Privacy Policy

Welcome to PictoPlace. This Privacy Policy explains how PictoPlace Studios ("we", "our", "us") collects, uses, stores, and protects your personal information when you use our mobile game application. This policy complies with COPPA, CCPA/CPRA, GDPR, the Israeli Privacy Protection Law (Amendment 13, effective August 2025), and the Google Play Developer Program Policy.

1. Developer Information

• Developer: PictoPlace Studios
• Contact: pictoplaceinfo@gmail.com
• Website: https://pictoplace.online
• Privacy requests: pictoplaceinfo@gmail.com

2. Information We Collect

2.1 Information You Provide

• Email address, username, and password (hashed)
• Date of birth (for COPPA age verification — stored only to verify you are 13+)
• Social sign-in data (Google, Facebook, Twitter, Instagram) if you choose these methods
• Profile data: bio, avatar, preferred language
• Game progress: puzzles completed, stars, hints used, achievements, streaks
• Purchase history (processed by Google Play — we never see payment details)
• Friend relationships, hint gifts, invite codes
• Hashed phone numbers of contacts (optional, for friend finding)
• Feedback and messages you send us
• Consent records (timestamps of your agreement to Terms, Privacy Policy, marketing opt-ins)

2.2 Information Collected Automatically

• Device identifiers: Android ID, Firebase Installation ID, device hash (for guest recovery)
• Device info: model, brand, OS version, app version, language
• Usage data: screens viewed, features used, session duration, puzzle times
• Approximate location: derived from IP (country/region — NOT GPS)
• Crash reports (via Firebase Crashlytics)
• Advertising data: Google Advertising ID, ad impression events

2.3 We Do NOT Collect

• Precise GPS location, photos, videos, microphone audio, SMS, call history
• Browser history outside our app
• Biometric, health, or fitness data
• Financial account credentials

3. How We Use Your Information

• Operate the game and authenticate your account
• Save and sync your progress across devices
• Process in-app purchases via Google Play
• Age verification (COPPA compliance)
• Analytics, crash reporting, and product improvement
• Fraud prevention and security
• Show advertisements (personalized only with your consent)
• Send optional marketing emails (only if you opt in)
• Respond to support requests
• Comply with legal obligations

4. Third Parties We Share Data With

We do NOT sell your personal information. We share limited data only with:

• Google Firebase — authentication, database, analytics, crash reporting (US/EU servers)
• Google AdMob — advertising (Teen-rated ads, not child-directed)
• Google Play Billing — Google is the merchant of record for all in-app purchases
• Google Sign-In, Meta/Facebook, Twitter/X, Instagram — only if you choose these sign-in methods
• Our backend server — dedicated VPS located in the United States

We may also disclose information when required by law or in connection with a business transfer.

5. International Data Transfers

Your data may be processed in countries other than your country of residence, including the United States and the European Union. By using the App, you consent to this transfer. Where required, we rely on Google's Standard Contractual Clauses to ensure adequate protection. Note: US surveillance laws could theoretically grant government access to data stored by US-based providers. You acknowledge and accept this risk.

6. AI-Generated Content

Some puzzle images are generated using Google Gemini AI. AI is used only for visual game content and is NOT used to profile users, make automated account decisions, or process personal data. You can report problematic AI content by emailing us.

7. Data Security

• All data in transit is encrypted (HTTPS/TLS 1.2+)
• Passwords are hashed with bcrypt
• Sensitive local data uses Android EncryptedSharedPreferences (AES-256)
• API requests are signed with HMAC-SHA256
• Rate limiting, JWT authentication, and SQL injection protection

8. Data Retention and Deletion

• Active accounts: retained while account exists
• Deleted accounts: permanently removed within 30 days
• Inactive guest accounts: may be purged after 365 days
• Crash reports: 90 days in Firebase Crashlytics
• Analytics data: max 14 months per Firebase defaults
• Purchase records: 7 years (legal/tax compliance)

To delete your account: Open the app → Settings → Account Management → Delete Account, or use our web deletion form, or email pictoplaceinfo@gmail.com.

9. Children's Privacy

PictoPlace is intended for users aged 13 and above. We do not knowingly collect personal information from children under 13. Account creation requires a date of birth for age verification; under-13 users are blocked from creating accounts. If you believe we have accidentally collected information from a child under 13, please contact us and we will delete it within 30 days.

10. Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Receive a copy of your data in a portable format
• Withdraw consent at any time
• Object to specific processing activities
• Opt out of marketing emails

Refusing consent does not affect guest-mode play but may prevent account creation and certain features. You can withdraw any consent at any time without penalty.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA as amended by the CPRA:

• Right to Know what personal information we collect
• Right to Delete your personal information
• Right to Correct inaccurate information
• Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information for cross-context behavioral advertising
• Right to Limit Sensitive Information Use: We do not collect sensitive personal information as defined by CPRA
• Right to Non-Discrimination

Email pictoplaceinfo@gmail.com to exercise your rights. We respond within 45 days as required by law.

12. Israeli Privacy Rights (Amendment 13)

If you are a resident of Israel, you have rights under the Privacy Protection Law 5741-1981 as amended by Amendment 13 (effective August 2025), including access, correction, deletion, data portability, consent withdrawal, and the right to lodge a complaint with the Israeli Privacy Protection Authority (רשות הגנת הפרטיות, Ministry of Justice).

13. Advertisements

We show ads through Google AdMob. Ads are rated Teen (T). For EU/UK users, a GDPR consent banner is shown on first launch. For California users, a CCPA opt-out mechanism is provided. You can reset your Google Advertising ID in device settings at any time.

14. Changes to This Policy

We may update this Privacy Policy. Material changes will be announced via in-app notification and the "Last updated" date. Continued use after changes take effect constitutes acceptance.

15. Contact Us

Questions, requests, or complaints:
pictoplaceinfo@gmail.com
Delete account: pictoplace.online/delete-account
Response time: 7 days for general inquiries, 30-45 days for formal privacy rights requests.