개인정보 처리방침
This Privacy Policy explains how Tubu Arge (the studio operating under the Tubu Games brand) collects, uses, stores, and shares personal data when you play mobile games published under the Tubu Games label (collectively, the "App", "Games" or "Service"). The policy is designed to be compliant with Türkiye's KVKK (Law no. 6698), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA / CPRA), and the U.S. Children's Online Privacy Protection Act (COPPA).
Table of contents
Data Controller
These Games are developed and published by Tubu Arge, a Turkish entity. Tubu Arge is the data controller within the meaning of GDPR article 4 and KVKK article 3. Tubu Games is a studio brand owned and operated by Tubu Arge and is not a separate legal entity.
- Data controller: Tubu Arge (Türkiye)
- Studio: Tubu Games
- Privacy contact: privacy@tubu.io
- Support contact: support@tubu.io
- Website: tubu.io
EU / UK representative: Tubu Arge is established in Türkiye. If you are an EU or UK data subject, you may exercise your rights directly with us via the privacy email above. We will respond within 30 days.
Data Collected
The data categories below match the iOS PrivacyInfo.xcprivacy
manifest and the Google Play Data Safety form.
2.1 Device identifiers
- IDFA (Identifier for Advertisers, iOS) — collected only if you answer "Allow" to the App Tracking Transparency (ATT) prompt. Used for ad personalization, attribution, and analytics; shared with AppLovin MAX, Singular, and Firebase.
- IDFV (Identifier for Vendor, iOS) — collected regardless of ATT; used for fraud prevention, in-app analytics, and crash context.
- GAID / AAID (Google Advertising ID, Android) — used for ad personalization, attribution, and analytics.
- Anonymous device fingerprint — device model, OS version, screen size, language; used for non-personalized fraud prevention.
2.2 Crash and performance data
- Crash logs (stack trace, error type, timestamp)
- Device model and OS version
- App version and build number
- Anonymous session duration (aggregate)
This data is processed anonymously through Firebase Crashlytics.
2.3 Gameplay progress data
- Completed level numbers and star counts
- Virtual goods balances (coins, gems, items, progress states)
- Achievements and weekly mission progress
- Battle Pass tier and XP
- Live ops event participation records
This data is stored on Microsoft PlayFab keyed by an anonymous device identifier. We do not collect your name, email address, or phone number; account creation is not required.
2.4 In-app purchase (IAP) records
- Transaction ID (issued by Apple or Google)
- Product ID (e.g.
remove_ads,vip_pass_season1) - Purchase date and amount (local currency)
- Receipt validation data returned by Apple or Google
Purchase records are kept on our backend via RevenueCat and on Apple's / Google's official IAP infrastructure for fraud prevention, customer support, and tax obligations. Your payment details are never transmitted to Tubu Arge; payment is handled entirely by Apple App Store / Google Play.
2.5 Event and telemetry data
- Level start / end, success / failure events
- Ad impression, click, completion events
- IAP funnel events (store open, purchase attempt, completion)
- A/B test experiment variant assignments
Telemetry is processed via Firebase Analytics, GameAnalytics, and Singular. All events are keyed to an anonymous device identifier and do not contain direct personal identifiers.
Purposes of Processing
We process the data above only for the following purposes:
- Service delivery — saving your gameplay progress.
- Advertising — showing ads in the free version of the Games; personalized or contextual depending on your ATT / consent choice.
- Analytics — aggregate product metrics.
- Fraud prevention — preventing multi-account reward abuse and cheats.
- IAP validation — server-side verification of receipts to prevent fraud.
- A/B testing — statistical comparison of game balance, monetization, and UI variants.
- Customer support — responding to tickets at support@tubu.io.
- Legal compliance — KVKK, tax, and consumer protection.
Legal bases (GDPR article 6)
| Activity | Legal basis |
|---|---|
| Service delivery, IAP processing | Performance of a contract (art. 6(1)(b)) |
| Non-personalized analytics, fraud prevention | Legitimate interests (art. 6(1)(f)) |
| Personalized ads, IDFA / GAID | Explicit consent via ATT / UMP (art. 6(1)(a)) |
| Tax record retention | Legal obligation (art. 6(1)(c)) |
Third-Party Services
The Games use the following third-party SDKs and services:
| Service | Purpose | Provider / Privacy URL |
|---|---|---|
| Apple App Store | Distribution, IAP, receipt validation | Apple Inc. — apple.com/legal/privacy |
| Google Play Store | Distribution, IAP, receipt validation | Google LLC — policies.google.com/privacy |
| AppLovin MAX | Ads mediation (primary) | AppLovin — applovin.com/privacy |
| Google AdMob | Ads bidder | Google LLC — policies.google.com/privacy |
| Meta Audience Network | Ads bidder | Meta Platforms — facebook.com/about/privacy |
| Mintegral | Ads bidder | Mintegral — mintegral.com/en/privacy |
| Unity Ads | Ads bidder | Unity Technologies — unity.com/legal/privacy-policy |
| ironSource | Ads bidder fallback | ironSource (Unity) — is.com/privacy-policy |
| Firebase Analytics | Event telemetry | Google LLC — firebase.google.com/support/privacy |
| Firebase Crashlytics | Crash reporting | Google LLC — firebase.google.com/support/privacy |
| GameAnalytics | Game-specific analytics | GameAnalytics ApS — gameanalytics.com/privacy |
| Singular | Attribution and UA measurement | Singular Labs — singular.net/privacy-policy |
| PlayFab | Cloud save, live ops, leaderboards | Microsoft — privacy.microsoft.com |
| RevenueCat | Purchase management | RevenueCat Inc. — revenuecat.com/privacy |
| Cloudflare | CDN, static page hosting | Cloudflare Inc. — cloudflare.com/privacypolicy |
SDK Identifiers
Mobile apps do not use traditional browser cookies. Instead, the SDKs listed above may create their own device-side identifiers:
AppLovin SDK Key— for ad requestsFirebase Installation ID— Crashlytics + Analytics sessionGameAnalytics User ID— persistent anonymous player IDSingular Install ID— attribution matchingPlayFab Anonymous ID— anonymous account mapping
On iOS, all such identifiers are subject to App Tracking Transparency (ATT); on Android, the Google Mobile Ads UMP SDK collects analogous consent.
Data Retention
- Gameplay progress: retained for as long as your account is active (dormant accounts are auto-anonymized after 18 months).
- Crash logs: 90 days (Firebase Crashlytics default).
- Analytics events: 14 months on Firebase Analytics and GameAnalytics.
- IAP receipts: retained for 10 years per Turkish Tax Procedure Law.
- Support correspondence: 24 months after ticket closure.
Your Rights
GDPR (EU / UK)
- Right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection.
- Right to lodge a complaint with a supervisory authority.
CCPA / CPRA (California)
- Right to know what personal information is collected, correct inaccurate info, delete, and opt out of "sale" or "sharing" (we do not sell info; opt-out of sharing is managed via ATT or in-game Privacy toggles).
KVKK (Türkiye)
Article 11 grants the right to information, correction, deletion, and damages. Contact privacy@tubu.io.
Data Deletion Request
- Send an email titled "Data Deletion Request" to privacy@tubu.io.
- Include your in-app Anonymous ID (found in Settings → Privacy → Device ID).
- All active data is deleted within 30 days.
Note: deletion is irreversible. Your gameplay progress, items, and levels will be lost.
Children's Privacy
The Games are not directed to children under 13. On Google Play, the age rating is Everyone 12+ or family-friendly depending on the region.
If we learn that we have collected personal data from a child under 13, we delete it immediately. If you believe your child has provided data, contact privacy@tubu.io.
International Transfers
Most third-party providers operate servers in the U.S. or E.U. This constitutes an international transfer of data from Türkiye. We rely on Standard Contractual Clauses (SCC) and signed Data Processing Agreements (DPAs) with Apple, Google, and Microsoft.
Changes to this Policy
We may update this policy when adding new SDKs or features. For material changes, the effective date is updated and an in-app notice may be shown.
Effective Date
This policy is effective from 17 July 2026.
Contact
- Data controller: Tubu Arge
- Studio: Tubu Games
- Privacy email: privacy@tubu.io
- Support email: support@tubu.io
- Website: tubu.io