Privacy Policy

Last updated: June 3, 2026

We operate the Exposed mobile application (the “App”). This Privacy Policy explains how we collect, use, and protect your information when you use the App.


1. Data We Collect

1.1 On Your Device (Local Only)

The following data is stored only on your device and never transmitted to our servers:

No email address, phone number, or real name is required to use the App.

The following data is collected only when you opt in to analytics (GDPR Article 6(1)(a)):

Your Support ID — a random anonymous identifier generated at first launch — is attached to these services only when you opt in, so we can correlate support requests with anonymous data.

1.3 Subscription Data

1.4 Multiplayer and Photo Data

No account is required. Sessions are anonymous and temporary.

1.5 Search Ads Attribution (iOS only)

We do not use any third-party advertising SDKs and do not share data with advertising networks for tracking. The App does not track you across other companies’ apps or websites. No device advertising identifiers are collected on either platform.

1.6 Question Feedback


2. Third-Party Sub-Processors

Service Purpose Data Region Privacy Policy
Mixpanel Anonymous analytics (opt-in) European Union Privacy Policy
Sentry Crash reporting (opt-in) European Union Privacy Policy
RevenueCat Subscription management United States (under Standard Contractual Clauses) Privacy Policy
Supabase Multiplayer sessions, content delivery, question feedback European Union Privacy Policy
Apple (AdServices) Apple Search Ads attribution (iOS only, anonymous) United States Privacy Policy
Apple / Google App distribution and payments Per their policies Apple / Google

Each service processes only the data described above. Where data is transferred to the United States, the safeguard is described in Section 6 (International Data Transfers).


3. Data Storage and Retention

Data Retention
Local data (profile, history, settings) Persists until deleted in-app or via uninstall
Photos on servers Deleted when the game session ends
Game room data (Supabase) Auto-deleted after 4 hours
Crash reports (Sentry) Auto-expire within 30—90 days; no self-service deletion
Analytics data (Mixpanel) Deleted via in-app button (processing may take up to 30 days)
Question feedback (Supabase) Retained until you request deletion via the in-app button or by contacting us
Subscription data (RevenueCat) Retained for contract performance and legal obligations per GDPR Article 6(1)(b); not deleted by the in-app button

4. Your Rights

Under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you have the following rights:

Right How to Exercise
Access / Download your data Open Exposed → Settings → Privacy → “Download My Data”
Delete your data (1) Open Exposed → Settings → Privacy → “Delete All My Data” (2) Uninstall the app (3) Email us at epictimesapps@gmail.com
Withdraw consent Toggle off analytics/crash reporting in Settings (this also disables ad attribution)
Data portability PDF export via “Download My Data”
Lodge a complaint (GDPR) Contact your local data protection authority

What “Delete All My Data” removes: All local data (profile, game history, settings, seen questions), cloud-stored question feedback (Supabase), and analytics data (Mixpanel deletion request sent).

What it does not remove: Subscription data (RevenueCat) is retained under GDPR Article 6(1)(b) as it is necessary to manage your subscription. Crash reports (Sentry) auto-expire within 30—90 days; disabling crash reporting stops new data collection immediately.

California residents (CCPA / CPRA): In addition to the rights described above, you have the right to opt out of the “sharing” of your personal information, as that term is defined under the California Privacy Rights Act (Cal. Civ. Code §1798.140(ah)), for purposes of cross-context behavioral advertising. We do not engage in cross-context behavioral advertising, do not use device advertising identifiers, and do not share your personal information with any third-party advertising network. We do not sell personal information.

Response times: In-app actions are immediate. Email requests are responded to within 30 days (GDPR) or 45 days (CCPA).


5. Children’s Privacy

The App is not directed at children. You must be at least 17 years old to use the App, matching the App Store and Google Play age rating. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at epictimesapps@gmail.com.


6. International Data Transfers

RevenueCat processes data in the United States under the European Commission’s Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914), as described in its publicly available Data Processing Addendum. Sentry and Mixpanel use European Union data residency, so analytics and crash data remain within the EU.


7. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy and update the “Last updated” date at the top of this page. Your continued use of the App after changes constitutes acceptance of the updated policy.


8. Contact and Data Protection

Developer: Mustafa Berkay Mutlu Email: epictimesapps@gmail.com Location: Berlin, Germany

For GDPR requests that cannot be handled in-app, we will respond within 30 days.

For data deletion steps, visit our Support page.


9. Language

This Privacy Policy is written in English. If translated, the English version prevails in the event of conflict.