Table of Contents
- Data Collection — Specific Granularity & Purpose
- In-Depth Third-Party Sharing Architecture (Data Mapping)
- Global Region-Specific Legal Notices (GDPR, CCPA, LGPD, PIPL, DPDP, PDPL, etc.)
- Auto-Renewing Subscription Disclosure
- AI-Generated Content Disclosure
- Cookies & Tracking Technologies
- Children's Privacy (COPPA / GDPR-K)
- DMCA Notice & Takedown
- Contact & Data Protection Officer
- Data Retention & Deletion Policies
- Automated Decision-Making & Profiling
- International Data Transfer Mechanisms
- Biometric Data Processing
- Health, Wellness & Sensitive Data
- Financial Data & Payment Security
- Behavioral Advertising Opt-Out & Limit Ad Tracking
- Third-Party Login & Social Features
- Cookies, Local Storage & Similar Technologies
- Session Replay, A/B Testing & Analytics Technologies
- Voice, Audio & Biometric Capture
- Geolocation Data
- AR / VR & Camera Data
- IoT, Connected Devices & Companion Apps
- Marketing Communications
- Data Protection Officer & EU/UK Representative
- U.S. State-Specific Privacy Rights (Detailed)
- Data Breach Notification Procedures
- Changes to This Privacy Policy
- Miscellaneous Provisions
SEC 01 Data Collection — Specific Granularity & Purpose
We strictly follow the "minimum necessary" principle and collect the following information only through compliant technical means, used exclusively to maintain the operation of our IAA (in-app advertising) and IAP (in-app purchase) systems, optimize user experience, prevent fraud, and comply with global regional privacy regulations. We do not collect any personal information unrelated to the service:
1.1 Device Fingerprints & Identifiers
- IDFA (iOS device) — used solely for ATT-authorized advertising measurement
- GAID (Android device) — used solely for advertising measurement where consented
- OAID (Android devices in mainland China) — used solely for advertising measurement where permitted
- Device brand, model, screen resolution, system version, language setting, battery status
- System clock offset (used to detect timezone cheating and prevent cross-region price fraud)
- Device unique identifier (encrypted, not linked to real user identity)
1.2 Network Environment Data
- IP address — used ONLY for geographic compliance filtering to determine user region for regulatory adaptation and service suitability. Not used for precise geolocation.
- Mobile carrier name, Wi-Fi connection status, network type (4G/5G/Wi-Fi) — used to ensure service stability and regional compliance governance
1.3 Behavioral Trajectories (IAA & UX)
All behavioral data is collected only with user consent, used solely for ad performance optimization, fraud prevention, and product iteration. Users may withdraw consent at any time via in-app settings.
Advertising Behavior
- Ad display ID, click time, conversion path, rewarded video watch duration and whether the user exited early
- Ad dwell time, used to optimize ad delivery effectiveness and prevent advertising fraud
- Data is used only for internal analysis and to synchronize necessary information with third-party monetization platforms (desensitized)
Game / App Logic
- Core feature loop trigger count, paywall popup click-through rate, onboarding drop-off points, feature usage frequency
- Used to optimize product interaction experience, adjust feature layout, improve user convenience
- We do NOT collect specific user operation content or private data
1.4 Financial Transaction Data (IAP)
CRITICAL PRIVACY PRINCIPLE
We only receive transaction receipts via App Store/Google Play official APIs. We never touch, store, or have access to your bank card number, CVV code, payment password, bank card expiration date, or any other sensitive payment information. All payment operations are completed exclusively through Apple or Google official payment systems.
- Items recorded: order number, purchased item name and quantity, payment currency, payment amount, country code, transaction time, whether it is a sandbox test order, order status (success / failure / refund)
- Used for: order verification, refund processing, financial reconciliation, and payment fraud prevention
DATA SECURITY ADDENDUM
All collected data is encrypted, stored on compliant servers, and accessible only to authorized personnel. All access is fully logged for audit purposes, ensuring data security and controllability.
SEC 02 In-Depth Third-Party Sharing Architecture (Data Mapping)
To achieve legitimate monetization, service optimization, and anti-fraud purposes, we share necessary data only with the following compliant third-party ecosystem. The sharing process strictly follows the "minimum necessary, encrypted transmission, fully controllable" principle and does not share any sensitive personal information. You may review the privacy policies of each platform on their official websites to understand the details of data processing:
2.1 Aggregation Layer (Mediation)
| Partner | Purpose | Data Shared | Region |
| AppLovin MAX | Real-time bidding (RTB), fill rate optimization, monetization efficiency | Desensitized device info, ad display/click data | Global |
| Google AdMob | Ad serving, mediation waterfall, GAM integration | Desensitized device info, contextual signals | Global (excl. CN mainland) |
| Unity LevelPlay | Header bidding, cross-promotion, mediation analytics | Desensitized device info, ad impression data | Global |
| Pangle / TikTok | APAC rewarded video inventory, header bidding | Desensitized device info | APAC |
| Meta Audience Network | Native, banner, interstitial, rewarded | Desensitized device info, contextual signals | Global (region-restricted) |
| Vungle / Liftoff | Rewarded video, interstitial, exchange bidding | Desensitized device info | Global |
| BidMachine | Header bidding wrapper, unified auction | Desensitized device info, bid signals | Global |
| InMobi | Banner, native, interstitial, rewarded | Desensitized device info | India, SEA |
| Mintegral | APAC fill, rewarded inventory | Desensitized device info | APAC |
| Fyber (Digital Turbine) | FairBid mediation, Offer Wall, Rewarded | Desensitized device info | Global |
| Moloco | ML-driven programmatic DSP, retargeting | Desensitized device info | Global |
| Chartbeat | Real-time analytics, viewability | Desensitized session data | Global |
2.2 Attribution & Anti-Fraud (MMP)
| Partner | Purpose | Data Shared |
| AppsFlyer | Install attribution, SKAdNetwork 4, Protect360 anti-fraud | Desensitized device info, install attribution data |
| Adjust | Fraud Prevention Suite, conversion API, cohort analysis | Desensitized device info, attribution signals |
| Singular | ETL-free attribution, ROI analytics, SKAN reporting | Desensitized device info, attribution data |
2.3 Payment Processors
| Partner | Purpose | Data Shared |
| Apple Inc. | In-app purchase processing, App Store Server API, transaction verification | Order-related info (excluding sensitive payment data), transaction reconciliation |
| Google LLC | In-app purchase processing, Google Play Billing Library v7+, Real-time Developer Notifications | Order-related info (excluding sensitive payment data), transaction reconciliation |
THIRD-PARTY COMPLIANCE COMMITMENT
We sign strict confidentiality agreements and data processing agreements with all third-party partners, clearly defining the scope, duration, and security responsibilities of data use. We regularly audit third-party compliance. If a third party engages in illegal data processing, we will immediately terminate cooperation and hold them accountable for the resulting liability. Users may view the third-party sharing list and data sharing scope via in-app settings, and have the right to withdraw relevant authorization (after withdrawal, advertising monetization and some normal service usage may be affected).
SEC 03 Global Region-Specific Legal Notices
We strictly adapt to the privacy regulations of countries and regions around the world. Taking into account the latest policy changes in 2026, we have developed differentiated compliance terms for key regions to ensure full compliance throughout the service:
3.1 European Union (GDPR) & United Kingdom (UK-GDPR)
- Legal basis: The legal grounds for our processing of user data include: performance of service agreements with users, obtaining explicit user consent, safeguarding our legitimate interests (such as anti-fraud, service optimization). All data processing activities comply with Article 6 of GDPR/UK-GDPR.
- Representative office: [EU/UK statutory representative contact and registered address reserved here], responsible for receiving data-related requests from EU/UK users (access, correction, deletion, withdrawal of consent, etc.), with response time not exceeding 7 business days.
- DSA transparency addendum: We strictly comply with the latest transparency requirements of the EU Digital Services Act (DSA). We disclose ad delivery rules, algorithm recommendation logic, and content review standards; regularly publish transparency reports; clarify data processing workflows and third-party cooperation details; and accept supervision by EU regulatory authorities. If our apps involve user-generated content (UGC), we will publicly disclose content review mechanisms, complaint handling processes, and violation content disposal standards to ensure users' right to know.
- User rights guarantee: EU/UK users have the right to access, correct, delete personal data at any time, withdraw data processing authorization, request a copy of personal data (data portability), and lodge complaints with the European Data Protection Board (EDPB) or the UK Information Commissioner's Office (ICO) regarding illegal data processing.
3.2 United States (CCPA/CPRA/VCDPA and other state-differentiated terms)
- No sale of personal information: We explicitly commit not to sell user personal information to any third party (including advertisers, data brokers, etc.). However, according to legal definitions such as California CPRA and Virginia VCDPA, sharing device IDs and other non-sensitive information with third parties to achieve ad personalization may be deemed "data sharing." We will clearly inform users of such sharing behavior within the app. Users have the right to opt out of such sharing at any time.
- Do Not Track: We fully respect the device or browser "Do Not Track" setting. If users enable this setting, we will stop collecting user behavioral trajectory data and will not use it for ad precision targeting or personalized recommendations, retaining only the data required to maintain normal service operation.
- State-differentiated adaptation:
- California (CPRA): Users have the right to request disclosure of personal information collected, used, and shared in the past 12 months, request deletion of personal information, and refuse use of personal information for targeted advertising. We will respond within 45 business days.
- Texas (CCPA-TX): Strengthened user data access rights. Users may query personal data collection records free of charge; we must not set unreasonable barriers. Sharing sensitive user information (e.g., biometric data, financial information) with third parties is prohibited unless explicit written consent is obtained.
- Virginia (VCDPA): Users have the right to request correction of inaccurate personal data and cessation of sharing with third parties. We must complete correction or cessation within 30 business days and provide feedback to the user.
- Other states: Adapt to the latest privacy laws of Washington, Colorado, Connecticut, Utah, and other states, clarify user data rights and our compliance obligations, ensuring compliance nationwide.
3.3 Brazil (LGPD)
We strictly comply with Brazil's General Data Protection Law (LGPD). Personal information of Brazilian users must be stored on servers within Brazil. We do not transmit such data abroad without approval from the Brazilian National Data Protection Authority (ANPD). A dedicated compliance officer handles data requests from Brazilian users.
3.4 Other Key Regions
- China: We comply with the Personal Information Protection Law (PIPL), Data Security Law (DSL), and Provisions on Promoting and Regulating Cross-border Data Flows. Personal information of users in mainland China is stored on servers located within China. We do not collect sensitive personal information in violation of regulations, and we cooperate with the Cyberspace Administration of China for regulatory inspection.
- India: We comply with the Digital Personal Data Protection Act (DPDP Act). We clearly define data collection boundaries, collect data only after obtaining the user's written consent, and appoint a Data Protection Officer (DPO). Cross-border data transfer requires approval from the Ministry of Electronics and Information Technology (MeitY).
- Saudi Arabia: We comply with the Personal Data Protection Law (PDPL) and implement its data localization requirements. User data is stored on servers within Saudi Arabia. We do not transmit data abroad without authorization and accept supervision from the Saudi National Data Management Office (NDMO).
- Canada & Japan: We adapt to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Japan's Act on the Protection of Personal Information (APPI), clarify data processing standards, protect user data rights, cooperate with local regulatory authority audits, and respond to 2026 global data sovereignty upgrade requirements.
SEC 04 Auto-Renewing Subscription Disclosure (Subscription Transparency)
If our apps include auto-renewing subscription services, we strictly follow Apple and Google app store rules and global regional compliance requirements, and make the following clear statements to protect users' right to know and right to choose:
4.1 Information Collected
We only collect subscription-related necessary information, including subscription period, remaining trial time, subscription status (active / expired / paused), and renewal time. This information is used for subscription management and service provision. We do not collect any unrelated information.
4.2 Transparency Guarantees
- Before subscription: We clearly inform users of the subscription period (weekly/monthly/yearly), subscription price, trial period length (if any), renewal rules, and how to cancel the subscription. There are no hidden clauses.
- Billing reminder: 24 hours before each auto-renewal billing, we send a billing reminder to the user via in-app popup, system push notification, or other means, clearly stating the billing amount, billing time, and the direct path to cancel the subscription.
- Subscription management: Users may cancel auto-renewal at any time via in-app "Settings → Subscription Management" or the App Store / Google Play subscription management page. No further charges will occur after cancellation. No fees will be charged if the subscription is canceled during the trial period.
4.3 Trial Period Explanation
If a free trial is provided, the subscription will automatically renew and be billed after the trial period ends. Users may cancel the subscription at any time during the trial period to avoid being charged. If a user has used subscription-exclusive features during the trial period, those features will be disabled immediately upon cancellation.
SEC 05 AI-Generated Content Disclosure (If Applicable)
If our apps include AI-generated content (including but not limited to text, audio, images, and interactive scenes), we strictly comply with global AI compliance requirements and make the following clear statements to protect users' right to know and legitimate rights:
5.1 Clear Labeling
All AI-generated content is clearly labeled "AI Generated" to distinguish it from human-created content, avoiding misleading users. This complies with the EU AI Act and U.S. state-level AI transparency requirements.
5.2 Content Compliance
AI-generated content strictly follows global content review standards. Generating violent, pornographic, vulgar, false, politically sensitive, racially discriminatory, or otherwise illegal content is prohibited. We implement an "AI generation + human review" dual mechanism to ensure content compliance.
5.3 Liability Definition
- AI-generated content is provided as an auxiliary function only and does not constitute any advice, commitment, or guarantee. We bear no responsibility for any losses arising from user reliance on AI-generated content.
- If AI-generated content infringes the intellectual property rights, reputation rights, or other legitimate rights and interests of others, we assume corresponding responsibility and delete the infringing content promptly.
- Data used to train AI models is either compliantly collected or authorized for use, is non-sensitive, and does not include user personal information or private data.
5.4 Data Security
Data used for training AI models is compliantly collected or authorized non-sensitive data. We do not use user personal information or private data to train AI models, strictly protecting user data security.
SEC 06 Cookies & Tracking Technologies
Our website and apps use cookies and similar tracking technologies to ensure service functionality, analyze traffic, and remember user preferences. You can control cookie behavior through your browser settings or in-app preferences. We categorize cookies into strictly necessary (always active), functional (preferences), analytics (opt-in), and advertising (opt-in, region-dependent).
- Strictly necessary cookies: session, security, load-balancing — cannot be disabled
- Functional cookies: language preference, theme — opt-out available
- Analytics cookies: aggregated, anonymized — opt-in required in EU/UK
- Advertising cookies: only set after explicit consent — fully revocable
SEC 07 Children's Privacy (COPPA, GDPR-K, China PIPL minors)
Our apps are not directed to children under 13 (or under 16 in the EU/UK under GDPR-K, or under 14 in China). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact privacy@webgridsoftprime.com and we will delete it within 7 business days. Age-gating is implemented where required by regional law.
SEC 08 DMCA Notice & Takedown
If you believe content hosted or distributed through our services infringes your copyright, please send a DMCA notice to dmca@webgridsoftprime.com including: (1) identification of the copyrighted work, (2) identification of the infringing material, (3) your contact information, (4) a good-faith statement, (5) a statement under penalty of perjury, and (6) your physical or electronic signature. We respond to valid notices within 5 business days.
DOCUMENT CONTINUITY
Due to the continuously evolving global legal environment (especially U.S. state privacy laws and EU DSA implementation rules), and ongoing updates to app store policies and technical standards, we recommend a routine review of this agreement and our compliance posture every 6 months. The next scheduled review is July 1, 2026. Material changes will be communicated via in-app notification and email (where consent exists) at least 30 days in advance.
SEC 10 Data Retention & Deletion Policies
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Our retention framework is documented below:
| Data Category | Retention Period | Justification |
| Account profile & authentication | Active account + 180 days post-deletion | Service continuity, fraud prevention |
| Local user-generated content | Until user-initiated deletion | User-controlled |
| IAP transaction records | 7 years post-transaction | Tax & accounting compliance |
| Aggregated analytics | 26 months (rolling) | Trend analysis, never personally identifiable |
| Server-side access logs | 90 days | Security incident investigation |
| Encrypted backups | 30 days rolling, then purged | Disaster recovery only |
| GDPR Art. 17 erasure requests | 30 days to execute, then immediate purge from active systems | Right to be forgotten compliance |
| Legal hold records | Until legal matter resolved | Litigation preservation obligations |
At the end of the retention period, data is either irreversibly deleted, anonymized (such that it can no longer be associated with an individual), or archived in a form that prevents re-identification, in accordance with the storage limitation principle of GDPR Art. 5(1)(e).
SEC 11 Automated Decision-Making & Profiling
We use automated systems for content personalization, ad targeting, and feature recommendations. These systems may qualify as "profiling" under GDPR Art. 4(4) or "automated decision-making" under GDPR Art. 22.
- Logic involved: machine-learning models that infer user preferences from contextual signals, on-device behavior patterns, and aggregated cohort data.
- Significance and consequences: automated decisions affect (a) which ads are shown, (b) which content is featured, and (c) which subscription tier is offered. We do NOT use automated decision-making for purposes that produce legal or similarly significant effects on users (e.g., credit eligibility, employment).
- Right to human review: EU/UK users have the right to obtain human intervention in any decision based solely on automated processing that materially affects them. Contact privacy@webgridsoftprime.com to invoke this right.
- Right to contest: you may express your point of view and contest the decision at any time.
- Safeguards: we maintain model cards, regular bias audits, and human-in-the-loop review for all production ML systems.
SEC 12 International Data Transfer Mechanisms
Our infrastructure spans multiple regions. To lawfully transfer personal data across borders, we rely on the following mechanisms:
- EU Standard Contractual Clauses (SCCs): the 2021 EU SCCs (Modules 1, 2, and 3) are executed with all subprocessors located in jurisdictions without an adequacy decision. The UK International Data Transfer Addendum applies to UK data exports.
- EU-U.S. Data Privacy Framework (DPF): for transfers to U.S.-based subprocessors certified under the DPF, we rely on the framework's adequacy decision.
- Adequacy decisions: for transfers from the EU/UK to countries with adequacy decisions in force (e.g., UK, Switzerland, Canada, Japan, South Korea, Israel, New Zealand), we rely on the corresponding adequacy regulations.
- Transfer Impact Assessments (TIAs): we conduct and document TIAs for every cross-border transfer flow, evaluating local surveillance laws, government access risks, and supplementary technical measures.
- Supplementary safeguards: end-to-end encryption, pseudonymization, strict access controls, and data minimization ensure transferred data is unreadable to unauthorized third parties.
- China PIPL outbound transfers: for data of mainland China users, we cooperate with the CAC security assessment, standard contract filing, or certification path as applicable.
- India DPDP cross-border transfers: we obtain approval from the central government where required by the Data Protection Board for restricted cross-border flows.
SEC 13 Biometric Data Processing
Where our apps use biometric authentication (Face ID, Touch ID, Android BiometricPrompt), the following principles apply:
- Biometric data is processed exclusively on-device via Secure Enclave / TEE. Raw biometric templates NEVER leave the user's device.
- We do NOT store, transmit, or share biometric identifiers with any third party.
- Biometric data is not used for advertising, marketing, or any commercial purpose beyond authentication.
- Users may opt out of biometric authentication and use a strong passcode or hardware security key instead, without loss of core functionality.
- Illinois BIPA, Texas CUBI, Washington biometric statutes, and equivalent regional laws are complied with; users in those jurisdictions are not required to provide biometric data as a condition of service.
SEC 14 Health, Wellness & Sensitive Data
For apps in our matrix that process health-related data (e.g., Calorie Quantified Tracker):
- All health data is stored locally on the user's device using encrypted CoreData / Room databases.
- We do NOT transmit health data to our servers or any third party.
- If cloud sync is offered, it is opt-in, end-to-end encrypted with user-controlled keys, and the user may delete it at any time.
- We do NOT use health data for advertising targeting, insurance underwriting, employment decisions, or any prohibited purpose under HIPAA, GDPR Art. 9, or PIPL sensitive data classifications.
- HealthKit / Google Fit integrations are governed by Apple's and Google's respective health data policies; we only access data with explicit user permission via the HealthKit / Fit APIs.
SEC 15 Financial Data & Payment Security
For our financial-tracking apps (Budget Analysis Engine):
- All financial data is stored locally on the user's device. We do NOT maintain server-side records of transactions.
- If optional cloud backup is enabled, data is encrypted client-side with keys derived from the user's password before transmission.
- We do NOT access, aggregate, or sell financial transaction data for any purpose.
- Bank account linking (where offered) uses OAuth 2.0 with read-only scopes through aggregators (Plaid, Finicity) — we never store bank credentials.
- GLBA (Gramm-Leach-Bliley Act) safeguards apply to U.S. financial data subjects.
SEC 16 Behavioral Advertising Opt-Out & Limit Ad Tracking
In compliance with Apple App Tracking Transparency (ATT), Google Play Data Safety, and global privacy regulations, we provide the following controls:
- iOS: the ATT prompt is displayed once on first relevant request. Users may change their preference at any time via iOS Settings → Privacy & Security → Tracking.
- Android: users may opt out of ad personalization via Google Settings → Ads → Opt out of Ads Personalization.
- App-level: in-app "Settings → Privacy → Reset Advertising ID" deletes the IDFA/GAID and any associated profiles.
- Web: Global Privacy Control (GPC) signals and DNT headers are honored at the browser level.
- Opting out does NOT disable ads entirely — only the personalization component. Users still see contextual ads based on the current screen content.
SEC 17 Third-Party Login & Social Features
- Where apps offer "Sign in with Apple," "Sign in with Google," or other OAuth-based authentication, the respective provider's privacy policy applies to data they collect.
- We receive only the minimum fields necessary (typically: stable opaque identifier, display name, verified email). We do NOT receive your contacts, friends list, or social graph.
- "Sign in with Apple" users on iOS may request Apple's private relay email to hide their real email address from us.
- Disconnecting a third-party login in our in-app settings deletes the linkage from our systems. The third-party provider's own account and data remain subject to their policies.
- Social sharing features (e.g., share buttons that post to Twitter/X, Facebook, LinkedIn) only transmit data to those services if the user explicitly initiates the share action.
SEC 18 Cookies, Local Storage & Similar Technologies
Our website and apps use various storage technologies. Each category serves a specific purpose:
| Type | Purpose | Lifetime | Opt-Out |
| Strictly necessary cookies | Session, CSRF token, language preference, load balancing | Session / 1 year | Cannot opt out (required for functionality) |
| Functional cookies | Remember theme, region, UI preferences | 1 year | Available via banner |
| Analytics cookies | Aggregated, anonymized usage statistics | 13 months max | Available via banner |
| Advertising cookies / SDKs | Personalized ad delivery, frequency capping | Up to 13 months (per partner) | Available via banner / device limit-ad-tracking |
| Local storage (NSUserDefaults / SharedPreferences) | User preferences, cached content | Until app uninstall | Clear app data |
| IndexedDB / SQLite | Local-first data vault | Until user deletes | Clear app data |
| Service Worker cache | Offline functionality | Versioned | Automatic on schema change |
SEC 19 Session Replay, A/B Testing & Analytics Technologies
- Session replay: NOT used in our apps. We do not record user sessions for playback.
- A/B testing: used internally for product experimentation. Test variants are assigned randomly with explicit consent for analytics.
- Heatmaps & click tracking: used only on opt-in product surfaces, never on legal documents or sensitive data entry fields.
- Crash reporting: anonymized stack traces are sent to our self-hosted Sentry-compatible instance. No PII is attached to crash events.
- Performance monitoring: aggregated frame-rate, app-launch time, and network latency metrics. No user-identifying correlation.
SEC 20 Voice, Audio & Biometric Capture
- Voice recordings (where captured, e.g., voice memos) are stored locally on the device. We do NOT transmit voice data to any server.
- Voice assistant integrations (Siri Shortcuts, Google Assistant) are governed by Apple's and Google's respective privacy policies.
- Speech-to-text processing happens entirely on-device using CoreML / TensorFlow Lite. No audio is sent to cloud speech APIs.
- Microphone access is requested with explicit, purpose-disclosed permission, and may be revoked at any time via device settings.
SEC 21 Geolocation Data
- Precise GPS / GPS-equivalent location data is requested only with explicit, granular user consent (foreground permission on Android, "While Using" on iOS).
- Background location is NEVER requested without a separate, prominent disclosure and explicit opt-in.
- Location data is used solely for the user-facing feature that requested it (e.g., finding nearby stores) and is processed in-memory where possible.
- We do NOT sell location data or share it with advertising networks for real-time bidding.
- Coarse / city-level location (derived from IP) is used only for region-specific compliance and content localization.
- Geofencing (where used) is computed on-device. Server-side geofence triggers are never persistent.
SEC 22 AR / VR & Camera Data
- Camera and ARKit / ARCore access is requested with explicit purpose disclosure.
- Camera frames are processed in real time on-device. We do NOT record, store, or transmit photos or video from our apps unless the user explicitly initiates a save or share action.
- AR world maps and spatial anchors are stored locally on the device.
- Face mesh data from ARKit is processed entirely on-device and never transmitted.
- Body tracking data (where used) follows the same on-device-only principle.
SEC 23 IoT, Connected Devices & Companion Apps
- Companion apps for IoT devices operate on a local-first principle. Communication with devices happens via BLE / Local Network where possible.
- If cloud relay is required, end-to-end encryption with user-controlled keys is used.
- Device telemetry is anonymized at the source before any cloud transmission.
- Account binding between app and device uses secure pairing flows (QR code, NFC tap, or out-of-band key exchange).
SEC 24 Marketing Communications
- Marketing emails and push notifications are sent only with explicit opt-in consent (double opt-in for EU/UK).
- Every marketing email includes a clear, working unsubscribe link per CAN-SPAM Act and GDPR requirements.
- Transactional emails (purchase receipts, security alerts, policy changes) are sent regardless of marketing preferences.
- Push notification permissions are requested separately from any data collection and may be revoked at any time via device settings.
- Email engagement metrics (opens, clicks) are tracked using transparent pixels with the option to disable image loading to opt out.
SEC 26 U.S. State-Specific Privacy Rights (Detailed)
In addition to the federal-level disclosures above, the following state-specific rights apply:
| State | Key Rights | Response SLA |
| California (CPRA) | Know, delete, correct, opt out of sale/sharing, limit use of sensitive PI, non-discrimination | 45 days (extendable to 90) |
| Colorado (CPA) | Know, delete, correct, opt out, data portability, universal opt-out mechanism (UOM) honored | 45 days |
| Connecticut (CTDPA) | Know, delete, correct, opt out | 45 days |
| Utah (UCPA) | Know, delete, opt out | 45 days |
| Virginia (VCDPA) | Know, delete, correct, opt out, appeal denials | 45 days |
| Texas (TDPSA) | Know, delete, correct, opt out | 45 days (effective Jul 2024) |
| Oregon (OCPA) | Know, delete, correct, opt out | 45 days (effective Jul 2024) |
| Montana (MCDPA) | Know, delete, correct, opt out | 45 days (effective Oct 2024) |
| Nevada (SB 220) | Opt out of sale | Verified within 60 days |
| Washington (My Health My Data) | Special protections for consumer health data | 45 days |
We honor Global Privacy Control (GPC) and other Universal Opt-Out Mechanisms (UOMs) as valid signals under applicable state laws.
SEC 27 Data Breach Notification Procedures
- In the event of a personal data breach affecting our users, we will notify the relevant supervisory authority within 72 hours of becoming aware, per GDPR Art. 33.
- Affected users will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms, per GDPR Art. 34.
- U.S. state-specific notification timelines are followed: CA (most expedient), NY (30 days for computerized data), TX (60 days for 250+ affected), etc.
- Notification includes: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed.
- Notification channels: in-app message, registered email (if available), and where required by state law, direct mail or telephone.
- Where the breach is unlikely to result in risk to user rights, we maintain a documented internal incident record per GDPR Art. 33(5).
SEC 28 Changes to This Privacy Policy
- We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations.
- Material changes will be communicated at least 30 days in advance via in-app notification, registered email (where consent exists), and a prominent banner on our website.
- Non-material changes (e.g., typo corrections, clarifications, contact info updates) will be posted with an updated "Last Revised" date.
- Continued use of our apps after the effective date of changes constitutes acceptance. If you do not agree, you may stop using the apps and request account deletion per our data subject rights procedure.
- Previous versions of this policy are archived and available upon request to privacy@webgridsoftprime.com.
SEC 29 Miscellaneous Provisions
- Severability: if any provision of this policy is held unenforceable, the remaining provisions remain in full force.
- Assignment: we may transfer this policy in connection with a merger, acquisition, or sale of assets; users will be notified per Section 28.
- No waiver: our failure to enforce any right under this policy does not constitute a waiver of that right.
- Entire agreement: this policy, together with our Terms of Service and any product-specific addenda, constitutes the entire agreement regarding privacy.
- Language: the English version of this policy is the authoritative version. Translated versions are provided for convenience only.
- Headings: section headings are for navigation only and do not affect interpretation.
END OF DOCUMENT
This Privacy Policy is governed by the laws of the State of Texas, USA, without regard to conflict-of-laws principles. For EU/UK users, this does not affect your statutory rights under your local privacy law. The latest version of this document always supersedes any prior version.