of your personal information for certain purposes, including:

• Marketing: You can opt out of promotional emails and marketing communications at any time
• Analytics: You can disable analytics tracking in Game settings
• Legitimate interests: You can object to processing based on our legitimate business interests

8.7 Right to Withdraw Consent

If we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

8.8 Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. We do not use automated decision-making for purposes like credit assessment or eligibility determination.

8.9 Exercising Your Rights

To exercise any of these rights, please contact us at [CONTACT EMAIL]. We will verify your identity and respond to your request within 30 days. If your request is complex or requires extensive information gathering, we may extend the timeframe to 90 days, which we will communicate to you.

9. California Privacy Rights (CCPA)

If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

9.1 Right to Know

You have the right to request what personal information we have collected, the categories of sources, the purpose of collection, and the categories of third parties with whom it is shared.

9.2 Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information needed to complete a transaction, comply with law, or detect fraud).

9.3 Right to Correct

You have the right to request correction of inaccurate personal information.

9.4 Right to Opt-Out of Sale or Sharing

We do not sell or share your personal information as defined by the CCPA or CPRA. We do not exchange personal information for monetary or other valuable consideration. However, we do share certain information with service providers as permitted by law (see Section 5).

9.5 Right to Limit Use and Disclosure

You have the right to limit our use and disclosure of your "sensitive personal information" (as defined by the CPRA), which includes:

• Social security numbers or similar identifiers
• Financial account information
• Precise geolocation
• Racial or ethnic origin
• Religious or philosophical beliefs
• Union membership
• Genetic data
• Biometric data for identification
• Health data
• Sex life or sexual orientation data

We do not collect most of this sensitive information. Where we do, we will honor requests to limit our use to purposes necessary to provide the Game.

9.6 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA or CPRA rights, including by:

• Denying goods or services
• Charging different prices or rates
• Providing different levels of quality
• Suggesting different terms, conditions, or prices

9.7 Exercising California Rights

To submit a CCPA or CPRA request, contact us at [CONTACT EMAIL] and specify your request clearly (Know, Delete, Correct, Limit, or Opt-Out). We will verify your identity and respond within 45 days.

9.8 Authorized Agent

You may authorize another person or organization to make requests on your behalf. We will require the authorized agent to provide proof of authorization and verify their identity.

9.9 Categories of Personal Information Collected (CCPA Disclosure)

Under the CCPA, we collect the following categories of personal information:

• Identifiers: Email address, username, device ID, IP address, account ID
• Commercial Information: Purchase history, transaction amounts, payment method (limited)
• Biometric Information: None (we do not collect biometric data)
• Internet Activity: Gameplay patterns, session duration, feature usage, clickstream data
• Geolocation Data: Inferred from IP address (not precise location)
• Professional Information: Not applicable
• Education Information: Not applicable
• Inferences: We may draw inferences about your gaming preferences or skill level

10. Children's Privacy (COPPA)

10.1 Age Requirements

Apex & Abyss is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will delete such information promptly and terminate the child's account.

10.2 COPPA Compliance

This Game does not implement collection practices specifically designed for children. We do not:

• Collect or target children under 13
• Require parental consent for account creation or gameplay
• Collect persistent identifiers for children under 13
• Use children's data for behavioral targeting
• Require children to share unnecessary personal information

10.3 Age Verification

We rely on user attestation regarding age. By creating an account, you represent that you are at least 13 years old (or the equivalent minimum age in your jurisdiction).

10.4 Parental Concerns

If you are a parent or guardian and believe a child under 13 has been registered on Apex & Abyss, please contact us immediately at [CONTACT EMAIL]. We will investigate and remove the child's account and personal information.

10.5 Teen Privacy (Ages 13-18)

For users ages 13-18, we limit collection to information necessary for account and gameplay functionality. We recommend parents review this Privacy Policy and discuss privacy and online safety with their teens.

10.6 Parental Controls & Settings

The Game does not contain direct parental control features beyond standard account security. Parents can:

• Set device-level parental controls on iOS and Android
• Monitor in-app purchase restrictions through device settings
• Review session activity and playtime through device analytics

11. International Data Transfers

11.1 Transfers from the European Union

If you are located in the European Union or European Economic Area, your personal information will be transferred to and processed in the United States (where Google Firebase is based) or other countries. The United States has not been determined to have an "adequate" level of data protection under GDPR.

11.2 Legal Mechanisms for Transfers

We rely on the following mechanisms to ensure adequate protection of personal information transferred internationally:

Standard Contractual Clauses (SCCs)

We use Standard Contractual Clauses approved by the European Commission with our third-party processors (such as Google Firebase) to establish appropriate safeguards for international data transfers.

Google's Transfer Mechanisms

Google has implemented Standard Contractual Clauses and other mechanisms to protect personal data transferred from the EU. For details, see https://cloud.google.com/terms/data-processing-terms

11.3 Your Rights Regarding Transfers

You have the right to:

• Request information about the legal mechanisms we use for transfers
• Request data deletion if transfer mechanisms are deemed inadequate
• Lodge a complaint with your data protection authority regarding transfers

11.4 California & Other Non-EU Residents

If you are not in the EU, data transfer mechanisms like SCCs still apply, as they reflect industry best practices for international data protection.

12. Cookies & Local Storage

12.1 Cookies in Web Browser Access

If you access Apex & Abyss through our Progressive Web App or website, we may use cookies and similar tracking technologies:

Essential Cookies

• Session cookies: Maintain your login session and preferences
• Authentication cookies: Store authentication tokens securely
• CSRF tokens: Prevent cross-site request forgery attacks

Functional Cookies

• Language preference: Remember your language selection
• Game settings: Persist gameplay preferences and interface settings
• Analytics opt-out: Remember if you've disabled analytics

Analytics Cookies

• Performance tracking: Track page load times and user interaction patterns (optional)
• Error reporting: Report errors and crashes for debugging

12.2 Local Storage & IndexedDB

For the Progressive Web App, we use browser storage technologies:

• LocalStorage: Store game settings, user preferences, and UI state
• IndexedDB: Cache game assets and data for offline functionality
• Service Worker Cache: Cache resources for offline play and performance

12.3 Cookie Consent

When you first access the web version of Apex & Abyss, we present a cookie consent banner. You can:

• Accept All: Enable all cookies and tracking
• Reject Non-Essential: Accept only essential cookies; disable analytics and marketing cookies
• Customize: Select specific cookie categories

12.4 Managing Cookies

You can control cookies through your browser settings:

• Chrome, Edge, Firefox, Safari: Settings → Privacy/Security → Cookies
• Clear cookies: Clear browser cache and storage regularly
• Third-party cookies: Block third-party cookies if desired

Note: Disabling essential cookies may impair Game functionality.

12.5 Third-Party Cookies

Third-party services may set their own cookies (e.g., analytics providers, payment processors). We recommend reviewing their privacy policies to understand their practices.

12.6 Do Not Track

Some browsers include "Do Not Track" (DNT) signals. While we respect DNT preferences, we may still collect essential technical data necessary for Game operation.

13. Changes to This Policy

13.1 Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. Any updates will be effective when posted.

13.2 Notice of Material Changes

If we make material changes to this Policy that affect how we use your personal information, we will notify you by:

• Posting the updated Policy with a new "Effective Date"
• Sending an email notification to your registered email address (if available)
• Displaying a prominent notice in the Game or on our website
• Requesting your consent if required by law

13.3 Continued Use

Your continued use of the Game following notification of changes constitutes your acceptance of the updated Policy. If you do not agree with changes, you should stop using the Game.

13.4 Reviewing Policy History

We maintain a record of previous versions of this Privacy Policy. If you would like to review prior versions, please contact us at [CONTACT EMAIL].

13.5 Significant Changes Requiring Consent

If we make changes that materially increase our collection, use, or sharing of personal information, we will obtain your explicit consent before implementing those changes, where required by law.