This policy explains what data we collect in the Crosswords
mobile app (the "App"), why and on what legal basis we process it, whom we share it with,
and what rights you have. It complies with Regulation (EU) 2016/679 (GDPR).
In short: the App is anonymous by design. We do not ask for your
email, real name, or password. Your account is created from a random identifier
generated by your device plus a username you choose. Optionally, you can link your
account to Google Play Games so you can recover your progress after reinstalling
the App.
1. Data Controller
The controller of your personal data is Krzysztof Wróbel, a
sole proprietor (jednoosobowa działalność gospodarcza) registered in Poland,
with registered address at ul. Fantazyjna 19/2, 03-580 Warszawa, Poland, Tax ID (NIP):
5140216607, REGON: 381251592, entered
in the Polish Central Business Register (CEIDG).
We only collect data that is strictly necessary to run the App:
Device identifier (device UUID): a random string generated by the
App on first launch and stored locally on your device. This is the primary identifier
of your account. It is not an IMEI, MAC address, or any other persistent
hardware identifier — uninstalling the App permanently loses this identifier, and
reinstalling creates a new one.
Username: a nickname of your choice, displayed on leaderboards.
We recommend choosing a nickname that does not contain any of your personal information.
Chosen difficulty level and account creation date.
Google Play Games player ID (optional): if you choose to link
your account to Google Play Games, we store the pseudonymous player ID returned by
Google. This is not your email address or your Google account ID —
it is a separate identifier used only within Google Play Games.
Gameplay data: identifiers of puzzles you played, start and submission
times, your solve time, correctness, grid state (saved progress), number of hints used.
Custom puzzle requests: theme, size, and status of any custom puzzle
you request (if you use this feature).
In-app notifications: the content of notifications sent to you.
Technical data: basic server logs (IP address, user-agent, request path)
automatically generated by our hosting provider.
We do not collect your email address, password, real name, date of
birth, phone number, precise location, payment details, or any special-category data
(Art. 9 GDPR).
3. Purposes and Legal Bases for Processing
Purpose
Legal basis (GDPR)
Creating and maintaining your account (device identifier + username), enabling
gameplay, saving progress
Art. 6(1)(b) — performance of a contract
Optional account linking to Google Play Games for progress recovery after
reinstall or device change
Art. 6(1)(b) — a feature you choose to use
Displaying your username on leaderboards
Art. 6(1)(b) — a feature of the App you agree to by creating an account
Securing the App and detecting abuse (server logs)
Art. 6(1)(f) — legitimate interest of the controller
Anonymous gameplay analytics (GameAnalytics) — measuring app launches and the
number of puzzles started and completed
Art. 6(1)(a) — your freely-given consent, requested when you first
open the App. You can withdraw consent at any time in the App settings; withdrawal does
not affect the lawfulness of processing carried out before withdrawal.
4. Recipients (Processors)
To operate the App, we rely on the following service providers. Each acts under a
data processing agreement (DPA) or the provider's applicable terms of service:
Hetzner Online GmbH (Germany, EU) — application server
hosting. Data remains within the EU.
Neon, Inc. — managed PostgreSQL database,
physically located in Frankfurt, Germany (EU). Your stored data never
leaves the EU.
Google Ireland Limited / Google LLC — App distribution through
Google Play and Google Play Games Services (optional account linking).
If you choose to link your account to Google Play Games, Google receives information
about your participation in the game; we only receive a pseudonymous player ID from
Google in return. For details on Google's own data processing, see
https://policies.google.com/privacy. Transfers to the USA rely on SCCs
and EU-U.S. Data Privacy Framework certification.
GameAnalytics ApS (Denmark, EU) — anonymous gameplay analytics,
collected only with your consent. GameAnalytics does not receive
your username, device identifier, or account identifier from our system. We send only
gameplay events: app launch, puzzle start (by puzzle ID), solve time, pass/fail.
GameAnalytics generates its own random device identifier used solely for aggregate
statistics.
Google LLC — Firebase Cloud Messaging (FCM) for delivering
push notifications to your device (e.g. when a new daily puzzle is published or your custom
puzzle request is fulfilled). Google receives the FCM registration token of your device
(generated by Google Play Services on your phone) and the notification payload (title, body,
and a link). We do not send your username, email, or account identifier in
push payloads. Transfers to the USA rely on SCCs and EU-U.S. Data Privacy Framework
certification.
We do not sell your data and do not share it for marketing purposes.
We do not use advertising tools.
5. Retention Periods
Account — until you delete it (the "Delete account" button in your
profile settings) or until you uninstall the App without a Google Play Games link
(in which case the device identifier is lost and the account becomes unreachable —
it will be cleaned up during periodic database maintenance). User-initiated deletion
is immediate and irreversible.
Google Play Games link — removed together with your account.
Note: deleting your account in the App does not revoke the OAuth
consent you granted to Google Play Games. To fully revoke access, visit
https://myaccount.google.com/permissions and remove the "Crosswords" entry.
Server logs — up to 30 days.
GameAnalytics statistics — in line with GameAnalytics' own retention
policy (typically up to 3 years), in aggregate form with no ability to identify a
specific individual.
6. Your Rights
Under the GDPR (Art. 15–22) you have the right to:
access your data (Art. 15);
rectify inaccurate data (Art. 16) — you can edit your username and
difficulty level directly in the App;
erase your data ("right to be forgotten", Art. 17) — the "Delete
account" button in your profile settings wipes all of your data immediately;
restrict processing (Art. 18);
data portability (Art. 20) — on request we will send you a JSON
file containing your full history;
object to processing based on legitimate interest (Art. 21);
withdraw consent for GameAnalytics at any time in the App settings;
lodge a complaint with the Polish Data Protection Authority
(Prezes Urzędu Ochrony Danych Osobowych, PUODO), ul. Stawki 2, 00-193 Warszawa,
Poland, https://uodo.gov.pl/en/, or with the supervisory authority of the
EU member state where you live, work, or where the alleged infringement took place.
Because we do not collect your email address, we cannot verify the identity of a
requester from an email message alone. To exercise rights under Art. 15–20, we may
ask you for your username and additional information that allows us to link your
request to your account (for example, account creation date or recently played puzzles).
Send requests to [email protected]. We will respond without undue
delay and in any event within 30 days.
7. Automated Decision-Making
We do not make decisions about you based solely on automated processing that produce
legal effects or similarly significantly affect you (Art. 22 GDPR).
8. Children
The App is not intended for children under 16 years of age. We do
not knowingly collect data from children. If we learn that a child's data has been
stored with us without the required consent of a parent or legal guardian, we will
delete it promptly.
9. Security
We do not store any passwords — the App does not use passwords.
All communication with the server uses HTTPS/TLS.
Session tokens (JWT) are cryptographically signed and valid for 14 days.
The device identifier is stored locally in the operating system's secure preferences
store (Capacitor Preferences / Android SharedPreferences) and is not shared with other
apps.
Database access is restricted to the necessary individuals and protected by a password.
In the event of a personal data breach, we will notify the Polish Data Protection
Authority within 72 hours (Art. 33 GDPR) and, where required, inform you directly
through the App (Art. 34 GDPR).
10. Changes to This Policy
We will announce material changes through an in-app notification at least 14 days in
advance. The current version is always available at /privacy/en.