Tubu Logo games

سياسة الخصوصية

تاريخ النفاذ: 17 يوليو 2026 · Türkçe sürüm

This Privacy Policy explains how Tubu Arge (the studio operating under the Tubu Games brand) collects, uses, stores, and shares personal data when you play mobile games published under the Tubu Games label (collectively, the "App", "Games" or "Service"). The policy is designed to be compliant with Türkiye's KVKK (Law no. 6698), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA / CPRA), and the U.S. Children's Online Privacy Protection Act (COPPA).

Table of contents
  1. Data Controller
  2. Data Collected
  3. Purposes of Processing
  4. Third-Party Services
  5. SDK Identifiers
  6. Data Retention
  7. Your Rights
  8. Data Deletion Request
  9. Children's Privacy
  10. International Transfers
  11. Changes to this Policy
  12. Effective Date
  13. Contact

Data Controller

These Games are developed and published by Tubu Arge, a Turkish entity. Tubu Arge is the data controller within the meaning of GDPR article 4 and KVKK article 3. Tubu Games is a studio brand owned and operated by Tubu Arge and is not a separate legal entity.

EU / UK representative: Tubu Arge is established in Türkiye. If you are an EU or UK data subject, you may exercise your rights directly with us via the privacy email above. We will respond within 30 days.

Data Collected

The data categories below match the iOS PrivacyInfo.xcprivacy manifest and the Google Play Data Safety form.

2.1 Device identifiers

  • IDFA (Identifier for Advertisers, iOS) — collected only if you answer "Allow" to the App Tracking Transparency (ATT) prompt. Used for ad personalization, attribution, and analytics; shared with AppLovin MAX, Singular, and Firebase.
  • IDFV (Identifier for Vendor, iOS) — collected regardless of ATT; used for fraud prevention, in-app analytics, and crash context.
  • GAID / AAID (Google Advertising ID, Android) — used for ad personalization, attribution, and analytics.
  • Anonymous device fingerprint — device model, OS version, screen size, language; used for non-personalized fraud prevention.

2.2 Crash and performance data

  • Crash logs (stack trace, error type, timestamp)
  • Device model and OS version
  • App version and build number
  • Anonymous session duration (aggregate)

This data is processed anonymously through Firebase Crashlytics.

2.3 Gameplay progress data

  • Completed level numbers and star counts
  • Virtual goods balances (coins, gems, items, progress states)
  • Achievements and weekly mission progress
  • Battle Pass tier and XP
  • Live ops event participation records

This data is stored on Microsoft PlayFab keyed by an anonymous device identifier. We do not collect your name, email address, or phone number; account creation is not required.

2.4 In-app purchase (IAP) records

  • Transaction ID (issued by Apple or Google)
  • Product ID (e.g. remove_ads, vip_pass_season1)
  • Purchase date and amount (local currency)
  • Receipt validation data returned by Apple or Google

Purchase records are kept on our backend via RevenueCat and on Apple's / Google's official IAP infrastructure for fraud prevention, customer support, and tax obligations. Your payment details are never transmitted to Tubu Arge; payment is handled entirely by Apple App Store / Google Play.

2.5 Event and telemetry data

  • Level start / end, success / failure events
  • Ad impression, click, completion events
  • IAP funnel events (store open, purchase attempt, completion)
  • A/B test experiment variant assignments

Telemetry is processed via Firebase Analytics, GameAnalytics, and Singular. All events are keyed to an anonymous device identifier and do not contain direct personal identifiers.

Purposes of Processing

We process the data above only for the following purposes:

  • Service delivery — saving your gameplay progress.
  • Advertising — showing ads in the free version of the Games; personalized or contextual depending on your ATT / consent choice.
  • Analytics — aggregate product metrics.
  • Fraud prevention — preventing multi-account reward abuse and cheats.
  • IAP validation — server-side verification of receipts to prevent fraud.
  • A/B testing — statistical comparison of game balance, monetization, and UI variants.
  • Customer support — responding to tickets at support@tubu.io.
  • Legal compliance — KVKK, tax, and consumer protection.

Legal bases (GDPR article 6)

ActivityLegal basis
Service delivery, IAP processingPerformance of a contract (art. 6(1)(b))
Non-personalized analytics, fraud preventionLegitimate interests (art. 6(1)(f))
Personalized ads, IDFA / GAIDExplicit consent via ATT / UMP (art. 6(1)(a))
Tax record retentionLegal obligation (art. 6(1)(c))

Third-Party Services

The Games use the following third-party SDKs and services:

Service Purpose Provider / Privacy URL
Apple App Store Distribution, IAP, receipt validation Apple Inc. — apple.com/legal/privacy
Google Play Store Distribution, IAP, receipt validation Google LLC — policies.google.com/privacy
AppLovin MAX Ads mediation (primary) AppLovin — applovin.com/privacy
Google AdMob Ads bidder Google LLC — policies.google.com/privacy
Meta Audience Network Ads bidder Meta Platforms — facebook.com/about/privacy
Mintegral Ads bidder Mintegral — mintegral.com/en/privacy
Unity Ads Ads bidder Unity Technologies — unity.com/legal/privacy-policy
ironSource Ads bidder fallback ironSource (Unity) — is.com/privacy-policy
Firebase Analytics Event telemetry Google LLC — firebase.google.com/support/privacy
Firebase Crashlytics Crash reporting Google LLC — firebase.google.com/support/privacy
GameAnalytics Game-specific analytics GameAnalytics ApS — gameanalytics.com/privacy
Singular Attribution and UA measurement Singular Labs — singular.net/privacy-policy
PlayFab Cloud save, live ops, leaderboards Microsoft — privacy.microsoft.com
RevenueCat Purchase management RevenueCat Inc. — revenuecat.com/privacy
Cloudflare CDN, static page hosting Cloudflare Inc. — cloudflare.com/privacypolicy

SDK Identifiers

Mobile apps do not use traditional browser cookies. Instead, the SDKs listed above may create their own device-side identifiers:

  • AppLovin SDK Key — for ad requests
  • Firebase Installation ID — Crashlytics + Analytics session
  • GameAnalytics User ID — persistent anonymous player ID
  • Singular Install ID — attribution matching
  • PlayFab Anonymous ID — anonymous account mapping

On iOS, all such identifiers are subject to App Tracking Transparency (ATT); on Android, the Google Mobile Ads UMP SDK collects analogous consent.

Data Retention

  • Gameplay progress: retained for as long as your account is active (dormant accounts are auto-anonymized after 18 months).
  • Crash logs: 90 days (Firebase Crashlytics default).
  • Analytics events: 14 months on Firebase Analytics and GameAnalytics.
  • IAP receipts: retained for 10 years per Turkish Tax Procedure Law.
  • Support correspondence: 24 months after ticket closure.

Your Rights

GDPR (EU / UK)

  • Right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection.
  • Right to lodge a complaint with a supervisory authority.

CCPA / CPRA (California)

  • Right to know what personal information is collected, correct inaccurate info, delete, and opt out of "sale" or "sharing" (we do not sell info; opt-out of sharing is managed via ATT or in-game Privacy toggles).

KVKK (Türkiye)

Article 11 grants the right to information, correction, deletion, and damages. Contact privacy@tubu.io.

Data Deletion Request

  1. Send an email titled "Data Deletion Request" to privacy@tubu.io.
  2. Include your in-app Anonymous ID (found in Settings → Privacy → Device ID).
  3. All active data is deleted within 30 days.

Note: deletion is irreversible. Your gameplay progress, items, and levels will be lost.

Children's Privacy

The Games are not directed to children under 13. On Google Play, the age rating is Everyone 12+ or family-friendly depending on the region.

If we learn that we have collected personal data from a child under 13, we delete it immediately. If you believe your child has provided data, contact privacy@tubu.io.

International Transfers

Most third-party providers operate servers in the U.S. or E.U. This constitutes an international transfer of data from Türkiye. We rely on Standard Contractual Clauses (SCC) and signed Data Processing Agreements (DPAs) with Apple, Google, and Microsoft.

Changes to this Policy

We may update this policy when adding new SDKs or features. For material changes, the effective date is updated and an in-app notice may be shown.

Effective Date

This policy is effective from 17 July 2026.

Contact