Privacy Policy

Last updated: April 19, 2026

We operate the Exposed mobile application (the “App”). This Privacy Policy explains how we collect, use, and protect your information when you use the App.

1. Data We Collect

1.1 On Your Device (Local Only)

The following data is stored only on your device and never transmitted to our servers:

Player Profile: Name and avatar (emoji and color) you choose during setup
Game History: Record of games played, including date, player count, and round count
Preferences: Sound effects, haptic feedback, reduce motion, and other settings
Seen Questions: Which questions you have already encountered (for variety tracking)
Game Configurations: Selected categories and deck choices

No email address, phone number, or real name is required to use the App.

The following data is collected only when you opt in to analytics (GDPR Article 6(1)(a)):

Analytics Events (Mixpanel, EU data residency): Anonymous screen views, game lifecycle events, and error occurrences. IP addresses are used only to derive coarse geolocation (country, region, city) at ingestion and are then discarded; Mixpanel does not store the IP address itself.
Crash Reports (Sentry): Error logs, stack traces, device model, OS version, and performance metrics. No personally identifying information is collected.

Your Support ID — a random anonymous identifier generated at first launch — is attached to these services only when you opt in, so we can correlate support requests with anonymous data.

1.3 Subscription Data

Subscription Data (RevenueCat): Purchase history and subscription status, linked to an anonymous RevenueCat user ID. Required for premium feature access.

1.4 Multiplayer and Photo Data

Game Sessions: Player names and game progress are temporarily stored on our servers to enable real-time multiplayer functionality. All session data is automatically deleted after 4 hours.
Profile Photo: If you upload a profile photo, it is temporarily uploaded during multiplayer sessions and automatically deleted afterward.

No account is required. Sessions are anonymous and temporary.

1.5 Ad Attribution Data

All data described in this section is processed on the basis of your consent under GDPR Article 6(1)(a), obtained through the single Analytics consent toggle in Settings. Toggling off Analytics stops all new data collection to these services immediately, except for the Apple AdServices attribution token described in the final bullet. No device advertising identifiers are collected on either platform.

Meta SDK (Facebook): Anonymous identifier (fbAnonId), an app-generated ID that is not a device advertising identifier, and app install events. Auto-logging of app events is disabled; purchase events are sent server-side via RevenueCat Conversions API (see Section 1.3).
TikTok Business SDK: App install events and in-app purchase events (auto-captured from StoreKit on iOS and Play Billing on Android).
Firebase Analytics (Google): Anonymous app instance identifier and app install events, used for Google Ads campaign attribution. No custom events are logged client-side; purchase events are forwarded server-side from RevenueCat to Google Ads via the Firebase integration.
Apple AdServices (iOS only): An anonymous, campaign-level attribution token provided by the iOS operating system. The token contains no personal data or device identifier. Collection is initialized only when the in-app Analytics consent toggle is enabled and takes effect on the next app launch after a toggle change. Users can additionally disable it system-wide via iOS Settings → Privacy & Security → Apple Advertising → Personalized Ads.

Purchase events are forwarded server-side from RevenueCat to Meta via the Conversions API. This does not involve additional client-side data collection beyond the anonymous identifier described above.

1.6 Question Feedback

Question Reports (Supabase): If you report a question, the report is submitted to our cloud backend with your anonymous device ID.

2. Third-Party Sub-Processors

Service	Purpose	Data Region	Privacy Policy
Mixpanel	Anonymous analytics (opt-in)	European Union	Privacy Policy
Sentry	Crash reporting (opt-in)	European Union	Privacy Policy
RevenueCat	Subscription management	United States (under Standard Contractual Clauses)	Privacy Policy
Supabase	Multiplayer sessions, content delivery, question feedback	European Union	Privacy Policy
Meta Platforms, Inc.	Ad attribution (opt-in): anonymous identifier (fbAnonId), install events, server-side purchase events	United States	Privacy Policy
TikTok (ByteDance)	Ad attribution (opt-in): install events, purchase events	United States	Privacy Policy
Google (Firebase Analytics)	Ad attribution (opt-in): anonymous app instance ID, install events, server-side purchase events	United States	Privacy Policy
Apple (AdServices)	Apple Search Ads attribution (iOS only, anonymous)	United States	Privacy Policy
Apple / Google	App distribution and payments	Per their policies	Apple / Google

Each service processes only the data described above. Where data is transferred to the United States, the safeguard is described in Section 6 (International Data Transfers).

3. Data Storage and Retention

Data	Retention
Local data (profile, history, settings)	Persists until deleted in-app or via uninstall
Photos on servers	Deleted when the game session ends
Game room data (Supabase)	Auto-deleted after 4 hours
Crash reports (Sentry)	Auto-expire within 30—90 days; no self-service deletion
Analytics data (Mixpanel)	Deleted via in-app button (processing may take up to 30 days)
Question feedback (Supabase)	Retained until you request deletion via the in-app button or by contacting us
Ad attribution data (Meta, TikTok, Firebase)	Retained per each service’s data retention policy; disabling analytics stops new data collection immediately
Subscription data (RevenueCat)	Retained for contract performance and legal obligations per GDPR Article 6(1)(b); not deleted by the in-app button

4. Your Rights

Under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you have the following rights:

Right	How to Exercise
Access / Download your data	Open Exposed → Settings → Privacy → “Download My Data”
Delete your data	(1) Open Exposed → Settings → Privacy → “Delete All My Data” (2) Uninstall the app (3) Email us at epictimesapps@gmail.com
Withdraw consent	Toggle off analytics/crash reporting in Settings (this also disables ad attribution)
Data portability	PDF export via “Download My Data”
Lodge a complaint (GDPR)	Contact your local data protection authority

What “Delete All My Data” removes: All local data (profile, game history, settings, seen questions), cloud-stored question feedback (Supabase), and analytics data (Mixpanel deletion request sent).

What it does not remove: Subscription data (RevenueCat) is retained under GDPR Article 6(1)(b) as it is necessary to manage your subscription. Crash reports (Sentry) auto-expire within 30—90 days; disabling crash reporting stops new data collection immediately.

California residents (CCPA / CPRA): In addition to the rights described above, you have the right to opt out of the “sharing” of your personal information, as that term is defined under the California Privacy Rights Act (Cal. Civ. Code §1798.140(ah)), for purposes of cross-context behavioral advertising. We do not engage in cross-context behavioral advertising that uses device advertising identifiers. Anonymous app-generated identifiers (such as fbAnonId and Firebase App Instance ID) and install events shared with Meta, TikTok, and Google (Firebase) when you opt in to analytics may fall within the CPRA’s definition of “sharing”. You can opt out at any time by toggling off Analytics in Settings, which stops all new data collection to these services immediately. We do not sell personal information.

Response times: In-app actions are immediate. Email requests are responded to within 30 days (GDPR) or 45 days (CCPA).

5. Children’s Privacy

The App is not directed at children. You must be at least 17 years old to use the App, matching the App Store and Google Play age rating. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at epictimesapps@gmail.com.

6. International Data Transfers

RevenueCat, Meta, TikTok, and Google (Firebase) process data in the United States under the European Commission’s Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914), as described in each sub-processor’s publicly available Data Processing Addendum. Sentry and Mixpanel use European Union data residency, so analytics and crash data remain within the EU.

7. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy and update the “Last updated” date at the top of this page. Your continued use of the App after changes constitutes acceptance of the updated policy.

8. Contact and Data Protection

Developer: Mustafa Berkay Mutlu Email: epictimesapps@gmail.com Location: Berlin, Germany

For GDPR requests that cannot be handled in-app, we will respond within 30 days.

For data deletion steps, visit our Support page.

9. Language

This Privacy Policy is written in English. If translated, the English version prevails in the event of conflict.