Privacy Policy

1. Introduction

Cenkle Digital ("Company," "we," "us," or "our"), a company established in Turkey, operates the Tapstice mobile application (the "App" or "Service") and the website at tapstice.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App and website.

By downloading, installing, or using Tapstice, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the App.

We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the "Last updated" date of this Privacy Policy. You are encouraged to periodically review this Privacy Policy to stay informed of updates.

This Privacy Policy applies to users worldwide, including users in the European Economic Area (EEA), United Kingdom (UK), United States (including California), Brazil, Canada, Turkey, and all other jurisdictions. Jurisdiction-specific provisions are detailed in the relevant sections below.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: When you create an account, we collect your email address, display name, and profile picture (if provided through social login).
• Profile Data: Username, avatar selections, and customization preferences you set in the App.
• Communications: When you contact our support team, we collect the information you provide in your messages.
• User Content: Profile photos you upload, which are subject to automated and manual content moderation.
• Consent Records: Records of your consent to our Terms of Service, Privacy Policy, and cookie preferences, including version numbers and timestamps.
• Referral Data: If you participate in our referral program, we collect your referral code usage and associated device identifier to prevent duplicate referrals.

2.2 Information Collected Automatically

• Device Information: Device type, manufacturer, model, operating system version, unique device identifiers (e.g., IDFA on iOS, Android Advertising ID), screen resolution, and language settings.
• Usage Data: Game scores, achievements, progress, session duration, features used, in-app actions, interaction patterns, game mode preferences, and power-up usage.
• Log Data: IP address, access times, app crashes and diagnostic data, system activity, and referring URLs.
• Location Data: General geographic location based on IP address (country/region level only). We do not collect precise GPS location.
• Device Sensor Data: Accelerometer and gyroscope data used for gameplay mechanics and anti-cheat verification.
• Battery Information: Battery level and charging status, used for optimizing app performance and reducing battery drain.
• Network Information: Network connectivity status (Wi-Fi, cellular, offline) to optimize data synchronization.
• Device Integrity Data: Root/jailbreak detection status and device integrity signals, used for security and anti-cheat purposes.
• Push Notification Tokens: Encrypted Firebase Cloud Messaging (FCM) tokens for delivering push notifications.
• Performance Data: App startup time, screen rendering performance, and network latency metrics.

2.3 Biometric Information

If you choose to use biometric authentication (Face ID, Touch ID, or fingerprint) to secure your account, the biometric data is processed entirely on your device by the operating system. We do not collect, store, or have access to your biometric data. We only receive a success/failure signal from your device's secure enclave.

2.4 Information from Third Parties

• Social Login Providers: If you sign in using Google or Apple, we receive your name, email address, and profile picture from these providers.
• Game Services: Apple Game Center and Google Play Games may provide us with your gaming profile, achievements, and leaderboard data.
• Payment Processors: Apple App Store and Google Play Store process in-app purchases and provide us with transaction confirmations, order IDs, and subscription status (we do not receive or store your payment card details).
• Advertising Partners: Our ad network partners (Google AdMob, Meta Audience Network) may provide aggregated audience insights.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and Maintain the Service: To operate the App, authenticate users, save game progress, and sync data across devices.
• Personalization: To customize your experience, remember preferences, and provide personalized content.
• Social Features: To display leaderboards, enable friend challenges, PvP duels, and facilitate social interactions.
• Communications: To send push notifications (with your consent), in-app messages, daily reward reminders, and respond to support inquiries.
• Analytics: To understand how users interact with our App, identify trends, and improve our services. Analytics data may be exported to Google BigQuery for aggregated analysis.
• Advertising: To display relevant advertisements (which can be removed through in-app purchase). We use Google's User Messaging Platform (UMP) for ad consent management.
• Security and Anti-Cheat: To detect and prevent fraud, cheating, score manipulation, unauthorized access, and other prohibited activities. This includes server-side score verification, session token validation, and automated violation detection.
• Content Moderation: To review and moderate user-generated content (profile photos, usernames) using automated tools (Google Cloud Vision API) and manual review to ensure compliance with our content policies.
• Purchase Verification: To verify in-app purchases server-side, prevent duplicate transactions, manage subscriptions, and process refunds.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom (UK), we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with the App and its features, including account management, game progress, and in-app purchases.
• Legitimate Interests (Art. 6(1)(f)): Processing for analytics, security, fraud prevention, anti-cheat measures, content moderation, and improving our services, where these interests are not overridden by your rights. Our legitimate interest assessment is available upon request.
• Consent (Art. 6(1)(a)): Processing based on your explicit consent, such as for push notifications, personalized advertising, and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with legal requirements, such as tax record keeping for purchase transactions.

5. Third-Party Services and Data Sharing

We share your information with the following categories of third parties. We require all third-party service providers to respect the security of your personal data and to treat it in accordance with applicable law.

5.1 Service Providers

5.2 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. This applies under all applicable privacy laws, including the CCPA/CPRA, LGPD, and KVKK.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you via in-app notification and/or email before your personal data becomes subject to a different privacy policy.

5.4 Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe in good faith that disclosure is necessary to: (a) protect our rights or property; (b) protect the safety of our users or the public; (c) prevent fraud or other illegal activity; or (d) comply with a legal obligation.

5.5 Aggregated Data

We may share aggregated, de-identified data that cannot reasonably be used to identify you for research, analytics, or business purposes. This aggregated data is not considered personal data under applicable privacy laws.

6. Advertising

Our App displays advertisements provided by Google AdMob and Meta Audience Network. These services may collect and use data about you to display personalized ads.

6.1 Ad Consent

Before displaying personalized advertisements, we obtain your consent where required by law. We use Google's User Messaging Platform (UMP) for GDPR/ePrivacy compliance and Apple's App Tracking Transparency (ATT) framework on iOS 14.5 and later.

6.2 Personalized Advertising

Ad networks may use device identifiers, cookies, and similar technologies to deliver ads based on your interests and behavior across apps and websites. If you decline personalized ads, you will still see advertisements, but they will not be tailored to your interests.

6.3 Opting Out

• iOS: Go to Settings > Privacy & Security > Tracking and disable "Allow Apps to Request to Track"
• Android: Go to Settings > Google > Ads and enable "Opt out of Ads Personalization" or delete your advertising ID
• In-App: Purchase the ad removal option or any VIP subscription to remove all advertisements from the App
• Privacy Settings: Use the Privacy Options form accessible from the App settings to manage your ad preferences

6.4 Ad Network Privacy Policies

• Google AdMob Privacy Policy
• Meta Privacy Policy

7. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:

• Active Accounts: Data is retained while your account remains active.
• Deleted Accounts: Upon account deletion request, we delete or anonymize your personal data within 30 days, including all game progress, achievements, scores, leaderboard entries, profile photos, and associated records. Some data may be retained longer where required for legal compliance.
• Transaction Records: Purchase records and order data are retained for 90 days for operational purposes, and summarized financial records are retained for 7 years for tax and legal compliance.
• Suspicious Activity Logs: Anti-cheat and suspicious score records are retained for 30 days.
• Failed Purchase Records: Retained for 30 days for transaction recovery purposes.
• Content Moderation Logs: Moderation decisions and records are retained for up to 1 year.
• Security Logs: Security-related logs are retained for up to 1 year.
• Analytics Data: Aggregated, de-identified analytics data (including subscription events exported to BigQuery) may be retained indefinitely as it cannot be used to identify individual users.
• Inactivity: Accounts that have been inactive for an extended period may receive reminder notifications. We may delete accounts after prolonged inactivity in accordance with our data minimization practices.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication mechanisms with proactive token refresh
• Encrypted storage of sensitive data (FCM tokens, session tokens) using platform secure storage
• Server-side session token validation using HMAC-SHA256
• Purchase token hashing before storage
• User ID masking in server logs
• Firebase App Check enforcement on all server functions
• Rate limiting on sensitive API endpoints
• Input validation and sanitization on all server endpoints
• Access controls and role-based permissions
• Regular security assessments and monitoring
• Secure cloud infrastructure (Google Cloud Platform)
• Root/jailbreak detection to prevent tampering
• Emulator detection for anti-fraud purposes

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

8.1 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
• Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Document the breach, its effects, and the remedial actions taken
• Provide notification via email (if available) and/or in-app notification

For users in jurisdictions with specific breach notification requirements (e.g., California, Brazil), we will comply with applicable local notification timelines and procedures.

9. International Data Transfers

Cenkle Digital is established in Turkey. Your information may be transferred to and processed in countries other than your country of residence, including the United States and other countries where our service providers (Google, Meta, Apple) operate data centers.

For transfers from the EEA/UK, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Your explicit consent where required
• Binding Corporate Rules of our service providers where available

For transfers from Turkey, we comply with the requirements of Turkish Law No. 6698 on the Protection of Personal Data (KVKK), including obtaining explicit consent or relying on other lawful transfer mechanisms as approved by the Personal Data Protection Board.

For transfers from Brazil, we comply with the transfer requirements of the LGPD (Lei Geral de Proteção de Dados).

You may request information about the specific safeguards applied to the transfer of your data by contacting us at privacy@tapstice.com.

10. Your Rights

10.1 Rights for All Users

Regardless of your location, you have the following rights:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and data
• Data Portability: Request your data in a portable, machine-readable format
• Opt-Out: Opt out of marketing communications and push notifications

10.2 Additional Rights for EEA/UK Users (GDPR)

Under the General Data Protection Regulation (GDPR), you additionally have the right to:

• Restriction: Request restriction of processing of your personal data
• Objection: Object to processing based on legitimate interests or direct marketing
• Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal
• Automated Decision-Making: Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 13)
• Lodge Complaint: File a complaint with your local data protection authority. A list of EEA data protection authorities is available at edpb.europa.eu

10.3 Additional Rights for California Users (CCPA/CPRA)

If you are a California resident, under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have the right to:

• Know: Right to know what personal information is collected, used, shared, or sold
• Delete: Right to request deletion of personal information
• Opt-Out of Sale/Sharing: We do not "sell" or "share" personal information as defined by CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
• Non-Discrimination: Right not to be discriminated against for exercising your privacy rights
• Correct: Right to correct inaccurate personal information
• Limit Use: Right to limit use and disclosure of sensitive personal information

Categories of Personal Information Collected (past 12 months): Identifiers, internet/electronic activity, geolocation data (coarse), commercial information (purchases), and inferences drawn from the above.

You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority.

10.4 Rights for Brazilian Users (LGPD)

If you are located in Brazil, under the Lei Geral de Proteção de Dados (LGPD), you have the right to:

• Confirmation: Confirm whether we process your personal data
• Access: Access your personal data
• Correction: Request correction of incomplete, inaccurate, or outdated data
• Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
• Portability: Request portability of your data to another service provider
• Deletion: Request deletion of personal data processed with your consent
• Information: Receive information about public and private entities with which we share your data
• Consent Withdrawal: Be informed about the possibility and consequences of withdrawing consent
• Opposition: Object to processing carried out in violation of the LGPD
• Review of Automated Decisions: Request review of decisions made solely based on automated processing

The legal bases for processing under the LGPD include: consent, legitimate interest, contract performance, and legal/regulatory compliance.

You may file a complaint with the Brazilian National Data Protection Authority (ANPD) at www.gov.br/anpd.

10.5 Rights for Canadian Users (PIPEDA)

If you are located in Canada, under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation, you have the right to:

• Access: Request access to your personal information held by us
• Correction: Request correction of inaccurate or incomplete personal information
• Withdraw Consent: Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
• Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca

We will only collect, use, and disclose your personal information with your knowledge and consent, except where permitted or required by law.

10.6 Rights for Turkish Users (KVKK)

If you are located in Turkey, under the Turkish Law No. 6698 on the Protection of Personal Data (KVKK), you have the right to:

• Learn: Learn whether your personal data is processed
• Request Information: Request information about processing if your data has been processed
• Purpose: Learn the purpose of processing and whether data is used in accordance with that purpose
• Third Parties: Know the third parties to whom your data is transferred domestically or abroad
• Correction: Request correction of incomplete or inaccurate data
• Deletion: Request deletion or destruction of your data under the conditions set forth in Article 7 of KVKK
• Notification: Request that corrections or deletions are notified to third parties to whom data was transferred
• Objection: Object to outcomes arising exclusively from automated analysis of your data
• Compensation: Claim compensation for damages arising from unlawful processing

You may file a complaint with the Turkish Personal Data Protection Authority (KVKK) at www.kvkk.gov.tr.

10.7 How to Exercise Your Rights

You can exercise these rights by:

• Using the "Delete Account" feature in App Settings
• Contacting us at privacy@tapstice.com
• Including your User ID (found in App Settings) or account email in your request to help us locate your data

We will respond to your request within 30 days (or as required by applicable law: 15 days for LGPD, 30 days for KVKK, 45 days for CCPA/CPRA). We may ask for verification of your identity before processing your request. If we need additional time, we will notify you of the reason and extension period.

11. Children's Privacy

Tapstice is not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages.

COPPA Compliance (United States): In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13 in the United States. If a parent or guardian becomes aware that their child has provided us with personal information without their consent, they should contact us. We will delete such information from our servers promptly.

Parental Rights: Parents or guardians of children under the applicable age may contact us to: (a) review personal information collected from their child; (b) request deletion of such information; (c) refuse further collection. Contact us at privacy@tapstice.com with the subject line "Child Privacy Request."

If we become aware that we have collected personal data from a child under the applicable age without verified parental consent, we will take steps to delete that information within 48 hours of discovery.

12. Do Not Track Signals

Some browsers have a "Do Not Track" (DNT) feature that signals websites and apps that you do not want your online activity tracked. Our App does not currently respond to DNT signals, as there is no industry standard for handling such signals in mobile applications.

However, we honor the Global Privacy Control (GPC) signal where required by law, including under the CCPA/CPRA. If we detect a GPC signal from your browser, we will treat it as a valid opt-out of the sale/sharing of personal information.

13. Automated Decision-Making and Profiling

We use certain automated processes that may affect your experience:

• Anti-Cheat System: Our servers automatically analyze game scores and session data to detect suspicious activity. Scores flagged as suspicious may be automatically rejected or held for review. Players who accumulate multiple violations may be automatically banned (3 violations: 7-day ban; 5+ violations: permanent ban).
• Content Moderation: Profile photos are automatically scanned by Google Cloud Vision API for inappropriate content. Photos that fail automated checks are blocked. Usernames are checked against content filters.
• Ad Personalization: Our advertising partners may use automated profiling to deliver personalized ads based on your usage patterns and interests.

Your Rights Regarding Automated Decisions: Under GDPR (Article 22), LGPD, and KVKK, you have the right to: (a) obtain human intervention in automated decisions; (b) express your point of view; (c) contest the decision. To exercise these rights, contact us at privacy@tapstice.com.

14. Third-Party Links

Our App may contain links to third-party websites or services that are not operated by us, including links to the Apple App Store, Google Play Store, and social media platforms. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last updated" date
• Sending an in-app notification or email for significant changes
• Requesting re-consent through the App where required for material changes to data processing

Your continued use of the App after any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the App and request deletion of your account.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy Inquiries: privacy@tapstice.com
• General Support: support@tapstice.com
• Legal Inquiries: legal@tapstice.com
• Website: tapstice.com

Data Controller:

• Company: Cenkle Digital
• Address: Icerenköy Mah., Atasehir, Istanbul, Turkey
• Email: privacy@tapstice.com

Data Protection Officer (DPO) / EU Representative (GDPR Article 27):

• Name: Cenk Yagmur
• Address: Icerenköy Mah., Atasehir, Istanbul, Turkey
• Email: privacy@tapstice.com

For Brazilian users: Complaints may be directed to the ANPD at www.gov.br/anpd.

For Canadian users: Complaints may be directed to the OPC at www.priv.gc.ca.

For Turkish users: Complaints may be directed to the KVKK at www.kvkk.gov.tr.