This Privacy Policy explains how Cosmicode, Lda. (“Cosmicode”, “we”, “us”, or “our”) collects, uses, discloses, stores, shares, transfers, and protects information when you use our websites, mobile applications, games, software, online services, customer support, and related services (together, the “Services”).
This Privacy Policy applies to all Cosmicode products and Services, unless a specific product displays a separate privacy notice. Some sections apply only where a particular feature is available in a Service, such as accounts, in-app purchases, advertising, analytics, user-generated content, social features, or location-based features.
Please read this Privacy Policy carefully. If you do not agree with it, you should not use the Services.
1. Who We Are
The controller of your personal data is:
Cosmicode, Lda.
Rua Barão de Corvo, 37, Sala L
4400-039 Vila Nova de Gaia
Portugal
Email: geral@cosmicode.pt
For privacy-related requests, you may contact us at: geral@cosmicode.pt.
We may update this contact information from time to time, including by providing a dedicated privacy email address or additional regional contact details.
2. Scope of This Policy
This Privacy Policy covers personal data processed in connection with our Services, including:
- our mobile games and applications;
- our websites and landing pages;
- app store listings and related interactions;
- accounts and user profiles, where available;
- gameplay, progression, scores, achievements, and usage data;
- in-app purchases, subscriptions, virtual items, and purchase verification;
- advertising, analytics, attribution, fraud prevention, and crash reporting;
- support communications;
- social features, user-generated content, chat, reporting, and moderation, where available.
Not all features are available in every Service. Where a feature is not present in a particular Service, the related data processing may not apply to you.
The app store privacy information, data safety information, or other product-specific disclosures for each Service may provide additional details about the data practices of that specific Service.
3. Personal Data We Collect
We collect different categories of personal data depending on how you use the Services.
3.1 Data You Provide to Us
Depending on the Service, you may provide:
- name, username, nickname, display name, or profile information;
- email address;
- authentication credentials or login information, where accounts are available; we do not store your third-party login passwords;
- profile picture, avatar, biography, or other profile details;
- date of birth, age range, or age confirmation, where needed;
- country, language, or region preferences;
- support messages, feedback, bug reports, and correspondence;
- content you create, upload, submit, share, or make available through the Services;
- information submitted in contests, surveys, promotions, or community features.
3.2 Account and Authentication Data
Some Services may allow you to create an account or sign in through third-party providers such as Apple, Google, Meta/Facebook, or other identity providers. In those cases, we may receive information such as:
- user identifier from the provider;
- name or display name;
- email address;
- profile picture, if made available;
- authentication token or login confirmation;
- country, language, or age-related information, where provided by the provider.
The information we receive depends on the product, your settings with the provider, and the permissions you grant. For example, some Services may support Google Sign-In, Sign in with Apple, or Meta/Facebook Sign-In.
3.3 Device, Technical, and Usage Data
When you use the Services, we and our service providers may automatically collect:
- device type, model, operating system, and app version;
- IP address and approximate location derived from IP address;
- language, region, time zone, and network information;
- device identifiers, app instance identifiers, and installation identifiers;
- advertising identifiers, where permitted and consented to when required;
- session information, pages/screens viewed, buttons tapped, and feature usage;
- gameplay events, level progress, scores, achievements, session duration, and interaction patterns;
- crash logs, diagnostics, performance data, and error reports;
- security, anti-fraud, and abuse-prevention signals.
3.4 Purchases, Subscriptions, and Virtual Items
If a Service offers purchases, subscriptions, virtual currency, virtual goods, or other paid features, we may process:
- purchase history and product identifiers;
- transaction identifiers;
- app store receipt or purchase token data;
- subscription status and renewal information;
- fraud-prevention and payment-verification information.
Payments made through Apple App Store or Google Play are processed by the relevant app store. We generally do not receive your full payment card details from Apple or Google.
3.5 Advertising, Analytics, Remote Configuration, In-App Messaging, and Attribution Data
Some Services may use advertising, analytics, attribution, remote configuration, in-app messaging, and measurement tools. Depending on the Service, region, platform, and your choices, these tools may process:
- advertising identifiers such as IDFA or Google Advertising ID;
- app usage events;
- gameplay, progression, and engagement events;
- ad views, clicks, impressions, conversions, and campaign performance;
- installation source and attribution data;
- approximate location, language, and device data;
- identifiers used to prevent fraud, limit ad frequency, and measure performance;
- information used to configure app features, test variations, deliver in-app messages, and improve user experience.
We use Firebase services for purposes such as analytics, remote configuration, and in-app messaging. Some Services use Google Mobile Ads / AdMob, including ad mediation, which may allow Google and other advertising partners in the mediation stack to process data for ad delivery, measurement, fraud prevention, frequency capping, and, where permitted, personalized advertising.
Where required, we will ask for consent before using certain advertising, tracking, analytics, or similar technologies.
3.6 User-Generated Content and Social Features
Some Services may allow users to create, submit, share, display, or exchange content, including usernames, avatars, text, images, messages, game content, answers submitted in online rooms, scores, rankings, or other material (“User Content”).
Some content, settings, or game data may be stored only locally on your device and may not be transmitted to Cosmicode unless you choose to share it, sync it, contact support, or use an online feature.
If social or user-generated content features are available, we may process:
- User Content you submit;
- chat messages or communications with other users;
- reports, complaints, moderation decisions, and enforcement records;
- block lists, safety settings, and abuse-prevention data;
- public profile information, leaderboards, rankings, achievements, and similar social data.
Content you choose to make public may be visible to other users and may be copied or shared by them. Please do not share information that you do not want others to see.
Answers submitted in online rooms are generally processed only for the duration of the live game session and are not stored after the session ends, except where necessary for reports, safety, abuse prevention, legal compliance, or technical logs.
3.7 Location Data
Some Services may process approximate location, such as country or region derived from your IP address, for localization, analytics, fraud prevention, legal compliance, and regional settings.
We do not collect precise GPS location unless a Service clearly asks for it and you grant the relevant device permission. If precise location is ever used, we will explain why and provide appropriate controls.
3.8 Camera, Photos, Video, and Media Processing
Some Services may request access to your camera, photos, videos, or media files for specific app features. Such access occurs only with your device permission. Media may be processed locally on your device unless the Service clearly explains that it will be uploaded, shared, or stored online. You can manage camera, photo, and media permissions through your device settings.
3.9 Customer Support Data
When you contact us for support, we may process:
- your contact details;
- your message and attachments;
- device, account, purchase, gameplay, crash, or diagnostic data needed to resolve your request;
- correspondence history and support outcome.
4. How We Use Personal Data
We use personal data for the following purposes:
4.1 To Provide and Operate the Services
This includes:
- making the Services available;
- creating and managing accounts;
- saving progress, preferences, achievements, and settings;
- enabling gameplay and app functionality;
- verifying purchases, subscriptions, and entitlements;
- providing customer support;
- sending service-related messages;
- maintaining security, availability, and reliability.
4.2 To Improve and Develop the Services
We use analytics, diagnostics, feedback, and usage information to:
- understand how users interact with the Services;
- fix bugs and crashes;
- test and improve features;
- balance gameplay and difficulty;
- develop new products, features, and content;
- measure performance and user experience.
4.3 To Personalize the Services
Where appropriate, we may use data to:
- remember preferences;
- adapt language, region, or content;
- recommend features, content, or game modes;
- personalize gameplay experience;
- show relevant in-app messages or promotions.
4.4 To Show Advertising and Measure Advertising Performance
Some Services may be supported by advertising. We and our advertising partners, including Google Mobile Ads / AdMob and mediation partners, may use data to:
- show ads;
- limit how often you see the same ad;
- measure ad performance;
- detect ad fraud;
- attribute installs or actions to advertising campaigns;
- show personalized advertising, where permitted and consented to when required.
You can control certain advertising choices through your device settings, consent options, and platform-level privacy controls. In the EEA, UK, and other regions where required, personalized advertising and certain tracking technologies will be subject to your consent.
4.5 To Protect Users and Enforce Our Rules
We may use data to:
- detect, prevent, and investigate fraud, cheating, abuse, spam, security incidents, or prohibited conduct;
- moderate User Content and social features;
- respond to user reports;
- suspend or terminate accounts that violate our Terms;
- protect the rights, safety, and property of users, Cosmicode, and third parties.
4.6 To Comply With Law and Defend Legal Claims
We may process data to:
- comply with legal obligations;
- respond to lawful requests from authorities;
- keep accounting, tax, and business records;
- enforce our Terms;
- establish, exercise, or defend legal claims.
5. Legal Bases for Processing in the EEA, UK, Switzerland, and Other Regions With Similar Data Protection Laws
Where the GDPR, UK GDPR, or similar data protection laws apply, we rely on one or more of the following legal bases:
- Performance of a contract: to provide the Services, manage accounts, save progress, verify purchases, provide requested features, and deliver customer support.
- Legitimate interests: to improve the Services, maintain security, prevent fraud and abuse, perform non-intrusive analytics, respond to support requests, and protect our business and users, unless overridden by your rights and interests.
- Consent: for certain cookies, tracking, personalized advertising, push notifications, precise location, or optional features where consent is legally required.
- Legal obligation: to comply with accounting, tax, consumer protection, regulatory, and law enforcement obligations.
- Vital interests or public interest: where strictly necessary in exceptional safety or legal situations.
In general, we rely on performance of a contract to provide accounts, gameplay, progress saving, purchases, subscriptions, and customer support; on legitimate interests for security, fraud prevention, service improvement, non-intrusive analytics, crash reporting, and enforcement of our Terms; on consent for personalized advertising, certain tracking technologies, optional push notifications, precise location, and other optional features where consent is required; and on legal obligation for tax, accounting, consumer protection, regulatory, and law enforcement compliance.
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect processing that took place before withdrawal.
6. Advertising, Tracking, Cookies, and Similar Technologies
We may use cookies, software development kits, mobile identifiers, pixels, local storage, and similar technologies to operate, secure, analyze, improve, and monetize the Services.
6.1 Websites
On our websites, we may use:
- strictly necessary cookies;
- preference cookies;
- analytics cookies;
- advertising or measurement cookies.
Where required by law, non-essential cookies will only be used with your consent. You may manage cookies through our cookie banner or your browser settings, where available.
6.2 Mobile Apps
In mobile apps, we may use SDKs and similar technologies for:
- app functionality;
- analytics;
- remote configuration;
- in-app messaging;
- crash reporting and diagnostics;
- advertising and ad mediation;
- attribution;
- fraud prevention;
- purchase verification;
- push notifications or in-app communications;
- authentication;
- real-time multiplayer or online room functionality.
Our Services may use technologies and providers such as Expo, Firebase, Google Mobile Ads / AdMob, Google Sign-In, Google Play Games Services, Sign in with Apple, Meta/Facebook Sign-In, Sentry, StoreKit, Google Play Billing, FFmpegKit, VisionCamera, App Tracking Transparency, Pusher, and in-app purchase tools. Not every provider is used in every Service.
Where required, we will request consent before using identifiers or technologies for tracking or personalized advertising. On iOS, certain tracking activities may require Apple’s App Tracking Transparency permission. On Android, you may have device-level advertising ID and privacy controls.
If you deny permission under Apple’s App Tracking Transparency framework, we will not access your IDFA or use it for tracking across apps and websites owned by other companies. We may still process limited data for app functionality, security, fraud prevention, contextual advertising, and measurement where permitted.
6.3 Your Choices
Depending on your device and region, you may be able to:
- reset or delete your advertising ID;
- limit ad personalization;
- deny app tracking permission;
- manage cookie consent;
- disable push notifications;
- manage location permissions;
- withdraw consent through in-app or device settings, where available.
If you do not consent to personalized advertising, we may still show contextual or non-personalized ads, where available and permitted. These ads may still involve limited processing for ad delivery, frequency capping, fraud prevention, security, and measurement.
Where we rely on consent, you may withdraw your consent at any time through the privacy settings available in the relevant Service, through your device or platform settings, through the consent prompt where available, or by contacting us at geral@cosmicode.pt. Withdrawal of consent does not affect processing that occurred before withdrawal.
7. Push Notifications
Some Services may ask permission to send push notifications. Push notifications may include service-related messages, gameplay updates, reminders, events, promotions, or other relevant information. Some notifications are functional or service-related, while others may be promotional. Where required by law, promotional notifications will be sent only with your consent. You can enable or disable push notifications at any time through your device settings.
8. How We Share Personal Data
We may share personal data with the following categories of recipients:
8.1 Service Providers
We use trusted service providers to help us operate the Services, including hosting, cloud infrastructure, analytics, remote configuration, in-app messaging, crash reporting, customer support, advertising, attribution, payment verification, fraud prevention, authentication, real-time communication, and communication tools. These providers process data according to our instructions or their own applicable legal obligations.
Examples of providers or technologies we may use include Firebase, Google, Apple, Meta/Facebook, Sentry, Pusher, app store billing systems, and advertising mediation partners. Not every provider is used in every Service.
8.2 Advertising and Analytics Partners
Where advertising, analytics, mediation, or attribution is used, we may share or allow access to certain data with advertising networks, ad mediation partners, analytics providers, attribution providers, and measurement partners. This may include device data, advertising identifiers, app events, approximate location, and ad interaction data, depending on the Service, region, platform, and your choices.
Some Services use AdMob with mediation. This means that Google and other ad networks participating in the mediation stack may process data to request, deliver, personalize where permitted, measure, and secure ads.
Because our advertising mediation partners may change over time, we may provide a current list of advertising and analytics partners in the relevant app, in our consent management flow, or upon request.
8.3 App Stores and Payment Platforms
If you make purchases through Apple App Store, Google Play, or another platform, your transaction is also subject to that platform’s terms and privacy practices. We may receive purchase confirmation, receipt, token, subscription, and entitlement data from those platforms.
8.4 Other Users and the Public
If a Service includes public profiles, leaderboards, rankings, multiplayer features, social features, chat, or User Content, certain information may be visible to other users or the public, depending on the feature and your settings.
8.5 Legal, Safety, and Compliance Recipients
We may disclose data when we believe it is necessary to:
- comply with law, legal process, or government requests;
- enforce our Terms;
- investigate fraud, abuse, security incidents, or illegal activity;
- protect the rights, property, or safety of Cosmicode, users, or others;
- respond to valid intellectual property, privacy, or safety complaints.
8.6 Business Transfers
If Cosmicode is involved in a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, personal data may be transferred as part of that transaction, subject to applicable law.
8.7 Aggregated or De-Identified Data
We may use and share aggregated, anonymized, or de-identified information that cannot reasonably identify you.
9. International Data Transfers
We are based in Portugal, and our Services may be provided using partners, infrastructure, and service providers located in other countries, including the United States and countries outside the European Economic Area, the United Kingdom, or your country of residence.
Where required, we use appropriate safeguards for international transfers, such as:
- adequacy decisions;
- standard contractual clauses;
- the EU-US Data Privacy Framework, UK Extension, or Swiss-US Data Privacy Framework, where applicable to certified providers;
- other lawful transfer mechanisms recognized by applicable law.
10. Data Retention
We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention periods vary depending on the type of data and the reason for processing. In general:
- account data is kept while your account is active and for a reasonable period after deletion where needed for legal, security, fraud-prevention, backup, or dispute-resolution purposes;
- gameplay and progress data is kept while needed to provide the Services and maintain your account or local/user profile;
- support records are kept for a reasonable period to manage support history, quality, disputes, and legal obligations;
- purchase records may be kept as needed for accounting, tax, fraud-prevention, and legal compliance;
- security logs may be kept for a limited period to detect and prevent abuse, fraud, and unauthorized access;
- analytics data may be aggregated, anonymized, or deleted when no longer needed;
- User Content may remain available while your account or the relevant feature is active, unless removed by you, by us, or as required by law;
- answers submitted in online rooms are generally processed only for the duration of the live game session and are not stored after the session ends, except where necessary for reports, safety, abuse prevention, legal compliance, or technical logs.
When personal data is no longer needed, we will delete it, anonymize it, or securely retain it only where legally permitted.
11. Account Deletion and Data Deletion
Where a Service allows account creation, we will provide a way to request deletion of your account and associated data. You can delete your account directly in the relevant app, where available, or contact us at geral@cosmicode.pt to request deletion.
When you request account deletion, we will delete or anonymize personal data associated with your account, unless we need to retain certain information for legitimate reasons, such as:
- completing transactions or verifying purchases;
- complying with tax, accounting, or legal obligations;
- preventing fraud, abuse, cheating, or security incidents;
- resolving disputes;
- enforcing our Terms;
- protecting legal rights;
- maintaining backup systems for a limited period.
Deletion of your account may permanently remove progress, purchases linked only to that account, virtual items, settings, and access to certain features, except where restoration is required by law or platform rules.
12. Your Privacy Rights
Depending on your location and applicable law, you may have rights to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- delete your personal data;
- restrict or object to processing;
- withdraw consent where processing is based on consent;
- request data portability;
- object to direct marketing;
- opt out of certain targeted advertising or sharing activities;
- appeal or challenge certain decisions, where applicable;
- lodge a complaint with a data protection authority.
To exercise your rights, contact us at geral@cosmicode.pt. We may need to verify your identity before responding.
If you are in Portugal or the European Economic Area, you may also contact your local data protection authority. In Portugal, the competent authority is the Comissão Nacional de Proteção de Dados (CNPD). You may also contact the supervisory authority in your country of residence or place of the alleged infringement.
13. Children and Younger Users
Our Services are generally intended for a general audience, unless a specific Service states otherwise. We do not knowingly collect personal data from children below the age at which they may lawfully use the Services without parental consent.
Some of our Services may be designed for or suitable for younger audiences. Where a Service is specifically designed for children or younger users, we apply additional protections appropriate to that Service. For example, Guess Up Kids does not display advertising and we do not use personalized advertising in that Service. If we launch other Services designed for children or younger audiences, we may apply similar or additional protections depending on the Service, platform rules, and applicable law.
Age requirements may vary by country, product, and feature. Some Services or features may have age restrictions, including accounts, social features, personalized advertising, purchases, contests, or User Content. Unless a specific Service states otherwise, the Services are intended for users aged 13 or older.
If you are under the age required by applicable law, you may use the Services only with consent from your parent or legal guardian, where permitted. Parents and guardians should supervise minors’ use of the Services, including in-app purchases, social features, and online interactions.
We do not knowingly target personalized advertising to children where prohibited by law. If we learn that we have collected personal data from a child in a way that is not permitted, we will take reasonable steps to delete it or obtain appropriate parental consent.
If you believe that a child has provided us with personal data unlawfully, please contact us at geral@cosmicode.pt.
14. User Content, Safety, and Moderation
Where a Service includes User Content, chat, public profiles, multiplayer interactions, or similar features, we may process User Content and related data to operate, moderate, and protect the Service.
We may review, remove, restrict, or report User Content where we believe it violates our Terms, applicable law, platform rules, or user safety standards. We may also suspend or terminate accounts involved in abuse, harassment, illegal activity, cheating, spam, or other prohibited conduct.
Some Services may include tools to report content or users, block users, or contact us about safety concerns. Reports may include the reported content, account identifiers, timestamps, device or technical information, and reviewer decisions.
If you believe that we have removed content, restricted a feature, or taken moderation action by mistake, you may contact us at geral@cosmicode.pt to request a review.
15. Security
We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. These measures may include access controls, encryption in transit where appropriate, logging, monitoring, vendor security reviews, and internal procedures designed to limit access to personal data. However, no method of transmission or storage is completely secure. You are responsible for keeping your account credentials confidential and for using secure devices and networks.
16. Third-Party Links and Services
The Services may include links to third-party websites, platforms, app stores, social networks, advertisements, or services. We are not responsible for the privacy practices of third parties. Their own terms and privacy policies apply to their services.
17. Regional Notices
17.1 EEA, UK, and Switzerland
If you are located in the EEA, UK, or Switzerland, the GDPR, UK GDPR, or similar laws may apply. You have the rights described in this Privacy Policy and may lodge a complaint with your local supervisory authority.
17.2 California and Certain U.S. States
Depending on whether applicable legal thresholds are met, residents of California and certain other U.S. states may have additional rights, such as the right to know, access, delete, correct, opt out of certain sales or sharing, limit use of sensitive personal information, and not be discriminated against for exercising privacy rights.
We do not sell personal data for money. However, some advertising and analytics practices may be considered “sharing”, “targeted advertising”, or “sale” under certain U.S. state privacy laws. Where required, we will provide appropriate opt-out mechanisms.
17.3 Other Regions
Users in other countries may have additional privacy rights under local law. We will respond to valid requests as required by applicable law.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by law, such as by updating the date above, posting a notice in the Services, or sending a notification. Your continued use of the Services after the effective date of an updated Privacy Policy means that the updated policy applies to your use of the Services, to the extent permitted by law.
Where required by law, we will request your consent before applying material changes to processing activities that require consent.
19. Contact Us
For questions or requests about this Privacy Policy or your personal data, contact us at:
Cosmicode, Lda.
Rua Barão de Corvo, 37, Sala L
4400-039 Vila Nova de Gaia
Portugal
Email: geral@cosmicode.pt
Last Update: April 24, 2026