Privacy Policy

1. Preamble & Operating Principles

This Privacy Policy (the “Policy”) is issued by arkdevbitrealm (“we”, “our”, “us”), a United Kingdom mobile-research and development studio headquartered at St John’s Innovation Centre, Cambridge CB4 0WS, United Kingdom. It applies to every mobile application, website, SDK, and service that we publish under the arkdevbitrealm name, including but not limited to Pet Health Archive, Home Renovation Engine, Language Memory, Wardrobe Planner, Sheet Music Archive, Monthly Finance Suite, and any successor or ancillary application (collectively, the “Services”).

This document is the 2026 Global Compliance Edition. It supersedes all prior versions. In addition to this Policy, every Service links to it from (a) the App Store / Google Play description page, (b) the in-app first-launch screen, and (c) the in-app Settings » About menu, as required by the European Digital Services Act (DSA), the Apple App Store Review Guidelines, and the Google Play Store data-safety requirements.

We operate on a single, structural commitment: data lives where it belongs — with the user. User-generated content is, by default, stored on the device, encrypted at rest with AES-256, and never transmitted to our servers unless the user explicitly enables cloud sync. The information we collect below is collected only to keep the IAA (in-app advertising) and IAP (in-app purchase) systems running safely, to prevent fraud, and to comply with the laws of the regions in which we operate.

2. Data Collection — Specific Granularity and Purpose

We strictly follow the “minimum necessary” principle. Through compliant technical means we collect the information set out below, exclusively for the purposes of operating the IAA (advertising monetisation) and IAP (in-app purchase) systems, optimising user experience, preventing fraud, and complying with regional regulations. We do not collect any personal information unrelated to the Services.

2.1 Device Fingerprint and Identifier

• IDFA (Identifier for Advertisers) on iOS devices — collected only after explicit user consent via the App Tracking Transparency (ATT) framework, and only used for advertising attribution and frequency capping.
• GAID (Google Advertising ID) on Android devices — subject to the user’s Android advertising preferences and the Android 14 / Android 15 Privacy Sandbox framework where applicable.
• OAID (Open Anonymous Device Identifier) for Android devices distributed in mainland China, used solely for advertising and anti-fraud purposes within the Chinese regulatory perimeter.
• Device brand, model, screen resolution, operating system version, language setting, battery state, and system clock offset (used to detect time-zone cheating and to prevent cross-regional price fraud).
• Device unique identifier (encrypted, not associated with the user’s real-world identity).

2.2 Network Environment Data

• IP address — used only for geographic compliance filtering (to determine the user’s region for the purpose of applying local regulations, content, and pricing), and not for precise geolocation.
• Mobile network operator name, Wi-Fi connection state, network type (4G / 5G / Wi-Fi), used to ensure service stability and to perform regional compliance checks.

2.3 Behavioural Data (IAA and UX)

• Advertising behaviour: advertising display ID, click timestamp, conversion path, rewarded-video watch duration and whether the user exited mid-video, dwell time on ad units. Used to optimise ad delivery, prevent ad fraud, and shared in desensitised form with our third-party monetisation partners listed in section 3.
• Application / game logic: count of core-loop triggers, click-through rate on paywall prompts, drop-off points in the first-time experience, frequency-of-use of individual features. Used to optimise product interaction, adjust feature layout, and improve user convenience. We do not collect the actual content of user actions or any private data.

2.4 Financial Transaction Data (IAP)

We receive transaction receipts exclusively through the official App Store / Google Play APIs. We do not access, store, or process your bank-card number, CVV, payment password, or card expiry date. All payment operations are completed by Apple or Google payment systems.

• Order number, item purchased, quantity, payment currency, payment amount, country code, transaction timestamp, whether the transaction is a sandbox test order, order status (success / failed / refunded).
• Used for order validation, refund processing, financial reconciliation, and the prevention of payment fraud.

3. Deep Third-Party Data-Sharing Architecture

To operate legal monetisation, optimise the Services, and prevent fraud, we share strictly necessary data with the third-party ecosystem set out below. Sharing is governed by the “minimum necessary, encrypted in transit, fully controllable” principle. We do not share sensitive personal information with any third party. You can review each partner’s data-handling practices via their own privacy policy.

3.1 Mediation Layer (Ad Serving)

These partners perform real-time bidding (RTB), fill optimisation, and yield management for the ad inventory in our apps. Data shared: desensitised device information, advertising display / click data. No real-world identity binding.

3.2 Attribution and Anti-Fraud (MMP)

These partners track advertising install attribution and detect fraudulent installations, click-injection, and SDK spoofing. Data shared: desensitised device information, install attribution data, post-install events. No private user information.

3.3 Payment Processors

Data shared: order-related information only (no sensitive payment information). Used for transaction reconciliation and order validation, in full compliance with Apple and Google data-handling requirements.

4. Global Region-Specific Legal Notices

We strictly comply with the privacy regulations of every country and region in which we operate. The following region-specific clauses are additive to the rest of this Policy. Where local law provides a higher protection standard than this Policy, the local law prevails.

4.1 European Union (GDPR) and United Kingdom (UK-GDPR)

4.1.1 Legal basis for processing

The legal bases on which we process user data are: performance of a contract with the user; the user’s explicit consent; our legitimate interests (such as fraud prevention, service optimisation, and security), subject to a balancing test; and compliance with legal obligations. All processing activities comply with Article 6 of the GDPR and Article 6 of the UK-GDPR.

4.1.2 EU and UK representative

EU and UK users may direct data-related requests (access, rectification, erasure, withdrawal of consent, data portability, objection, restriction of processing) to our appointed representative at the address published on our website. We respond to all valid requests within 7 working days.

4.1.3 DSA transparency obligations

We strictly comply with the latest European Digital Services Act (DSA) transparency requirements. We publish our ad-placement rules, algorithmic-recommendation logic, and content-moderation standards, and we issue periodic transparency reports documenting our data-processing flows and third-party partnerships. We accept oversight by EU regulatory authorities. Where a Service involves user-generated content (UGC), we publish the moderation mechanism, complaint-handling workflow, and the standard for removing non-compliant content, and we ensure users are fully informed of their rights.

4.1.4 Rights of EU and UK users

• Right of access — obtain a copy of personal data we hold about you.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”).
• Right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
• Right to data portability — receive a machine-readable copy of your data.
• Right to lodge a complaint with the European Data Protection Board (EDPB) or the UK Information Commissioner’s Office (ICO).

4.2 United States (CCPA, CPRA, VCDPA, and other state laws)

4.2.1 No sale of personal information

We do not sell your personal information to any third party, including advertisers and data brokers. Note: under the California CPRA and Virginia VCDPA, sharing device IDs and similar non-sensitive information with third parties for the purpose of personalised advertising may technically be classified as “sharing.” Where applicable, we provide clear in-app notice and a right to opt-out of such sharing.

4.2.2 Do Not Track (DNT)

We honour the device-level “Do Not Track” setting. If a user enables DNT, we stop collecting behavioural data for personalised advertising and recommendations, retaining only the minimum data required to operate the Services.

4.2.3 State-by-state compliance

• California (CPRA): Users may request disclosure of personal information collected, used, or shared over the preceding 12 months; may request deletion; and may opt out of targeted advertising. We respond to valid requests within 45 calendar days.
• Texas (CCPA-TX): Strengthened access rights; users may query collection records free of charge; we may not impose unreasonable barriers. Sharing of sensitive information (biometric, financial) requires written consent.
• Virginia (VCDPA): Users may request correction of inaccurate personal data and may request cessation of sharing with third parties. We complete correction or cessation within 30 calendar days.
• Other states: We adapt to the latest Washington, Colorado, Connecticut, Utah, and other state privacy laws, clearly defining user data rights and our compliance obligations.

4.3 Brazil (LGPD)

We comply with Brazil’s Lei Geral de Proteção de Dados (LGPD). Personal data is collected only with the user’s explicit authorisation, with the purpose, scope, and method clearly disclosed. We guarantee the rights of access, rectification, deletion, and withdrawal of consent, and we maintain a dedicated compliance officer for Brazilian-user requests. User data is stored on servers located within Brazil, and cross-border transfers require approval from the Autoridade Nacional de Proteção de Dados (ANPD).

4.4 Other key regions

• China: We comply with the Personal Information Protection Law (PIPL), Data Security Law (DSL), and the Provisions on Promoting and Regulating Cross-border Data Flows. Personal information is collected only with explicit user consent. Data of mainland-China users is stored on servers within the Chinese mainland. We cooperate with the Cyberspace Administration of China (CAC) in regulatory inspections.
• India: We comply with the Digital Personal Data Protection Act (DPDP Act). Data collection is bounded, and written consent is obtained prior to collection. A Data Protection Officer (DPO) is appointed. Users may request deletion. Cross-border transfer requires approval from the Ministry of Electronics and Information Technology (MeitY).
• Saudi Arabia: We comply with the Personal Data Protection Law (PDPL). Data is stored on servers within Saudi Arabia and is not transferred abroad without authorisation. We accept oversight by the National Data Management Office (NDPA).
• Canada & Japan: We comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Japan’s Act on the Protection of Personal Information (APPI), defining data-handling rules, protecting user rights, and cooperating with local regulators.

5. Auto-Renewing Subscription Disclosure

For Services that offer auto-renewing subscriptions, we strictly follow Apple App Store and Google Play Store rules and global compliance requirements. The following disclosures apply to every subscription offered in our apps.

5.1 Information we collect

We collect only the information necessary for subscription management: subscription period, trial-eligibility status, subscription state (active / expired / paused), renewal date. No unrelated information is collected.

5.2 Transparency obligations

• Before subscription: We clearly disclose the billing period (weekly / monthly / yearly), subscription price, trial duration (if any), renewal rules, and cancellation method. No hidden clauses.
• Pre-billing reminder: At least 24 hours before each auto-renewal charge, we surface a clear in-app and / or push notification stating the upcoming charge amount, the charge date, and a direct path to cancel.
• Subscription management: Users can cancel auto-renewal at any time via the in-app Settings » Subscription Management menu, the App Store / Google Play subscription page, or the system-level subscription management. Cancellation stops all future charges. Cancellation during a free trial incurs no fee.

5.3 Free trial

If a free trial is offered, the subscription will automatically convert to a paid plan at the end of the trial. Users may cancel during the trial without charge. If the user has used subscription-only features during the trial and then cancels, those features will be deactivated immediately upon cancellation.

6. AI-Generated Content Disclosure

Where a Service includes AI-generated content (text, audio, image, interactive scenes, or other output), we strictly follow global AI-compliance requirements and disclose the following.

• Clear labelling: All AI-generated content is labelled “AI-generated” or equivalent, so it is distinguishable from human-authored content and does not mislead the user, in compliance with the EU AI Act and US state-level AI transparency requirements.
• Content compliance: AI output is filtered against global content standards. We prohibit generation of violent, pornographic, vulgar, misleading, politically sensitive, or discriminatory content. We operate a dual “AI generation + human review” mechanism to ensure compliance.
• Liability boundary: AI-generated content is provided as an assistive function. It does not constitute professional advice, a commitment, or a guarantee. We are not liable for losses arising from a user’s reliance on AI output. If AI output infringes the intellectual property, reputational, or other legal rights of a third party, we accept responsibility and will promptly remove the offending content.
• Data security: Data used to train our AI models is either compliantly sourced or authorised for use; it is not personal or private data of our users. We never use user-generated content to train AI models.

7. Children and Age-Related Provisions

Our Services are designed for a general audience. We do not knowingly collect personal data from children under 13 (or the higher age threshold defined by the user’s jurisdiction, e.g., 14 in the EU/UK under the GDPR, 16 in certain EU member states, 13 in the US under COPPA, 18 in mainland China under PIPL). If we learn that we have inadvertently collected data from a child below the applicable age threshold, we will delete the data as soon as possible.

Users aged 13 to 17 (or the local equivalent age of digital consent) may use our Services only with the verifiable consent of a parent or legal guardian. If you believe a child has provided us with personal data without appropriate consent, please contact us at contact@arkdevbitrealm.com and we will delete the data within 7 working days.

8. Cookies, SDKs and Tracking Technologies

Our mobile applications do not use browser cookies. We use a small set of SDKs to deliver the core functions described in this Policy, all of which are listed in section 3. On our website (this website), we use a minimal set of first-party cookies for session management and accessibility preferences. We do not use third-party advertising cookies on this website, and we do not use cross-site tracking cookies.

For users in the EU and UK, the SDKs in our mobile apps that may qualify as “cookies” under local ePrivacy rules (such as the AppLovin MAX SDK and the AppsFlyer SDK) are only activated after the user provides explicit consent via the in-app consent dialog and the iOS ATT framework (where applicable).

9. Do Not Track and Global Privacy Control

We fully honour the device-level “Do Not Track” (DNT) setting and the Global Privacy Control (GPC) signal. When a user has DNT or GPC enabled, we:

• Disable IDFA / GAID collection and any subsequent advertising personalisation.
• Stop transmitting behavioural data to our mediation partners for the purpose of personalised advertising.
• Continue collecting only the minimum data required to operate the core functions of the Services (e.g., fraud prevention, error reporting).

10. Your Data Rights

Regardless of where you are located, you have the following rights. We respond to all valid requests within 30 days, free of charge.

• Right of access — request a copy of personal data we hold about you.
• Right of rectification — correct inaccurate or incomplete data.
• Right of erasure — request deletion of your personal data.
• Right to restrict processing.
• Right to data portability — receive a machine-readable export.
• Right to object to processing based on legitimate interest.
• Right to withdraw consent at any time.
• Right to lodge a complaint with your local data-protection authority.

To exercise any of these rights, write to contact@arkdevbitrealm.com from the email address associated with your account. For security, we may request additional verification information before processing the request.

11. Security and Storage

We use industry-standard technical and organisational measures to protect your data, including TLS 1.3 in transit, AES-256 at rest, role-based access control (RBAC), full audit logging, ISO/IEC 27001-aligned processes, and annual third-party penetration testing. In the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authority without undue delay and within the timeframes required by applicable law (72 hours under GDPR Article 33).

12. Data Retention

We retain personal data only for as long as is necessary for the purposes described in this Policy or as required by law.

• User-generated content (e.g., pet records, wardrobe inventory, finance entries) — retained on-device until the user deletes the app or manually clears the data.
• Advertising identifiers and behavioural data — retained for a maximum of 13 months, in line with French CNIL guidance and EU best practice.
• IAP receipts and order records — retained for a minimum of 10 years, in line with applicable tax and accounting law.
• Support correspondence — retained for 3 years from the last interaction.

13. International Data Transfers

Because our servers are located in the United Kingdom and the European Union, with backup infrastructure in Canada and Japan, personal data may be transferred across borders. For transfers from the EU / UK to a third country, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA), supplemented by transfer impact assessments (TIAs) and supplementary technical measures (encryption, pseudonymisation). We do not transfer personal data to any country that has been the subject of an adequacy refusal without such safeguards in place.

14. Changes to this Policy

We update this Policy as our practices evolve, new regulations come into force, or third-party partners change. The “Effective” date at the top of this document reflects the most recent update. For material changes, we will notify you via in-app message and, where required by law, request renewed consent.

15. Contact and Data Protection Officer

For any questions, requests, or complaints regarding this Policy or our data-handling practices, please contact us at:

• General inquiries: contact@arkdevbitrealm.com
• Business support: support@arkdevbitrealm.com
• Post: Data Protection Officer, arkdevbitrealm, St John’s Innovation Centre, Cowley Road, Cambridge CB4 0WS, United Kingdom

EU and UK users may also contact our appointed EU/UK representative; details are available on request.