Privacy Policy

Effective: 2026-05-09 · Version 1.1

Who we are

numero ("we", "us", "our") is operated by Shanu Tyagi, the data controller for the personal information described in this policy.

Privacy contact: numero.app@icloud.com.

What we collect

• Account info: email or third-party account ID (Google), display name, and any username you claim.
• Gameplay data: matches played, opponents, secret numbers entered, guesses, scores, timestamps, in-match reactions / emoji, and connection status.
• Wallet data: points balance, daily-spinner pulls, and stake history.
• Friends data: the user IDs you've added or been added by, and friendship state.
• Reports & moderation data: reports you file against other users (and reports filed against you), plus block lists.
• Push notification tokens: Firebase Cloud Messaging (FCM) tokens we register against your account so we can deliver notifications.
• Age data: birth year you enter at the age gate (used to enforce 13+ access and child-directed ad mode).
• Country: defaults to your device locale; editable in Settings → Profile → Country. Used for region-specific notifications and future leaderboards.
• Device & diagnostics: device model, app version, OS version, language, crash logs (Firebase Crashlytics), and a Firebase Installation ID.
• Analytics events: screen views, key in-app events (e.g. match started, room created, ad shown), session start, app foreground/background, and a Firebase app instance ID. Collected by Google Firebase Analytics. Approximate location (country/region) may be inferred from IP address.
• Performance metrics: screen render time, app start-up time, and the host, latency, and status of network requests the app makes to our backend. Collected by Google Firebase Performance Monitoring.
• Advertising identifiers: Google Advertising ID (collected by AdMob for ad delivery and frequency capping). You can reset or limit this via your device's privacy settings.

How we use it

• Run the game: matchmaking, real-time match state, friends list, presence, push notifications.
• Stop abuse: block, report, ban moderation, anti-cheat, multi-account detection.
• Improve reliability and product quality via Firebase Crashlytics (crashes), Firebase Performance Monitoring (slow screens / network), and Firebase Analytics (which screens are used, where users drop off).
• Show ads via Google AdMob (see "Ads" below).
• Send service notifications and (with your consent where required) broadcast announcements.

Legal bases (EEA / UK)

• Contractual necessity: account, matchmaking, gameplay, wallet.
• Legitimate interests: anti-abuse, security, service improvement.
• Consent: personalised ads (via the EU consent form on first launch).
• Legal obligation: response to lawful requests, age-gating.

Ads

We show banner, interstitial, and rewarded ads through Google AdMob. AdMob may collect device identifiers (advertising ID) and other signals per Google's AdMob policies.

Google's processing of advertising data is governed by Google's Privacy Policy. Google may share advertising data with the partners listed at Google's AdMob partners page.

Users in the EEA, UK, and Switzerland see a Google UMP consent prompt on first launch and can change their choice later by clearing app data. To opt out of personalised advertising on Android device-wide, go to Settings → Google → Ads → Opt out of Ads Personalisation; you can also reset your advertising ID from the same screen. Personalised ad opt-out is also available at adssettings.google.com.

If your declared age at the age gate is under 13, ads are served in COPPA-compliant child-directed mode with no behavioural targeting (tagForChildDirectedTreatment is set on every ad request).

Sharing

We don't sell your personal information.

Sub-processors:

• Google LLC — Firebase Authentication, Firestore, Realtime Database, Cloud Functions, Cloud Messaging, Crashlytics, Analytics, Performance Monitoring, Hosting, App Check, Remote Config, and Google Play (in-app updates).
• Google AdMob — ad serving and measurement.
• LottieFiles, Inc. — hosts the small animation files shown on the maintenance and force-update screens (served from lottie.host). Receives only your IP address and user-agent at the time of the request.

We may disclose data in response to lawful legal process or to protect our rights, users, or the public.

International transfers

Your data is processed by Firebase in the region selected for our project. If you access the service from outside that region (including from the EEA / UK), your data is transferred internationally. Where required, we rely on Google Cloud's Standard Contractual Clauses for cross-border transfers.

User-generated content & moderation

The service supports light user-generated content: the username you claim and the in-match reactions / emoji you send during a match. Reactions are visible to your opponent in real time and are stored alongside the match record so the original conversation is preserved.

Reactions and your username may be reviewed by moderators in response to a report filed by another user, or as part of routine abuse review. We retain the underlying records per the Reports & moderation records row in Data retention below — up to 24 months — even after you delete your account, to enforce our Terms.

You can report a user from the in-app friend profile screen. We act on reports under our Terms of Service — Behaviour rules.

Data retention

• Account data: kept while your account is active.
• Match history & wallet ledger: kept while your account is active; anonymised on account deletion.
• Crash logs: 90 days (Firebase Crashlytics default).
• Analytics events: 14 months (Firebase Analytics default), then aggregated.
• Performance traces: 90 days (Firebase Performance Monitoring default).
• FCM tokens: pruned automatically when invalid or on sign-out.
• Reports & moderation records: kept up to 24 months for safety review, even after account deletion (with personal identifiers removed where possible).
• Backups: incremental automated backups retained for up to 30 days.

Your rights (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland you have the right to:

• access the personal data we hold about you,
• ask us to correct inaccurate data,
• ask us to delete your data ("right to erasure"),
• ask for your data in a portable format,
• restrict or object to certain processing,
• withdraw consent at any time, and
• complain to your local supervisory authority.

To exercise these rights email numero.app@icloud.com from the email address linked to your account.

Your rights (California — CCPA / CPRA)

California residents have the right to know what personal information we collect, to request deletion, to opt out of "sale" or "sharing" of personal information, and to be free from discrimination for exercising these rights.

We do not "sell" personal information for money. To the extent advertising via Google AdMob is considered "sharing" under the CCPA, you can opt out using your device's privacy controls (the Google UMP consent prompt only appears in the EEA / UK / Switzerland and is NOT the right opt-out path for California users):

• Android: Settings → Google → Ads → Opt out of Ads Personalisation. You can also reset your advertising ID from the same screen.
• Web (cross-device): visit adssettings.google.com and turn off Ad personalisation.
• To request access or deletion: email numero.app@icloud.com from the email tied to your account. We respond within 45 days as required by the CCPA.

Do Not Sell or Share My Personal Information — California users may exercise this right via the email contact above; we don't currently provide a separate web form because this app's data practices are described in full above.

Your rights (India — DPDP Act 2023)

If you are in India you have the right to access, correct, and erase your personal data, and to nominate a representative. Email numero.app@icloud.com to make a request.

Account deletion

In the app: Settings → Profile → Delete account. Your account and personal data are removed immediately. Your username is freed up. Your past matches are anonymised within 30 days; backups roll off within 30 days. Reports & moderation records are retained for safety review per the schedule above.

Without installing the app: use our account deletion page.

Children

The service is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has used the service, please email numero.app@icloud.com and we will delete the account.

Where required by local law, the minimum age is the higher of 13 or the local minimum age for processing personal data without parental consent.

Security

We use Firebase App Check, encrypted transport (HTTPS / TLS), Google-managed encryption at rest, and server-authoritative game state to limit the impact of any single device being compromised. Report suspected security issues to numero.app@icloud.com.

Changes

If we make material changes we will notify you via an in-app prompt and update the "Effective" date above. Continued use after the new effective date constitutes acceptance.

Contact

Questions, requests, or complaints: numero.app@icloud.com.