Cookie and Tracking Disclosure

1. Introduction

This Cookie and Tracking Disclosure describes the tracking technologies used in the Componi mobile application, how they work, and how to control them. This disclosure complies with:

• Apple App Tracking Transparency (ATT) requirements
• Google Play Developer Policy on tracking and privacy
• California CCPA/CPRA transparency requirements
• Industry standards for mobile app tracking disclosure

2. Mobile App Tracking vs. Web Cookies

2.1 No Web Cookies

Componi is a native mobile application (not a web app). It does not use web cookies (HTTP cookies, third-party cookies, or persistent cookies in the traditional sense).

2.2 SDK-Based Tracking

Instead of cookies, Componi uses Software Development Kits (SDKs) from third-party services that employ mobile identifiers and in-app tracking mechanisms.

3. Tracking Technologies Used in Componi

3.1 Apple IDFA (Identifier for Advertisers)

What It Is:

• A unique identifier assigned by Apple to each iOS device
• Used for advertising tracking and user analytics
• Different for each app; not shared across apps (by design)
• Periodically refreshed when users reset the identifier

How Componi Uses It:

• We request your consent via Apple's App Tracking Transparency (ATT) framework
• If you grant consent, we allow Google AdMob to access your IDFA for personalized ads
• If you deny consent, we do not access your IDFA; ads are contextual

Your Control:

• You grant or deny IDFA access via the ATT prompt when first launching the app
• You can change your choice at any time: Settings > Privacy > App Tracking
• To reset your IDFA: Settings > Privacy > Apple Advertising > Reset Advertising ID

Data Retention:

• Apple IDFA is retained while your account is active
• IDFA mapping is deleted 30 days after account deletion
• Apple retains IDFA data separately (see Apple's privacy policy)

3.2 Google Advertising ID (GAID / Google Ad ID)

What It Is:

• A unique identifier assigned by Google to each Android device
• Used for advertising tracking and analytics
• Resettable by the user at any time
• Allows Google and third parties to serve targeted ads

How Componi Uses It:

• We automatically collect the Google Advertising ID from Android devices
• We share this ID with Google AdMob for serving and personalizing advertisements
• We use it to measure ad performance and user engagement

Your Control:

• Android 12 and later: Settings > Privacy > Advertising > Ad ID (view and reset your ID)
• Older Android versions: Settings > Google > Manage your Google Account > Data & Privacy > Ad Settings (opt out of personalized ads)
• Resetting your Google Advertising ID generates a new unique identifier

Data Retention:

• Google Advertising ID is retained while your account is active
• ID mapping is deleted 30 days after account deletion
• Google retains separate records for analytics and fraud detection

3.3 Google AdMob SDK

What It Tracks:

• Ad impressions (when ads are shown)
• Ad interactions (clicks, closes, engagement)
• User engagement with advertised products
• Device information (model, OS version, language)
• Approximate location (IP-based, not GPS)
• Conversion events (in-app purchases)
• User demographics and inferred interests

How It Works:

• The AdMob SDK runs in the background while the app is open
• It collects data about app usage and ad engagement
• Data is encrypted and sent to Google's servers
• Google uses this data to personalize ads and measure campaign performance

Your Control:

• Deny ATT consent on iOS (Section 3.1): AdMob cannot access your IDFA; ads are less personalized
• Opt out of personalized ads on Android (Section 3.2): Google will show contextual rather than behavioral ads
• Both devices: Disable specific ad categories or advertisers through your device settings (limited control)

Data Retention:

• Engagement logs are retained for 90 days in Componi's systems
• AdMob retains data separately per Google's privacy policy (typically 24+ months for analytics)

3.4 Amplitude Product Analytics SDK

What It Is:

• Amplitude is a third-party product analytics platform used by Componi to understand how players interact with the app
• The Amplitude SDK runs inside Componi and sends events to Amplitude's servers
• Operated by Amplitude, Inc. (United States)

What It Tracks:

• App launches, sessions, and session duration
• Screen views and feature usage (puzzles opened, puzzles completed, Leagues joined, Lounge matches played, shop visits)
• Gameplay events (hints used, energy spent, rewarded ad views, daily bonus claims)
• Purchase events (Crystal pack purchased, Lifetime Ad-Free purchased)
• Device metadata (model, OS version, app version, language, country from IP)
• An Amplitude-issued anonymous device ID and, after sign-in, your Componi user ID

How It Works:

• The SDK collects the events listed above as you play and batches them to Amplitude over TLS
• We use Amplitude dashboards to measure retention, conversion, and feature adoption — never to contact you personally
• We do not send your real name, email, precise location, IP address, or payment details to Amplitude
• We do not use Amplitude to serve ads or to build cross-app advertising profiles

Your Control:

• There is no selective opt-out for product analytics inside the app — they are necessary to understand and improve Componi
• Deleting your account disassociates future events from your user ID and removes the identifier mapping (see Account Deletion Policy)
• Amplitude honors Global Privacy Control (GPC) signals and California CCPA opt-out-of-sale requests; see Section 6.3 and the Privacy Policy for details

Data Retention:

• Amplitude retains event data according to the plan and retention policy we configure (typically 12–24 months)
• On account deletion we submit a user-delete request to Amplitude within 30 days; Amplitude processes deletions within its own service-level window
• Amplitude privacy policy: https://amplitude.com/privacy

3.5 RevenueCat Purchase SDK

What It Is:

• RevenueCat is a third-party purchase-management platform that validates Apple App Store and Google Play in-app purchases on our behalf
• The RevenueCat SDK runs inside Componi and communicates with RevenueCat's servers, which in turn verify receipts with Apple and Google
• Operated by RevenueCat, Inc. (United States)

What It Tracks:

• In-app purchase events (Crystal packs, Lifetime Ad-Free)
• Active entitlements (whether you currently have Lifetime Ad-Free)
• Store receipts and anonymized transaction identifiers from Apple/Google
• A RevenueCat-issued anonymous app user ID linked to your Componi user ID after sign-in
• Device country, platform (iOS / Android), store (App Store / Google Play), and app version

How It Works:

• When you tap Purchase, the Apple or Google payment sheet handles your card details directly — Componi and RevenueCat never see them
• After payment, the store returns a receipt; the RevenueCat SDK forwards that receipt to RevenueCat's servers for validation
• RevenueCat tells Componi whether your Lifetime Ad-Free entitlement is active so the app can apply it immediately and stay accurate across reinstalls and device switches
• We do not send your name, email, precise location, or advertising ID to RevenueCat

Your Control:

• Restore your Lifetime Ad-Free Purchase anytime via the in-app Restore Purchase button — see our Purchase Terms for full restore steps
• Request refunds through Apple or Google, who are the merchants of record
• Deleting your Componi account submits a deletion request to RevenueCat for your linked purchase record; historical receipts may be retained where required for tax, audit, or chargeback defense

Data Retention:

• RevenueCat retains purchase records for the life of your account and, after deletion, for the period required by applicable tax and financial-records laws (typically 7 years)
• RevenueCat privacy policy: https://www.revenuecat.com/privacy

3.6 In-App Event Logs (Supabase Backend)

What We Track:

• Server-side records of account events (sign-in, sign-out, account deletion request)
• Crystal ledger entries and Lounge match results (required for game integrity and anti-fraud)
• Authenticated API requests and rate-limit counters
• These records are separate from Amplitude (product analytics) and RevenueCat (purchases) — Supabase stores the data the app itself needs to function

How It Works:

• Our backend (Supabase) logs operational events when you interact with the app
• Events are timestamped and associated with your user ID
• Backend data is used to run the game correctly, prevent fraud, and satisfy audit requirements

Your Control:

• No direct opt-out (these records are necessary for app function and account integrity)
• You can delete your account to remove associated event logs (see Account Deletion Policy)

Data Retention:

• Event logs are retained for 90 days in active storage
• Immutable financial records (Crystal ledger, purchase history) are retained for 7+ years for legal/tax compliance

3.7 Crash Reporting and Diagnostics

What We Track:

• App crashes and error messages
• Stack traces and diagnostic information
• Device state at time of crash (memory, battery, network)
• User actions preceding the crash
• App performance metrics (frame rate, load times)

How It Works:

• Crash reports are automatically sent when the app encounters a fatal error
• Reports are encrypted and sent to Supabase's error tracking service
• Used to identify and fix bugs, improve stability

Your Control:

• No opt-out for crash reporting (necessary for app stability)
• Reports do not contain personal information beyond your user ID

Data Retention:

• Crash reports are retained for 30 days
• Older reports are aggregated and archived

3.8 Push Notification Tracking

What We Track:

• Whether a notification is delivered to your device
• Whether you open (click) the notification
• Device push token
• Notification type and timestamp
• Device type and OS version (for compatibility)

How It Works:

• We send push notifications to your device via Apple or Google's push notification services
• We track whether notifications are delivered and whether you interact with them
• This data helps us understand engagement and improve messaging

Your Control:

• iOS: Settings > Notifications > Componi (toggle on/off, or customize notification style)
• Android: Settings > Apps > Componi > Notifications (toggle on/off, or customize by category)
• Disabling notifications prevents delivery and tracking of those notifications

Data Retention:

• Push token is retained while your account is active
• Engagement metrics are retained for 90 days in active storage

4. Apple App Tracking Transparency (ATT)

4.1 ATT Consent Flow

When you first launch Componi on iOS, you will see an Apple system alert:

Alert Text:
"Componi" would like permission to track your activity across other apps and websites.

Your Options:

• Ask App Not to Track: Componi cannot access your IDFA; you opt out of cross-app tracking
• Allow: Componi can access your IDFA and may pass it to advertising partners like Google AdMob

4.2 Your ATT Choice Matters

• If you select "Ask App Not to Track":
  • Your IDFA is not shared with AdMob
  • Ads are contextual (based on app usage, not cross-app behavior)
  • You see fewer personalized ads
  • You have more privacy but may see less relevant ads
• If you select "Allow":
  • Your IDFA is shared with Google AdMob
  • Ads are personalized based on your activity across apps and websites
  • AdMob builds a profile of your interests
  • You may see more relevant ads but less privacy

4.3 Changing Your ATT Preference

You can change your ATT choice at any time:

1. Open Settings on your iPhone or iPad
2. Scroll down and select the app list, or go to Privacy
3. Select App Tracking
4. Find Componi in the list
5. Toggle the switch on (to allow tracking) or off (to deny tracking)

Changes take effect immediately the next time you launch the app.

4.4 Resetting Your ATT Preference

If you want the ATT prompt to appear again:

1. Open Settings
2. Go to Privacy > Apple Advertising
3. Toggle Personalized Ads off
4. Toggle it back on
5. Uninstall and reinstall Componi
6. Launch the app; the ATT prompt will reappear

5. Google Play Tracking and Privacy Controls

5.1 Android-Specific Tracking

On Android, Google's privacy controls are more granular:

Google Play Services:

• Google Advertising ID (GAID) is automatically provided to the app
• Google Play Services collects diagnostics and crash data
• Google Analytics may be integrated for app performance tracking

Your Controls:

• Opt Out of Personalized Ads: Settings > Google > Manage your Google Account > Data & Privacy > Ad Settings > Personalization
• Reset Google Advertising ID: Settings > Google > Manage your Google Account > Data & Privacy > Ad ID > Generate new ID
• Disable Analytics Sharing: Some settings are in Settings > Apps > Componi > Permissions

5.2 Tracking and Analytics Transparency

Google requires apps to disclose tracking practices in the Data Safety section on Google Play:

• Componi's data safety label is visible on the Componi app store page
• The label lists data categories we collect (device info, activity, etc.)
• The label indicates whether data is sold or shared with third parties
• The label shows security practices (encryption, data deletion, etc.)

6. How to Opt Out of Tracking

6.1 iOS Opt-Out Options

Option 1: Disable ATT/IDFA Tracking

1. Settings > Privacy > App Tracking
2. Toggle Componi to OFF
3. This prevents AdMob from accessing your IDFA
4. Ads will be contextual, not personalized

Option 2: Disable Personalized Ads Globally

1. Settings > Privacy > Apple Advertising
2. Toggle Personalized Ads to OFF
3. Apple will not personalize ads across apps

Option 3: Reset Your IDFA

1. Settings > Privacy > Apple Advertising
2. Tap Reset Advertising ID
3. Apple generates a new IDFA
4. Advertisers cannot track you via the old ID

6.2 Android Opt-Out Options

Option 1: Opt Out of Personalized Ads

1. Settings > Google > Manage your Google Account
2. Select Data & Privacy
3. Scroll to Ad Settings
4. Toggle Personalized ads to OFF
5. Google will show contextual, non-personalized ads

Option 2: Reset Your Google Advertising ID

1. Settings > Google > Manage your Google Account
2. Select Data & Privacy
3. Scroll to Ad ID
4. Tap Reset advertising ID
5. Android generates a new ID

6.3 Global Privacy Control (GPC)

If your browser or device supports Global Privacy Control:

• Componi respects GPC signals
• GPC is a privacy preference you set in your browser or OS
• When enabled, GPC signals to apps that you opt out of data sharing
• You can enable GPC in privacy-focused browsers (Firefox, Brave, DuckDuckGo, etc.)

6.4 Disable Notifications

To stop push notification tracking:

• iOS: Settings > Notifications > Componi > toggle OFF
• Android: Settings > Apps > Componi > Notifications > toggle OFF

Disabling notifications stops all notification delivery and tracking.

7. What Data Is Not Tracked

Componi does not track or collect:

• Real-time GPS location or precise geolocation
• Your browsing history outside the Componi app
• Content of your messages or communications
• Contacts, photos, or other personal files
• Health or fitness data (unless you explicitly share it)
• Microphone or camera data (unless you grant app permission and use a feature)
• Biometric data (fingerprint, face recognition) — this is handled by your device, not Componi
• Financial account information (bank accounts, credit cards)
• Social security numbers or government IDs

8. Transparency and Compliance

8.1 Apple App Store Privacy Labels

Componi maintains accurate privacy labels in the Apple App Store:

• Data types collected (device identifiers, gameplay activity, etc.)
• Whether data is linked to your identity
• Whether data is sold or shared with third parties
• Data security practices
• User controls (tracking opt-out, account deletion)

These labels are updated whenever our tracking practices change.

8.2 Google Play Data Safety

Componi maintains accurate data safety information in Google Play:

• Categories of data we collect
• How data is used
• Whether data is shared with third parties
• Commitment to security and privacy

Data safety labels are updated whenever practices change.

8.3 Privacy Shield and Cross-Border Transfers

Componi is registered in the UAE but serves US users. Personal information is transferred to US cloud servers (Supabase/AWS) and may be processed in the UAE.

• We implement encryption and other safeguards for international transfers
• Your data is protected in transit by TLS/HTTPS encryption
• See the Privacy Policy for full details on data transfers

9. Third-Party Tracking

9.1 Google AdMob Tracking

• Privacy Policy: https://policies.google.com/privacy
• Opt-Out: https://myaccount.google.com/data-and-privacy/ad-settings
• Google may track you across multiple apps that use AdMob
• Google's data practices are governed by their privacy policy, not Componi's

9.2 Apple Sign-In Tracking

• If you sign in via Apple ID, Apple may retain sign-in logs
• See Apple's privacy policy for details: https://www.apple.com/privacy/
• Apple does not share your identity with Componi directly

9.3 Google Sign-In Tracking

• If you sign in via Google Account, Google may retain sign-in logs
• See Google's privacy policy: https://policies.google.com/privacy
• Google does not share detailed personal information with Componi, only your account identifier

9.4 Amplitude (Product Analytics)

• Amplitude receives in-app event data as described in Section 3.4
• Amplitude acts as our data processor under applicable privacy laws
• See Amplitude's privacy policy: https://amplitude.com/privacy
• To submit a data-subject request directly to Amplitude: https://amplitude.com/privacy/personal-data-request

9.5 RevenueCat (Purchase Management)

• RevenueCat receives store receipts and purchase metadata as described in Section 3.5
• RevenueCat acts as our data processor for in-app purchase records
• See RevenueCat's privacy policy: https://www.revenuecat.com/privacy

10. Modifications to Tracking Practices

10.1 We May Change Tracking

Componi may:

• Add new tracking SDKs or services
• Remove or disable existing tracking
• Change how data is used or shared

Notice: We will notify you of material changes via in-app notice or email.

10.2 Opting Out of Future Tracking

If we introduce new tracking:

• You will have the opportunity to opt out (where legally required)
• Existing opt-outs (ATT denial, GPC signals) will be respected
• You can delete your account if you do not accept the new tracking

11. Contact Us for Tracking Questions

For questions about tracking, cookies, or your privacy options:

Email: admin@acena.cc
Subject: "Tracking Disclosure Question" or "Opt-Out Request"
Include: Your device type (iOS or Android), app version, and specific question

We will respond within 7-14 business days.