Privacy Policy for Fawazeer
Last updated: June 3, 2026
This Privacy Policy explains how IT Consulting and Expertise ("we", "us", "our") collects, uses, stores, shares, and protects information when you use Fawazeer (the "App"), our mobile application, and any related website or support pages that link to this policy.
Localized versions of this policy are available in:
In case of discrepancy between translations, the English version governs.
1. Who We Are
Fawazeer is provided by:
- Company: IT Consulting and Expertise
- Address: 42 Rue de la Py, 75020 Paris, France
- Website: https://www.itcexpertise.com
- Email: mehdi.jabri@itcexpertise.com
- Phone: +33 7 61 53 65 45
For the purposes of applicable privacy law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA), IT Consulting and Expertise is the data controller for the personal data described in this policy.
2. Scope of This Policy
This policy applies to:
- The Fawazeer mobile app on iOS and Android
- Any website, landing page, or support page for Fawazeer that links to this policy
- Communications you send us about Fawazeer
This policy does not apply to third-party services that have their own privacy policies. Links to those policies are provided in Section 7.
3. Summary — at a glance
- The core game works offline and without an account. No personal data is required to play.
- Cloud sync, leaderboards, and analytics are optional. Analytics and crash reporting are off by default — you choose whether to turn them on (there is a setting when you set up your account, and you can change it anytime in Settings → Privacy). Ads are non-personalized; on iOS we show Apple's App Tracking Transparency prompt for the advertising identifier.
- You can delete your account and all associated data at any time from the Profile screen.
- We do not sell your personal data.
- We never access your contacts, photos, microphone, camera, calendar, precise GPS location, or biometric data.
4. Information We Collect
We only collect information needed to operate, improve, and support Fawazeer.
A. Information stored locally on your device
Fawazeer stores gameplay and preference data locally (via MMKV on-device storage). This information never leaves your device unless you enable cloud sync:
- Coin and hint balances
- Solved and skipped riddle IDs
- Unlocked packs and progression
- Streaks, scores, and gameplay statistics
- Settings (sound, haptics, language)
- Ad-removed flag (if you purchased the IAP)
- Cached consent decisions (your analytics opt-in choice, and the ATT result)
B. Account information (optional — only if you sign in or enable cloud sync)
If you sign in with Apple, Google, or continue as an anonymous cloud user, we collect:
- Anonymous or OAuth user ID — a random identifier created by Supabase Auth
- Email address — only if you sign in with Apple or Google and choose to share your email (Apple offers an email relay; Google may provide your account email)
- Display name — only if you voluntarily set one in the Profile screen (2–20 characters)
C. Gameplay sync data (optional — only if cloud sync is enabled)
If cloud sync is enabled, your game state and scores are synchronized to our backend:
- Full serialized game state (coins, hints, solved/skipped IDs, streaks, stats)
- Per-submission scores (total correct, total wrong, total skipped, best streak, total coins earned, packs completed)
- Daily challenge completion records (one per day)
Cloud sync and the leaderboard include server-side anti-cheat protections that validate submissions against your previous state.
D. Analytics and crash reporting (optional — only after you grant consent)
Analytics and crash reporting are off by default. Only if you turn them on — there is a clear opt-in when you set up your account, and you can change it anytime in Settings → Privacy — Fawazeer uses Firebase Analytics and Firebase Crashlytics (both provided by Google LLC) and PostHog (product analytics, hosted in the EU) to collect:
- Event data — product interactions such as
app_opened,riddle_started,riddle_answered,hint_used,pack_opened,pack_completed,iap_started,iap_completed,ad_impression,rewarded_ad_completed,language_changed,sign_in,sign_up - User properties — player level, player tier, streak bucket, ads-removed flag, first-open date, country (ISO code), locale (BCP-47)
- User ID — your Supabase ID, only after non-anonymous sign-in
- App-instance ID — a pseudonymous Firebase identifier tied to this install
- Device and session metadata — device model, OS version, app version, session duration
- Crash data — stack traces, breadcrumbs, device state at the moment of a crash or non-fatal error (collected via Firebase Crashlytics). Crash reports are attributed to the pseudonymous Firebase installation ID and do not include your name, email, or free-form content.
- Product-analytics events (PostHog) — the same kind of in-app interaction events as above, sent to PostHog's EU-hosted Cloud (Frankfurt, Germany) so we can understand feature usage and funnels. Session replay is not enabled. PostHog data is tied only to pseudonymous identifiers, never your name or email.
If you leave analytics off, none of this is collected — Firebase and PostHog stay disabled. You can turn analytics on or off at any time from Settings → Privacy in the app; turning it off stops collection immediately. This analytics choice is a single in-app control that applies on all platforms, and is separate from Apple's App Tracking Transparency (which only governs the advertising identifier used for ads).
E. Advertising (consent-based personalization)
We display ads served by Google AdMob (banner, interstitial, and rewarded formats). To deliver and measure ads, Google may process:
- The advertising identifier (IDFA on iOS) — only if you allow tracking via Apple's App Tracking Transparency prompt. Ads are otherwise non-personalized, and are currently non-personalized on Android.
- Ad interactions (impressions, clicks, reward completions)
- Approximate location inferred from IP or device region
- SKAdNetwork postbacks on iOS (privacy-preserving attribution, cannot be joined to an individual)
- Technical device information (model, OS, app version, language)
Purchasing the "Remove Ads" IAP disables all ad requests.
F. Purchases and subscriptions
In-app purchases (coin packs, hint packs, "Remove Ads") and the auto-renewable "Treasure of Riddles" subscription are processed end-to-end by Apple and Google's billing systems. We never see your payment card number. We receive and store:
- Product identifier (SKU)
- Transaction status
- Transaction timestamp
- Receipt token (used to verify and restore purchases)
For subscriptions specifically, we also use RevenueCat Inc. (USA) as our subscription-receipt validation processor. RevenueCat receives the App Store / Google Play receipt at the moment of purchase and on each renewal, validates it with Apple / Google, and returns the entitlement status (active / trial / grace / cancelled / expired), the expiration date, and the auto-renewal flag. We mirror this status to your account profile via a server-to-server webhook so the ad-free entitlement and exclusive cosmetics resolve consistently across devices and reinstalls.
RevenueCat does not receive your name, email address, or any direct identifier — only your anonymous Supabase user ID (used to link entitlements to your account when you sign in) and the platform receipt itself.
G. Location (only if you tap "Use my location")
Fawazeer does not request location on launch. If you tap "Use my location" on the Profile screen to suggest the correct content region, we request approximate (when-in-use) location once. Only the country code is kept and transmitted (to suggest content); precise GPS coordinates never leave your device. Background location is disabled on both platforms.
H. Push notifications (optional)
If you grant notification permission on your device, we send transactional and engagement notifications (for example: daily-challenge reminders, streak reminders, new pack releases, important service updates). To deliver them we process:
- Device push token — issued by Apple Push Notification service (APNs) on iOS or Firebase Cloud Messaging (FCM) on Android; stored on our Supabase backend and tied to your user ID
- Notification preferences — which channels you have enabled or disabled
- Delivery and open events — used to measure notification effectiveness and to avoid sending to inactive installs
You can disable notifications at any time in your device Settings or from Profile → Notifications. Revoking the OS permission stops all further notifications immediately.
I. Support correspondence
If you email us, we will collect your name, email address, and the contents of your message.
J. Cookies on our websites
Our marketing and support websites may use cookies for essential functionality, preferences, security, and, where consent is given, analytics. You can manage cookies in your browser settings or via the cookie banner.
5. Legal Bases for Processing (GDPR / UK GDPR)
| Purpose | Legal basis |
|---|---|
| Providing offline gameplay | Not applicable — data stays on your device |
| Creating a cloud account and syncing your game state | Performance of a contract (Art. 6(1)(b)) |
| Leaderboards and anti-cheat | Legitimate interest in fair play (Art. 6(1)(f)) |
| Analytics & crash reporting (Firebase Analytics, Firebase Crashlytics, PostHog) | Consent (Art. 6(1)(a)) — via the in-app analytics setting, off by default |
| Advertising identifier / personalized ads | Consent (Art. 6(1)(a)) — via Apple's App Tracking Transparency (iOS) |
| Push notifications | Consent (Art. 6(1)(a)) — obtained via the OS notification permission prompt |
| Non-personalized ads | Legitimate interest in sustaining a free app (Art. 6(1)(f)) |
| Processing purchases | Performance of a contract (Art. 6(1)(b)) |
| Handling your support requests | Legitimate interest / contract |
| Security, fraud prevention, anti-cheat | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
6. How We Use Information
We use information to:
- Provide and maintain Fawazeer
- Save and synchronize your progress across devices
- Operate global and weekly leaderboards
- Deliver and measure advertising (only per your consent choice)
- Analyze usage to improve the experience (only per your consent choice)
- Respond to support requests
- Process purchases and restore entitlements
- Protect against cheating, fraud, and abuse
- Comply with legal obligations
7. Who We Share Information With (Data Recipients)
We do not sell your personal data. We share limited information with the following processors, each acting under their own privacy policy:
| Processor | Purpose | Region | Policy |
|---|---|---|---|
| Google LLC — Firebase Analytics | Product analytics (consent-gated) | USA / global | https://firebase.google.com/support/privacy |
| Google LLC — Firebase Crashlytics | Crash and error reporting (consent-gated) | USA / global | https://firebase.google.com/support/privacy |
| PostHog | Product analytics (consent-gated) | EU Cloud (Frankfurt, Germany) | https://posthog.com/privacy |
| Google LLC — Firebase Cloud Messaging | Push-notification delivery on Android | USA / global | https://firebase.google.com/support/privacy |
| Apple Inc. — APNs | Push-notification delivery on iOS | USA / EU | https://www.apple.com/legal/privacy/ |
| Google LLC — Google AdMob | Ad serving, measurement, consent management (UMP) | USA / global | https://policies.google.com/technologies/ads |
| Supabase Inc. | Backend auth, cloud sync, leaderboards, RPC | EU (Stockholm, eu-north-1) | https://supabase.com/privacy |
| Apple Inc. | Sign in with Apple, iOS App Store billing, ATT framework | USA / EU | https://www.apple.com/legal/privacy/ |
| Google LLC | Sign-In with Google, Google Play billing | USA / global | https://policies.google.com/privacy |
| RevenueCat Inc. | Subscription receipt validation, customer-info webhooks | USA / global | https://www.revenuecat.com/privacy |
| Vercel Inc. | Hosting of the public policy and marketing pages | USA / global | https://vercel.com/legal/privacy-policy |
We may also share information with legal authorities when required by law, or in connection with a corporate transaction such as a merger, acquisition, or sale of assets (with appropriate safeguards).
8. International Data Transfers
Personal data may be processed in countries outside the European Economic Area, including the United States. When such transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) published by the European Commission, and on our processors' self-certifications where applicable (e.g., EU–US Data Privacy Framework).
Our primary backend database (Supabase) is hosted in the EU (Stockholm, Sweden), and our product-analytics provider (PostHog) is hosted in the EU (Frankfurt, Germany), to minimize cross-border transfers for EU users.
9. Data Retention
| Data | Retention |
|---|---|
| Local on-device data | Until you uninstall the app or use Profile → Reset Progress |
| Cloud account and game state | Until you delete the account (Profile → Delete Account) — immediate cascade through profiles, weekly_scores, daily_completions, game_state |
| Weekly leaderboard scores | Rolling 12-month window for historical analysis; your row is deleted when you delete your account |
| Firebase Analytics user-level data | 14 months (maximum permitted by Firebase); aggregate reports retained indefinitely and cannot be tied back to an individual |
| Firebase Crashlytics crash data | 90 days after the last occurrence, per Firebase default retention |
| PostHog product-analytics data | Retained per our PostHog (EU) configuration; deleted on account deletion or on request |
| Push-notification tokens | Until you revoke notification permission, delete the app, or delete your cloud account |
| Advertising ID data at Google AdMob | Per Google's AdMob retention policy |
| Purchase receipts | As long as required by Apple / Google platform policies and tax law |
| Subscription entitlement state at RevenueCat | Until you delete your account or until RevenueCat's documented retention period elapses, whichever is sooner |
| Support correspondence | Up to 3 years after last interaction |
10. Data Security
We use HTTPS/TLS for all data in transit, row-level security (RLS) on the Supabase database, server-side anti-cheat validation on score submissions, and encrypted on-device storage (MMKV). No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
11. Your Rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your personal data
- Object to or restrict certain processing
- Withdraw consent for analytics and personalized ads at any time (see below)
- Data portability — receive a copy of your data in a machine-readable format
- Lodge a complaint with your data protection authority (in France: CNIL)
- California residents: rights under the CCPA/CPRA, including the right to opt out of the "sharing" of personal information (we treat the advertising-ID flow to Google as "sharing" for CCPA purposes; you can opt out by declining App Tracking Transparency on iOS, by turning analytics off in Settings → Privacy, or by disabling "Personalized ads" in your Google account)
How to exercise your rights:
| Action | How |
|---|---|
| Turn analytics & crash reporting off (all platforms) | In the app: Settings → Privacy → Analytics → toggle off |
| Withdraw ad-tracking consent (iOS) | iOS Settings → Privacy & Security → Tracking → Fawazeer → off |
| Disable push notifications | OS Settings → Notifications → Fawazeer, or Profile → Notifications |
| Sign out (keep your cloud data) | Profile → Sign out |
| Delete your account and all cloud data | Profile → Delete Account (confirmation required; action is immediate and irreversible) |
| Reset local progress | Profile → Reset Progress |
| Any other request | Email mehdi.jabri@itcexpertise.com |
We respond to verified requests within one month (extendable by two months where the request is complex, per GDPR Art. 12(3)).
12. Consent Management
- Analytics & crash reporting: Off by default. You choose whether to turn them on when you set up your account during onboarding, and you can change your choice at any time in Settings → Privacy inside the app. Turning the setting off stops Firebase and PostHog collection immediately. This is a single in-app control that applies on all platforms and is independent of Apple's App Tracking Transparency.
- Advertising (iOS): On first foreground launch we present Apple's App Tracking Transparency (ATT) prompt, which controls use of the advertising identifier. Ads are non-personalized unless you allow tracking; on Android, ads are non-personalized.
- Push notifications: Delivered only if you grant the OS-level notification permission. You can revoke it at any time in your device Settings, or toggle categories from Profile → Notifications.
13. Children's Privacy
Fawazeer is a General Audiences app intended for players of all ages. It is not directed at children under 13 (or the equivalent minimum age in your country), and we do not knowingly collect personal data from such children. During onboarding we ask for your age range; analytics and personalized features are never enabled for anyone who indicates they are under 13. If you believe a child has provided us personal data, contact us and we will delete it.
14. Third-Party Services
Fawazeer relies on the third-party services listed in Section 7. Those services operate under their own terms and privacy policies. We encourage you to review them.
15. Changes to This Privacy Policy
We may update this policy from time to time. Material changes will be announced in the app and/or on our website, and the "Last updated" date above will be revised. Continued use of Fawazeer after such notice means you accept the updated policy.
Version history:
- June 3, 2026 — Added PostHog (EU Cloud, Frankfurt) as a product-analytics processor (Sections 4.D, 7, 8, 9). Clarified that analytics and crash reporting are an in-app opt-in, off by default (controlled in Settings → Privacy), applied on all platforms and separate from Apple's App Tracking Transparency — ATT is now described as governing the advertising identifier only.
- May 3, 2026 — Added the "Treasure of Riddles" auto-renewable subscription. RevenueCat Inc. added as a subscription-receipt validation processor (Section 4.F + Section 7). Subscription entitlement state retention added to Section 9.
- April 21, 2026 — v2.0 release. Added Firebase Analytics, Firebase Crashlytics, push notifications, cloud account and sync, Sign in with Apple / Google, named all data processors and retention periods, expanded GDPR / CCPA rights section, added Arabic and French translations.
- April 13, 2026 — Previous revision.
- March 24, 2026 — Initial v1 policy.
16. Contact Us
If you have questions, requests, or complaints about this Privacy Policy or our data practices, contact:
IT Consulting and Expertise 42 Rue de la Py, 75020 Paris, France Email: mehdi.jabri@itcexpertise.com Phone: +33 7 61 53 65 45 Website: https://www.itcexpertise.com
For GDPR matters, you may contact our representative at the same address.