Privacy Policy

WinITGames Studios ("WinITGames", "we", "us", or "our")

Effective Date: 1 June 2026

This Privacy Policy explains who we are, how we process (i.e. collect, record, organize, structure, store, adapt or alter, retrieve, consult, use, disclose by transmission, disseminate or otherwise make available, align or combine, restrict, erase or destroy) personal information about you, and how you can exercise your privacy rights.

We, WinITGames Studios, a studio established under the laws of India, with registered address at WinITGames Studios, Mumbai, Maharashtra, India 400 001 ("WinITGames", "we", "us", or "our"), are a developer and publisher of games and mobile game applications that are made available via app stores including the Apple App Store and Google Play Store. This Privacy Policy applies to the personal information that we collect through our games, mobile applications, websites, and other products ("Games") and related services (together, the "Services"), including all current and future titles we publish under the WinITGames brand.

By using our Services, you agree to be bound by this Privacy Policy. Where the law requires your consent for a specific processing activity (for example, personalized advertising), we will ask for it separately, and you may withdraw it at any time. If you do not agree with this Privacy Policy, please do not use the Services.

This Privacy Policy forms part of, and should be read together with, our Terms of Service.

1. Scope & Who We Are

WinITGames Studios is the developer and publisher of casual mobile games. For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, the India Digital Personal Data Protection Act, 2023 (DPDP Act), and similar laws, the data controller (and "Data Fiduciary" under Indian law) responsible for your information is WinITGames Studios, Mumbai, Maharashtra, India 400 001, contactable at winitgames18@gmail.com.

This Policy applies to all WinITGames Services across all platforms (Apple App Store, Google Play, web, and any other distribution channel). Some Services may operate fully offline and collect little or no personal information; others display advertising or offer optional accounts and in-app purchases. Where a specific title's data practices differ from this Policy, the in-app or store-listing disclosure for that title will state so.

2. Information We Collect

The categories of information we may collect depend on which Service you use and which features you enable. We design our games to minimize data collection and, wherever feasible, to function without requiring a personal account.

2.1 Information you provide voluntarily

Account & profile data (when you create an account or sign in): username, display name, email address, password (stored hashed), avatar, and language preference.
Support & communications: your name, email, message contents, and attachments when you contact support, report a bug, or respond to a survey.
User-generated content: nicknames, custom level data, or messages you submit, where a title supports this.

2.2 Information collected automatically

Device & technical data: device model, operating system and version, app version, device language and timezone, screen metrics, network type, and crash/diagnostic logs.
Identifiers: advertising identifier (Apple IDFA / Google GAID/AAID), Firebase installation ID, and similar non-permanent identifiers. We do not collect persistent hardware identifiers such as IMEI or MAC address.
Usage & gameplay data: levels played, scores, progress, session length, in-app events, feature interactions, and ad interactions (impressions, clicks).
Approximate location: coarse location inferred from IP address (e.g. country/region) for legal compliance, fraud prevention, tax, and ad localization. We do not collect precise GPS location unless a feature explicitly requires it and you grant permission.
Purchase events: records that a purchase occurred, the product identifier, and validation receipts (see §10). We do not receive or store your full payment card number.
Device permissions: we request only the permissions a feature needs — for example notifications (push), network access (ads, purchases, account sync), and, where a specific title offers such a feature, camera or photo-library access. Sensitive permissions are requested at the point of use, and you may decline or revoke them in your device settings.

2.3 Information from third parties

Platform & sign-in providers: if you sign in via Apple, Google, or Facebook (where offered), we receive the basic profile data you authorize (e.g. name, email, profile picture).
Advertising & analytics partners: aggregated or pseudonymous measurement data such as installs, attribution, and ad performance.

2.4 Sensitive data

We do not intentionally collect special-category or sensitive personal data (such as health, biometric, genetic, racial or ethnic, religious, political, or precise geolocation data). Please do not send such information to us.

3. How We Collect It

We collect information (a) directly from you when you interact with the Services; (b) automatically through SDKs, APIs, cookies, and similar technologies integrated into our games; and (c) from third-party platforms, advertising networks, and service providers acting on our behalf or with whom you choose to connect.

4. How We Use Information

Purpose	Examples
Provide & operate the Services	Run gameplay, save progress, sync across devices, authenticate accounts.
Maintain & improve	Diagnose crashes, fix bugs, measure performance, develop new features and titles.
Advertising	Display ads, support contextual or (with consent) personalized ads, measure ad performance, cap frequency, prevent ad fraud, cross-promote our other games.
Analytics & research	Understand engagement and retention using aggregated/pseudonymous data.
Transactions	Process and validate in-app purchases and entitlements; handle refunds and chargebacks; meet tax/accounting obligations.
Communications	Respond to support requests; send service and (where permitted) optional promotional messages and push notifications.
Safety & security	Detect, prevent, and respond to fraud, abuse, cheating, and security incidents.
Legal compliance	Comply with applicable laws, respond to lawful requests, and enforce our terms.

5. Legal Bases for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Legal basis	When we rely on it
Contract (Art. 6(1)(b))	To deliver gameplay, accounts, and purchases you request.
Consent (Art. 6(1)(a))	For personalized advertising, certain cookies/SDKs, optional marketing, and any non-essential tracking. You may withdraw consent at any time.
Legitimate interests (Art. 6(1)(f))	For security, fraud prevention, analytics, contextual (non-personalized) ads, service improvement, and cross-promotion — balanced against your rights.
Legal obligation (Art. 6(1)(c))	For tax, accounting, and responding to lawful requests.

Where we rely on consent (including for personalized ads in the EEA, UK, and Switzerland), we present a consent management prompt and do not serve personalized ads or set non-essential identifiers unless you opt in.

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. The only profiling we perform is ad and content personalization, which you can opt out of (see §6.1). For users in India, our processing is based principally on your consent, which is itemized by purpose, may be withdrawn at any time through the in-app privacy settings or by contacting us (and is as easy to withdraw as it is to give), and may be managed through a Consent Manager where we make one available.

6. Advertising & AdMob

Most of our games are free to download and supported by advertising (alongside optional in-app purchases). We primarily use Google AdMob and its mediation network to serve banner, interstitial, rewarded, and native ads, and we may use additional ad networks and mediation partners listed in Appendix A.

Personalized vs. non-personalized ads. In the EEA, UK, and Switzerland (and wherever else required), we request your consent before serving personalized ads. If you decline, you will still see ads, but they will be contextual / non-personalized.
Data used for ads. Advertising partners may process your advertising identifier, IP address, coarse location, device data, and ad-interaction data to deliver and measure ads. These partners are independent controllers for their own advertising purposes.
Apple App Tracking Transparency (ATT). On iOS, we will request permission via the ATT prompt before any cross-app tracking. If you decline, we do not use the IDFA for tracking.
Google AdMob. Google's handling of data is described in its Privacy & Terms and AdMob policies. You can manage personalization at Google Ad Settings.
Opting out. See §16 and the device instructions in §6.1.

6.1 How to limit ad personalization

iOS: Settings → Privacy & Security → Tracking → turn off "Allow Apps to Request to Track"; and Settings → Privacy & Security → Apple Advertising.
Android: Settings → Google → Ads → "Delete advertising ID" or "Opt out of Ads Personalization".
In-app: where a title offers it, adjust consent via the in-game Privacy/Consent settings.
Web tools: YourAdChoices (DAA), Your Online Choices (EU), and the NAI opt-out.

7. Cookies & Similar Technologies

Our mobile games generally use SDKs and mobile identifiers rather than browser cookies. Our website (where applicable) and any web-based features may use cookies and local storage. We use these technologies for the purposes below.

Type	Purpose	Consent
Strictly necessary	Core functionality, security, load balancing, saving local game state/settings.	Not required
Analytics / performance	Understand usage and improve the Services (e.g. Firebase Analytics).	Consent where required
Advertising	Deliver and measure ads, including personalization where consented.	Consent in EEA/UK/CH and where required

You can clear local storage by reinstalling the app or clearing app data, and manage browser cookies in your browser settings.

8. Third-Party Services

We integrate trusted third-party SDKs and services to operate, secure, monetize, and improve the Services. These providers process data on our behalf as processors, or as independent controllers for advertising. Representative providers are listed in Appendix A (advertising) and Appendix B (analytics & infrastructure), and include Google (AdMob, Firebase, Play Services), Apple, and our cloud hosting provider. Each provider's own privacy policy governs its independent processing; links are provided in the Appendices. We are not responsible for the content or privacy practices of third-party websites or services that you access through links in the Services.

We do not sell your personal information for money. We may share information in the following circumstances:

Service providers / processors: hosting, analytics, crash reporting, customer support, and ad-serving partners, under contracts that restrict their use of the data.
Advertising partners: as described in §6. Note that under certain U.S. state laws, sharing identifiers for cross-context behavioral advertising may be treated as a "sale" or "sharing" — see §18.
Platform providers: Apple and Google for app distribution, purchase processing, and platform services.
Legal & safety: to comply with law, lawful requests, court orders, or to protect the rights, safety, and property of WinITGames, our users, or the public.
Corporate transactions: in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to this Policy.
With your direction or consent: e.g. social sharing features you choose to use.

10. Payments, Purchases, Taxes & Refunds

10.1 In-app purchases

Where a Service offers in-app purchases (IAP) or subscriptions, all payments are processed by the platform operator — Apple (App Store / In-App Purchase) or Google (Google Play Billing) — not by WinITGames. We do not collect, receive, or store your full payment card details. We receive a validated purchase receipt, the product identifier, transaction/order ID, purchase status, and approximate country (for tax). Your payment data is handled under Apple's and Google's respective privacy policies.

10.2 Taxes

Applicable sales tax, VAT, GST, or similar taxes on digital purchases are calculated, collected, and remitted by the platform operator (Apple or Google) based on your billing location, in accordance with applicable law. Prices shown may include or exclude such taxes depending on your region and platform rules.

10.3 Refunds — No Direct Refunds

WinITGames does not offer or process refunds directly. Because all purchases are processed by the platform operator, any refund — where available — is handled exclusively by the service provider (Apple or Google) in accordance with their policies. All purchases made through the Services are otherwise considered final.

Apple App Store: request refunds via reportaproblem.apple.com under Apple Media Services / EULA terms.
Google Play: request refunds via the Google Play refund policy and Play Store order history.

Nothing in this Policy limits any non-waivable statutory rights you may have under applicable consumer law (for example, EU/UK cooling-off rights); where such rights apply, they are administered through the platform's refund process. Virtual items and in-game currency have no real-world monetary value, are non-transferable, and are licensed (not sold) to you. If you believe you were charged in error, please contact the platform operator directly; you may also contact us (§25) and we will try to help, but final refund authority rests solely with the platform.

11. Children's Privacy

Protecting children is a priority, and our practices depend on whether a particular title is general-audience or directed to children. We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and its Rule, the GDPR provisions on children's consent (Art. 8), the UK Age Appropriate Design Code (Children's Code), the children's provisions of the India DPDP Act, and similar laws.

11.1 Age screening

Where a title may be used by children, we apply a neutral age screen to establish the user's age (in a way that does not encourage falsification) and route the user into the appropriate experience. The applicable minimum age of digital consent is 13 under COPPA and up to 16 in parts of the EEA/UK; we treat a user below the applicable age as a "child."

11.2 General-audience titles

These titles are not directed to children. We do not knowingly collect personal information from children, serve them personalized ads, or permit account creation by them. If we learn that a child has provided personal information without verifiable parental consent, we delete it promptly.

11.3 Child-directed titles (COPPA)

Some titles are directed to children. For these titles, and for any user we treat as a child:

Direct notice & verifiable parental consent (VPC). Before collecting personal information from a child beyond what is permitted as "support for the internal operations" of the Service (e.g. an identifier used solely for security, fraud prevention, or frequency capping), we give the parent direct notice and obtain verifiable parental consent using a method reasonably calculated to confirm the person is the parent — for example a verified payment-card transaction, a signed consent form, a government-ID check, or an equivalent method.
Data minimization. We collect only the personal information reasonably necessary for the child to participate, and we do not condition participation on disclosing more than is necessary.
Advertising. We serve only contextual, non-personalized ads through child-directed-compliant (Google Play Families self-certified / kid-safe) networks, with AdMob configured for tagForChildDirectedTreatment / tagForUnderAgeOfConsent. We do not permit behavioral tracking, cross-app tracking, or the "sale"/"sharing" of a child's personal information.
In-app purchases. Where offered in a child-directed title, purchases sit behind a parental gate and require the device account holder's authorization.
No profiling. We do not build behavioral profiles of children or use their data for targeted advertising.

11.4 Parental rights

A parent or guardian may at any time: (a) review the personal information we have collected from their child; (b) refuse to permit further collection or use; (c) revoke consent previously given; and (d) request deletion of the child's personal information. To exercise these rights, contact us at winitgames18@gmail.com (§25); we will verify that the request comes from the child's parent before acting. If you believe a child has provided us personal information without your consent, contact us and we will delete it.

12. Push Notifications & Communications

With your permission, we may send push notifications about gameplay events, updates, rewards, or new titles. You can disable push notifications at any time in your device settings. Service/transactional messages (e.g. security or purchase confirmations) may still be sent where necessary. Where we send optional marketing emails, each includes an unsubscribe mechanism, and you may opt out at any time.

13. International Data Transfers

WinITGames operates globally, and your information may be transferred to, stored in, and processed in countries other than your own, including the United States and other countries where we or our service providers operate. These countries may have different data-protection laws than your jurisdiction.

Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, adequacy decisions where available, and supplementary measures as needed. You may request a copy of the relevant safeguards by contacting us (§25).

14. Data Retention

We retain personal information only for as long as necessary for the purposes described in this Policy, to provide the Services, to comply with our legal, tax, and accounting obligations, to resolve disputes, and to enforce our agreements. General retention guidelines:

Data	Retention
Account & progress data	While your account is active; deleted after 14 months of inactivity or upon valid deletion request, whichever is earlier.
Support communications	Up to 24 months after resolution.
Purchase / tax records	As required by tax and accounting law (commonly 7–10 years).
Analytics & ad event data	Retained in pseudonymous/aggregated form per provider defaults (commonly up to 14 months for event-level data).
Crash/diagnostic logs	Up to 90 days, then deleted or anonymized.

When retention is no longer required, we delete or irreversibly anonymize the data.

15. Security

We implement appropriate technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, loss, or destruction. These include encryption in transit (TLS/HTTPS), hashed credential storage, access controls and least-privilege principles, secure cloud infrastructure, and regular review of our practices. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security; you are responsible for keeping any account credentials confidential.

16. Your Rights (General)

Depending on your location, you may have rights to:

Access the personal information we hold about you and obtain a copy;
Rectify inaccurate or incomplete information;
Erase your information ("right to be forgotten");
Restrict or object to certain processing, including profiling for ads;
Data portability (receive your data in a portable format);
Withdraw consent at any time, without affecting prior lawful processing;
Opt out of personalized advertising and the "sale"/"sharing" of personal information;
Lodge a complaint with a supervisory authority; and
Not be subjected to unlawful discrimination for exercising your rights.

To exercise any right, contact us at winitgames18@gmail.com (§25). We will respond within the timeframe required by applicable law (generally within 30 days, extendable where permitted). We may need to verify your identity before acting on a request. You may use an authorized agent where the law permits; we may require proof of authorization. These rights are free to exercise, though we may charge a reasonable fee or decline manifestly unfounded or excessive requests as permitted by law.

16.1 Deleting your account and data

You can request deletion of your account and associated personal data at any time:

In-app: open Settings → Account → Delete Account in any title that offers accounts.
By request: email winitgames18@gmail.com with the subject "Delete My Account", from the email address associated with your account.

After we verify your request, we delete or irreversibly anonymize your personal data, typically within 30 days, except data we must retain for legal, tax, accounting, or fraud-prevention purposes (see §14). Data held by platform providers (Apple, Google) or independent advertising partners must be deleted through their own controls, and we will point you to those where applicable.

17. Additional Rights — EEA, UK & Switzerland

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in §16 under the GDPR / UK GDPR / Swiss FADP, including the right to object to processing based on legitimate interests and the right to lodge a complaint with your local supervisory authority (e.g. your national Data Protection Authority, the UK ICO, or the Swiss FDPIC). Our legal bases are described in §5. To exercise any of these rights, or to object to processing based on legitimate interests, contact us using the details in §25.

18. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, provides you the following rights:

Right to know / access the categories and specific pieces of personal information collected, the sources, purposes, and the categories of third parties to whom it is disclosed;
Right to delete personal information, subject to exceptions;
Right to correct inaccurate personal information;
Right to opt out of the "sale" or "sharing" of personal information (including cross-context behavioral advertising);
Right to limit the use of sensitive personal information (we do not use sensitive PI for purposes requiring this right);
Right to non-discrimination for exercising your rights.

Notice regarding "sale"/"sharing". WinITGames does not sell personal information for money. However, our use of advertising identifiers for personalized/cross-context behavioral advertising may constitute "sharing" (and, under some interpretations, a "sale") under the CCPA. You may opt out by limiting ad tracking on your device (§6.1), using a Global Privacy Control signal (§21), or by emailing us at winitgames18@gmail.com with "Do Not Sell or Share My Personal Information" in the subject line. We do not knowingly sell or share the personal information of consumers under 16 without opt-in consent.

Categories collected in the past 12 months may include: identifiers (advertising ID, IP), internet/app activity (gameplay and ad interactions), commercial information (purchases), geolocation (coarse), and inferences for ad delivery. We disclose these categories to service providers, advertising partners, and platform providers as described above. To exercise rights, contact us (§25); you may also designate an authorized agent.

19. Other U.S. State Privacy Rights

Residents of states with comprehensive privacy laws — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, and others as they take effect — may have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. You may exercise these rights and, where available, appeal a decision by contacting us (§25). We honor recognized universal opt-out signals (such as Global Privacy Control) where required by law (§21).

20. Other Regions

Canada (PIPEDA): you may access and correct your personal information and withdraw consent, subject to legal/contractual restrictions.
Quebec, Canada (Law 25): you additionally have rights of data portability, deletion, and to be informed about automated decision-making.
Brazil (LGPD): you have rights of confirmation, access, correction, anonymization, portability, deletion, and information about sharing; our legal bases mirror §5. You may contact our data controller for requests.
India (DPDP Act, 2023): as our home jurisdiction, the DPDP Act applies to our processing. You may access, correct, update, and erase your personal data, withdraw your consent at any time, nominate another person to exercise your rights on your behalf, and raise grievances with our Grievance Officer at winitgames18@gmail.com. We process children's data only with verifiable parental consent and do not undertake behavioural monitoring or targeted advertising directed at children, as required by the Act.
Australia (Privacy Act / APPs): you may access and correct your personal information and complain to the OAIC.
South Korea, Japan, and other jurisdictions: we comply with applicable local data-protection laws; contact us to exercise local rights.

21. Do Not Track & Global Privacy Control

Some browsers offer a "Do Not Track" (DNT) signal. Because there is no common industry standard for DNT, our websites do not currently respond to DNT signals. Where required by law, we treat a recognized Global Privacy Control (GPC) signal as a valid request to opt out of the "sale"/"sharing" of personal information for that browser/device.

22. Licenses & Intellectual Property

The Services, including all games, code, graphics, audio, trademarks, and the WinITGames name and logos, are owned by WinITGames or its licensors and are protected by intellectual-property laws. We grant you a limited, personal, non-exclusive, non-transferable, revocable license to use the Services for personal, non-commercial entertainment, subject to our Terms of Service / EULA. Virtual items and in-game currency are licensed, not sold, and have no monetary value. Third-party SDKs and open-source components are used under their respective licenses; attribution and license notices are available on request or within the app's "Licenses/Acknowledgements" section. This Privacy Policy does not grant any rights to use our intellectual property.

23. Data Breach Notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected individuals without undue delay and within the timeframes required by applicable law (for example, within 72 hours of becoming aware, where GDPR applies). As an Indian Data Fiduciary, we will also notify the Data Protection Board of India and affected Data Principals as required by the DPDP Act, and report qualifying cyber-incidents to CERT-In within the timelines under its directions (including the six-hour reporting requirement for specified incidents). We maintain an incident-response process to investigate, contain, and remediate security incidents.

24. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will revise the Effective Date above and, where required, provide additional notice (for example, in-app or by email) and obtain consent. Your continued use of the Services after the updated Policy takes effect constitutes acceptance, except where additional consent is legally required. We encourage you to review this Policy periodically.

25. How to Contact Us

For privacy questions, requests, or complaints, contact:

WinITGames Studios
Privacy & Support: winitgames18@gmail.com
Grievance Officer (India): winitgames18@gmail.com
Registered address: WinITGames Studios, Mumbai, Maharashtra, India 400 001

If you are in the EEA/UK and we cannot resolve your concern, you have the right to lodge a complaint with your local data-protection supervisory authority.

Appendix A — Advertising Partners

Depending on the title and mediation configuration, our advertising and mediation partners may include, but are not limited to, Google AdMob (primary network and mediation), Unity Ads, AppLovin / MAX, Meta Audience Network, and other advertising and mediation networks commonly used in Android and iOS games, including those below. Each partner operates under its own privacy policy, and the specific networks active in a given title depend on its mediation setup.

Google AdMob Unity Ads AppLovin / MAX ironSource Mintegral Pangle Liftoff / Vungle InMobi Chartboost Digital Turbine (Fyber / DT Exchange) SuperAwesome (kids-certified) Kidoz (kids-certified) + other Google Play Families self-certified ad SDKs

Typical data shared with ad partners: advertising identifier (IDFA/GAID), IP address, coarse location, device/app data, and ad-interaction events. Manage personalization via the controls in §6.1. Google's partner data practices: policies.google.com/technologies/partner-sites. For titles or users treated as child-directed, we restrict advertising to partners that support COPPA / GDPR-K child-directed treatment (e.g. certified kid-safe networks) and serve only non-personalized, contextual ads.

Appendix B — Analytics & Infrastructure Providers

Provider	Purpose	Privacy policy
Google Firebase (Analytics, Crashlytics, Cloud Messaging)	Analytics, crash reporting, push notifications	firebase.google.com/support/privacy
Google Play Services	Core Android services, billing, integrity	policies.google.com/privacy
Apple App Store / StoreKit	Distribution, in-app purchases	apple.com/legal/privacy
Google Cloud Platform / Firebase backend	Hosting & storage	cloud.google.com/terms/cloud-privacy-notice
Adjust / AppsFlyer / Tenjin (attribution SDK — one or more)	Install attribution & fraud prevention	appsflyer.com/legal

The specific SDKs active vary by title; we keep our Apple "Privacy Nutrition Labels" and Google Play "Data safety" disclosures consistent with this Policy.