Privacy Policy

1. App Store & Google Play Privacy Categorization

To assist with platform transparency requirements, we disclose our data practices as follows:

• Identifiers (Device ID, User ID): Linked to User: Yes. Used to Track: No. Purpose: App Functionality, Cloud Save synchronization.
• Contact Info (Email): Linked to User: Yes. Used to Track: No. Purpose: Account Functionality (Sign in with Apple, Google Sign-In). May be an Apple Hide My Email relay address.
• Purchases (Purchase History): Linked to User: Yes. Used to Track: No. Purpose: App Functionality, verifying content entitlements. Our Games include random-item purchases (loot boxes) with clearly disclosed odds; see §3.
• Usage Data (Product Interactions): Linked to User: No (pseudonymized and aggregated). Used to Track: No. Purpose: Analytics, service improvement.
• Gameplay History: Linked to User: Yes. Used to Track: No. Purpose: App Functionality. We collect and store records of significant gameplay events (first championship wins, rare card acquisitions, achievement milestones, account anniversaries) to support features such as personal timelines, recaps, and similar account-history experiences. This data is tied to your Redwood Arcade Account.
• Diagnostics (Crash Logs, Performance Data): Linked to User: Yes (crash reports may be associated with a Redwood Arcade Account identifier for troubleshooting). Used to Track: No. Purpose: App Functionality, identifying technical bugs.
• User Content (Names and Text You Submit): Linked to User: Yes. Used to Track: No. Purpose: App Functionality, Product Personalization. Names and other text you submit are stored in your Redwood Arcade Account.

2. Data We Do Not Collect

We explicitly do not collect: real names (unless voluntarily provided), uploaded photos or images, physical addresses or phone numbers, payment information (handled exclusively by Apple/Google), precise location data (GPS), camera or microphone access, contacts, biometric, health, or fitness data, or browsing history outside of our Games.

3. Loot Box Transparency

Our Games include loot boxes (random-item purchases) such as Booster Packs and Promo Packs. Drop rates and odds for each rarity tier (Common, Uncommon, Rare, Epic, Legendary, Mythic) are displayed in-app before purchase, near the purchase button. This complies with UK CAP, Apple App Store, and Google Play Store transparency requirements. App Store and Google Play listings disclose "contains random-item purchases."

Specific mechanics, including any duplicate handling and pity timer systems, are detailed in each game's Help section. Players can review odds at any time before making a purchase decision.

4. Third-Party Service Providers

We transfer specific data to third-party service providers to facilitate core game functions. Each provider processes data strictly on our behalf under written agreements that prohibit use of the data for their own purposes.

• Platform Providers: We work with platform providers for authentication, cloud saves, and purchase processing. Currently this includes Apple (iCloud / App Store / Sign in with Apple) and Google (Google Play Games / Store / Google Sign-In). When we launch on additional platforms in the future, additional platform providers and their respective services will be disclosed through updates to this Privacy Policy.
• Backend Infrastructure: Account data, save state, and entitlements are stored on managed backend infrastructure (Firebase and/or Supabase) hosted in the United States and Canada. Data is encrypted in transit (TLS) and at rest.
• Sentry (Error Tracking): We use Sentry to capture crash reports and runtime errors so we can fix bugs. Sentry receives device model, OS version, app version, your Redwood Arcade Account identifier (for troubleshooting), and stack traces. Sentry does not receive your email address or purchase data. See sentry.io/privacy.

5. Children's Privacy (COPPA)

The Games are not directed at children under 13 (Rated 12+/Teen). We do not knowingly collect data from children under 13. If we discover data from a user under 13, it will be deleted within 7 days. Parents may contact privacy@redwoodarcade.ca for verified deletion requests.

6. Lawful Basis for Processing (GDPR)

We process personal data on the following lawful bases under GDPR Article 6. Where we rely on legitimate interests, we have conducted a balancing assessment and concluded that our interests do not override your fundamental rights.

7. Your Privacy Rights

Subject to applicable law and verification of identity, you have the following rights. We respond to verifiable rights requests within 30 days (with one 30-day extension where permitted by law). To exercise any right, email privacy@redwoodarcade.ca.

• Right of access: You may request a copy of the personal data we hold about you.
• Right to correction: You may request that inaccurate or incomplete data be corrected. For most account data, you can correct directly via in-app settings.
• Right to deletion: You may request deletion of your personal data, subject to retention exceptions described in §11.
• Right to portability: You may request your data in a structured, commonly used, machine-readable format.
• Right to withdraw consent: Where we rely on consent (such as marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to object to processing: You may object to processing based on legitimate interests.
• Right to restrict processing: You may request that we limit how we process your data in certain circumstances.
• Right to non-discrimination: We will not deny services, charge different prices, or provide a different level of quality because you exercised your rights.
• Right to appeal: If we deny a rights request, you may appeal the decision by replying to our response. We will review the appeal and respond within 30 days.
• Right to lodge a complaint: You may lodge a complaint with your local supervisory authority (EU/UK), the Office of the Privacy Commissioner of Canada (PIPEDA), the Commission d'accès à l'information du Québec (Quebec Law 25), or the California Attorney General (CCPA/CPRA). We encourage you to contact us first so we can attempt to resolve your concern directly.

8. Region-Specific Rights

8.1 California (CCPA / CPRA)

California Notice at Collection. The categories of personal information we collect are: identifiers, contact information, commercial information (purchase history), internet and electronic network activity (in-app usage), user-generated content (names and text you submit), and inferences (gameplay-based personalization signals). Purposes are described in §1, §4, and §6. We do not sell or share personal information as defined under the CCPA. Retention is described in §11.

Categories of sources: directly from you (account creation, support tickets), automatically from your device (app usage, diagnostics), from platform providers (authentication, purchases), and from other players (reports of your content).

Categories of third parties to whom we disclose: platform providers (Apple, Google), cloud and backend infrastructure providers, error tracking providers, customer support contractors, and content moderation contractors. Each is contractually a service provider and processes data only on our behalf.

Right to Limit Use of Sensitive Personal Information: We do not collect Sensitive Personal Information as defined by CPRA, beyond account credentials processed strictly for authentication. If this changes, we will provide a "Limit the Use of Sensitive Personal Information" mechanism.

Authorized agents: California residents may authorize an agent to make verifiable consumer requests on their behalf. To do so, the agent must provide signed written permission and we may require you to verify your identity directly.

Do Not Track signals: Our Games are native mobile applications that do not respond to browser-based Do Not Track signals because they do not apply. Our website (redwoodarcade.ca) does not engage in cross-context behavioural advertising and does not act on or honour DNT signals as a matter of routine operations.

8.2 European Union, EEA, and United Kingdom (GDPR / UK GDPR)

We rely on the lawful bases described in §6. International transfers are described in §9. You may request a copy of applicable transfer safeguards by emailing privacy@redwoodarcade.ca.

Where applicable, we appoint an EU representative under GDPR Article 27. Our EU representative details will be published here once appointed.

Automated decision-making is described in §13.

8.3 Canada (PIPEDA) and Provinces

We comply with PIPEDA's 10 Fair Information Principles. We have designated a Privacy Officer (James Cumpson, privacy@redwoodarcade.ca) responsible for compliance with this Policy and Canadian privacy law.

Alberta PIPA and BC PIPA: Residents of Alberta and British Columbia have the same rights as PIPEDA, plus provincial breach reporting where applicable (see §14).

8.4 Quebec (Law 25)

The Person in Charge of Personal Information at Redwood Arcade Ltd. is James Cumpson, reachable at privacy@redwoodarcade.ca.

Quebec residents have additional rights under Law 25, including:

• Right to data portability: Receive personal data in a structured technological format.
• Right to be informed of automated decision-making: See §13.
• Right to de-indexation: Request the cessation of dissemination or de-indexation of personal information that causes serious injury, where the conditions for de-indexation under Law 25 are met. To make a de-indexation request, email privacy@redwoodarcade.ca with a description of the content and the basis for your request.
• Right to be informed of cross-border transfers and applicable safeguards (see §9).

You may also lodge a complaint with the Commission d'accès à l'information du Québec.

8.5 Other Jurisdictions

We acknowledge consumer privacy rights under additional US state laws (including Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana CDPA, Tennessee TIPA, Iowa CDPA, Indiana CDPA, Delaware PDPA, New Hampshire, New Jersey, Maryland, Minnesota, Kentucky, and Rhode Island), Australia Privacy Act, Japan APPI, and Brazil LGPD. These rights generally include access, correction, deletion, portability, opt-out of targeted advertising or profiling, and appeal of denied requests. Email privacy@redwoodarcade.ca to exercise any applicable right.

We do not engage in targeted advertising or profiling that produces legal or similarly significant effects.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. Primary processing locations: United States and Canada. Sentry processing may occur on US-based servers. Apple and Google services may transfer data internationally as part of cloud save and IAP infrastructure.

• EU/UK users: We rely on Standard Contractual Clauses (SCCs) or adequacy decisions as the legal basis for international transfers. Copies of the applicable SCCs are available on request to privacy@redwoodarcade.ca.
• Canadian users (including Quebec residents): All transfers are handled with appropriate safeguards under PIPEDA and Quebec Law 25, including contractual protections requiring equivalent data protection standards.
• Brazilian users: Compliance with LGPD requirements regarding international data transfers.
• All users: We require third-party service providers to maintain equivalent data protection standards through written agreements.

10. Cookies and Tracking Technologies

• Device Identifiers: We use IDFV (iOS Identifier for Vendor) and AAID (Android Advertising ID). These are used solely for account linkage, fraud prevention, and crash diagnostics. We do not use them for cross-app advertising tracking, profiling, or any cross-context behavioural advertising. We do not request App Tracking Transparency permission.
• Local Storage: We use AsyncStorage on your device to store local settings (e.g., audio mute status).
• No Web Cookies: As native mobile apps, we do not use traditional browser cookies. Our website (redwoodarcade.ca) uses minimal essential cookies for site functionality only.

11. Data Retention

Where retention periods are not specifically listed below, we retain data only for as long as necessary to fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

• Account Data: Deleted within 30 days of a deletion request.
• IAP Records: 7 years (Canadian tax compliance).
• Crash Reports: 90 days.
• Analytics Data: Retained in pseudonymized and aggregated form for service improvement and historical analysis.
• Support Tickets: 24 months from ticket closure; see §12.
• Moderation Records: 24 months from moderation event; see §13.
• Suspended Account Records: Retained for as long as required to enforce suspension terms; see §15.
• Server logs (status page and website): 30 days.

Exceptions: Some records may be retained longer than the periods above where required for legal compliance, safety records, ongoing disputes, or fraud prevention. Such exceptions are referenced in the specific sections below.

12. Customer Support Data

When you contact Redwood Arcade for support (via email, in-app support, or any other channel), we collect and retain:

• Your message contents, attachments, and metadata (subject line, send time);
• Your contact email address (which may be an Apple Hide My Email relay);
• Your Redwood Arcade Account identifier, where you have provided it, to link the ticket to your account;
• Diagnostic information you voluntarily provide (device model, OS version, in-game screenshots).

Retention: Support tickets are retained for 24 months from the date the ticket is closed, after which they are deleted or anonymized. Tickets that document refund decisions, abuse reports, or legal/safety matters may be retained longer where required for record-keeping, dispute resolution, or legal compliance.

Access: Support tickets are accessible to Redwood Arcade Ltd. staff and to authorized contractors engaged to provide customer support services. Contractor access is governed by role-based access controls and is limited to data necessary to perform support functions. Contractors are bound by written confidentiality and data-protection obligations consistent with this Policy.

Deletion request: You may request deletion of your support ticket history at any time by emailing privacy@redwoodarcade.ca. Tickets associated with unresolved disputes, suspected fraud, or legal/regulatory holds may be retained until those matters conclude.

13. Content Moderation and Automated Decision-Making

User-submitted content in our Games — including any names or other text you submit — is subject to moderation:

• Automated screening: Content is screened by automated filters at submission and may be blocked before reaching other systems. These are automated decisions within the meaning of GDPR Article 22 and Quebec Law 25.
• Logic and consequences: Our automated filters detect content that violates our community guidelines (such as content depicting violence, sexual content, hateful content, or content depicting real persons without authorization). Content that violates these guidelines may be blocked at submission or removed.
• Human review: Content blocked or removed by automated systems may be reviewed by Redwood Arcade Ltd. staff or authorized contractors in response to user reports, automated flags, or routine audits. Reviewers see the content, your Redwood Arcade Account identifier, and any associated metadata. Contractors are bound by written confidentiality and data-protection obligations consistent with this Policy.
• Account-affecting actions: Decisions that suspend or terminate an account are not made solely by automated systems. A human reviewer evaluates the underlying evidence before any account suspension or termination is applied.
• Your rights: You may (a) submit observations about an automated decision affecting you, (b) request human review, and (c) appeal by emailing privacy@redwoodarcade.ca. We will review appeals and respond as soon as reasonably practical, generally within 14 days. We may take longer for complex cases or where required by legal or safety considerations.
• Reports: Players may report content via in-app report flows. Reports are stored with the reporting account identifier and the reported content; the identity of reporters is not disclosed to the subject of the report. Personal data about you may be collected indirectly when other players submit reports involving your content; such reports are processed under our legitimate interest in protecting users and the service.
• Notification: You will be notified in-app or by email when your content is actioned, with a brief reason and a link to appeal.

Moderation data (reports, decisions, reviewer notes) is retained for 24 months from the moderation event, except where retained longer for safety, legal, or appeals purposes.

14. Security and Breach Notification

We implement reasonable security arrangements appropriate to the sensitivity of the personal data we hold, including:

• Encryption of data in transit (TLS) and at rest;
• Role-based access controls limiting access to authorized personnel and contractors;
• Written data protection agreements with all service providers and contractors;
• Regular review of security practices and vendor relationships;
• Logging and monitoring of access to support and moderation data.

No security measures are perfect. In the event of a security incident that affects personal data, we will:

• Investigate the incident promptly;
• Notify affected individuals where required by applicable law (including PIPEDA, Quebec Law 25, Alberta PIPA, GDPR Article 33-34, and applicable US state laws), within the timelines those laws require;
• Notify applicable regulatory authorities where required (including the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Alberta Information and Privacy Commissioner, and EU supervisory authorities), within the timelines those laws require;
• Take reasonable steps to mitigate harm and prevent recurrence;
• Document the incident and our response.

To report a suspected security issue, email security@redwoodarcade.ca.

15. Account Suspension and Enforcement

Where your Redwood Arcade Account is suspended (temporary loss of access pending review) or terminated (permanent loss of access), the following data handling applies:

• During suspension: Your account data is retained in full. You may continue to exercise privacy rights (access, deletion) during the suspension period.
• After termination: Account data follows the deletion schedule in §17 (Account Deletion Process). Some data may be retained where required for safety records, legal compliance, or enforcement against the suspended account (for example, to prevent the same account-holder from circumventing a permanent ban).
• Appeals: You may appeal a suspension or termination by emailing support@redwoodarcade.ca. Appeal communications are stored as support tickets per §12.

16. Service Status and Communications

Redwood Arcade Ltd. operates a public service status page (URL to be published in-app and at redwoodarcade.ca) to communicate planned maintenance, ongoing incidents, and post-incident summaries. The status page does not require an account. Server logs (IP address, user agent, timestamp) are retained for 30 days for security and abuse-prevention purposes.

Critical security or privacy notices may also be delivered in-app, by email to the address associated with your Redwood Arcade Account, or through both channels.

17. Account Deletion Process

• Method: In-app "Delete Account" button or email to privacy@redwoodarcade.ca. Web-based deletion request methods will be published at redwoodarcade.ca.
• Timeline: Deactivation is immediate; full deletion within 30 days.
• Effect: Account data and progress are permanently erased.
• Exceptions: Certain records are retained beyond deletion: IAP records for tax compliance (§11), support tickets associated with unresolved disputes (§12), moderation records associated with safety matters (§13), and records required to enforce suspensions or comply with legal obligations.

This cannot be undone.

18. Authentication and the Redwood Arcade Account

Sign-in to our Games uses Sign in with Apple and Google Sign-In.

• Sign in with Apple: We support Apple's "Hide My Email" relay. When used, we communicate via Apple's relay address and do not receive or store your real email.
• Google Sign-In: We receive a Google account identifier and your email address. We do not receive your Google password or your full Google profile.
• Redwood Arcade Account: A single Redwood Arcade Account is designed to support your progress and entitlements across Redwood Arcade games as they launch. Sign in with the same Apple ID or Google account in any of our Games to maintain a unified account. You can unlink or delete the account at any time via in-app settings.

19. Networked Features (Future)

If we launch networked or multiplayer features in the future where your content may become visible to other players, we will update this Privacy Policy to describe what data becomes visible, what controls and opt-outs are available, and any additional consents required. We will provide notice of such changes per §20.

20. Changes to This Policy

When we make material changes to this Policy, we will:

• Update the "Last Updated" date at the top of this Policy;
• Increment the version number;
• Notify you through in-app announcements, email to the address associated with your Redwood Arcade Account, or both, where the change is material;
• Where required by law, obtain renewed consent before the change takes effect.

Non-material changes (formatting, clarifications, contact information updates) may be made without notice.

21. Contact Information

• Privacy Officer / Person in Charge of Personal Information: James Cumpson, privacy@redwoodarcade.ca
• General Support and Account Issues: support@redwoodarcade.ca
• Legal Matters, IP Concerns, and DMCA Notices: legal@redwoodarcade.ca
• Security Issues: security@redwoodarcade.ca

Response Time: We aim to respond to general inquiries within 5 business days. We respond to verifiable privacy rights requests within 30 days, with one 30-day extension where permitted by law.

Business: Redwood Arcade Ltd., a Canadian federal corporation, registered in Ontario, Canada. Registered address: 1338 Wellington Street West, Unit 10, Ottawa, ON K1Y 3B7.