1. Overview
Card World ("the App") is developed and operated by Appa11y. This Privacy Policy explains what information we collect, how we use it, how we share it, and the choices available to you. By using the App, you agree to the practices described in this policy.
2. Information We Collect
2a. Account Information
When you create an account, we store a username, display name, and avatar selection. If you set a password, it is hashed using bcrypt and never stored in plaintext. If you upload a custom photo avatar, we store the image data. We do not require or collect your email address, real name, or phone number.
2b. Device Information
We collect a device identifier (via Expo Secure Store on iOS, Android ID on Android) to support device-based account recovery and to associate devices with user accounts.
2c. Gameplay Data
We store match results, scores, statistics, achievements, XP, level progression, day streaks, and hand-by-hand move history to provide game functionality including leaderboards, achievements, and skill tracking.
2d. Chat Messages
If you use the in-app chat feature, we store your messages to deliver them to other players. Chat messages may be reviewed for moderation purposes.
2e. Purchase Data
Subscription status (Gold Membership) and consumable in-app purchases (Gem Packs) are managed through RevenueCat. We store transaction identifiers to prevent duplicate purchases. We do not store payment card details or billing addresses.
2f. Analytics & Crash Data
We use Firebase Analytics to understand how players use the App and Firebase Crashlytics to diagnose crashes and technical issues. These services may collect device model, OS version, and usage events. Crashlytics logs include your user ID to help us investigate reported issues.
2g. Attribution Data
We use Branch.io to understand how users discover the App. Branch may collect the channel, campaign, and source that brought you to the App. This data is stored server-side and used to measure marketing effectiveness.
2h. Push Notification Tokens
If you grant notification permission, we store your Expo push token to send game-related notifications (e.g., your turn, match invites, chat messages). You can disable notifications in your device settings at any time.
3. Third-Party Services
The App uses the following third-party services, each with its own privacy policy:
- Firebase (Google) — Analytics, crash reporting, and remote configuration. Firebase Privacy
- AdMob (Google) — Ads shown to non-Gold members. AdMob may use device identifiers for ad personalization per Google's policies. Google Privacy Policy
- RevenueCat — Subscription and in-app purchase management. RevenueCat Privacy Policy
- Branch.io — Attribution and deep linking. Branch may collect device identifiers and referral data. Branch Privacy Policy
- Expo — Push notification delivery and over-the-air updates. Expo Privacy Policy
4. How We Use Your Information
- Provide and improve the game experience, including matchmaking, leaderboards, and progression.
- Track game statistics, achievements, and skill ratings.
- Deliver push notifications you have opted into.
- Manage subscriptions and in-app purchases.
- Diagnose technical issues, crashes, and bugs.
- Measure the effectiveness of marketing campaigns via attribution data.
- Enforce our Terms of Use, including chat moderation and anti-abuse measures.
5. Cookies & Tracking Technologies
The App does not use browser cookies. However, AdMob and Firebase may use device identifiers and advertising identifiers for analytics and ad personalization. Gold Members are exempt from ad-related tracking since ads are not shown to Gold Members. You can limit ad tracking in your device's privacy settings (Settings > Privacy > Advertising on iOS, or Settings > Google > Ads on Android).
6. Cross-App Data Sharing
If you link your Card World account to DiceWorld (another Appa11y app), your Gold membership status is shared between apps so you only need one subscription. No gameplay data, statistics, or chat messages are shared between apps.
7. Data Sharing
We do not sell your personal information. We share data only with the third-party services listed above, and only as necessary to operate the App. We may also disclose information if required by law or to protect the safety of our users.
8. Data Security
We take reasonable measures to protect your information:
- Passwords are hashed using bcrypt with a cost factor of 12 and never stored in plaintext.
- All data in transit is encrypted via TLS (HTTPS).
- Our database (hosted on Neon) provides encryption at rest.
- Authentication uses signed JSON Web Tokens (JWT) with expiration.
No system is 100% secure. If you discover a security vulnerability, please report it to security@appa11y.com.
9. Data Retention
We retain your account and gameplay data for as long as your account is active. If you delete your account (via Settings in the App), your personal data is anonymized immediately and permanently deleted after 30 days, except where retention is required by law.
10. GDPR Rights (EEA/UK)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate personal data.
- Erasure — Request deletion of your personal data (you can also delete your account directly in the App via Settings).
- Data Portability — Request your data in a structured, machine-readable format.
- Restriction — Request restriction of processing of your personal data.
- Objection — Object to processing of your personal data based on legitimate interests.
Our legal bases for processing your data are: (a) performance of a contract (providing the game service), (b) legitimate interests (analytics, security, fraud prevention), and (c) consent (push notifications, optional features).
You also have the right to lodge a complaint with your local Data Protection Authority. To exercise your GDPR rights, contact us at support@appa11y.com with "Data Request" in the subject line.
11. CCPA Rights (California)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:
- Right to Know — You can request the categories and specific pieces of personal information we have collected about you.
- Right to Delete — You can request deletion of your personal information (you can also delete your account directly in the App via Settings).
- Right to Opt-Out of Sale — We do not sell your personal information to third parties.
- Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.
Categories of personal information we collect: identifiers (username, device ID), internet or network activity (gameplay data, analytics), and commercial information (purchase history). To exercise your CCPA rights, contact us at support@appa11y.com.
12. International Data Transfers
Your data is processed and stored in the United States (Neon database in us-west-2, Railway application servers). If you are located outside the United States, your data will be transferred to the US for processing. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.
13. Children's Privacy
The App is not directed at children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If you believe a child has provided us with personal data, contact us at support@appa11y.com and we will promptly delete it. If we discover that we have collected data from a child under these ages, we will delete that data as soon as possible.
14. Your Choices
- Delete your account — You can delete your account at any time from the Settings screen in the App. Your data will be anonymized immediately and permanently deleted after 30 days.
- Request a data copy — Contact us at support@appa11y.com to request an export of your personal data.
- Disable push notifications — Turn off notifications in your device settings.
- Limit ad tracking — Use your device's privacy settings to limit ad personalization.
- Gold Membership — Gold Members do not see ads and are exempt from ad-related tracking.
- Opt out of analytics — Contact us to request that we disable analytics collection for your account.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the App or by updating the "Last updated" date above. Continued use of the App after changes constitutes acceptance of the revised policy.
16. Contact
Questions about this policy? Contact us at support@appa11y.com.
For GDPR or data-related requests, please include "Data Request" in the subject line to ensure timely processing.