Privacy Policy

Preamble & Scope

This Privacy Policy (the "Policy") is issued by devflowbytegrid.com ("devflowbytegrid", "we", "our", "us"), a software research and development studio registered in the United Kingdom, with operational offices at Warwick Software Industrial Park, Warwick, CV34, United Kingdom.

This Policy applies to all software published by devflowbytegrid on the Apple App Store, the Google Play Store, and any future distribution channel. Currently published applications include but are not limited to: Pet Health Archive, Home Cost Engine, Offline Language Memory, Wardrobe Inventory Planner, Audio Sheet Music Archive, Monthly Consumption Suite. Collectively referred to as the "Applications" or the "App".

Part I — Data Collection: Specific Granularity & Purpose

We strictly follow the minimum-necessary principle. We collect only the information listed below through compliant technical means, and only for the purposes of operating our In-App Advertising (IAA) and In-App Purchase (IAP) systems, optimising the user experience, preventing fraud, and meeting the legal requirements of every jurisdiction in which our Applications are distributed. We do not collect any personal information unrelated to the service.

1. Device Fingerprint & Identification Codes

• Apple IDFA (Identifier for Advertisers) on iOS devices — only collected after explicit ATT (App Tracking Transparency) consent;
• Google GAID / AAID (Google Advertising ID) on Android devices;
• OAID (Open Anonymous Device Identifier) for Android devices distributed in the People's Republic of China market, in compliance with the Personal Information Protection Law (PIPL);
• Device brand, model, screen resolution, operating system version, language settings, battery status;
• System clock offset — used solely to detect timezone-based cheating and cross-region price-arbitrage fraud;
• Encrypted device unique identifier (not linked to user real-world identity).

2. Network Environment Data

• IP address — used only for geographic compliance filtering to determine the user's region for the purpose of applying local regulation and service; never used for precise geolocation;
• Mobile carrier name;
• Wi-Fi connection status (connected / not connected — not the SSID);
• Network type (4G / 5G / Wi-Fi).

3. Behavioural Telemetry (IAA & UX Optimisation)

Advertising behaviour (IAA):

• Ad display ID, click timestamp, conversion path;
• Rewarded video ad watch duration and whether the user exited mid-video;
• Interstitial and open-screen ad display and dwell-time;
• Banner ad impressions and viewable time;
• Used to optimise ad delivery, prevent advertising fraud, and synchronise necessary information with third-party monetisation platforms (after desensitisation / pseudonymisation).

Application / game logic (UX):

• Core functional loop trigger counts;
• Paywall pop-up click-through rate;
• Onboarding drop-off points;
• Feature usage frequency.

Used solely to optimise product interaction, adjust feature layout and improve usability. We never collect specific content entered by users or private data.

4. Financial Transaction Data (IAP)

We receive transaction receipts exclusively through the official Apple App Store / Google Play APIs. We never touch, store, transmit or otherwise process your bank card number, CVV, payment password, card expiration date or any other sensitive payment data. All payment operations are completed by the official Apple or Google payment systems.

The records we receive include:

Part II — Third-Party Sharing Architecture (Data Mapping)

To achieve legitimate monetisation, service optimisation and anti-fraud, we share only the necessary data with the compliant third-party ecosystems listed below. The sharing process strictly follows the "minimum-necessary, encrypted in transit, fully controllable" principle. We never share any sensitive personal information. You can review each platform's privacy practices on their respective official websites.

1. Ad Mediation Layer (RTB & Fill Optimisation)

Purpose: Real-time bidding (RTB), fill-rate optimisation, waterfall monetisation. Shared data only includes desensitised device information and ad display / click data; never linked to user real-world identity.

2. Attribution & Anti-Fraud (MMP)

Purpose: Track advertising install attribution, identify fraudulent installs, prevent install-injection / click-injection / SDK-spoofing attacks, and protect advertising budgets. Shared data only includes desensitised device information and install attribution data — never personal data.

3. Payment Processors

Purpose: Process in-app purchase transactions, verify receipt validity, perform financial reconciliation. We share only order-related information (no sensitive payment data) under strict adherence to Apple and Google official data-processing rules.

• Apple Inc. — App Store StoreKit 2 + App Store Server API;
• Google LLC — Google Play Billing Library v6+ with Real-Time Developer Notifications (RTDN).

Part III — Regional & Jurisdictional Compliance

1. European Union (GDPR) & United Kingdom (UK-GDPR)

Legal basis: We process your data under one or more of the following lawful bases defined in Article 6 GDPR / UK-GDPR: (a) performance of a contract with you; (b) your explicit consent; (c) our legitimate interests (such as fraud prevention, service optimisation, security), provided these interests are not overridden by your fundamental rights.

EU / UK representative: We have appointed a statutory representative for both the EU and the UK. The representative's contact details are made available within each application's "Privacy → Representative" screen and can also be obtained by emailing privacy-eu@devflowbytegrid.com (EU) or privacy-uk@devflowbytegrid.com (UK). Response time is no more than 7 working days.

User rights (Chapter III GDPR): EU / UK users have the right to (i) access their personal data; (ii) rectify inaccurate data; (iii) erasure ("right to be forgotten"); (iv) restrict processing; (v) data portability; (vi) object to processing; (vii) withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal; (viii) lodge a complaint with the European Data Protection Board (EDPB), the UK Information Commissioner's Office (ICO), or the competent national supervisory authority.

2. United States — State-by-State Compliance

We do not sell personal information. We explicitly commit that we will not sell your personal information to any third party (including advertisers, data brokers, or affiliates). However, under California CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TIPA, Oregon OCPA, Montana MCDPA, New Jersey NJDPA, New Hampshire NHPA and similar laws, sharing device IDs and other non-sensitive information with ad-tech partners for the purpose of "cross-context behavioural advertising" may be classified as a "share" rather than a "sale". We explicitly notify users of this sharing within the in-app consent flow, and users have an absolute right to opt-out at any time.

"Do Not Track" (DNT) & Global Privacy Control (GPC): We fully respect the device-level "Limit Ad Tracking" (iOS) / "Opt out of Ads Personalisation" (Android) system settings, as well as the Global Privacy Control (GPC) browser signal. When enabled, we stop collecting behavioural-trail data, suspend use for personalised ad targeting and recommendation, and retain only the data necessary to maintain core service operation.

State-specific nuances:

3. Brazil (LGPD)

We strictly comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, LGPD). We obtain explicit user authorisation before collecting any personal information, clearly stating the purpose, scope and method of collection. Brazilian users' data is stored on servers located within Brazil and is not transferred abroad without approval from the Autoridade Nacional de Proteção de Dados (ANPD). We appoint a designated compliance officer (Encarregado) to handle Brazilian users' data requests.

4. Other Key Regions

• China (PIPL, DSL, Cross-border Data Flow Provisions): Explicit consent before collection, local storage of PRC-resident data on PRC servers, cooperation with Cyberspace Administration of China (CAC) inspections;
• India (DPDP Act): Defined data-collection boundaries, written consent, Data Protection Officer (DPO) appointment, deletion rights, MeitY approval for cross-border transfer;
• Saudi Arabia (PDPL): Local data storage on Saudi servers, oversight by National Data Management Office (NDMO);
• Canada (PIPEDA & Quebec Law 25): Compliance with Personal Information Protection and Electronic Documents Act, explicit consent, breach notification;
• Japan (APPI): Compliance with Act on the Protection of Personal Information, opt-in for sensitive data, PPC oversight;
• South Korea (PIPA): Explicit consent, local representative appointment, KISA oversight;
• Australia (Privacy Act 1988): APP compliance, OAIC oversight;
• Russia (152-FZ): Local storage, Roskomnadzod compliance;
• Switzerland (FADP): FDPIC oversight, equivalent GDPR protections;
• Other emerging markets (Mexico LFPDPPP, Argentina PDPA, Colombia Law 1581, Turkey KVKK, Israel Privacy Protection Law, Singapore PDPA, Hong Kong PDPO, Taiwan PDPA, Thailand PDPA, Indonesia PDP Law, Philippines DPA, Vietnam PDPD, Malaysia PDPA 2010, Nigeria NDPR, Kenya DPA, South Africa POPIA): local compliance review on a per-app basis, with regulatory updates incorporated within 90 days of effective date.

Part IV — Auto-Renewal Subscription Transparency

For Applications that contain auto-renewing subscriptions, we strictly follow Apple App Store and Google Play Store rules and global regional compliance requirements.

1. Information Collected

We only collect subscription-related information strictly necessary for subscription management and service delivery, including: subscription period, remaining trial time, subscription status (active / expired / paused), renewal time.

2. Transparency Commitments

• Pre-subscription: We clearly inform the user of subscription period (week / month / year), subscription price, trial period (if any), renewal rules, and cancellation method. No hidden clauses;
• Pre-renewal reminder: 24 hours before each automatic renewal, we send the user a reminder via in-app banner and / or system push notification, clearly stating the renewal amount, renewal time and direct cancellation path;
• Subscription management: Users can cancel auto-renewal at any time through the in-app "Settings → Subscription Management" screen, or via the App Store / Google Play subscription management page. After cancellation, no further charges are made. Cancellation during the trial period incurs no fees;
• Trial period: If a free trial is provided, the subscription will automatically renew and charge at the end of the trial period. Users may cancel at any time during the trial period to avoid charges. If subscription-exclusive features have been used, those features will be immediately disabled upon cancellation.

Part V — AI-Generated Content Declaration

For Applications that include AI-generated content (including but not limited to text, audio, images, interactive scenes), we strictly follow global AI compliance requirements.

• Explicit labelling: All AI-generated content is clearly marked as "AI-generated" and visually distinguished from human-authored content. This complies with the EU AI Act and US state-level AI transparency requirements;
• Content compliance: AI-generated content is subject to "AI generation + human review" dual-layer moderation. Prohibited categories include: violence, sexual / erotic content, vulgarity, disinformation, politically sensitive content, hate speech, content that infringes the intellectual property, reputation, or privacy rights of others;
• Liability demarcation: AI-generated content is provided solely as an assistive feature and does not constitute professional advice, a warranty or a guarantee. We are not liable for any loss arising from user reliance on AI-generated content. Where AI-generated content infringes third-party rights, we bear the corresponding responsibility and promptly remove the offending content;
• Data security: Data used to train our AI models is either compliance-collected or properly licensed. We do not use personal information or private user data to train AI models.

Part VI — Your Rights & How to Exercise Them

Regardless of your jurisdiction, you have the following rights with respect to your personal data:

1. Right of access — request a copy of the personal data we hold about you;
2. Right of rectification — correct inaccurate or incomplete data;
3. Right of erasure — request deletion of your personal data (subject to legal retention obligations);
4. Right to restrict processing — request that we limit how we use your data;
5. Right to data portability — receive your data in a structured, commonly used and machine-readable format;
6. Right to object — object to certain types of processing, including profiling;
7. Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal;
8. Right to lodge a complaint — with your local data protection authority.

To exercise any of these rights, please use the in-app "Settings → Privacy → Your Data Rights" screen, or email privacy@devflowbytegrid.com. We will acknowledge receipt within 7 working days and respond substantively within the time limits defined by your jurisdiction (default: 30 calendar days).

Part VII — Children's Privacy & Age

Our Applications are designed for a general audience and are not directed at children under the age of 13 (or a higher age where required by local regulation: 14 in China / South Korea, 16 in the EU under GDPR for information society services, 13 in California under COPPA / CCPA, 18 in India for certain processing under DPDP).

We do not knowingly collect personal information from children below the applicable age threshold. If we become aware that we have inadvertently collected such information, we will delete it within 7 days. Parents or guardians who believe their child has provided us with personal information may contact privacy@devflowbytegrid.com for immediate deletion.

For Applications that include IAA / IAP, age-gating is enforced at the device / store level. We additionally implement behavioural targeting exclusions for users flagged as under-age by the platform.

Part VIII — Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

Part IX — Security Measures

• Encryption in transit: TLS 1.3 minimum, HSTS preload;
• Encryption at rest: AES-256-GCM for all stored user data; keys held exclusively in iOS Secure Enclave / Android Keystore (StrongBox where available);
• Access control: Role-based access, mandatory MFA, just-in-time access provisioning;
• Penetration testing: Annual third-party penetration test, continuous internal automated security testing;
• Vulnerability disclosure: Responsible disclosure programme at security@devflowbytegrid.com with a 90-day coordinated disclosure commitment;
• Incident response: 72-hour breach notification commitment to regulators (GDPR Art. 33), user notification without undue delay where the breach is likely to result in a high risk to user rights.

Part X — International Data Transfers

Where personal data is transferred outside the user's home jurisdiction, we rely on one or more lawful transfer mechanisms:

• For EU / UK → third countries: European Commission Standard Contractual Clauses (SCCs, 2021 modules) + UK International Data Transfer Addendum + Transfer Impact Assessment (TIA);
• For China outbound: CAC Security Assessment, Standard Contract, or Certification as required by the Cross-border Data Flow Provisions;
• For India outbound: DPDP Act Section 16 governmental approval, or to jurisdictions on the central government's "negative list" exemption;
• For Brazil outbound: ANPD authorisation or standard contractual clauses;
• For US: where applicable, the EU-US Data Privacy Framework (where the recipient is certified);
• For other regions: contractual safeguards + supplementary technical measures (pseudonymisation, encryption).

Part XI — App Store Policies

1. Apple App Store

We accurately disclose all required data in App Store Connect Privacy Labels. Because device identifiers, purchase records and behavioural telemetry are linked to user profiles, we mark "Data Linked to User" accurately and never misrepresent data linkage. Privacy label content is reconciled with this Policy each release.

2. ATT Enforcement (iOS 14.5+, including iOS 18 updates)

• The requestTrackingAuthorization prompt is shown before any IDFA is read. Consent text clearly states the purpose of the request (e.g. personalised advertising);
• If the user denies, allow_tracking = false is propagated to all third-party SDKs. No covert means of recovering IDFA is used;
• The ATT prompt is shown at most once per app installation per Apple's iOS 18 enforcement. Subsequent prompts direct the user to system Settings;
• We do not fingerprint MAC address, IMEI or other device parameters as a substitute for IDFA;
• We respect iOS 18 sensitive-data access requirements (Photos, Contacts, Calendar) with per-use prompts and never default-grant.

3. Google Play (Android 14+, Android 15)

• We accurately complete the Google Play Data Safety form, declaring HTTPS encryption in transit and AES-256 at rest;
• All integrated SDKs support the latest Android Privacy Sandbox APIs. Outdated SDKs are removed;
• The integrated SDK manifest is published on the Google Play Console. SDK data-collection behaviour is audited each release;
• We support Android 15's Private Space feature, the OTP-hiding API, and the screen-share notification requirement;
• App supports 64-bit architecture and excludes 32-bit-only releases.

Part XII — DSA & Algorithmic Transparency

Where our Applications are made available in the European Union and constitute a Very Large Online Platform (VLOP) or Very Large Online Search Engine (VLOSE) under DSA Articles 33 / 34, we comply with the enhanced transparency, risk assessment, and independent audit obligations.

For Applications that include a recommender system: we publish a non-technical explanation of the main parameters used and the reasons for the parameter's importance. Users are provided with at least one non-profiling option. We publish an annual transparency report and accept oversight by the relevant Digital Services Coordinator.

Part XIII — Ad Type Inventory & Controls

Across our Applications, the following ad types may be displayed via the mediation stack listed in Part II. All are subject to ATT consent (iOS) and equivalent platform-level opt-outs (Android).

Part XIV — Changes to this Policy & Contact

We review this Policy at least every six months and on the occurrence of any material change in our processing activities. Material changes will be communicated via in-app banner (at least 30 days in advance where the change expands our processing scope) and via the version history link in the in-app "Settings → Privacy" screen.

For any question, request, complaint or report concerning this Policy or our processing of your personal data, please contact:

• Email: privacy@devflowbytegrid.com
• EU representative: privacy-eu@devflowbytegrid.com
• UK representative: privacy-uk@devflowbytegrid.com
• Postal address: Data Protection Officer, devflowbytegrid.com, Warwick Software Industrial Park, Warwick, CV34, United Kingdom
• App store opt-out: In-app "Settings → Privacy → Consent" at any time