Privacy Policy
This policy describes what SudoRush ("we", "our") collects when you play the SudoRush Android app or visit the SudoRush website (sudorush.com), why we collect it, and your rights. Contact: [email protected].
1. Data We Collect
- Account identifiers. Firebase Authentication user ID, Google Play Games player ID and display name.
- Profile data (Firestore). Display name, coin balance, XP, level, ranked ELO per difficulty, unlocked sabotages, themes, and music packs.
- Match state (Realtime Database). Puzzle round seeds, board positions, sabotage effects in flight, solve timestamps, trap locations. Cleared at match end.
- Match history (Firestore). Opponent ID, mode, outcome, ELO delta, timestamp, difficulty.
- Queue state (Realtime Database). Transient matchmaking state, deleted on match start.
- Purchase records. Google Play purchase token, product ID, validation status.
- Crash diagnostics (Firebase Crashlytics). Stack traces, device model, OS version, locale, install ID, app breadcrumbs.
- Advertising identifiers. Android Advertising ID (AAID) collected by Google AdMob for ad serving, frequency capping, and measurement.
- Ad interaction data. Ad impressions, clicks, and rewarded ad completions, collected by Google AdMob.
- Consent state. Your ad consent choices (IAB TCF string) stored locally on your device by Google's User Messaging Platform.
- Auto-collected by Firebase SDK. Firebase Installation ID, IP address (used by Google for approximate geolocation; not stored by us directly).
2. Website Visitors (sudorush.com)
The SudoRush website (sudorush.com) uses Cloudflare Web Analytics, a privacy-first analytics service operated by Cloudflare, Inc. Cloudflare Web Analytics does not use cookies and does not track visitors across websites.
Cloudflare Web Analytics collects the following data from website visitors:
- Page views and pages visited
- Approximate visit duration
- Referring URL
- Browser type and version
- Operating system and screen resolution
- Country (derived from IP address; the IP address itself is not stored in identifiable form by Cloudflare)
This data is not linked to SudoRush app user accounts and is not used for advertising. For full details, see Cloudflare's Privacy Policy.
3. Why We Collect It
We collect data to provide matchmaking and live gameplay, anti-cheat enforcement, leaderboards, customer support, crash diagnostics, and in-app purchase fulfillment, and to serve and measure advertisements.
4. Advertising
SudoRush uses Google AdMob, a service operated by Google LLC, to serve advertisements. AdMob serves three types of ads in SudoRush: banner ads during gameplay, interstitial ads between matches, and optional rewarded ads you choose to watch for in-game coin rewards.
To serve and measure ads, AdMob collects:
- Android Advertising ID (AAID) and other device identifiers
- IP address
- App usage data and ad interaction data (impressions, clicks, completions)
- Device and account information
- Cookies, web beacons, mobile device identifiers (including AAID), and similar tracking technologies
AdMob may use this data to serve personalized ads based on your interests and to measure ad performance. If you are in the EU/EEA or a CCPA-regulated US state, a consent form is shown before any ad request is made. You may update or withdraw consent at any time via Settings in the app.
You can opt out of personalized advertising by resetting your Android Advertising ID in your device settings (Settings > Google > Ads > Reset advertising ID) or by enabling "Opt out of Ads Personalization".
Purchasing the Remove Ads in-app purchase removes banner and interstitial ads. Rewarded ads remain available as an opt-in feature and are not served without your action.
Rewarded ads and financial incentives. When you choose to watch a rewarded ad, SudoRush awards in-game coins as a reward. Watching a rewarded ad involves AdMob processing your AAID and ad interaction data. Under the California Consumer Privacy Act (CCPA/CPRA), this constitutes a financial benefit tied to the use of personal data. You may decline to watch rewarded ads at any time with no impact on core gameplay.
For full details of how Google processes data for advertising, see Google's Privacy Policy and Google AdMob's privacy FAQ.
5. Who We Share Data With
We share personal data only with Google LLC and its subsidiaries:
- Firebase Authentication, Realtime Database, Firestore, Crashlytics. Used for authentication, live game state, persistent player data, and crash reporting.
- Google AdMob. Used for ad serving, measurement, and fraud prevention as described in Section 3.
- Google Play. Handles in-app purchase payment processing and delivers purchase records to our app.
We do not sell personal data. We do not share data with any other third parties, analytics providers, or data brokers.
6. Retention
- RTDB match and queue state: cleared at match end or on dequeue.
- Profile and match history: kept while your account is active. Deleted within 30 days of an email deletion request, or immediately via in-app account deletion.
- Crashlytics logs: retained 90 days (Google default).
- AdMob data: retained per Google's advertising data retention policies. See Google's Privacy Policy.
7. Security Practices
- In transit. All data transmitted between the SudoRush app and Google Firebase is encrypted using TLS 1.2 or higher.
- At rest. Firebase services (Realtime Database, Firestore, Authentication) encrypt stored data using AES-256.
- App integrity. Firebase App Check verifies that requests to our backend services originate from legitimate SudoRush app installations, preventing unauthorized access.
- Access control. Access to production Firebase data is restricted to authenticated service accounts governed by least-privilege security rules.
- Payment data. We do not process or store credit card or payment information. All in-app purchases are handled entirely by Google Play.
8. Data Breach Notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR Article 33.
If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay using the contact information associated with your account where available.
9. Your Rights
- Access. Request a copy of your data by emailing [email protected].
- Delete. Delete your account and all associated data in-app or via Delete Data.
- Withdraw ad consent. Update or withdraw your advertising consent at any time via Settings in the app.
- Opt out of crash reporting. Request opt-out by emailing [email protected].
10. GDPR: EU/EEA Users
If you are located in the European Union or European Economic Area, the following applies in addition to the rest of this policy.
- Data controller. Calvin Iyer (individual), Bangalore, India. Contact: [email protected].
- Lawful basis. Consent (for advertising and analytics); legitimate interest (for fraud prevention, anti-cheat, and security).
- International transfers. Google may transfer your personal data to servers in the United States. Google relies on Standard Contractual Clauses approved by the European Commission as a transfer safeguard.
- Your rights. You have the right to access, rectify, erase, port, and object to processing of your personal data. You may withdraw consent at any time via Settings in the app. These rights do not affect the lawfulness of processing before withdrawal.
- Complaints. You have the right to lodge a complaint with the data protection supervisory authority in your EU/EEA member state.
- Data Protection Officer. We are an individual developer. A Data Protection Officer is required under GDPR Article 37(1) only for public authorities, large-scale systematic monitoring, or large-scale processing of special categories of data. None of these apply to SudoRush. Privacy inquiries are handled directly by the data controller at [email protected].
- Automated decision-making. SudoRush uses an automated ELO ranking algorithm to calculate your competitive rating based on match outcomes. This affects matchmaking and leaderboard position. You have the right to request human review of any ELO calculation you believe is erroneous by contacting [email protected]. No other automated decision-making or profiling with legal or similarly significant effects is performed.
11. CCPA: California Users
If you are a California resident, the following applies.
- Do Not Sell or Share My Personal Information. We do not sell personal information. We do share the Android Advertising ID (AAID) with Google AdMob for cross-context behavioral advertising. To opt out of this sharing, update your ad consent via Settings in the app, or reset or disable your Advertising ID in device settings (Settings > Google > Ads > Reset advertising ID or enable "Opt out of Ads Personalization").
- You have the right to know what personal information we collect and to request deletion of your data.
- We do not discriminate against users who exercise their CCPA rights.
- To exercise your rights, email [email protected].
12. Children
SudoRush is intended exclusively for users aged 18 and older. The app is not directed at children. We do not knowingly collect personal data from users under 18. If we become aware that a user under 18 has created an account, we will terminate the account and delete all associated personal data. If you believe a user under 18 has registered, contact [email protected].
13. DPDP Act: Indian Users
Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are the Data Fiduciary and you are the Data Principal.
- Purpose. We process your personal data only for the purposes stated in this policy. We do not use your data for any other purpose without your consent.
- Consent. By installing and using SudoRush, you provide consent to process your data as described in this policy. You may withdraw consent by deleting your account.
- Your rights. You have the right to access a summary of your personal data, correct inaccurate data, and erase your data. Email [email protected] to exercise these rights. We will respond within 30 days.
- Grievance. If you are dissatisfied with our response, you may file a complaint with the Data Protection Board of India once it is operational.
14. Updates
Material changes to this policy will be notified via in-app announcement. The "Last updated" date at the top of this page reflects the current version.
15. Contact
Questions, requests, or complaints: [email protected]