Scanwords 2.0 — Privacy Policy

Effective date:

This Privacy Policy (the "Policy") explains how the mobile application Scanwords 2.0 (the "App") collects, uses, and protects personal data of its users. The Policy is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / CPRA (CCPA), Apple App Store and Google Play policies, including requirements related to advertising (AdMob) and Apple App Tracking Transparency (ATT).

1. Controller

• Name: Aleks Kalenov
• Tax ID: Y3086983Y
• Address: Spain, Benidorm, Calle Derramador 10
• Contact email: scanwords2.0@gmail.com
• Website: scanwords2.com

For EU users: our Article 27 GDPR representative is (if appointed).

2. What data we collect

2.1. Data the App generates automatically

• Device identifier (device ID) — generated by the App and used to create an anonymous account.
• Technical device data: device model, OS name and version (iOS/Android), App version.
• Usage events: gameplay actions (start/finish of puzzles, hint usage, achievements), settings changes, purchase events, session duration, task completion times.

2.2. Data you provide

• Username — optional; may be changed or removed.
• Avatar — preset image or image uploaded from the device photo library.
• Interests / game settings — selected topics, difficulty, UI preferences.

2.3. Purchase data

• Fact of purchase, product name (coin pack), and amount.
• We do not collect or store payment card data. Payments are processed by Apple (Apple IAP) and Google (Google Play Billing).

2.4. Data we do NOT collect

• Email, phone number, government-issued ID.
• Precise location (GPS).
• Biometric data.
• Photos/videos/audio other than the user-selected avatar.
• Clipboard, contacts, calendar.
• Third-party social network data.

3. Purposes of processing

1. Provide App functionality, save gameplay progress and settings.
2. Anonymous authentication via device ID.
3. Process and verify in-app purchases.
4. App analytics and quality improvement (on an aggregated/anonymized basis).
5. Security and fraud prevention.
6. Display of in-app advertising via AdMob (subject to ATT consent on iOS).
7. Compliance with applicable law.

4. Legal bases (GDPR Article 6)

• Article 6(1)(a) — consent (granted at onboarding).
• Article 6(1)(b) — performance of the contract (Terms of Service).
• Article 6(1)(f) — legitimate interests (analytics, security, fraud prevention).
• For sensitive data: we do not process special categories of data under Article 9.

Note on Russian law: insofar as personal data is stored on servers physically located in the Russian Federation, Federal Law No. 152-FZ "On Personal Data" may apply to that data regardless of the controller's location. The legal bases for processing under that law are Articles 6(1)(1), 6(1)(2), and 6(1)(5).

5. Third parties

We share data only as described below. We do not sell personal data.

Recipient	Data	Purpose	Jurisdiction
Apple Inc.	Purchase data, device info	IAP processing, App Store distribution	USA
Google LLC	Purchase data, device info	Play Billing, Google Play distribution	USA
Reg.ru (RUVDS)	Stored data (as processor)	Hosting of servers and PostgreSQL database	Russia
Google LLC (AdMob)	Device advertising identifier (IDFA/GAID), device info, usage events (subject to ATT consent on iOS)	In-app advertising	USA
Apple Inc. (ATT framework)	ATT consent status (granted/denied)	Tracking permission prompt (iOS 14.5+)	USA
Competent authorities	Upon lawful request	Legal obligations	Applicable jurisdiction

We do not use:

• Third-party analytics (Google Analytics, Firebase Analytics, Amplitude, Mixpanel).
• Advertising SDKs (AppLovin, Unity Ads, Meta Audience Network). We use AdMob (Google) for in-app advertising — see table above.
• Cross-app tracking frameworks, except as required by Apple's App Tracking Transparency (ATT) framework for AdMob. On iOS 14.5+, users are shown an ATT prompt; if denied, only contextual (non-personalized) ads are served.
• Third-party push providers.

If we add any such service in the future, this Policy will be updated and users will be offered a meaningful choice.

6. International data transfers

Our servers are located in the Russian Federation. If you are located elsewhere, your data is transferred across borders to Russia.

For EU/EEA users: transfers to Russia rely on your explicit consent under Article 49(1)(a) GDPR, which is requested at onboarding. Russia does not have an adequacy decision from the European Commission. By accepting this Policy at onboarding, you acknowledge this risk and consent to the transfer.

Regarding applicable law: personal data stored on servers located in the Russian Federation is subject to Russian legislation on data protection, including Federal Law No. 152-FZ "On Personal Data" and Federal Law No. 242-FZ regarding the localization of personal data of Russian citizens, insofar as such laws apply to the physical location of the servers.

7. Retention

Category	Retention	On expiry
Account data (device ID, username, settings, progress)	For the lifetime of the account	Deleted within 30 days after account deletion
Analytics events	Up to 12 months	Automatically anonymized or deleted
Session logs	Up to 90 days	Automatically deleted
Purchase records	Up to the tax retention period (up to 5 years)	Deleted upon expiry
Consent records	Consent period + 3 years	Deleted upon expiry

8. Your rights

8.1. All users

• Right of access.
• Right to rectification.
• Right to erasure ("right to be forgotten").
• Right to restrict processing.
• Right to withdraw consent at any time (the App may stop functioning correctly).

8.2. EU/EEA users (GDPR)

• Right to data portability (Article 20).
• Right to object to processing based on legitimate interests (Article 21).
• Right to lodge a complaint with a supervisory authority of your member state.

8.3. California residents (CCPA/CPRA)

See section 11.

8.4. How to exercise your rights

• Delete your account directly in the App: Settings → Delete account.
• Web deletion page: scanwords2.com/delete_me
• Any questions: scanwords2.0@gmail.com. We respond within 30 days (15 additional days may be required under Article 12 GDPR).

9. Account deletion

You can permanently delete your account at any time from the App's Settings screen. Upon deletion, all personal data (device ID, username, avatar, settings, gameplay progress) is deleted or anonymized within 30 days. Purchase records may be retained in anonymized form for tax compliance purposes. Account recovery is not possible.

10. Children

The App is not directed to children under 13, and we do not knowingly collect data from them. If you believe a child has provided us with data without a parent's or guardian's consent, please contact scanwords2.0@gmail.com and we will delete such data.

For EU users: the age of consent under Article 8 GDPR ranges from 13 to 16 depending on the member state; parental consent is required if the user is below that threshold.

11. California privacy notice (CCPA / CPRA)

This section applies to California residents.

• Categories of personal information collected in the last 12 months: Identifiers (device ID, username); Commercial information (purchase history); Internet or other electronic network activity (in-App usage events); Inferences drawn from the above (preferred topics, difficulty).
• Sources: directly from you, automatically from your device.
• Purposes: as described in section 3.
• Sale or sharing of personal information: No. We do not sell or share personal information for cross-context behavioral advertising.
• Retention: see section 7.

Your California rights:

• Right to Know what personal information we collect.
• Right to Delete.
• Right to Correct.
• Right to Opt-Out of Sale or Sharing — not applicable, as we do not sell or share.
• Right to Limit Use of Sensitive Personal Information — we do not process sensitive PI.
• Right of Non-Discrimination.

To exercise these rights, contact scanwords2.0@gmail.com. You may also use an authorized agent.

12. Security

We apply reasonable technical and organizational measures to protect personal data, including:

• TLS 1.2+ encryption in transit;
• least-privilege access controls for database access;
• regular backups;
• logging of access events;
• timely software updates.

No method of transmission or storage is 100% secure.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced in the App and/or on the website at least 10 days before taking effect. The current version is always available at scanwords2.com/PRIVACY_POLICY.

14. Contact us

• Email: scanwords2.0@gmail.com
• Postal address: Spain, Benidorm, Calle Derramador 10
• Data protection officer / controller representative: Aleks Kalenov