Last updated: June 3, 2026
We operate the Exposed mobile application (the “App”). This Privacy Policy explains how we collect, use, and protect your information when you use the App.
The following data is stored only on your device and never transmitted to our servers:
No email address, phone number, or real name is required to use the App.
The following data is collected only when you opt in to analytics (GDPR Article 6(1)(a)):
Your Support ID — a random anonymous identifier generated at first launch — is attached to these services only when you opt in, so we can correlate support requests with anonymous data.
No account is required. Sessions are anonymous and temporary.
We do not use any third-party advertising SDKs and do not share data with advertising networks for tracking. The App does not track you across other companies’ apps or websites. No device advertising identifiers are collected on either platform.
| Service | Purpose | Data Region | Privacy Policy |
|---|---|---|---|
| Mixpanel | Anonymous analytics (opt-in) | European Union | Privacy Policy |
| Sentry | Crash reporting (opt-in) | European Union | Privacy Policy |
| RevenueCat | Subscription management | United States (under Standard Contractual Clauses) | Privacy Policy |
| Supabase | Multiplayer sessions, content delivery, question feedback | European Union | Privacy Policy |
| Apple (AdServices) | Apple Search Ads attribution (iOS only, anonymous) | United States | Privacy Policy |
| Apple / Google | App distribution and payments | Per their policies | Apple / Google |
Each service processes only the data described above. Where data is transferred to the United States, the safeguard is described in Section 6 (International Data Transfers).
| Data | Retention |
|---|---|
| Local data (profile, history, settings) | Persists until deleted in-app or via uninstall |
| Photos on servers | Deleted when the game session ends |
| Game room data (Supabase) | Auto-deleted after 4 hours |
| Crash reports (Sentry) | Auto-expire within 30—90 days; no self-service deletion |
| Analytics data (Mixpanel) | Deleted via in-app button (processing may take up to 30 days) |
| Question feedback (Supabase) | Retained until you request deletion via the in-app button or by contacting us |
| Subscription data (RevenueCat) | Retained for contract performance and legal obligations per GDPR Article 6(1)(b); not deleted by the in-app button |
Under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you have the following rights:
| Right | How to Exercise |
|---|---|
| Access / Download your data | Open Exposed → Settings → Privacy → “Download My Data” |
| Delete your data | (1) Open Exposed → Settings → Privacy → “Delete All My Data” (2) Uninstall the app (3) Email us at epictimesapps@gmail.com |
| Withdraw consent | Toggle off analytics/crash reporting in Settings (this also disables ad attribution) |
| Data portability | PDF export via “Download My Data” |
| Lodge a complaint (GDPR) | Contact your local data protection authority |
What “Delete All My Data” removes: All local data (profile, game history, settings, seen questions), cloud-stored question feedback (Supabase), and analytics data (Mixpanel deletion request sent).
What it does not remove: Subscription data (RevenueCat) is retained under GDPR Article 6(1)(b) as it is necessary to manage your subscription. Crash reports (Sentry) auto-expire within 30—90 days; disabling crash reporting stops new data collection immediately.
California residents (CCPA / CPRA): In addition to the rights described above, you have the right to opt out of the “sharing” of your personal information, as that term is defined under the California Privacy Rights Act (Cal. Civ. Code §1798.140(ah)), for purposes of cross-context behavioral advertising. We do not engage in cross-context behavioral advertising, do not use device advertising identifiers, and do not share your personal information with any third-party advertising network. We do not sell personal information.
Response times: In-app actions are immediate. Email requests are responded to within 30 days (GDPR) or 45 days (CCPA).
The App is not directed at children. You must be at least 17 years old to use the App, matching the App Store and Google Play age rating. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at epictimesapps@gmail.com.
RevenueCat processes data in the United States under the European Commission’s Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914), as described in its publicly available Data Processing Addendum. Sentry and Mixpanel use European Union data residency, so analytics and crash data remain within the EU.
We may update this Privacy Policy from time to time. We will post the updated policy and update the “Last updated” date at the top of this page. Your continued use of the App after changes constitutes acceptance of the updated policy.
Developer: Mustafa Berkay Mutlu Email: epictimesapps@gmail.com Location: Berlin, Germany
For GDPR requests that cannot be handled in-app, we will respond within 30 days.
For data deletion steps, visit our Support page.
This Privacy Policy is written in English. If translated, the English version prevails in the event of conflict.