privacy-policy-inventory.md

Internal documentation for the privacy policy of the mobile game.

Purpose: This document lists all systems that process user data.
It serves as the source for:

• Privacy Policy generation
• Google Play Data Safety form
• Apple App Privacy form
• GDPR documentation

Last updated: YYYY-MM-DD Responsible: Kilde Studio UG

1. Data Controller

Company name: Kilde Studio UG (haftungsbeschränkt)

Address: Kaiserswerther Straße 115 3rd floor 40880 Ratingen Germany

Contact email: privacy@kildestudio.games

Register court: Amtsgericht Düsseldorf

HRB number: TBD

VAT ID: TBD

2. App Information

App name: TBD

Platform: - iOS - Android

Game engine: Unity

App functionality summary: - word puzzle gameplay - optional ads - optional in-app purchases - analytics for gameplay balancing - optional cloud save / login

3. Data Categories

The application may process the following categories of personal data:

Device information - device model - OS version - language - screen resolution

Identifiers - advertising ID - device identifier - Unity player identifier

Usage data - gameplay progress - level completion - session duration - help usage statistics

Purchase data - purchase status - transaction identifiers - receipt verification

Network data - IP address - approximate region

Diagnostics - crash logs - performance metrics

4. SDK / Service Inventory

4.1 Game Engine and Core Services

Service name: Unity Engine

Provider: Unity Technologies

Purpose: Game runtime and technical infrastructure

Data processed: - device information - crash diagnostics - performance metrics

Legal basis: Legitimate interest (service operation)

Data transfer outside EU: Possible

Retention: Defined by provider

4.2 Analytics

Service name: Unity Analytics

Provider: Unity Technologies

Purpose: Understanding gameplay behavior and improving game balance

Data processed: - Unity Analytics player identifier (e.g., unityPlayerID) - app-generated session identifier - gameplay events - session duration - device information

Example events collected:

• level_completed
• session_end
• session_crash
• level_abandoned
• ad_event
• gift_event
• economy_event
• daily_diamonds_collected
• iap_purchase

Example event parameters:

• level
• time_seconds
• duration_seconds
• coins
• diamonds
• hexagon_help_used
• letter_help_used
• crossword_help_used
• extra_words_found
• coins_found
• bronze_gift_found
• silver_gift_found
• gold_gift_found
• ad_type
• result
• placement
• reward_type
• gift_source
• gift_tier
• currency
• source
• amount
• product_id

Legal basis: User consent

Retention: Unity Analytics retention varies by data type - raw event data: approximately 13 months - aggregated / dashboard metrics: retained according to provider policy until deletion or account termination

4.3 Advertising

Ad mediation platform: Unity LevelPlay

Provider: Unity Technologies

Purpose: Ad mediation and delivery of advertisements from multiple advertising networks.

Data processed: - advertising identifier (Android GAID / iOS IDFA) - device information - IP address - approximate geographic region - ad engagement data (impressions, clicks, rewarded completions)

Legal basis: User consent

Retention: Defined by the respective providers

Unity Ads

Provider: Unity Technologies

Purpose: Serving rewarded, interstitial, and banner advertisements.

Data processed: - advertising identifier - device information - ad interaction events

ironSource Ads

Provider: ironSource Ltd.

Purpose: Ad delivery and ad mediation through LevelPlay.

Data processed: - advertising identifier - device information - IP address - ad interaction data

Google AdMob

Provider: Google LLC

Purpose: Mobile advertising and ad performance measurement.

Data processed: - advertising identifier - device information - IP address - ad engagement metrics

Notes: These advertising partners are loaded through the Unity LevelPlay mediation platform. They may process personal data required for ad delivery, frequency capping, fraud prevention, and measurement of advertising performance.

4.4 Distribution Platforms

Google Play

Provider: Google LLC

Purpose: App distribution, in-app purchases, authentication

Data processed: - purchase receipts - Google account identifiers - device integrity checks

Apple App Store (StoreKit)

Provider: Apple Inc.

Purpose: App distribution and in-app purchase processing

Data processed: - purchase transactions - transaction identifiers

Apple Game Center

Provider: Apple Inc.

Purpose: Authentication, achievements, and optional cloud-related identity

Data processed: - Game Center player identifier - achievement and leaderboard identifiers

4.5 Authentication / Cloud Save

Service name: Google Play Games

Provider: Google LLC

Purpose: Cloud save and achievements

Data processed: - player ID - save data - leaderboard data

Service name: Apple Game Center

Provider: Apple Inc.

Purpose: Cloud save and achievements

Data processed: - player identifier - save data

4.6 Crash Reporting

Service name: Unity Cloud Diagnostics

Provider: Unity Technologies

Purpose: Crash reporting and performance diagnostics

Data processed: - crash stack traces - device type - OS version

Legal basis: Legitimate interest

5. Gameplay Analytics Events

Example analytics events logged by the game:

level_completed session_end session_crash level_abandoned ad_event gift_event economy_event daily_diamonds_collected iap_purchase

Purpose: - game balancing - feature improvement - bug detection

Identifiers used: - session_id generated by the app for each analytics session - anonymous Unity service-side player identifier may exist at provider level

6. Advertising

Ad formats used:

• banner ads
• interstitial ads
• rewarded ads

Ad triggers:

• after level completion
• voluntary rewarded ads

Ads are disabled if the player purchases “No Ads”.

7. In-App Purchases

Types of purchases:

• No Ads (non-consumable)
• premium currency (optional)

Payments are processed by the platform provider:

• Google Play
• Apple App Store

The developer does not process payment card data.

8. Data Retention

Typical retention periods:

Analytics data: - raw event data retained approximately 13 months by the analytics provider - aggregated analytics metrics retained according to provider policy

Crash reports: until resolved

Account data: until user deletes the app or account

9. International Data Transfers

Some services may process data outside the European Union.

Safeguards used: Standard Contractual Clauses (SCC)

10. User Rights

Users may request:

• access to personal data
• correction of data
• deletion of data
• restriction of processing
• data portability (where applicable)
• withdrawal of consent

Requests can be sent to: privacy@kildestudio.games

11. Children’s Privacy

The application is not specifically directed at children under 13.

If such data is identified, it will be deleted.

12. Consent System

Custom gameplay analytics events are sent only after user consent. Advertising personalization is also controlled by user consent.

Consent can be withdrawn through the in-game settings.

13. Policy Updates

The privacy policy may be updated periodically.

The latest version will always be available at:

https://kildestudio.games/privacy

14. Store Submission / Compliance Notes

This section is internal and used to ensure consistency between documentation and store submission forms.

Google Play requirements: - Google Play Data Safety declarations must match the data categories listed in this inventory. - Advertising ID usage must be declared where applicable. - Third-party SDK data practices must be reflected in disclosures.

Apple requirements: - App Privacy answers in App Store Connect must include data collected by third-party SDKs. - SDK privacy manifests may be required for certain commonly used SDKs.

Maintenance rule: This inventory must be updated whenever: - a new SDK is added - an SDK is removed - analytics events change materially - login, cloud save, or advertising partners are added