Privacy Policy (Comprehensive)

Effective date: 2025-01-01

This comprehensive Privacy Policy explains how QuaesitumTech ("we", "us", "our") collects, uses, processes, and protects personal data when you use our websites, mobile applications, and games (collectively, the "Services").

Table of Contents

1. Data we collect
2. How we use data
3. Automated decision-making
4. Cookies and tracking
5. Legal bases for processing
6. Data processors
7. Data sharing and disclosure
8. Data retention
9. Security measures
10. Data breach procedures
11. International transfers
12. Your privacy rights
13. GDPR (EEA/UK) specifics
14. California privacy rights
15. Apple App Store integration
16. Children's privacy
17. Contact information
18. Policy changes

1. Data we collect

Categories and sources

• Identity & Contact data: Email address, display name, account identifiers (collected directly from you during registration)
• Device & Technical data: Device model, operating system version, app version, IP address (truncated for privacy), language settings, timezone, unique device identifiers (collected automatically)
• Usage & Behavioral data: Feature usage patterns, session duration, in-app actions, user preferences, gameplay statistics (collected automatically during service use)
• Communications data: Support messages, feedback submissions, survey responses, user-generated content (provided directly by you)
• Commercial data: Purchase receipts, transaction identifiers, subscription status, payment methods (from app store platforms)
• Diagnostic data: Crash reports, performance metrics, error logs with pseudonymized identifiers (collected automatically with appropriate consent)
• Derived/Inferred data: User segments, feature preferences, recommendations based on usage patterns (generated from analysis of other data)
• Location data: Country/region-level location from IP address (we do not collect precise geolocation without explicit consent)

2. How we use data

Primary purposes

• Service delivery: User authentication, account management, feature provision, cross-device synchronization
• Customer support: Respond to inquiries, troubleshoot technical issues, provide assistance
• Product improvement: Analyze usage patterns, conduct A/B testing, optimize performance and user experience
• Security & fraud prevention: Detect suspicious activity, prevent abuse, protect against security threats
• Communications: Send service updates, security notifications, respond to support requests
• Legal compliance: Tax reporting, regulatory compliance, responding to lawful requests
• Analytics (with consent): Understand user behavior, measure app performance, conduct research
• Marketing (with consent): Provide relevant content, measure campaign effectiveness

3. Automated decision-making and profiling

We may use automated processing for specific purposes including fraud detection, content personalization, and service optimization. We do not make solely automated decisions that produce legal effects or significantly affect you without human oversight, meaningful information about the logic involved, or your explicit consent where required by law.

You have the right to request human review of automated decisions, express your point of view, and contest such decisions where they significantly affect you.

4. Cookies and similar technologies

Types of cookies we use

• Strictly necessary cookies: Authentication, security, load balancing, fraud prevention (no consent required)
• Functional cookies: User preferences, language settings, accessibility features
• Analytics cookies: Usage statistics, performance monitoring (consent required in applicable jurisdictions)
• Marketing cookies: Attribution tracking, campaign effectiveness measurement (explicit consent required)

You can manage cookie preferences through your browser settings and our consent management platform. Disabling certain cookies may affect service functionality.

5. Legal bases for processing (GDPR)

Where applicable (e.g., EEA/UK), we rely on the following legal bases:

• Contract performance: Processing necessary to provide our services and fulfill our obligations to you
• Legitimate interests: Service improvement, security, fraud prevention, direct marketing (with opt-out option)
• Consent: Optional analytics, marketing communications, non-essential cookies
• Legal obligations: Tax reporting, regulatory compliance, law enforcement cooperation
• Vital interests: Protection of life or health in emergency situations

6. Data processors and sub-processors

We engage carefully vetted service providers who process personal data on our behalf under comprehensive data processing agreements (DPAs). All processors are required to implement appropriate technical and organizational security measures.

Processor categories

• Cloud infrastructure: Hosting, compute, storage, content delivery networks (EEA/UK, US, APAC regions)
• Communication services: Email delivery, customer support platforms, notification services
• Analytics providers: Privacy-focused analytics, crash reporting, performance monitoring (opt-in where required)
• Security services: Fraud detection, threat monitoring, vulnerability scanning
• Payment processors: Subscription management, transaction processing (via app store platforms)

A maintained list with specific vendor details is available for download: processors.txt

7. Data sharing and disclosure

We may share personal data in the following limited circumstances:

• With your consent: When you explicitly authorize sharing for specific purposes
• Service providers: With processors under contract for service delivery (see section 6)
• Legal requirements: To comply with laws, regulations, court orders, or lawful government requests
• Safety and security: To protect rights, property, safety of users, public, or our company
• Business transfers: In connection with mergers, acquisitions, or asset sales (with advance notice)
• Aggregated data: De-identified, aggregated statistics that cannot reasonably identify individuals

We do not sell personal data for monetary consideration.

8. Data retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law.

Retention schedule

• Account data: Duration of account relationship plus 30 days for account recovery
• Usage analytics: Maximum 26 months, then aggregated or deleted
• Support communications: 24 months from case closure for quality assurance
• Security logs: 6 months for fraud detection, 90 days for routine monitoring
• Marketing data: Until consent withdrawal plus 30 days for processing
• Financial/tax records: 7 years as required by applicable tax laws
• Legal hold data: Until resolution of legal matters or disputes

9. Security measures

We implement comprehensive technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.

Technical safeguards

• Encryption in transit (TLS 1.2+ for all connections)
• Encryption at rest for sensitive data
• Access controls and authentication systems
• Regular vulnerability scanning and penetration testing
• Secure software development lifecycle practices
• Network security monitoring and intrusion detection

Organizational measures

• Staff privacy and security training programs
• Background checks for personnel with data access
• Incident response and breach notification procedures
• Regular security audits and risk assessments
• Data minimization and purpose limitation practices
• Vendor security assessment and monitoring

10. Data breach notification

In the event of a personal data breach, we have established procedures to assess, contain, and respond appropriately:

• Immediate assessment of breach scope and risk level
• Notification to relevant supervisory authorities within 72 hours (where required by law)
• Direct notification to affected individuals for high-risk breaches
• Documentation and reporting of all breach incidents
• Post-incident review and security improvements

11. International data transfers

We aim to process data in the region closest to users where technically feasible. When international transfers are necessary, we implement appropriate safeguards:

Transfer mechanisms

• Adequacy decisions: Transfers to countries with European Commission adequacy decisions
• Standard Contractual Clauses (SCCs): EU-approved contractual safeguards for third-country transfers
• Supplementary measures: Additional technical and organizational protections (encryption, access controls)
• Certification schemes: Industry-standard certifications and codes of conduct
• Binding corporate rules: For transfers within multinational organizations

12. Your privacy rights

Subject to applicable law, you have the following rights regarding your personal data:

Universal rights

• Access: Request information about data processing and obtain copies of your data
• Rectification: Correct inaccurate or incomplete personal data
• Erasure: Request deletion of personal data under certain circumstances
• Restriction: Limit processing of your personal data in specific situations
• Objection: Object to processing based on legitimate interests or direct marketing
• Withdrawal: Withdraw consent at any time (where processing is based on consent)

How to exercise rights

To exercise your rights, contact us at privacy@quaesitumtech.com with:

1. Your specific request type and details
2. Account email address or identifier
3. Verification information if requested

We will respond within 30 days (extendable to 90 days for complex requests) and verify your identity before processing.

13. GDPR (EEA/UK) specifics

Additional GDPR rights

• Data portability: Receive your data in a structured, machine-readable format
• Automated decision-making: Rights regarding solely automated decisions with legal effects
• Supervisory authority complaints: Lodge complaints with your local data protection authority

Supervisory authorities

You may lodge complaints with data protection authorities in your country:

• EEA: See the European Data Protection Board member list
• UK: Information Commissioner's Office (ICO)

14. California privacy rights (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act and California Privacy Rights Act:

California rights

• Right to know: Categories and sources of personal information, business purposes, third-party sharing
• Right to delete: Request deletion of personal information (subject to legal exceptions)
• Right to correct: Request correction of inaccurate personal information
• Right to opt-out: Opt-out of "sale" or "sharing" for cross-context behavioral advertising
• Right to limit: Limit use and disclosure of sensitive personal information
• Non-discrimination: Equal service and pricing regardless of privacy choices

Note: We do not "sell" or "share" personal information as defined by California law.

15. Apple App Store integration

For services offered through Apple's App Store:

• Billing and subscription management is handled directly by Apple
• We receive transaction receipts and identifiers for entitlement verification
• We do not receive or store your complete payment card information
• Subscription management occurs through your Apple ID account settings
• Free trial conversions follow Apple's policies and timing
• Refund requests must be directed to Apple support

16. Children's privacy

Our Services are not directed to children under 13 (or the relevant age of digital consent in your jurisdiction). We do not knowingly collect personal information from children without appropriate consent.

Under GDPR, where processing is based on consent and the user is under 16 (or lower age set by member state law, but not below 13), consent must be given or authorized by the holder of parental responsibility.

If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete such information promptly.

17. Contact information

Data Controller

QuaesitumTech acts as the data controller for personal data processed through our Services.

Privacy inquiries

Email: privacy@quaesitumtech.com

Data Protection Officer

For GDPR-related matters: dpo@quaesitumtech.com

Regional representatives

• EU Representative: [To be appointed if required under GDPR Article 27]
• UK Representative: [To be appointed if required under UK GDPR Article 27]

18. Policy changes

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will:

• Post updated versions on this page with a new effective date
• Notify users of material changes via email or in-app notification
• Provide advance notice for changes requiring new consent
• Maintain previous versions for reference where legally required

Continued use of our Services after changes constitutes acceptance of the updated policy, unless additional consent is required.

---

This comprehensive policy provides detailed information about our privacy practices. For a summary version, see privacy.html. Text versions available: privacy-policy.txt and processors.txt.