Privacy Policy
1. Introduction
Acena Education - FZCO, doing business as "Componi" ("we," "us," "our," or "Company"), operates the Componi mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and otherwise process personal information in connection with the App.
We are committed to protecting your privacy and providing transparency about our data practices. This Privacy Policy applies to all users of the App, including those in the United States.
Entity Information:
- Legal Name: Acena Education - FZCO
- Registration Number: DSO-FZCO-51976
- License Number: 54329
- Registered Address: IFZA Business Park, DDP, PO Box 342001, Dubai, United Arab Emirates
- Contact Email: admin@acena.cc
2. Personal Information We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Authentication provider account identifier (if you sign in via Apple or Google)
- Account creation date
- Account deletion request date (if applicable)
2.2 Gameplay and Activity Data
- Puzzle completion history (which puzzles you've played, completion status, time taken)
- League participation and rankings
- Lounge match history and results
- Daily bonus task completion status
- Weekly streak information
- Energy and hints usage patterns
- In-app purchase history (crystals purchased, virtual currency balance)
- Game settings and preferences
2.3 Device Information
- Device model, operating system, and version
- Mobile advertising identifiers:
- Apple IDFA (Identifier for Advertisers)
- Google Advertising ID
- App version
- Device language and locale
- Time zone
- Approximate IP address
2.4 Advertising and Tracking Data
- Google AdMob tracking data, including:
- Ad impressions and interactions
- Advertiser IDs
- Ad placement and performance metrics
- Apple App Tracking Transparency (ATT) consent status
- Advertising preferences and opt-out signals
2.5 Push Notification Data
- Device push notification token
- Notification preferences
2.6 Analytical Data
- App usage frequency and session duration
- Feature engagement (which features you use most)
- Event logs and crash reports
- Performance metrics
- Amplitude event data (product analytics — see Section 3.2 and the Cookie & Tracking Disclosure for the full event list)
2.7 Purchase Data
When you make an in-app purchase (Crystals or the one-time Lifetime Ad-Free Purchase), we receive purchase metadata through the RevenueCat SDK:
- Store receipts and anonymized transaction identifiers from Apple App Store or Google Play
- Entitlement information (whether your Lifetime Ad-Free Purchase is active)
- Purchase history by product and date
- Platform (iOS/Android), store (App Store/Google Play), and country
Componi does not receive or store your credit card, debit card, or bank account information. All payment processing is handled directly by Apple or Google. Componi does not offer recurring subscriptions; there is no recurring billing data.
3. How We Collect Personal Information
3.1 Direct Collection
We collect information directly from you when you:
- Create an account in the App
- Update your account profile
- Configure settings or preferences
- Make in-app purchases
- Request account deletion
- Interact with support (email to admin@acena.cc)
- Accept or deny permissions (including ATT consent)
3.2 Automatic Collection
We automatically collect information through:
- Mobile SDKs and tracking technologies integrated into the App
- Google AdMob SDK — advertising tracking and ad serving
- Amplitude SDK — product analytics (which features you use, how long you play, conversion events)
- RevenueCat SDK — in-app purchase management, receipt validation
- Apple App Tracking Transparency framework
- In-app event logging and analytics
- Crash reporting services
- Server logs from our backend infrastructure (Supabase)
3.3 Third-Party Collection
Third parties collect information about you:
- Google (AdMob): Collects device identifiers and engagement data for serving and personalizing ads
- Apple: Collects IDFA through ATT consent flow
- Supabase: Collects backend usage metrics and access logs
- Amplitude: Receives in-app event data (screen views, feature usage, gameplay and purchase events) as our product-analytics processor — no ad targeting; see Tracking Disclosure §3.4
- RevenueCat: Receives store receipts and purchase metadata to validate purchases with Apple and Google and to resolve your Lifetime Ad-Free entitlement — no payment card data; see Tracking Disclosure §3.5
4. How We Use Personal Information
We use the personal information we collect for the following purposes:
4.1 Core Service Delivery
- Creating and maintaining your account
- Delivering the App's features and functionality
- Processing in-app purchases and managing virtual currency
- Operating the League, Lounge, and rewards systems
- Providing customer support via admin@acena.cc
4.2 Advertising and Marketing
- Serving personalized advertisements through Google AdMob
- Measuring ad campaign performance
- Creating audience segments for ad targeting
- Complying with Apple's App Tracking Transparency requirements
4.3 Analytics and Improvement
- Understanding user behavior and engagement patterns
- Improving game features and user experience
- Detecting and preventing fraud and cheating
- Monitoring app performance and stability
- Conducting crash analysis and debugging
4.4 Legal and Compliance
- Complying with applicable laws and regulations (CCPA, COPRA, etc.)
- Responding to legal requests from authorities
- Enforcing our Terms of Service and other agreements
- Protecting against fraud, abuse, and security threats
- Maintaining audit trails and immutable transaction records
4.5 Communication
- Sending service announcements and updates
- Responding to your inquiries and requests
- Notifying you of changes to our policies or services
5. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
5.1 Right to Know
You have the right to request that we disclose:
- The specific pieces of personal information we have collected about you
- The categories of personal information collected
- The source of the personal information
- Our business purposes for collecting the information
- The categories of third parties with whom we share the information
5.2 Right to Delete
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions. We must delete the personal information within 45 days of receiving your request, unless an exemption applies.
Exemptions: We may retain personal information if necessary to:
- Complete the transaction for which information was collected
- Provide the goods or services reasonably expected by the consumer
- Comply with legal obligations
- Detect and protect against fraud, security, or technical issues
- Enable internal uses reasonably aligned with consumer expectations
- Comply with the California Online Privacy Protection Act (CalOPPA)
5.3 Right to Correct
You have the right to request that we correct inaccurate personal information we maintain about you.
5.4 Right to Opt-Out of Sale or Sharing
We do not sell or share personal information as defined by CCPA/CPRA. However, our use of Google AdMob tracking may constitute a "share" for cross-context behavioral advertising purposes under CPRA. You can opt out of this sharing by:
- Enabling "Do Not Track" signals in your device settings
- Using the Global Privacy Control (GPC) signal
- Submitting a request to admin@acena.cc with "Do Not Sell My Personal Information" in the subject line
5.5 Right to Limit Sensitive Personal Information
We do not collect sensitive personal information beyond what is necessary for the App's functionality. We do not knowingly:
- Collect social security numbers, financial account information, or precise geolocation
- Process sensitive categories of personal information outside the purposes stated in this policy
5.6 Non-Discrimination
We will not discriminate against you for exercising your privacy rights by denying services, charging different prices, or providing a different quality of service. However, we may offer different functionality based on whether you have completed the optional Lifetime Ad-Free Purchase or other App features.
5.7 How to Submit Requests
To submit a privacy request or exercise your California rights:
Email: admin@acena.cc
Subject: "California Privacy Request" (specify Right to Know, Right to Delete, Right to Correct, or Opt-Out)
Include: Your full name, email address associated with your Componi account, and a detailed description of your request
We will verify your identity before responding to your request. Verification may require you to provide:
- Your account email address
- The email address used for sign-in (Apple or Google email)
- Account creation date
We aim to respond to all verifiable requests within 45 days of receipt.
5.8 Authorized Agents
If you wish to submit a request on your behalf through an authorized agent, the agent must provide:
- Proof of authorization (power of attorney, signed declaration, or other evidence)
- Proof of their own identity
- Your account information for verification
6. Google AdMob and Advertising Tracking
6.1 What Google AdMob Collects
When you view ads in the App, Google AdMob collects:
- Your Google Advertising ID (Android) or IDFA (iOS)
- Device model and operating system
- Approximate location (based on IP address, not precise GPS)
- Ad impression and click data
- In-app purchase and conversion information
- Engagement metrics
6.2 How AdMob Uses This Data
Google uses this information to:
- Serve personalized and contextual advertisements
- Measure ad performance and ROI
- Create audience segments and lookalike audiences
- Conduct ad fraud detection
- Comply with applicable advertising laws
For more information about Google's data practices, see Google's Privacy Policy at https://policies.google.com/privacy.
6.3 Opting Out of Personalized Ads
You can opt out of personalized advertising through:
- Android: Settings > Google > Manage your Google Account > Data & Privacy > Ad Settings > Opt out of personalized ads
- iOS: Settings > Privacy > Apple Advertising > Turn off personalized ads
7. Apple App Tracking Transparency (ATT)
7.1 ATT Consent Flow
When you first launch the App, we request permission to track your activity across other apps and websites using your Apple IDFA. This consent is obtained through Apple's App Tracking Transparency framework and displayed as a native system alert.
7.2 Your ATT Choice
- If you grant consent: We and our advertising partners (Google AdMob) can access your IDFA to provide personalized ads and measure ad performance.
- If you deny consent: The App functions normally. Ads are still shown, but they will be contextual rather than personalized. We cannot access your IDFA.
7.3 Changing Your ATT Preference
After your initial choice, you can modify your ATT preference at any time:
- Go to Settings > Privacy > App Tracking and toggle Componi on or off
8. Data Storage and Security
8.1 Where Your Data Is Stored
- Primary Data Storage: Supabase (PostgreSQL database) with infrastructure in the United States (AWS)
- User Accounts and Authentication: Supabase Auth
- User-Generated Content: Supabase Storage (S3-compatible)
- Product Analytics: Amplitude (United States)
- Purchase Records: RevenueCat (United States), which synchronizes with Apple App Store and Google Play
- Advertising: Google AdMob (United States / global)
- Backup: Encrypted offsite backups as per Supabase standards
8.2 Security Measures
We implement industry-standard security controls:
- HTTPS/TLS encryption for all data in transit
- AES-256 encryption for data at rest
- Database-level access controls and authentication
- Regular security audits and penetration testing
- Restricted access to production systems (principle of least privilege)
- Secure credential management (no hardcoded secrets in source code)
- Two-factor authentication for administrative access
- Incident response and breach notification procedures
8.3 Data Retention Periods
| Data Category | Retention Period | Reason |
|---|---|---|
| Account registration info | Duration of account + 90 days | Legal hold, potential re-activation |
| Gameplay and activity logs | 90 days active, then archived | Analytics and fraud detection |
| In-app purchase records | 7 years | Tax and financial compliance, fraud prevention |
| Crystal transaction ledger | Permanent (immutable) | Audit trail, fraud detection, dispute resolution |
| Device and advertising IDs | Duration of account + 30 days | Ad optimization, fraud detection |
| Crash reports and technical logs | 30 days | Debugging and performance optimization |
| Deleted account data | 30 days (with exceptions) | See Section 9: Account Deletion Policy |
8.4 Limitation
While we implement reasonable security measures, no system is completely secure. We cannot guarantee absolute security of your personal information.
9. Third-Party Services and Integrations
9.1 Authentication Providers
- Apple Sign-In: See Apple's Privacy Policy (https://www.apple.com/privacy/)
- Google Sign-In: See Google's Privacy Policy (https://policies.google.com/privacy)
When you sign in via these providers, we receive a unique identifier but not your actual password. These providers may retain their own logs of your authentication activity.
9.2 Cloud Infrastructure (Supabase)
Supabase (which uses Postgres and AWS S3) acts as a data processor for us:
- Your account data, gameplay records, and game state are stored in Supabase's PostgreSQL databases
- Supabase's Privacy Policy: https://supabase.com/privacy
- Data is encrypted in transit and at rest under Supabase's security controls
- Supabase is SOC 2 Type II certified
9.3 Advertising Networks
- Google AdMob: Detailed in Section 6
- AdMob's Privacy Policy: https://policies.google.com/privacy
- AdMob's EU User Consent Policy: https://admob.google.com/about/ump/
9.4 Product Analytics (Amplitude)
Amplitude, Inc. acts as our data processor for product analytics:
- Receives anonymous device ID, Componi user ID (after sign-in), event name and properties, device metadata, and IP-based approximate country
- Does not receive your name, email, precise location, payment information, or advertising identifiers
- Is not used for ad targeting or cross-app tracking
- Amplitude Privacy Policy: https://amplitude.com/privacy
- Direct data-subject request form: https://amplitude.com/privacy/personal-data-request
9.5 Purchase Management (RevenueCat)
RevenueCat, Inc. acts as our data processor for in-app purchases:
- Receives Apple/Google store receipts, anonymized transaction IDs, entitlement state, and your Componi user ID after sign-in
- Validates receipts with Apple App Store and Google Play on our behalf
- Does not receive your payment card or bank details — those are handled directly by Apple or Google
- RevenueCat Privacy Policy: https://www.revenuecat.com/privacy
9.6 Push Notification Service
We may use a push notification provider to send you game updates and promotional messages. The provider may collect:
- Device push tokens
- Device type and OS version
- Notification engagement metrics
You can disable push notifications at any time in your device settings.
10. Children's Privacy (COPPA)
The App is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at admin@acena.cc.
For more information about COPPA, see the Federal Trade Commission's guidance at https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy.
11. International Data Transfers
11.1 Cross-Border Data Flows
Acena Education - FZCO is registered in the United Arab Emirates, but we serve users in the United States. Your personal information may be transferred to, stored in, and processed in the United States (where our cloud infrastructure resides) and in the UAE (where our corporate entity is based).
11.2 Data Protection
By using the App, you consent to the transfer of your personal information to the United States and other countries where we operate. These countries may have different data protection laws than your home country. We implement appropriate safeguards (encryption, contractual commitments) to protect your information during transfers.
11.3 EU / International Users
If you are located outside the United States, please note that the App is primarily designed for US users and may not fully comply with your local privacy laws (e.g., GDPR, UK DPA 2018). We do not specifically target users in Europe or other jurisdictions, but if you use the App, your data will be transferred to the US.
12. Data Retention and Deletion
12.1 General Retention
We retain personal information for as long as necessary to:
- Provide the App's services
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Prevent fraud and security threats
- Maintain accurate records for tax and accounting purposes
12.2 Account Deletion
For details on how to request account deletion, see the separate Account Deletion Policy document.
Summary: Deleted accounts are removed from active service within 30 days, but certain data (transaction logs, fraud prevention records) may be retained longer for legal compliance.
13. Your Privacy Rights Summary
Depending on your location, you may have the following rights:
| Right | Availability | How to Exercise |
|---|---|---|
| Right to Know | California (CCPA/CPRA), and others | Email: admin@acena.cc |
| Right to Access | Most jurisdictions | Email: admin@acena.cc |
| Right to Delete | California (CCPA/CPRA), and others | Email: admin@acena.cc or in-app settings |
| Right to Correct | California (CPRA), and others | Email: admin@acena.cc |
| Right to Opt-Out | California (CCPA/CPRA, sale/sharing) | Email or GPC signal |
| Right to Limit Sensitive Info | California (CPRA) | Not applicable (we don't collect sensitive categories) |
| Right to Data Portability | Some jurisdictions | Email: admin@acena.cc |
| Right to Non-Discrimination | California (CCPA/CPRA), and others | Automatic; no discrimination for exercising rights |
14. App Store Privacy Labels
In compliance with Apple's App Privacy policies and Google Play's data safety disclosures, we maintain accurate privacy labels in both app stores. The labels reflect:
- Data collection practices (device identifiers, gameplay activity, account info, purchase history)
- Data sharing with third parties (Google AdMob, Supabase, Amplitude, RevenueCat)
- Tracking for advertising purposes (AdMob)
- Data security practices
- User controls (ATT, privacy settings, account deletion)
Our app store labels are updated whenever our privacy practices change, with advance notice to users where required.
15. Contact Us for Privacy Inquiries
15.1 Privacy Officer
For any privacy-related questions, requests, or concerns:
Email: admin@acena.cc
Subject Line: "Privacy Inquiry — [Your Request Type]"
Mailing Address:
Acena Education - FZCO
IFZA Business Park, DDP
PO Box 342001
Dubai, United Arab Emirates
15.2 Response Time
We aim to respond to all privacy inquiries within 30 business days. If you submit a formal data subject request (Right to Know, Right to Delete, etc.), we will follow the timelines specified in applicable law (typically 45 days in California).
15.3 Escalation
If you are not satisfied with our response, you may lodge a complaint with your local data protection authority (if applicable in your jurisdiction).
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy in the App with a notice of the change
- Updating the "Last Updated" date at the top of this document
- Sending an email notification for significant privacy changes (if your email is on file)
Your continued use of the App after changes become effective constitutes your acceptance of the updated Privacy Policy.