VexGridLinkNode
Legal · 2026 Global Compliance Edition

Privacy Policy

Last updated: June 25, 2026  ·  Effective: June 25, 2026  ·  Version 3.0 — Global Full Compliance Edition

Table of Contents

  1. Data Collection: Scope & Purpose
  2. Third-Party Data Sharing Architecture
  3. Global & Regional Legal Statements
  4. Automatic Renewal Subscription Transparency
  5. AI-Generated Content Declaration
  6. Technical Compliance: Apple App Store (iOS)
  7. Technical Compliance: Google Play (Android)
  8. 2026 Data Residency Compliance
  9. Interaction Design & Accessibility
  10. Compliance Risk Management & Periodic Review
  11. Contact & User Rights

1. Data Collection: Scope & Purpose

VexGridLinkNode strictly adheres to the principle of data minimization. We collect only the information necessary to operate IAA (In-App Advertising) and IAP (In-App Purchases) systems, optimize user experience, and prevent fraud. No personal information unrelated to our services is collected. All data collection is performed through compliant technical means and aligns with global privacy regulations across all regions.

Core Principle: Data does not leave your device unless strictly necessary for service functionality. We prioritize local-first architecture in all our products.

1.1 Device Fingerprints & Identifiers

We collect the following device-level technical data solely for ad delivery, fraud detection, and regional compliance filtering:

  • IDFA (Identifier for Advertisers — iOS devices) — used only after explicit user opt-in via the App Tracking Transparency (ATT) framework. If the user declines, no IDFA is accessed.
  • GAID (Google Advertising ID — Android devices) — used per Google Play policies, with user opt-out honored.
  • OAID (Open Anonymous Device Identifier — Android devices in China market) — used only for the China market as a privacy-compliant alternative.
  • Device Brand, Model, Screen Resolution, OS Version, Language Settings, Battery Status — used for ad format optimization and regional service adaptation.
  • System Clock Offset — used to detect timezone-based fraud and prevent cross-regional pricing manipulation. Does not track or record actual location.
  • Device Unique Identifier (encrypted, not linked to real user identity) — used internally for fraud prevention and service continuity.

1.2 Network Environment Data

  • IP Address — used exclusively for geographic compliance filtering (determining which regional regulations apply) and service stability. Not used for precise geolocation tracking.
  • Mobile Network Operator Name, Wi-Fi Connection Status, Network Type (4G/5G/Wi-Fi) — used to ensure service stability and regional compliance control.

1.3 Behavioral Data (IAA & UX)

Advertising Behavior:

  • Ad impression ID, click timestamp, conversion path
  • Rewarded video ad view duration and mid-exit detection
  • Ad dwell time — used exclusively for ad performance optimization and fraud detection
  • All advertising data is de-identified before being synchronized with third-party monetization platforms

Application Logic:

  • Core feature trigger frequency — used for UX optimization
  • Paywall popup click-through rate — used to refine placement and timing
  • Onboarding flow drop-off points — used to improve first-time user experience
  • Feature usage frequency — used to adjust functional layout
  • We do NOT collect specific user operation content, private data, or any user-generated content.

1.4 Financial Transaction Data (IAP)

We exclusively receive transaction receipts through the official App Store / Google Play APIs. We do not access, process, or store any sensitive payment information including:

  • Bank card numbers, CVV codes, payment passwords, or card expiration dates
  • All payment operations are handled entirely by Apple and Google's official payment systems

We record the following non-sensitive transaction metadata for order verification, refund processing, financial reconciliation, and payment fraud prevention:

  • Order number, item name and quantity, currency, amount
  • Country code, transaction timestamp
  • Sandbox test order flag
  • Order status (successful / failed / refunded)

All collected data is encrypted during storage and transmission. Access is restricted to authorized personnel only, with comprehensive access logs maintained for audit purposes.

2. Third-Party Data Sharing Architecture (Data Mapping)

To achieve lawful monetization, service optimization, and fraud prevention, we share only necessary data with the following compliant third-party ecosystems. All sharing follows the principles of data minimization, encrypted transmission, and full controllability. No sensitive personal information is shared. Users may review each platform's privacy policy for detailed data handling information.

2.1 Mediation Layer (Ad Mediation)

  • AppLovin (MAX) — Real-time bidding (RTB), ad fill rate optimization, monetization efficiency. Shared data: de-identified device information, ad impression/click data (not linked to user identity).
  • Google AdMob — Ad serving and mediation. Supports banner, interstitial, rewarded video, and native ad formats. Shared data: advertising ID, device info, ad interaction data.
  • Unity LevelPlay (ironSource) — In-app bidding and waterfall mediation. Shared data: de-identified device data, ad performance metrics.

2.2 Attribution & Anti-Fraud (MMP — Mobile Measurement Partners)

  • AppsFlyer — Ad install attribution tracking, fraud detection (fake installs, click injection, SDK spoofing). Shared data: de-identified device info, install attribution data.
  • Adjust — Campaign attribution, fraud prevention, SKAdNetwork conversion value management. Shared data: de-identified attribution parameters.
  • Singular — Cross-channel attribution, fraud detection, cost aggregation. Shared data: install referrer data, de-identified device parameters.

2.3 Payment Processors

  • Apple Inc. — Processes in-app purchases on iOS via StoreKit. Only order-related metadata is received; Apple handles all payment processing.
  • Google LLC — Processes in-app purchases on Android via Google Play Billing. Only order receipts are received.

2.4 Additional Ad Platforms & SDKs

Our applications may integrate additional advertising platforms depending on regional availability and optimization requirements. All integrated platforms are vetted for compliance:

  • Meta Audience Network — Facebook/Instagram ad inventory. Supports banner, interstitial, native, and rewarded video ads.
  • ByteDance Pangle — Global programmatic advertising platform (primarily for non-China markets). Supports rewarded video, interstitial, splash, and banner ads.
  • Vungle (Liftoff) — Video-focused ad platform. Supports rewarded video and interstitial formats.
  • Chartboost — Mobile game and app advertising. Supports rewarded video, interstitial, and banner ads.
  • Mintegral — Global programmatic ad platform. Supports splash ads, rewarded video, interstitial, banner, and native ads.
  • InMobi — Global mobile advertising platform. Supports banner, interstitial, native, and rewarded video ads.
  • Tapjoy — Rewarded ad and offerwall platform. Users opt-in to view content in exchange for in-app rewards.
  • Fyber (Digital Turbine) — Programmatic ad exchange. Supports rewarded video, interstitial, and banner ads.
  • Smaato — Global real-time advertising exchange. Supports all major ad formats.
  • PubMatic — Sell-side programmatic advertising platform.
  • OpenX — Programmatic advertising exchange with global reach.

Commitment: We maintain strict data processing agreements (DPAs) with all third-party partners, defining data usage scope, retention periods, and security responsibilities. We conduct regular compliance reviews of all partners. If any partner violates data handling obligations, we will immediately terminate the partnership and pursue accountability. Users may view the third-party sharing inventory and scope within the app's settings and may withdraw authorization at any time (note: withdrawal may affect ad monetization and certain service functionality).

3. Global & Regional Legal Statements

We strictly comply with privacy regulations across all countries and regions, incorporating the latest 2026 policy changes. The following differentiated compliance provisions are provided for key regions:

3.1 European Union (GDPR) & United Kingdom (UK-GDPR)

Legal Basis: Our lawful bases for processing user data include: performance of a contract with the user, the user's explicit consent, and our legitimate interests (fraud prevention, service optimization). All data processing complies with GDPR/UK-GDPR Article 6.

EU/UK Representative: [EU/UK Legal Representative contact details and registered address to be provided — responsible for receiving data-related requests from EU/UK users, including access, rectification, erasure, and consent withdrawal. Response time shall not exceed 7 business days.]

DSA Transparency Supplement

In strict compliance with the EU Digital Services Act (DSA) transparency requirements, we publicly disclose:

  • Advertising delivery rules and targeting logic
  • Algorithmic recommendation mechanisms
  • Content moderation standards and procedures
  • Regular transparency reports detailing data processing flows and third-party cooperation
  • For applications involving User-Generated Content (UGC): content moderation mechanisms, complaint handling procedures, and violation content disposal standards are publicly available

User Rights (EU/UK): Users have the right to access, rectify, and delete personal data; withdraw data processing authorization; request a copy of personal data (data portability); and lodge complaints with the European Data Protection Board (EDPB) or the UK Information Commissioner's Office (ICO) regarding any data processing violations.

3.2 United States (CCPA / CPRA / VCDPA & State-Specific Provisions)

No Sale of Personal Information: We explicitly commit that we do not sell users' personal information to any third party (including advertisers and data brokers). However, per California CPRA, Virginia VCDPA, and similar state law definitions, sharing device IDs and other non-sensitive information with third parties for ad targeting may be classified as "data sharing." We clearly inform users of such sharing within the application and users may opt-out at any time.

Do Not Track: We fully honor device-level "Do Not Track" settings. If a user enables this setting, we will cease collecting behavioral tracking data and will no longer use such data for targeted advertising or personalized recommendations, retaining only the minimum data required for core service functionality.

State-Specific Adaptation

  • California (CPRA): Users have the right to request disclosure of personal information collected, used, and shared over the preceding 12 months; the right to request deletion of personal information; the right to opt-out of the use of personal information for targeted advertising. We will respond within 45 business days.
  • Texas (CCPA-TX): Enhanced data access rights — users may access their personal data collection records free of charge, and we shall not impose unreasonable barriers. Sharing of sensitive user information (biometric data, financial information) with third parties is prohibited without written user consent.
  • Virginia (VCDPA): Users have the right to request correction of inaccurate personal data and the right to demand cessation of personal data sharing with third parties. We must complete corrections or halt sharing within 30 business days and inform the user of the outcome.
  • Washington, Colorado, Connecticut, Utah: We comply with the latest privacy laws of each state, clearly defining user data rights and our compliance obligations to ensure lawful operations across the United States.

3.3 Brazil (LGPD)

We strictly follow Brazil's General Data Protection Law (Lei Geral de Proteção de Dados — LGPD):

  • Explicit user authorization is obtained prior to collecting personal information
  • The purpose, scope, and method of information collection are clearly communicated
  • Brazilian users' rights to access, correct, delete, and withdraw consent are fully protected
  • A dedicated compliance officer handles data requests from Brazilian users
  • User data is stored on servers located within Brazil; cross-border transfers require approval from the Brazilian Data Protection Authority (ANPD)

3.4 Other Key Regions

  • China: Compliance with the Personal Information Protection Law (PIPL), Data Security Law (DSL), and the Provisions on Promoting and Regulating Cross-Border Data Flows. Explicit user consent obtained prior to data collection. Domestic user data is stored within China-based servers. No unauthorized collection of sensitive personal information. Cooperation with Cyberspace Administration of China (CAC) regulatory inspections.
  • India: Compliance with the Digital Personal Data Protection Act (DPDP Act). Clear data collection boundaries defined. Written user consent required. Data Protection Officer (DPO) appointed. Users have the right to request data deletion. Cross-border data transfers require approval from the Ministry of Electronics and Information Technology (MeitY).
  • Saudi Arabia: Compliance with the Personal Data Protection Law (PDPL). Local data storage required — user data stored on servers within Saudi Arabia. No unauthorized cross-border transfers. Subject to Saudi Data and Artificial Intelligence Authority (SDAIA / NDPA) oversight.
  • Canada: Adaptation to the Personal Information Protection and Electronic Documents Act (PIPEDA). Clear data processing standards established. User data rights protected. Cooperation with Office of the Privacy Commissioner of Canada (OPC) audits.
  • Japan: Compliance with the Act on the Protection of Personal Information (APPI). Transparent data handling. User rights protection aligned with 2026 data sovereignty requirements. Cooperation with the Personal Information Protection Commission (PPC).
  • South Korea: Compliance with the Personal Information Protection Act (PIPA). Strict consent mechanisms. Data subject rights fully implemented.
  • Australia: Compliance with the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs). Transparent collection notices. Cross-border disclosure rules honored.
  • Switzerland: Compliance with the revised Federal Act on Data Protection (nFADP). Adequate level of protection ensured.

4. Automatic Renewal Subscription Transparency

If our applications include auto-renewable subscription services, we strictly follow Apple App Store and Google Play rules as well as global regional compliance requirements, ensuring users' right to informed consent and choice:

4.1 Data Collection

We collect only necessary subscription-related information: subscription period, trial period remaining, subscription status (active/expired/paused), and renewal date. No unrelated information is collected.

4.2 Transparency Guarantees

  • Before Subscription: Users are clearly informed of the subscription period (weekly/monthly/annual), pricing, trial period duration (if any), renewal rules, and cancellation methods. No hidden terms.
  • Charge Notification: 24 hours before each automatic renewal charge, users receive in-app popup and system push notifications clearly stating the charge amount, charge time, and a direct path to cancel the subscription.
  • Subscription Management: Users may cancel auto-renewal at any time via the in-app "Settings → Subscription Management" page or the App Store / Google Play subscription management page. No further charges will occur after cancellation. Cancellation during a trial period incurs no fees.

4.3 Trial Period Terms

If a free trial period is offered, the trial will automatically convert to a paid subscription at the end of the trial period unless cancelled. Users may cancel at any time during the trial to avoid charges. If a user has used subscription-exclusive features during the trial, those features will immediately become unavailable upon cancellation.

5. AI-Generated Content Declaration

If our applications include AI-generated content (including but not limited to text, audio, images, and interactive scenarios), we strictly comply with global AI compliance requirements and provide the following declarations:

5.1 Clear Identification

All AI-generated content will be clearly labeled as "AI-Generated" and distinguished from human-created content to avoid misleading users. This complies with the EU AI Act and US state-level AI transparency requirements.

5.2 Content Compliance

AI-generated content strictly follows global content moderation standards. Generation of violent, pornographic, vulgar, false, politically sensitive, racially discriminatory, or otherwise violative content is prohibited. A dual "AI Generation + Human Review" mechanism is implemented to ensure compliance.

5.3 Liability Delineation

AI-generated content serves only as an auxiliary feature and does not constitute professional advice, promises, or guarantees. We bear no liability for losses arising from reliance on AI-generated content. Where AI-generated content infringes upon third-party intellectual property rights, reputation rights, or other legitimate rights, we assume corresponding responsibility and will promptly remove the offending content.

5.4 Data Security

Data used to train AI models consists solely of compliant, authorized, non-sensitive data. Users' personal information and private data are never used to train AI models. User data security is strictly protected.

6. Technical Compliance: Apple App Store (iOS 18+)

6.1 Privacy Labels

Privacy Nutrition Labels must be accurately completed in App Store Connect. We strictly check "Data Linked to User" because IDFA, purchase records, and similar data are linked to user profiles. Data linkage relationships must not be concealed. Data collection scope, usage, and third-party sharing must be accurately reported, consistent with this Privacy Policy. False information will result in app review rejection and potential removal.

6.2 ATT Framework Enforcement (2026 Upgrade)

  • Before accessing device_id (IDFA), requestTrackingAuthorization must be called to present the opt-in dialog. The authorization text must clearly state the purpose (e.g., ad targeting) without misleading users.
  • If the user denies authorization, allow_tracking = false must be propagated to all third-party SDKs. IDFA must not be accessed or used through alternative means.
  • iOS 18 requirement: The ATT authorization dialog may be shown only once. Repeated prompts are prohibited after refusal. Users may only be guided to enable authorization through device system settings.
  • Non-ATT channels for obtaining device identifiers are prohibited. Other device parameters (e.g., MAC address) must not be used as IDFA substitutes to circumvent privacy policy requirements.

6.3 Additional iOS Compliance

  • No hidden features or non-compliant code. No circumvention of App Store review rules (e.g., hidden payment portals, false feature descriptions).
  • iOS 18 privacy compliance: Access to sensitive data (photos, contacts) requires per-instance user authorization. Default or forced authorization is prohibited.
  • In-app purchase items must clearly display pricing and subscription periods. Deceptive purchase traps and misleading payment prompts are prohibited.
  • If AI-generated content is included, it must be clearly disclosed in the App Store product page per Apple's AI compliance requirements.

7. Technical Compliance: Google Play (Android 15+)

7.1 Data Safety Form

The Data Safety form must be accurately completed in Google Play Console. We explicitly declare encryption of data in transit (HTTPS protocol) and data at rest (AES-256 encryption). Data collection scope, usage, and third-party sharing must be truthfully reported. False information will result in app review rejection and potential removal.

7.2 SDK Transparency (2026 Upgrade)

  • Google requires developers to bear full responsibility for all integrated third-party SDK behavior. All SDKs must support the latest Android 14+ Privacy Sandbox. Outdated SDKs with potential privacy vulnerabilities must not be used.
  • All integrated third-party SDKs must be publicly disclosed in Google Play Console, including SDK name, purpose, and data collection scope. SDK data handling behavior must be compliant. SDKs found to collect data in violation must be immediately removed and remediation must be performed.
  • Android 15 requirements: Integrated SDKs must not request permissions unrelated to app functionality. Unauthorized collection of personal information is prohibited. SDKs must not interfere with normal device operation.
  • For apps supporting Android 15 Private Space: Medical apps must clearly inform users not to install in Private Space to avoid impacts on core functionality. Launcher apps must declare relevant permissions for Private Space display requirements.

7.3 Additional Android Compliance

  • Android 15 privacy protections: Dynamic OTP hiding during screen sharing, sensitive content obfuscation, and manual marking of sensitive app fields to protect user privacy.
  • No malicious code or adware. No forced ad delivery or deceptive ad-click mechanisms. Ad display must comply with Google Play advertising policies.
  • 64-bit architecture support required. 32-bit-only builds are not permitted. Must support the latest Android devices.
  • Subscription services must include a clearly labeled subscription management entry point within the app, supporting cancellation at any time per Google Play subscription policies.

8. 2026 Data Residency Compliance

In response to rising global data sovereignty awareness in 2026, multiple countries and regions have enacted stricter data localization requirements. We commit to the following:

  • Where applications have a substantial user base in specific countries/regions (China, India, Saudi Arabia, Brazil, EU, Canada — thresholds defined by local law), local user data will be stored on compliant in-country/region servers. Unauthorized cross-border transfer is prohibited.
  • Cross-border data transfers strictly follow local regulatory requirements, including: EU GDPR adequacy decisions; China's security assessment / standard contract requirements under the Provisions on Cross-Border Data Flows; India DPDP Act cross-border transfer approval requirements. No cross-border data transfer without proper authorization.
  • Regarding the 2026 US Trade Representative report on global data sovereignty: compliance risks arising from cross-border data transfers must be avoided. For US users, CLOUD Act requirements are followed, and cooperation with US regulatory data access requests (where applicable) is provided.
  • Periodic audits of data storage locations ensure alignment with evolving regulations. Countries with new 2026 data localization requirements (Canada, Japan, Bolivia, Colombia, etc.) are monitored and storage strategies are adjusted accordingly to maintain compliance.
  • A data residency compliance ledger is maintained, recording user data storage locations and transfer activities. Regular compliance self-assessments are conducted to support cooperation with local regulatory inspections.

9. Interaction Design & Accessibility Compliance

9.1 Dual Confirmation Mechanism

  • For large IAP purchases (suggested threshold: single transaction ≥ $50 / €50), an in-app secondary confirmation dialog must be presented, clearly stating the purchase amount, item name, and payment method. The user must manually tap "Confirm Purchase" before being redirected to the payment page.
  • For auto-renewable subscriptions, after the user taps the "Subscribe" button, a confirmation dialog must appear again, clearly stating the subscription period, price, and renewal rules to prevent accidental subscriptions.

9.2 Privacy Policy Accessibility (Mandatory)

The Privacy Policy link must be simultaneously present in all three of the following locations:

  1. App Store listing page (prominent position in App Store / Google Play description)
  2. App splash/launch screen (or login page) — with "Agree" and "Decline" buttons; user cannot use the app without consent
  3. In-app "Settings" or "About" menu — link in a prominent position for direct, anytime access

9.3 Additional Interaction Compliance

  • Permission Requests: When requesting permissions (camera, photos, location), the purpose must be clearly stated. Default or forced authorization is prohibited. Users may withdraw authorization at any time within the app or through device system settings.
  • Ad Interactions: Rewarded video ads must be clearly labeled as "Watch full ad to earn reward." A "Skip Ad" button (available after 5 seconds of playback) must be provided. Forced ad viewing is prohibited.
  • Complaint Channels: Accessible complaint channels within the app, including privacy complaints, ad complaints, and UGC complaints, with clear processing timelines (not exceeding 7 business days) and result feedback to the user.
  • Transparency Display: Prominent in-app display of ad delivery rules, algorithmic recommendation logic, and a simplified data processing flow chart, meeting DSA transparency requirements.
  • Screen Sharing Notice: Per Android 15 requirements, during screen sharing, casting, or recording, a visible indicator label is displayed in the status bar, alerting the user to the active sharing state. Users may tap the label to quickly stop sharing.

10. Compliance Risk Management & Periodic Review

10.1 Compliance Risk Prevention Measures

  • Compliance Review Mechanism: Before development and release, comprehensive compliance review of app code, privacy policy, terms of service, and interaction design to ensure alignment with App Store / Google Play policies and global regional regulations.
  • Knowledge Updates: Designated personnel monitor the latest changes in global privacy regulations and app store policies (US state privacy laws, EU DSA updates, Android 15 / iOS 18 system policy changes) and promptly adjust apps and agreements.
  • Third-Party Partner Management: Regular compliance audits of third-party ad platforms, SDK providers, and payment processors. Compliance agreements are signed, clearly defining data handling responsibilities. Non-compliant partners are immediately terminated.
  • User Request Handling: A mechanism for handling user data requests (access, correction, deletion, complaints) is established, ensuring response and resolution within prescribed timeframes. Processing records are maintained for user and regulatory oversight.
  • Security Protection: Enhanced data security through encrypted storage, transport encryption, and access control. Prevention of data leakage, tampering, and loss. Regular data security testing and risk assessment.
  • Employee Training: Regular compliance training for R&D, operations, and customer service personnel covering privacy regulations, app store policies, and anti-fraud rules to raise compliance awareness and prevent operational non-compliance.

10.2 Periodic Review Requirements

Due to the continuously evolving global legal landscape (particularly US state privacy laws and EU DSA implementation rules) and ongoing app store policy and technical standard updates, we recommend a routine review of this agreement and app compliance every 6 months, covering:

  • Agreement Terms: Verify alignment with latest regulations and app store policies; identify needed supplements or modifications (e.g., new regional compliance provisions, updated fraud penalty rules).
  • App Compliance: Verify code, SDK versions, and interaction design against latest technical compliance requirements (Android 15 / iOS 18 adaptation, ATT framework implementation).
  • Data Handling: Verify compliance of data collection, storage, transfer, and sharing processes; data residency alignment; third-party data sharing controllability.
  • Anti-Fraud Mechanisms: Verify completeness of advertising and IAP anti-fraud rules; update penalty measures based on emerging fraud methods.
  • User Requests: Review handling of user data requests for timeliness and appropriateness; optimize processing workflows.

11. Contact & User Rights

If you have any questions, feedback, complaints, or wish to exercise your data subject rights, please contact us through the following channels:

Email (Support): support@vexgridlinknode.com
Email (General): contact@vexgridlinknode.com
Address: University of Florida Innovation Hub, Gainesville, FL, United States
Response Time: We aim to respond to all requests within 7 business days.

EU/UK users may also contact our designated representative (contact details to be provided). California residents may exercise their CPRA rights through the contact methods above.

VexGridLinkNode

Privacy-first programmatic research and development team based at the University of Florida Innovation Hub, Gainesville, FL.

© VexGridLinkNode. All rights reserved.
