Privacy Policy

Privacy Policy Terms of Service
  • English
  • Português

Effective date: April 17, 2026 Controller: Upbeat Games Desenvolvimento de Software Ltda. - EPP (doing business as "Upbeat Games"), Alameda Dos Ciprestes, 51, Pinheirinho, Vinhedo - SP, 13281-684, Brasil

1. Plain-English summary

This Privacy Policy applies to all websites, mobile apps, games, and other offerings provided by Upbeat Games (collectively, the "Services"). Certain sections below apply only where a Service is a mobile game — for example, references to Apple Game Center, Google Play Games Services, cloud saves, leaderboards, and in-app purchases.

We do not collect, store, or process any personal information about you on servers we operate. When a Service is a mobile game, account, leaderboard, achievement, and cloud-save data is handled by Apple Game Center / iCloud (iOS) or Google Play Games Services (Android) under Apple's and Google's own privacy policies. When any Service fetches configuration files or content from servers, your IP address is briefly visible to our content delivery network (Cloudflare) but not retained by us.

This policy explains the details.

2. Who we are and how to contact us

Controller: Upbeat Games Desenvolvimento de Software Ltda. - EPP (doing business as "Upbeat Games") Postal address: Alameda Dos Ciprestes, 51, Pinheirinho, Vinhedo - SP, 13281-684, Brasil Email: legal@upbeatgames.com

For data-subject requests (access, deletion, objection, etc.), either of the above methods is acceptable; please include "Data Request" in the subject or message so we can route it appropriately.

Encarregado pelo Tratamento de Dados Pessoais (DPO under LGPD Article 41): Given the small-scale nature of our processing under ANPD Resolution CD/ANPD Nº 2/2022, we have not appointed a dedicated Encarregado. For LGPD-related matters, please write to legal@upbeatgames.com with "LGPD" in the subject line.

We have not appointed a Data Protection Officer under GDPR Article 37 either, because our processing does not meet the Article 37 threshold for a mandatory DPO.

3. What personal data we do and do not collect

Data we operate on directly: none. We run no account system, no analytics, no ad SDK, no crash-reporting service, no email or newsletter system. We do not collect your name, email, phone, address, location, contacts, photos, calendar, advertising ID, or in-game behavior on any server of ours.

Data handled by Apple and Google on our behalf (as processors / independent controllers under their own terms): when you use Game Center or Play Games Services, Apple and Google process your platform-assigned user ID, your game progress, your achievements, your leaderboard scores, and any display name you have set. We receive only an opaque identifier from these services, not your name or email. Their privacy policies govern this processing:

Data briefly visible to our CDN: when any Service fetches configuration files, content, or LiveOps events from servers, Cloudflare, Inc. sees your IP address for routing and DDoS protection. Cloudflare's privacy policy governs what they do with it: https://www.cloudflare.com/privacypolicy/. We do not retain or receive these logs.

Data stored on your device: Services that run on your device (mobile apps and games) store your progress, settings, and unlocked content on the device itself. Uninstalling the Service deletes this local data.

4. Lawful basis for processing (GDPR Article 6 / LGPD Article 7)

To the extent Apple, Google, or Cloudflare process your data in connection with our game, the lawful bases under the EU GDPR are:

  • Performance of a contract (GDPR Art. 6(1)(b)): providing cloud saves, achievements, and leaderboards that a Service's functionality depends on (for our mobile games), plus delivering Service configuration and content.
  • Legitimate interests (GDPR Art. 6(1)(f)): operating the CDN in a way that resists abuse (DDoS protection, basic routing logs). You may object to this processing at any time using the contact details above.

Under the Brazilian LGPD (Law 13.709/2018, Article 7), the corresponding legal bases are:

  • Art. 7, V — execution of a contract to which the data subject is a party (cloud saves, game configuration delivery).
  • Art. 7, IX — legitimate interests of the controller or a third party (CDN abuse protection and routing).
  • Art. 7, II — compliance with a legal or regulatory obligation (e.g., responding to lawful requests or store-operator demands).

We do not process special-category data or sensitive personal data (LGPD Art. 11). We do not process data for marketing, profiling, or automated decision-making.

5. International transfers

Our CDN provider (Cloudflare) is headquartered in the United States and operates a global edge network. Transfers of EU/UK personal data to the US rely on:

  • the EU-US Data Privacy Framework certification held by Cloudflare, and
  • Standard Contractual Clauses in the data processing addendum that Cloudflare offers to its customers, and
  • a Transfer Impact Assessment we rely on from Cloudflare's published documentation.

For transfers of personal data from Brazil, we rely on the bases in LGPD Article 33, specifically Art. 33(II) — transfers authorized under contractual clauses (the Cloudflare DPA) — and Art. 33(V) — execution of a contract to which the data subject is a party (Game Center / Play Games Services cloud saves).

We have not entered into separate transfer agreements because we do not export personal data ourselves; the CDN traffic is the only touchpoint, and Cloudflare is the data importer.

6. Data retention

  • On our servers: we have none.
  • By Apple / Google: per their policies; typically until you delete your platform account or game data.
  • By Cloudflare: per their policies; typically short operational log retention.
  • On your device: until you uninstall the Service or clear its data.

7. Your rights

Because we hold no personal data about you, we have nothing to disclose, correct, export, or delete in response to a rights request. For completeness and compliance, you have the right to:

  • access any data we hold (we hold none);
  • correct inaccurate data;
  • delete your data ("right to be forgotten");
  • restrict or object to processing;
  • port your data to another service;
  • withdraw any consent you have given;
  • lodge a complaint with a supervisory authority in your country (EU: your national DPA; UK: the ICO; California: the CPPA).

To manage data held by Apple or Google under their services, use:

8. Regional notices

California (CCPA/CPRA). We do not "sell" or "share" personal information as defined by California law. We do not collect personal information directly. You have the right to know, to delete, to correct, and to limit use of sensitive information. Requests can be made using the contact details above and will be acknowledged within 10 business days and substantively answered within 45 days.

Colorado, Virginia, Connecticut, Texas, and other US states with comprehensive privacy laws: our practices and your rights mirror those described for California above; contact us using the same methods to exercise them.

Brazil (LGPD). Under Law 13.709/2018 (LGPD) Article 18, you have the right to: (i) confirm the existence of processing; (ii) access your data; (iii) correct incomplete, inaccurate, or outdated data; (iv) anonymize, block, or delete unnecessary or excessive data, or data processed in noncompliance with the LGPD; (v) port your data to another service or product provider; (vi) delete personal data processed with your consent; (vii) obtain information about public and private entities with which we have shared your data; (viii) obtain information about the possibility of refusing consent and the consequences of refusal; and (ix) revoke consent. Contact: legal@upbeatgames.com. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at https://www.gov.br/anpd.

Other regions. Local data protection laws may give you additional rights; we will honor them on request.

9. Children

Our Services are general-audience offerings and are not directed to children under 13 within the meaning of COPPA, under 16 in EU member states with that threshold, or under 12 within the meaning of Brazil's LGPD Article 14. Under LGPD Article 14, the processing of personal data of children under 12 in Brazil requires specific parental consent; processing for adolescents (ages 12 to under 18) must serve their best interests. We do not knowingly collect personal information from children or adolescents.

If you believe a child has been using one of our Services in a way that requires our attention, or you are a parent wishing to inquire about any activity involving your child, contact legal@upbeatgames.com. We will respond and, if applicable, work with Apple or Google to delete relevant data from their services.

10. Security

We do not store personal data, so the main security concern on our side is the integrity of the Services' code and the CDN traffic. We use HTTPS for all CDN fetches and, for our mobile games, standard Apple/Google platform authentication (Game Center, Play Games) for cloud saves.

11. Automated decision-making and cookies

We do not engage in automated decision-making that produces legal or similarly significant effects on you. We do not use cookies or set tracking technologies. Our Services respect Do Not Track signals by default (we set no trackers).

12. Third-party services used by the Services

For our mobile games on iOS and Android:

  • Apple Game Center + iCloud Key-Value Store (iOS only)
  • Google Play Games Services + Saved Games (Android only)
  • Apple In-App Purchase (iOS) / Google Play Billing (Android)

For all Services:

  • Cloudflare (CDN)

No other third-party SDK is embedded in any of our Services. No advertising, no third-party analytics, no third-party crash reporting.

13. Changes to this policy

Material changes will be posted here with an updated "Effective date". We will make reasonable effort to reflect material changes in the Services or via store listing updates. Under LGPD Article 9, where a change affects the legal bases or purposes of processing, we will communicate the change before it takes effect to the extent feasible.

14. Governing law

This policy is governed by the laws of Brazil. Nothing here waives rights you have under mandatory consumer protection or data protection laws in your country.