// Legal

Privacy Policy

2026 Global Full-Compliance Edition · Version 6.2 · Effective 18 June 2026 · Covers GDPR, UK-GDPR, CCPA/CPRA, VCDPA, LGPD, PIPL, India's DPDP Act, Saudi NDPA, and the EU Digital Services Act (DSA).

Last updated: 18 June 2026

This Privacy Policy describes how nixbyteflowcore ("we", "us", "our", "the Company"), a UK-incorporated software engineering studio with its principal place of business at Warwick Software Industry Park, United Kingdom, collects, uses, processes, stores, transfers, discloses, and protects personal data in connection with the operation of our mobile applications (the "Apps"), website (the "Site"), and related services (collectively, the "Services").

This Policy applies to all users of our Services worldwide, including users located in the European Economic Area (EEA), the United Kingdom, the United States (including California, Texas, Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy legislation), Brazil, the People's Republic of China, India, Saudi Arabia, Canada, Japan, and any other jurisdiction in which our Apps are made available through the Apple App Store or Google Play.

Quick summary: We collect only the minimum data required to keep our IAA (in-app advertising) and IAP (in-app purchase) systems running, prevent fraud, and improve the experience. We do not sell personal data. We do not use it for cross-app tracking without your explicit consent. Sensitive content stays on your device.

1. Data Collection Granularity & Purpose

We strictly adhere to the "minimum necessary" principle. Through compliant technical means, we collect only the following information, used solely to maintain the normal operation of our IAA (advertising monetisation) and IAP (in-app purchase) systems, optimise user experience, and prevent fraud. All data processing complies with global regional privacy regulations, and we do not collect any personal information unrelated to the service:

1.1 Device Fingerprints & Identifiers

  • IDFA (Identifier for Advertisers) on iOS devices — collected only after explicit ATT (App Tracking Transparency) authorisation
  • GAID (Google Advertising ID) on Android devices — collected subject to applicable Google Play policies
  • OAID (Open Anonymous Device Identifier) for Android devices in the Chinese market
  • Device brand, model, screen resolution, operating system version
  • Language settings, battery state, system clock offset (used to detect time-zone spoofing and prevent cross-regional price fraud)
  • Device unique identifiers (encrypted, not associated with the user's real identity)

1.2 Network Environment Data

  • IP address (used only for geographic compliance filtering, to determine the user's region and adapt to local regulations and services; not used for precise geolocation)
  • Mobile network operator name
  • Wi-Fi connection status
  • Network type (4G/5G/Wi-Fi)

Used to ensure service stability and regional compliance controls.

1.3 Behavioural Traces (IAA & UX)

1.3.1 Advertising Behaviour

  • Ad display ID, click time, conversion path
  • Video rewarded ad viewing duration and whether the user exited midway
  • Ad dwell time

Used to optimise ad delivery effectiveness, prevent ad fraud. Data is used only for internal analysis and for syncing necessary information (desensitised) to third-party monetisation platforms.

1.3.2 Game / Application Logic

  • Core function loop trigger counts
  • Paywall popup click-through rates
  • Onboarding drop-off points
  • Feature usage frequency

Used to optimise product interaction experience, adjust feature layout, and improve user convenience. We do not collect specific user operation content or private data.

1.4 Financial Transaction Data (IAP)

  • We receive transaction receipts (Receipt) only through the official App Store / Google Play APIs. We do not touch or store your bank card number, CVV code, payment password, bank card expiry date, or any other sensitive payment information. All payment operations are completed by Apple's or Google's official payment systems.
  • Recorded items include: order number, purchased item name and quantity, payment currency, payment amount, country code, transaction time, whether it is a sandbox test order, order status (success / failure / refund)

Used for order verification, refund processing, financial reconciliation, and payment fraud prevention.

Supplementary Note: All collected data is encrypted and stored on compliant servers. Access is limited to authorised personnel, and all access is fully logged to ensure data security and controllability.

2. Third-Party Sharing Architecture (Data Mapping)

To achieve legal monetisation, service optimisation, and anti-fraud purposes, we share necessary data only with the following compliant third-party ecosystems. The sharing process strictly follows the "minimum necessary, encrypted transmission, fully controllable" principle, and we do not share any sensitive personal information. You may view each platform's privacy policy on its official website to learn the details of data processing:

2.1 Aggregation Layer (Mediation)

AppLovin (MAX), Google AdMob, Unity LevelPlay. Function: Real-Time Bidding (RTB) for ads, optimising ad fill rate and monetisation efficiency. Shared data includes only desensitised device information, ad display / click data, and is not associated with the user's real identity.

2.2 Attribution & Anti-Fraud (MMP)

AppsFlyer, Adjust, Singular. Function: Tracking ad installation effectiveness, identifying false installs, ad-fee theft, and other fraudulent behaviour. Shared data includes only desensitised device information, installation attribution data, used for anti-fraud verification. We do not collect user private information.

2.3 Payment Processors

Apple Inc., Google LLC. Function: Processing in-app purchase transactions, verifying order validity. Shared data includes only order-related information (excluding sensitive payment information), used for transaction reconciliation and order verification, strictly following Apple and Google's official data processing specifications.

2.4 Additional Networks (As Configured Per App)

Meta Audience Network, Pangle (ByteDance), ironSource, Mintegral, Liftoff, Chartboost, InMobi, Tapjoy. Each of these networks is integrated as a secondary bid source within our AppLovin MAX or Unity LevelPlay mediation stack. Each receives only the data necessary to fulfil the ad request (e.g., the IP-derived country code, the ad unit ID, and — only with explicit user consent — the IDFA / GAID).

Supplementary Note: We sign strict confidentiality agreements and Data Processing Agreements (DPAs) with all third-party partners, clearly defining the scope, duration, and security responsibility of data use. We periodically review the compliance of third parties. If any third party processes data in violation, we will immediately terminate the partnership and pursue their related responsibilities. Users may view the third-party sharing list and the scope of data sharing in the in-app settings and have the right to withdraw relevant authorisations (withdrawal may affect advertising monetisation and the normal use of some services).

3. Regional Legal Notices

We strictly adapt to the privacy regulations of every country / region in the world. Combined with the latest policy changes in 2026, we have formulated differentiated compliance terms for key regions to ensure end-to-end compliance of our services:

3.1 European Union (GDPR) & United Kingdom (UK-GDPR)

  • Legal Basis: Our legal grounds for processing user data include: performance of the service agreement with the user, obtaining the user's explicit consent, and maintaining our legitimate interests (such as fraud prevention and service optimisation). All data processing activities comply with Article 6 of GDPR / UK-GDPR.
  • EU & UK Representatives: All statutory representative enquiries for the EU and the UK are handled via our main business contact channel. Please write to contact@nixbyteflowcore.com with the subject line starting with "EU/UK Representative". We are responsible for receiving data-related requests (access, rectification, erasure, withdrawal of consent, etc.) from EU / UK users, with a response time not exceeding 7 working days.
  • DSA Transparency Supplement: We strictly comply with the latest transparency requirements of the EU's Digital Services Act (DSA), publicly disclosing advertising delivery rules, algorithmic recommendation logic, and content moderation standards. We periodically publish transparency reports, clearly defining the data processing workflow and third-party cooperation details, and accept supervision by EU regulatory authorities. If the application involves user-generated content (UGC), the content moderation mechanism, complaint handling process, and standards for handling illegal content will be made public to ensure users' right to know.
  • User Rights Protection: EU / UK users have the right to access, rectify, or delete personal data at any time, withdraw data processing authorisation, request a copy of their personal data (data portability right), and file complaints about illegal data processing with the European Data Protection Board (EDPB) or the UK Information Commissioner's Office (ICO).

3.2 United States (CCPA / CPRA / VCDPA & State-by-State Differentiated Terms)

  • No Sale of Personal Information: We expressly commit not to sell users' personal information to any third party (including advertisers, data brokers, etc.). However, under the legal definitions of California CPRA and Virginia VCDPA, sharing desensitised information such as device IDs with third parties to achieve ad personalisation may be considered "data sharing." We will clearly inform users of such sharing behaviour in the application, and users have the right to opt-out of such sharing at any time.
  • Do Not Track: We fully respect the device system's "Do Not Track" setting. If the user enables this setting, we will stop collecting user behavioural trace data, and will not use it for precise ad targeting and personalised recommendations. We will only retain the data necessary to maintain the normal operation of the service.
  • State-by-State Differentiated Adaptation:
    • California (CPRA): Users have the right to request us to disclose the details of personal information collected, used, and shared in the past 12 months, the right to request deletion of personal information, and the right to refuse the use of personal information for targeted advertising. We will respond to user requests within 45 working days.
    • Texas (CCPA-TX): Strengthens users' data access rights. Users may query personal data collection records free of charge, and we must not set unreasonable obstacles. We are prohibited from sharing users' sensitive information (such as biometric data, financial information) with third parties unless we obtain the user's written consent.
    • Virginia (VCDPA): Users have the right to require us to correct erroneous personal data, and the right to require us to stop sharing personal data with third parties. We must complete the correction or stop the sharing operation within 30 working days and feedback the results to the user.
    • Other States: We adapt to the latest privacy regulations in Washington State, Colorado, Connecticut, Utah, Oregon, and other states, clarify user data rights and our compliance obligations, and ensure compliance in operations across the United States.

3.3 Brazil (LGPD)

We strictly comply with Brazil's General Data Protection Law (LGPD). We must obtain the user's explicit authorisation before collecting personal information, and clearly inform the user of the purpose, scope, and method of information collection. We safeguard the rights of Brazilian users to access, rectify, delete, and withdraw authorisation of their data. User data is stored on servers within Brazil and is not transferred abroad without authorisation. If cross-border transmission is required, approval from the Brazilian National Data Protection Authority (ANPD) must be obtained.

3.4 Other Key Regions

  • China: We comply with the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Provisions on Promoting and Regulating the Cross-Border Flow of Data. We obtain the user's explicit consent before collecting personal information, implement data localisation storage requirements (data of users in China is stored on servers within China), do not collect sensitive personal information in violation of regulations, and cooperate with the supervision and inspection of China's Cyberspace Administration.
  • India: We comply with the Digital Personal Data Protection Act (DPDP Act). We clarify the boundaries of data collection, collect data only after obtaining the user's written consent, and users have the right to request deletion of personal data. Cross-border transmission of data must be approved by India's Ministry of Electronics and Information Technology (MeitY).
  • Saudi Arabia: We comply with the Personal Data Protection Law (PDPL), implement data localisation storage requirements, store user data on servers within Saudi Arabia, do not transfer it abroad without authorisation, and accept supervision by the Saudi Data and AI Authority (SDAIA) / National Data Management Office (NDMO).
  • Canada & Japan: We adapt to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Japan's Act on the Protection of Personal Information (APPI), clarify data processing specifications, safeguard user data rights, cooperate with local regulatory authorities' audits, and respond to the 2026 global data sovereignty upgrade requirements.
  • Other Jurisdictions: We monitor and adapt to privacy legislation in South Korea (PIPA), Singapore (PDPA), Australia (Privacy Act 1988), New Zealand (Privacy Act 2020), South Africa (POPIA), Nigeria (NDPR), Argentina (Ley 25.326), and other markets where our Apps are distributed.

4. Auto-Renewing Subscriptions (Subscription Transparency)

Where an App includes auto-renewing subscription services, we strictly comply with Apple and Google app store rules and the compliance requirements of global regions, and make the following statements to safeguard the user's right to know and right to choose:

4.1 Data Collected for Subscriptions

We collect only the necessary subscription-related information, including subscription period, remaining trial time, subscription status (active / expired / paused), and renewal time. This data is used for subscription management and service provision. We do not collect any unrelated information.

4.2 Transparency Guarantees

  • Before Subscribing: We clearly inform the user of the subscription period (weekly / monthly / yearly), subscription price, trial period length (if any), renewal rules, and how to cancel the subscription. There are no hidden clauses.
  • Billing Reminder: 24 hours before each auto-renewal billing, we send the user a billing reminder via in-app pop-up, system push notification, or other means, clearly informing the user of the billing amount, billing time, and the direct path to cancel the subscription.
  • Subscription Management: Users may cancel the auto-renewal at any time through the in-app "Settings – Subscription Management" or the App Store / Google Play subscription management page. After cancellation, no further billing will occur, and no fee will be charged for cancellation during the trial period.

4.3 Trial Period Statement

If a free trial is offered, the subscription will automatically renew and be billed after the trial period ends. Users may cancel the subscription at any time during the trial period to avoid charges. If a user has used subscription-exclusive features during the trial period, those features will be deactivated immediately upon cancellation.

5. AI-Generated Content Statement (Where Applicable)

Where an App includes AI-generated content (including but not limited to text, audio, images, interactive scenes, etc.), we strictly comply with global AI compliance requirements and make the following statements to safeguard the user's right to know and legitimate rights:

  • Clear Labelling: All AI-generated content is explicitly marked as "AI-Generated" to distinguish it from human-created content, without misleading users, in compliance with the EU AI Act and U.S. state AI transparency requirements.
  • Content Compliance: AI-generated content strictly follows global content moderation standards. The generation of violent, pornographic, vulgar, false information, politically sensitive, racially discriminatory, and other non-compliant content is prohibited. A dual mechanism of "AI generation + human review" is implemented to ensure content compliance.
  • Liability Definition: AI-generated content serves only as an auxiliary function and does not constitute any advice, commitment, or guarantee. We do not assume any responsibility for any loss incurred by users based on AI-generated content. If AI-generated content infringes upon the intellectual property rights, reputation rights, or other legitimate rights of others, we will bear corresponding responsibility and promptly delete the non-compliant content.
  • Data Security: The data used to train AI models is either compliantly collected or authorised non-sensitive data. We do not use users' personal information or private data to train AI models, and strictly protect user data security.

6. Children's Privacy (COPPA / AADC / UK Age-Appropriate Design Code)

Our Apps are not primarily directed at children under 13. We do not knowingly collect personal information from children under 13 (or under the digital age of consent in their jurisdiction, where higher). For users in the EU / UK, we comply with the UK Age-Appropriate Design Code (AADC). For users in the United States, we comply with the Children's Online Privacy Protection Act (COPPA) and the California Age-Appropriate Design Code Act. If we learn that we have inadvertently collected personal information from a child in a manner inconsistent with these requirements, we will delete it as soon as possible.

Parents or guardians who believe their child has provided us with personal information may contact us at contact@nixbyteflowcore.com (subject line: "Children's Privacy") to request its deletion.

7. Data Subject Rights

Regardless of where you are located, you have the following rights with respect to your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right of Rectification: Request that we correct inaccurate or incomplete personal data.
  • Right of Erasure ("Right to Be Forgotten"): Request that we delete your personal data, subject to legal retention obligations.
  • Right of Restriction: Request that we limit the processing of your personal data in certain circumstances.
  • Right of Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interest, including profiling.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time, without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: Lodge a complaint with your local data protection authority.

To exercise any of these rights, write to contact@nixbyteflowcore.com with the subject line starting with "Data Subject Request". We respond to all verified requests within 30 days (45 days for California residents, as required by CPRA).

8. International Data Transfers

We may transfer personal data to countries other than the country in which it was originally collected, including to the United Kingdom, the United States, the European Economic Area, Singapore, and other jurisdictions where our processors and sub-processors operate. Where personal data is transferred from the EEA, UK, or Switzerland to a country that has not been deemed adequate by the European Commission (or the relevant UK authority), we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other lawful transfer mechanisms. Where data is transferred from China, we comply with the Cyberspace Administration of China's standard contract or security assessment requirements.

9. Data Retention & Deletion

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Specific retention periods:

  • Behavioural trace data: 13 months maximum (in line with UK ICO guidance)
  • IAP transaction receipts: 7 years (for tax / accounting compliance)
  • Crash logs and diagnostics: 90 days
  • Account-related data (where applicable): until account deletion + 30 days for grace period

After the applicable retention period expires, the data is either irreversibly anonymised or securely deleted.

10. Security Measures

We implement industry-standard technical and organisational measures to protect personal data, including:

  • AES-256 encryption of personal data at rest
  • TLS 1.3 encryption of personal data in transit
  • Access controls based on the principle of least privilege, with role-based access control (RBAC) and full audit logging
  • Regular third-party penetration testing and vulnerability scanning
  • Annual SOC 2 Type II audit (in progress for 2026; report available on request under NDA)
  • Documented incident response plan with 72-hour breach notification commitment to EU / UK regulators and affected users where required
  • Secure development lifecycle, including code review, static analysis, and dependency scanning

11. Contact Channels

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or need to contact us for any privacy-related matter, please use the channels below. We operate with only two public-facing inboxes, so please choose the one that best matches the nature of your enquiry:

  • General support & user enquiries: support@nixbyteflowcore.com
  • Business, project, privacy, DPO, EU/UK representative, legal & compliance enquiries: contact@nixbyteflowcore.com
  • Studio domain: nixbyteflowcore.com
  • Postal Address: nixbyteflowcore, Warwick Software Industry Park, United Kingdom

All data-subject requests, privacy complaints, DPO correspondence, EU/UK statutory representative matters, and legal / compliance notices are routed through the single contact@nixbyteflowcore.com inbox. The mailbox is monitored continuously during UK business hours (Mon–Fri, 09:00–18:00 GMT/BST) and we acknowledge receipt within 1 business day.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. If the changes are material, we will provide a more prominent notice (such as an in-app banner, an email to the address associated with your account, or a push notification). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.

This Privacy Policy is governed by, and construed in accordance with, the laws of England and Wales. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to your right to bring proceedings in your country of residence under mandatory local consumer protection laws.

— End of Privacy Policy —
nixbyteflowcore · Version 6.2 · 18 June 2026