Privacy Policy

Last updated: May 15, 2026

1. Data Controller

No data protection officer has been appointed, as the statutory thresholds under § 38 BDSG (at least 20 persons continuously engaged in automated processing) are not met.

2. Scope

This privacy policy applies to the app "Uppilo" (iOS) and the website uppilo.de.

3. Website Hosting (Vercel)

The website uppilo.de is hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA), primarily out of the Frankfurt (fra1) region. Only static pages are served; there is no database, no cookies, and no client-side analytics.

When accessing the website, technically necessary connection data is recorded in server log files, in particular:

• IP address (truncated / briefly stored)
• Time of the request
• Requested path
• Referrer, user agent
• HTTP status code

These log files serve security, abuse prevention, and technical availability. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable, secure website). Storage is short-term; Vercel acts as a processor under Art. 28 GDPR. Since Vercel Inc. is a US company, data transfers to the USA may occur; Vercel is certified under the EU-US Data Privacy Framework, and Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR apply as a supplementary safeguard. Provider's privacy notice: vercel.com/legal/privacy-policy.

Fonts are served locally from the Vercel edge node. No connection to Google Fonts or other external font providers takes place. The website sets no cookies and uses no tracking.

4. Locally Stored Data (App)

We store game and app data locally on your device to provide the app:

• High scores, statistics and game progress
• Achievements and unlocked content
• Settings and preferences
• Purchase status (e.g. remove ads, VIP subscription)

Sensitive data such as purchase status and account balances are stored encrypted in the iOS Keychain. Other data is stored in the local app settings (UserDefaults). A device-internal identifier (IDFV) is used for app functionality and is not shared with third parties.

You can optionally enable anonymous usage data in the app settings. This data (e.g. game starts, game results) is logged exclusively on your device and is not transmitted to external servers.

5. Third-Party Services (App)

Apple Game Center

When you sign in to Game Center, Apple processes profile and game information. We submit high scores, achievements and display names to Apple's leaderboard and achievement systems.

In multiplayer mode, game data (scores, combos, placements) is exchanged in real time with your opponent via Apple's peer-to-peer connection.

Apple App Store / StoreKit

In-app purchases are handled by Apple. We only receive the purchase status (transaction ID, product ID, timestamp) for local activation of purchased content. Payment data is processed exclusively by Apple.

Google AdMob (Advertising)

We use Google AdMob to display advertising (rewarded ads and interstitials). AdMob may process the following data to serve ads, measure reach, and prevent fraud:

• Device IDs — advertising ID (IDFA, only with ATT consent) and vendor identifier (IDFV)
• Approximate location — derived from IP address (no GPS); used for regional ad targeting
• Product interaction — which ads were displayed, viewed, or tapped
• Advertising data — information on ad delivery and measurement
• Diagnostics and performance data — ad load times, crash reports, and technical error logs from the ad SDK

For anonymized measurement of ad conversions, Apple's SKAdNetwork is used. No personal data is transmitted — attribution is handled exclusively by Apple.

Google UMP (Consent Management)

To obtain and manage your advertising consent in accordance with GDPR, we use Google's User Messaging Platform (UMP). Your consent preferences are processed and stored locally.

You can withdraw or change your advertising consent at any time via "Manage Ad Consent" in the app settings (Art. 7(3) GDPR). Withdrawal is as easy as giving consent. After withdrawal, no further ads will be loaded.

Apple Push Notification Service (APNs)

When you enable notifications, a device token is registered with Apple. We exclusively use local notifications (e.g. reminders for daily challenges). No push messages are sent from an external server.

Some of the mentioned providers (Apple, Google) may process data in the USA. Apple and Google are certified under the EU-US Data Privacy Framework. Additionally, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR apply.

6. Tracking & Advertising (ATT)

Personalized advertising only occurs with your explicit consent via Apple's App Tracking Transparency (ATT). If you decline tracking, the advertising ID (IDFA) will not be transmitted to advertising partners and you will only receive non-personalized advertising.

7. Legal Basis

• Art. 6(1)(b) GDPR — Contract performance (game operation, in-app purchases)
• Art. 6(1)(a) GDPR — Consent (ad tracking, notifications)
• Art. 6(1)(f) GDPR — Legitimate interests (website hosting, fraud prevention)

8. Data Retention & Deletion

Local app data remains stored until you delete it in the app settings under "Delete All Data" or uninstall the app. Data stored in the Keychain (purchase status) may persist after uninstallation and will be restored upon reinstallation.

Data managed by Apple (Game Center scores, purchase history) is subject to Apple's own retention policies.

Server log files of the website are automatically deleted, typically within 14 days.

9. Your Rights

You have the right at any time to:

• Access your stored data (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR)

You can remove local app data via "Delete All Data" in the app settings.

No automated decision-making / no profiling: No solely automated decision-making — including profiling — within the meaning of Art. 22 GDPR takes place.

10. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:

11. Contact

For privacy-related questions, reach us at info@uppilo.de.