Privacy Policy

Our commitment to protecting your privacy and data security. Last updated: January 2026

1. Introduction

AINODE DEVBASE ("we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile applications, websites, and related services.

This policy is a comprehensive 2026 global compliance version, fully aligned with:

  • EU General Data Protection Regulation (GDPR) & UK-GDPR
  • EU Digital Services Act (DSA)
  • California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Texas Data Privacy and Security Act (TDPSA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Brazil Lei Geral de Proteção de Dados (LGPD)
  • China Personal Information Protection Law (PIPL)
  • India Digital Personal Data Protection Act (DPDP)
  • Saudi Arabia Personal Data Protection Law
  • Apple App Store & Google Play Developer Guidelines
  • EU AI Act (for AI-generated content features)

2. Data Collection

We strictly adhere to the "minimum necessary" principle and collect only information essential for service operation, advertising monetization (IAA), in-app purchases (IAP), and fraud prevention.

2.1 Device Fingerprint & Identifiers

  • IDFA (Identifier for Advertisers) - iOS devices
  • GAID (Google Advertising ID) - Android devices
  • OAID (Open Anonymous Device Identifier) - Android devices for Chinese market
  • IDFV (Identifier for Vendors) - iOS devices (for same vendor apps)
  • Device Brand - Manufacturer name (e.g., Apple, Samsung)
  • Device Model - Model identifier (e.g., iPhone 15, Pixel 8)
  • Screen Resolution - Display dimensions in pixels
  • System Version - iOS/Android version numbers
  • Language Settings - Device language and locale preferences
  • Battery Status - Battery level and charging state
  • System Clock Offset - Time zone detection for fraud prevention
  • Encrypted Device Identifiers - Hashed identifiers not linked to real identity

2.2 Network Environment Data

  • IP Address - Geographic compliance filtering only (not precise location)
  • Mobile Network Carrier - Carrier name and network type
  • Wi-Fi Status - Connection state and SSID (if permitted)
  • Network Type - 4G, 5G, LTE, Wi-Fi connection classification
  • VPN/Proxy Detection - For fraud and regional compliance

2.3 Advertising Behavior Data (IAA)

  • Ad Impression ID - Unique identifier for each ad view
  • Click Timestamp - Exact time of ad interactions
  • Conversion Path - User journey from impression to action
  • Rewarded Video Duration - Total watch time and early exit points
  • Ad Dwell Time - Time spent viewing each ad
  • Skip Behavior - When and how users skip ads
  • Interaction Events - Clicks, swipes, and engagement metrics

2.4 User Experience Data (UX Analytics)

  • Feature Usage Frequency - Which app features are used most
  • Core Loop Triggers - Application interaction patterns
  • Paywall Click-Through Rate - Response to purchase prompts
  • Onboarding Drop-off Points - Where new users abandon the app
  • Session Duration - Length of app usage sessions
  • Navigation Patterns - User flow through app screens

2.5 Financial Transaction Data (IAP)

  • Order Number - Unique transaction identifier
  • Product SKUs - Purchased item identifiers
  • Quantity - Number of items purchased
  • Currency - Payment currency (USD, EUR, etc.)
  • Amount - Transaction value in local currency
  • Country Code - Purchase region (ISO 3166-1)
  • Transaction Timestamp - Date and time of purchase
  • Sandbox Status - Whether test/development purchase
  • Order Status - Success, failed, refunded, pending
  • Receipt Data - App Store/Play Store transaction receipts

2.6 Sensitive Data We Do NOT Collect

We NEVER collect:

  • Real names, addresses, or physical location
  • Social security numbers or national ID numbers
  • Bank account details or credit card numbers
  • CVV codes or payment passwords
  • Medical records or health information
  • Biometric data (fingerprints, face data) unless explicitly required and disclosed
  • Private messages or communication content
  • Contacts or calendar information (unless app feature requires)

3. Data Usage

All collected data undergoes encrypted processing with the following safeguards:

3.1 Processing Principles

  • Encryption at Rest - AES-256 encryption for stored data
  • Encryption in Transit - TLS 1.3 for all data transmission
  • Access Control - Role-based access with audit logging
  • Data Minimization - Only collecting necessary data
  • Purpose Limitation - Data used only for stated purposes
  • Storage Limitation - Retaining data only as long as necessary

3.2 Specific Use Cases

  • Maintaining IAA system operations and ad delivery
  • Processing IAP transactions and receipts
  • Optimizing user interface and experience
  • Preventing and detecting fraudulent activities
  • Ensuring service stability and security
  • Regional compliance verification and enforcement
  • Attribution analytics for advertising campaigns
  • Personalized content and recommendations (with consent)

4. Third-Party Data Sharing

We share only anonymized, aggregated, or pseudonymized data with third parties under strict data processing agreements. All sharing follows "minimum necessary, encrypted transmission, full control" principles.

4.1 Ad Mediation Platforms

  • AppLovin MAX - Real-time bidding, fill rate optimization, audience targeting
  • Google AdMob - Ad serving, mediation, performance optimization
  • Unity LevelPlay - Ad mediation, waterfall management
  • Meta Audience Network - Facebook/Meta ad integration
  • IronSource - Ad mediation, user acquisition
  • Pangle - Ad serving (ByteDance/TikTok ecosystem)
  • Mintegral - Cross-promotion and ad serving
  • Chartboost - Game ad network and mediation
  • Vungle (Digital Turbine) - Video ad placement and optimization
  • InMobi - Mobile advertising and monetization
  • Unity Ads - Game-focused advertising
  • Liftoff - Mobile ad optimization
  • Ogury - Consent-based mobile advertising
  • AdColony - Mobile video advertising
  • Tapjoy - Rewarded ads and monetization

4.2 Attribution & Analytics Platforms

  • AppsFlyer - Install attribution, multi-touch attribution, fraud detection
  • Adjust - Mobile attribution, analytics, automation
  • Singular - Attribution, ROI optimization, analytics
  • Branch - Deep linking, attribution, link generation
  • Kochava - Attribution analytics and fraud prevention
  • Amplitude - Product analytics and user behavior
  • Mixpanel - Event tracking and user analytics
  • Firebase Analytics - Google analytics platform

4.3 Payment Processors

  • Apple Inc. - App Store IAP processing, receipt verification
  • Google LLC - Google Play billing, order verification
  • Stripe - Web payment processing (if applicable)
  • PayPal - Alternative payment method (if applicable)

4.4 Cloud & Infrastructure Providers

  • Amazon Web Services (AWS) - Cloud hosting and storage
  • Google Cloud Platform - Server infrastructure
  • Microsoft Azure - Cloud services
  • Firebase - Backend services, crash reporting

4.5 Data Shared with Third Parties

Shared Data Types:

  • Anonymized device information (non-identifiable)
  • Advertising IDs (IDFA/GAID) for ad targeting
  • Ad impression and click data (aggregated)
  • Install attribution data (timestamp, source, campaign)
  • Order receipts (excluding payment card details)
  • Crash reports and performance metrics

Never Shared: Real names, physical addresses, payment card numbers, passwords, or any data that could identify a specific individual without additional information.

5. Advertising & Monetization

5.1 Ad Types We Display

  • Splash Ads - Full-screen branded experiences displayed during app launch (2-5 seconds)
  • Rewarded Video Ads - User-initiated video viewing for in-app rewards (coins, features, content)
  • Interstitial Ads - Full-screen ads at natural transition points (level complete, pause menu)
  • Banner Ads - Persistent display ads (320x50, 728x90) at screen top or bottom
  • Native Ads - Content-matched ads integrated into app feeds and content streams
  • Playable Ads - Interactive demo ads allowing users to try before installing
  • AR Ads - Augmented reality advertising experiences (where supported)

5.2 How Advertising Works

Our advertising ecosystem operates as follows:

  1. Ad Request - App requests ads from our mediation platform
  2. Real-Time Bidding (RTB) - Multiple advertisers bid for the impression
  3. Ad Selection - Highest bidder's ad is selected
  4. Ad Display - Ad is rendered and displayed to user
  5. Engagement Tracking - User interactions (views, clicks) are recorded
  6. Attribution - Conversion attribution to advertising campaigns

5.3 Ad-Related Data Processing

Advertising data is used for:

  • Delivering relevant advertisements based on user preferences
  • Measuring ad campaign effectiveness and ROI
  • Detecting and preventing ad fraud
  • Optimizing ad timing, placement, and frequency
  • Attributing app installs and conversions to advertising sources
  • A/B testing ad creative and formats
  • Frequency capping to avoid overexposure

5.4 Your Ad Choices

  • Do Not Track - We respect browser/app DNT settings
  • Limit Ad Tracking (iOS) - Setting to restrict advertising ID usage
  • Opt Out of Personalization - Many ad networks offer opt-out mechanisms
  • Ad Choices - Industry-standard opt-out via www.aboutads.info

6. Ad Network Partners - Complete List

Our applications integrate the following advertising SDKs. Each SDK may collect data according to its own privacy policy:

6.1 Primary Ad Networks

NetworkPurposeData Shared
Google AdMobPrimary ad monetizationDevice ID, ad interactions
AppLovin MAXAd mediation, RTBDevice ID, impressions
Unity AdsGame advertisingDevice ID, gameplay data
Meta Audience NetworkFacebook ad ecosystemDevice ID, Meta account
IronSourceAd mediation, UADevice ID, install data
Unity LevelPlayAd mediation, waterfallDevice ID, ad data

6.2 Regional Ad Networks

  • Pangle - Asia-Pacific ad network (TikTok/ByteDance)
  • Mintegral - Global cross-promotion
  • AdColony - Premium mobile video
  • Vungle - Video advertising (Digital Turbine)
  • InMobi - Global mobile advertising
  • Chartboost - Gaming-focused network
  • Tapjoy - Rewarded engagement
  • Liftoff - Performance advertising
  • Ogury - Consent-based advertising
  • Smaato - Global mobile advertising
  • StartApp - Mobile ad monetization
  • Fyber - Ad monetization platform
  • Facebook Audience Network - Meta ad integration
  • Twitter MoPub - Mobile ad exchange
  • Amazon Ads - e-commerce advertising

6.3 Attribution & MMP Partners

  • AppsFlyer - Install attribution, fraud detection
  • Adjust - Attribution, analytics
  • Singular - Attribution, ROI tracking
  • Branch - Deep linking, attribution
  • Kochava - Attribution analytics
  • Tenjin - Game attribution
  • Adobe Analytics - Enterprise analytics
  • Flurry - Mobile analytics

6.4 SDK Data Collection Transparency

Each third-party SDK operates under its own privacy policy. We require all SDKs to:

  • Comply with applicable privacy laws
  • Provide transparent data collection disclosure
  • Support user opt-out mechanisms
  • Maintain reasonable data security measures
  • Not collect data beyond stated purposes

7. Data Security

7.1 Technical Safeguards

  • AES-256 Encryption - Military-grade encryption for stored data
  • TLS 1.3 - Latest transport security for data in transit
  • End-to-End Encryption - For sensitive communications
  • Hashing & Salting - Password and identifier protection
  • API Authentication - OAuth 2.0, API keys, JWT tokens
  • Firewall Protection - Network perimeter security
  • Intrusion Detection - Real-time threat monitoring
  • DDoS Mitigation - Distributed attack protection

7.2 Organizational Safeguards

  • Role-Based Access Control (RBAC) - Principle of least privilege
  • Audit Logging - Complete access trails
  • Security Training - Regular employee security awareness
  • Incident Response - Documented breach procedures
  • Vendor Management - Third-party security assessments
  • Penetration Testing - Annual security audits
  • OWASP Compliance - Secure development practices

7.3 Local Processing Philosophy

We prioritize local data processing to minimize data exposure:

  • Core app logic runs on-device where possible
  • Sensitive calculations performed locally
  • Data synchronization minimized
  • Cloud dependency reduced
  • User control over data sharing

8. Cookies & Tracking Technologies

8.1 App-Based Tracking

Our mobile apps use the following tracking technologies:

  • Advertising IDs - IDFA, GAID for ad personalization
  • SDK Analytics - Integrated tracking SDKs
  • Device Fingerprinting - Combination of device attributes
  • Session Tracking - App usage patterns
  • Event Tracking - In-app actions and interactions

8.2 Website Cookies

If you visit our websites, we may use:

  • Essential Cookies - Required for site functionality
  • Analytics Cookies - Usage pattern analysis
  • Preference Cookies - Language, theme settings
  • Marketing Cookies - Ad targeting (with consent)

8.3 Controlling Tracking

  • iOS: Settings > Privacy > Tracking > Control app tracking
  • Android: Settings > Privacy > Ads > Opt out of ads personalization
  • Browser: Clear cookies, use private/incognito mode

9. EU/UK Compliance (GDPR & UK-GDPR)

9.1 Legal Basis for Processing

We process personal data under the following GDPR Article 6 lawful bases:

  • Contract (Art. 6(1)(b)) - Processing necessary for contract performance
  • Consent (Art. 6(1)(a)) - Explicit consent for specific purposes
  • Legitimate Interest (Art. 6(1)(f)) - Fraud prevention, service optimization (balanced against user rights)
  • Legal Obligation (Art. 6(1)(c)) - Compliance with legal requirements

9.2 EU/UK Representative

  • Organization: AINODE DEVBASE
  • Contact: contact@ainodedevbase.com
  • Address: Hoa Lac High-Tech Park, Hanoi, Vietnam
  • Response Time: Within 7 business days

9.3 Digital Services Act (DSA) Compliance

We comply with EU Digital Services Act requirements:

  • Transparency - Clear disclosure of advertising rules and algorithms
  • Content Moderation - Published content policy and enforcement
  • User Complaints - Accessible complaint handling mechanisms
  • Trusted Flaggers - Priority handling for verified reports
  • Algorithmic Transparency - Explanation of recommendation systems
  • Data Access - Publication of data access policies

9.4 EU/UK-Specific Rights

  • Right to Access - Receive copy of personal data
  • Right to Rectification - Correct inaccurate data
  • Right to Erasure - "Right to be forgotten" requests
  • Right to Restriction - Limit processing in certain cases
  • Right to Portability - Receive data in machine-readable format
  • Right to Object - Object to specific processing activities
  • Right to Withdraw Consent - At any time, without detriment
  • Automated Decisions - Right to human intervention for automated decisions

Supervisory Authority: Right to lodge complaint with EDPB (EU) or ICO (UK)

10. US Compliance (State Privacy Laws)

10.1 Our Commitments

We do NOT sell personal information. Per CCPA/CPRA definitions, we may "share" device data with advertising partners for targeted ads, which you may opt out of.

10.2 California Privacy Rights Act (CPRA)

  • Right to know data collected in past 12 months
  • Right to delete personal information
  • Right to correct inaccurate data
  • Right to opt out of "sharing" for targeted advertising
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising rights

Response Time: 45 business days

10.3 Virginia Consumer Data Protection Act (VCDPA)

  • Right to access personal data
  • Right to correct inaccuracies
  • Right to delete data
  • Right to data portability
  • Right to opt out of data sale
  • Right to opt out of targeted advertising
  • Right to opt out of profiling

Response Time: 30 business days

10.4 Texas Data Privacy and Security Act (TDPSA)

  • Right to access personal data (free of charge)
  • Right to correct inaccuracies
  • Right to delete data
  • Right to data portability
  • Right to opt out of sale, targeted advertising, profiling
  • Protection of sensitive data (biometric, financial) requires consent

10.5 Colorado Privacy Act (CPA)

  • Right to opt out of data processing
  • Right to access personal data
  • Right to correct inaccuracies
  • Right to delete data
  • Right to data portability
  • Right to opt out of targeted advertising

10.6 Connecticut Data Privacy Act (CTDPA)

  • Similar rights to CPA and VCDPA
  • Right to opt out of automated decision-making

10.7 Washington Privacy Act & Other States

We comply with applicable state privacy laws including Washington, Florida, Oregon, Texas, Montana, and other states with enacted privacy legislation.

10.8 Do Not Track (DNT)

We honor DNT browser signals. When DNT is enabled, we disable behavioral tracking for advertising purposes.

11. Global Compliance

11.1 Brazil (LGPD)

  • Explicit consent required before data processing
  • Clear disclosure: purpose, type, duration of processing
  • Data subject rights: access, correction, deletion, portability
  • Data Protection Officer (DPO) designation
  • Data stored in Brazil or countries with adequate protection
  • Data breach notification within reasonable time

11.2 China (PIPL & DSL)

  • Personal Information Protection Law compliance
  • Data Security Law requirements
  • Data localization for Chinese users
  • Explicit consent for data collection
  • Security assessment for cross-border transfers
  • Compliance with CAC regulations

11.3 India (DPDP Act 2023)

  • Written consent before data collection
  • Clear purpose specification
  • Data Protection Officer (DPO) designation
  • User right to erasure and correction
  • Significant Data Fiduciary obligations
  • Cross-border transfer restrictions

11.4 Saudi Arabia (PDPL)

  • Personal Data Protection Law compliance
  • Data localization requirements
  • Consent and transparency requirements
  • Supervision by NDPA (National Data Protection Authority)

11.5 Canada (PIPEDA)

  • Consent required for data collection
  • Purpose limitation
  • Access and correction rights
  • Accountability and transparency

11.6 Japan (APPI)

  • Personal Information Protection Act compliance
  • Opt-out mechanisms for third-party sharing
  • Breach notification requirements

11.7 Australia (Privacy Act 1988)

  • Australian Privacy Principles (APPs) compliance
  • Notifiable Data Breaches scheme
  • Access and correction rights

11.8 South Korea (PIPA)

  • Personal Information Protection Act compliance
  • Strict consent requirements
  • Data localization for sensitive data

11.9 Russia (152-FZ)

  • Personal Data Law compliance
  • Data localization requirements
  • Consent for data processing

12. Children's Privacy

Our apps are NOT designed for children under 13 (US) or 16 (EU/EEA).

12.1 Our Commitment

  • We do NOT knowingly collect personal information from children
  • Our apps do not contain content inappropriate for adults
  • We do NOT engage in behavioral advertising to children
  • We do NOT create child-focused profiles

12.2 Age Verification

We rely on:

  • App Store age ratings (13+, 17+)
  • User self-declaration
  • Parental controls and supervision

12.3 If We Learn of Children's Data

If we discover we have collected data from a child without verified parental consent:

  • We will delete the data promptly
  • We will not use or disclose the data
  • We will notify parents/guardians
  • We will investigate how the data was collected

12.4 Legal Compliance

  • US COPPA - Children's Online Privacy Protection Act
  • EU GDPR Article 8 - Age of consent (16, or 13 with parental consent)
  • UK Age Appropriate Design Code - Children's code of practice
  • California AB 2273 - Age-Appropriate Design Code Act

13. AI-Generated Content

Applicable if your apps use AI features:

13.1 AI Content Disclosure

If our apps include AI-generated content:

  • Clear Labeling - All AI-generated content is clearly marked "AI-Generated"
  • Distinction from Human Content - AI content is separated from human-created content
  • EU AI Act Compliance - Transparency requirements for AI systems
  • US State AI Laws - Compliance with emerging AI transparency regulations

13.2 AI Content Standards

  • No generation of violent, sexual, or harmful content
  • No generation of discriminatory or biased content
  • No generation of misinformation or deepfakes
  • Content moderation with AI + human review

13.3 AI Training Data

  • Training data is lawfully obtained
  • No personal information used in training
  • No user-generated content used without consent
  • Respect for copyright and intellectual property

13.4 AI-Related Data Processing

  • User inputs to AI features may be processed
  • Processing occurs under appropriate legal basis
  • Users can request deletion of their AI inputs
  • AI processing does not create profiles for advertising

14. Data Retention

14.1 Retention Periods

  • Account Data - Retained while account is active, deleted within 30 days of account closure
  • Transaction Records - Retained for 7 years for financial compliance
  • Advertising Data - Aggregated data retained for 2 years, individual impressions for 90 days
  • Analytics Data - Aggregated for 3 years, individual events for 1 year
  • Security Logs - Retained for 1 year
  • Legal Compliance - Retained as required by applicable laws

14.2 Data Deletion

  • Upon user request, data is deleted within 30 days
  • Deleted data is overwritten or destroyed securely
  • Backup systems are updated within 90 days

15. Data Breach Notification

15.1 Breach Response

In case of a data breach:

  • 72-Hour Notification - Notify supervisory authority within 72 hours (GDPR requirement)
  • User Notification - Notify affected users without undue delay
  • Breach Documentation - Document all breaches and responses
  • Remediation - Take immediate steps to mitigate breach effects

15.2 Breach Notification Content

Notifications will include:

  • Nature of the breach
  • Categories and number of affected users
  • Potential consequences
  • Remediation measures taken
  • Contact information for data protection officer

16. Your Rights

You have comprehensive rights regarding your personal data:

16.1 Access Rights

  • Access - Request a copy of your personal data
  • Portability - Receive data in structured, machine-readable format
  • Transparency - Request information about data processing activities

16.2 Correction Rights

  • Rectification - Request correction of inaccurate data
  • Completion - Request completion of incomplete data

16.3 Deletion Rights

  • Erasure - Request deletion of your data ("right to be forgotten")
  • Withdrawal - Withdraw consent at any time
  • Objection - Object to specific processing activities

16.4 Restriction Rights

  • Restriction - Request restriction of processing in certain circumstances
  • Processing Limitation - Limit how we use your data

16.5 Complaint Rights

  • Lodge Complaint - File complaint with local data protection authority
  • Judicial Remedy - Right to effective judicial remedy

16.6 Exercising Your Rights

To exercise any of these rights:

  • Email: contact@ainodedevbase.com
  • We will verify your identity before processing requests
  • Standard response time: 30 days
  • EU/UK users: 7 business days for urgent requests

17. Policy Updates

We may update this Privacy Policy periodically to reflect:

  • Changes in our practices or technologies
  • New legal requirements or regulatory changes
  • App Store or Google Play policy updates
  • Security best practice improvements

17.1 Notification of Changes

  • In-app notifications for significant changes
  • Email notifications to registered users
  • Updated "Last Updated" date at policy top
  • 30 days' notice before significant changes take effect

17.2 Version History

Previous versions of this policy are available upon request.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices:

18.1 General Contact

  • Organization: AINODE DEVBASE
  • Email: contact@ainodedevbase.com
  • Business Support: support@ainodedevbase.com
  • Address: Hoa Lac High-Tech Park, Hanoi, Vietnam

18.2 Data Protection Inquiries

For privacy-specific inquiries:

  • Email: contact@ainodedevbase.com
  • Subject Line: "Privacy Request"
  • Response Time: Within 30 days

18.3 EU/UK Representative

  • Contact via: contact@ainodedevbase.com
  • Subject: "EU/UK Data Request"

18.4 US State Residents

For California, Virginia, Texas, and other state-specific privacy requests:

  • Email: contact@ainodedevbase.com
  • Include your state of residence
  • Response within legally required timeframe

Note: We may need to verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.