Privacy Policy

VACOZ (“we”, “us”, “our”) acts as the controller for applications and related services released worldwide. This global privacy notice describes what personal data we collect, the reasons we process it, and the safeguards we apply.

• Applies to mobile games, the official website, community and customer support channels, and marketing campaigns.
• Supplements marketplace disclosures (Google Play, App Store) and any agreements you accept when you play our games.
• Should be read together with the regional addenda below for location-specific rights and requirements.

We collect information directly from you, automatically through the application, and from service providers who help us operate the game.

• Account and contact data: email address, display name, age range, social login identifiers (Google or Apple), and guardian consent records where required.
• Device and technical data: operating system, device model, language, country/region, mobile network, advertising identifier, installation source, crash logs, and diagnostic information.
• Usage data: gameplay events, session duration, achievements, in-app purchases, reward redemption, communication preferences, and support history.
• Location data: approximate city/country derived from IP address or device location when you grant permission.
• Support content: messages, screenshots, or attachments you provide to our customer support team.

We process personal data for the following purposes and only when we have a lawful basis to do so:

• To keep services running smoothly: we provide and operate core features such as account creation and maintenance, matchmaking, cloud saves, leaderboards, and payment verification.
• To make the experience more fun and fair: we personalize your play experience by appropriately adjusting in-game economy, difficulty, and recommendations.
• To maintain a safe and clean play environment: we perform performance analysis, bug fixes, anti-cheat and fraud prevention, and infrastructure security enhancements.
• To provide help and updates: we offer customer support, process purchases and rewards, and provide consent-based marketing and promotional communications.
• To comply with the law: we fulfill legal obligations such as taxation, accounting, and regulatory reporting, and respond to lawful requests from public authorities.

We keep personal data only for as long as it is necessary for the purposes described above or to meet legal requirements. After that, we delete or anonymise it.

• Gameplay and account records: retained while your account remains active and for up to 24 months after your last activity to support reactivation and dispute handling.
• Purchase and payment data: retained for 5 years (or longer where law requires) for accounting, taxation, and consumer-protection obligations.
• Crash diagnostics and analytics: retained for up to 24 months, and deleted sooner if you exercise your rights to erasure.
• Security or fraud logs: kept as long as reasonably necessary to investigate and prevent abuse.

We rely on vetted processors to deliver analytics, advertising, crash diagnostics, and platform services. Each partner processes your data under contractual obligations that require confidentiality, security, and compliance with applicable laws.

User data may be processed in countries where partner infrastructure is located, including the Republic of Korea, the European Union, the United States, Japan, and others.

For regions with cross-border transfer regulations such as the EU and UK, we apply internationally recognized safeguards (e.g., Standard Contractual Clauses, SCC) that meet the standards of global businesses such as Google and Unity.

If you need detailed information regarding cross-border transfers, please contact us via the email address below.

User personal information is encrypted when stored, and external partners (Google, Unity, etc.) including advertising and analytics data follow each company's international standard security policies.

Depending on your jurisdiction, you may exercise the following rights: access (including copies), correction, deletion, restriction or suspension of processing, objection to processing, data portability, and withdrawal of consent. Some regions, including California, grant additional rights such as opt-out of sale or sharing, limitation of sensitive information use, and non-discrimination. For children's accounts (Korea: under 14 / US: under 13), legal guardians may exercise the same rights on their behalf.

How to Exercise Your Rights

Submit your request via the email address below. We may require account login and email verification for identity confirmation. Authorized agent requests may require a power of attorney and identity verification documents.

Response Timeframes

EU/UK: 1 month (with notification if extended to 2 months), California: 45 days (with reason if extended), other regions: within a reasonable period (typically 30 days) for initial response.

Consent and Ad Personalization

EEA/UK regions can reset or withdraw consent through the consent management banner (UMP), and only non-personalized ads will be shown after withdrawal. Advertising identifiers can be reset or personalized restrictions activated in OS settings, and personalized ads can be disabled in AdMob/Unity Ads SDK consent screens.

Exceptions

Data required by law (accounting, dispute resolution, security logs) may be retained for the applicable period even after deletion requests. Repetitive or excessive requests may be limited or subject to fees within legally permitted scope.

If you suspect your rights have been infringed, you may file a complaint with the relevant supervisory authority (Korea: KISA, EU/UK supervisory authorities, California: CPPA, etc.).

We do not use automated decision-making that produces legal or similarly significant effects. We only use analytics to understand aggregate trends and to improve balancing, anti-cheat systems, and service quality.

If you have questions about this policy or wish to exercise your privacy rights, please contact us.

We update this notice when we launch new features, integrate new SDKs, or when laws change. Significant updates will be announced in-app or on our official website at least 7 days in advance, and earlier where required by law.

This section supplements the global notice to satisfy the Personal Information Protection Act (PIPA) of the Republic of Korea.

• Controller: VACOZ (Representative: Doyeop Lee). Please contact us for inquiries.
• Purposes and retention: gameplay/account data (until account deletion plus 1 year); payment and settlement data (5 years); dispute records (3 years); customer service records (3 years).
• Third-party sharing: Google Play Services, Google LLC; Google Asia Pacific Pte. Ltd.; Unity Technologies SF. Data is transferred overseas under SCCs and stored in secure data centres.
• Children under 14: we obtain consent from a legal guardian before collecting personal data. If consent is not provided, access may be limited to non-personalised features.
• Personal information manager (DPO): Doyeop Lee. Please contact us for inquiries.

We provide additional disclosures for U.S. residents, especially under the California Consumer Privacy Act (CCPA/CPRA) and the Children's Online Privacy Protection Act (COPPA).

• We do not store or use personal information of children under 13 without separate parental consent, and delete it immediately upon discovery (COPPA compliance).
• Personalized advertising (profiling) is not provided to users under 13.
• This app does not "sell" user personal information. Users in the United States (including California) may exercise rights including access, correction, deletion, portability, and opt-out (Do Not Sell or Share My Personal Information).

EU, UK, Switzerland and other GDPR-applicable regions follow this policy.

• Advertising identifiers and personalized advertising can be directly set to consent/deny/non-personalized ads through in-game consent banners (UMP).
• As a data subject, you may exercise GDPR rights including access, rectification, deletion, restriction/objection to processing, and withdrawal of consent (Subject Access Rights).
• International transfers are conducted with safeguards such as Standard Contractual Clauses (SCC), and relevant documents can be provided upon request.
• Complaints and rights exercise can be submitted via email or to the relevant regional data protection supervisory authority.

We comply with Japan (APPI) and other major privacy protection laws.

• If you need detailed information regarding local legal requirements such as additional explanations, clarification of purposes of use, retention periods, or rights exercise, please contact us via the email address below.
• If there are no platform integrations or social login features (such as login/community), joint processing and third-party provision items do not need to be separately disclosed.
• Overseas transfers: protective measures are implemented in accordance with contracts with overseas service providers such as Google, Apple, and Unity.

We comply with Taiwan (PDPA) and other major privacy protection laws.

• If you need detailed information regarding local legal requirements such as additional explanations, clarification of purposes of use, retention periods, or rights exercise, please contact us via the email address below.
• If there are no platform integrations or social login features (such as login/community), joint processing and third-party provision items do not need to be separately disclosed.
• Overseas transfers: protective measures are implemented in accordance with contracts with overseas service providers such as Google, Apple, and Unity.

We comply with Hong Kong (PDPO) and other major privacy protection laws.

• If you need detailed information regarding local legal requirements such as additional explanations, clarification of purposes of use, retention periods, or rights exercise, please contact us via the email address below.
• If there are no platform integrations or social login features (such as login/community), joint processing and third-party provision items do not need to be separately disclosed.
• Overseas transfers: protective measures are implemented in accordance with contracts with overseas service providers such as Google, Apple, and Unity.