Privacy Policy
1. Overview
This Privacy Policy ("Policy") explains how Vroxa ("Application", "we", "us") collects, uses, shares, and protects your personal data when you use the Application. By using the Application, you agree to this Policy.
2. Data Controller
Vroxa Games (legal entity in formation; currently operated under Engin Gülgör).
Contact: privacy@vroxa.app
3. Personal Data We Collect
3.1 Collected automatically
- Account data: Anonymous player ID (UUID) for guest accounts. For social sign-in: email and display name from Apple/Google.
- Game progress: Completed levels, stars earned, in-game currency balances, achievements.
- Device data: Device model, OS version, application version, language, country code, IP address (used for approximate region detection).
- Usage data: App opens, session length, levels played, in-game events (e.g., level start/complete, purchase).
- Ads and purchases: Ad view events, in-app purchase records (verified via Apple/Google).
3.2 Data you provide
- Support requests: email and message content.
- Optional social sign-in: Apple/Google account information.
- Push notification permission: device push token.
4. How We Use Your Data
- To provide the game service, save your progress, and sync across devices.
- To verify in-app purchases and prevent fraud.
- To generate leaderboards (display name and score only; email is never shown).
- For debugging, performance monitoring, and improving the user experience.
- To send optional push notifications for daily quests and events.
- To detect cheating, automation, and abuse.
- To comply with legal obligations.
5. Legal Basis
Processing is based on:
- Performance of a contract (providing the game service)
- Legal obligation (financial regulations, lawful authority requests)
- Legitimate interest (security, fraud prevention, service improvement)
- Your explicit consent (marketing push notifications)
For users in Türkiye, processing is conducted in accordance with Turkish Personal Data Protection Law No. 6698 ("KVKK") — see KVKK Aydınlatma Metni (Turkish only).
6. Data Retention
| Data type | Retention period |
|---|---|
| Account and progress data | Until account is deleted or 24 months of inactivity |
| Analytics / event data | 24 months (then anonymized or deleted) |
| Error logs | 90 days |
| Purchase records | 10 years (financial regulation) |
| Session IP address | 30 days |
7. Sharing with Third Parties
We share personal data only in these limited cases:
- Apple App Store / Google Play: For social sign-in and in-app purchase verification.
- Apple Push Notification Service / Firebase Cloud Messaging: For push notifications (device token only).
- Lawful authorities: When required by legal obligation upon written request from authorized public bodies.
We do not sell your personal data to third parties for marketing purposes.
8. Data Storage Location and International Transfer
Primary data storage is on our servers located in Türkiye (data residency). Data required for Apple/Google social sign-in and push notifications may be processed on the relevant providers' servers (e.g., US, EU). Such transfers are governed by those providers' compliance frameworks.
9. Children's Privacy
The Application is intended for users aged 13 and above. We do not knowingly collect personal data from children under 13. If we discover that we have collected such data, we will take steps to delete it promptly.
10. Security Measures
- All traffic is encrypted with HTTPS/TLS 1.3.
- Passwords are hashed with bcrypt; never stored in plain text.
- Admin interface access is protected by two-factor authentication (2FA/TOTP).
- Database backups are performed daily.
- Audit logs are maintained and unauthorized access attempts are monitored.
11. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion of your data
- Object to or restrict processing
- Receive a copy of your data in a portable format
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your data protection authority
For Türkiye-based users, the rights under KVKK Article 11 apply (see KVKK Notice). Submit requests to privacy@vroxa.app. You can also permanently delete your account from Settings > Delete My Account inside the Application.
12. Cookies
The mobile Application does not use browser cookies. Our website (vroxa.app) uses only essential session cookies; no analytics or advertising third-party cookies are used.
13. Changes to This Policy
We may update this Policy. Material changes will be announced through in-app notifications and/or on our website. The "Effective" date reflects the most recent update.
14. Contact
For questions about this Policy or your personal data: privacy@vroxa.app