Privacy Policy for Fawazeer
Last updated: May 3, 2026
This Privacy Policy explains how IT Consulting and Expertise ("we", "us", "our") collects, uses, stores, shares, and protects information when you use Fawazeer (the "App"), our mobile application, and any related website or support pages that link to this policy.
Localized versions of this policy are available in:
In case of discrepancy between translations, the English version governs.
1. Who We Are
Fawazeer is provided by:
- Company: IT Consulting and Expertise
- Address: 42 Rue de la Py, 75020 Paris, France
- Website: https://www.itcexpertise.com
- Email: mehdi.jabri@itcexpertise.com
- Phone: +33 7 61 53 65 45
For the purposes of applicable privacy law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA), IT Consulting and Expertise is the data controller for the personal data described in this policy.
2. Scope of This Policy
This policy applies to:
- The Fawazeer mobile app on iOS and Android
- Any website, landing page, or support page for Fawazeer that links to this policy
- Communications you send us about Fawazeer
This policy does not apply to third-party services that have their own privacy policies. Links to those policies are provided in Section 7.
3. Summary — at a glance
- The core game works offline and without an account. No personal data is required to play.
- Cloud sync, leaderboards, and analytics are optional. We ask for your consent before enabling analytics and personalized ads (via Apple's App Tracking Transparency on iOS and Google's User Messaging Platform on Android).
- You can delete your account and all associated data at any time from the Profile screen.
- We do not sell your personal data.
- We never access your contacts, photos, microphone, camera, calendar, precise GPS location, or biometric data.
4. Information We Collect
We only collect information needed to operate, improve, and support Fawazeer.
A. Information stored locally on your device
Fawazeer stores gameplay and preference data locally (via MMKV on-device storage). This information never leaves your device unless you enable cloud sync:
- Coin and hint balances
- Solved and skipped riddle IDs
- Unlocked packs and progression
- Streaks, scores, and gameplay statistics
- Settings (sound, haptics, language)
- Ad-removed flag (if you purchased the IAP)
- Cached consent decision (ATT / UMP result)
B. Account information (optional — only if you sign in or enable cloud sync)
If you sign in with Apple, Google, or continue as an anonymous cloud user, we collect:
- Anonymous or OAuth user ID — a random identifier created by Supabase Auth
- Email address — only if you sign in with Apple or Google and choose to share your email (Apple offers an email relay; Google may provide your account email)
- Display name — only if you voluntarily set one in the Profile screen (2–20 characters)
C. Gameplay sync data (optional — only if cloud sync is enabled)
If cloud sync is enabled, your game state and scores are synchronized to our backend:
- Full serialized game state (coins, hints, solved/skipped IDs, streaks, stats)
- Per-submission scores (total correct, total wrong, total skipped, best streak, total coins earned, packs completed)
- Daily challenge completion records (one per day)
Cloud sync and the leaderboard include server-side anti-cheat protections that validate submissions against your previous state.
D. Analytics and crash reporting (optional — only after you grant consent)
When you grant tracking consent via App Tracking Transparency (iOS) or User Messaging Platform (Android), Fawazeer uses Firebase Analytics and Firebase Crashlytics (both provided by Google LLC) to collect:
- Event data — product interactions such as
app_opened,riddle_started,riddle_answered,hint_used,pack_opened,pack_completed,iap_started,iap_completed,ad_impression,rewarded_ad_completed,language_changed,sign_in,sign_up - User properties — player level, player tier, streak bucket, ads-removed flag, first-open date, country (ISO code), locale (BCP-47)
- User ID — your Supabase ID, only after non-anonymous sign-in
- App-instance ID — a pseudonymous Firebase identifier tied to this install
- Device and session metadata — device model, OS version, app version, session duration
- Crash data — stack traces, breadcrumbs, device state at the moment of a crash or non-fatal error (collected via Firebase Crashlytics). Crash reports are attributed to the pseudonymous Firebase installation ID and do not include your name, email, or free-form content.
If you decline consent, none of this is collected. Firebase Analytics and Crashlytics collection remain disabled for the entire lifetime of that install unless you change your choice in iOS Settings → Privacy → Tracking, or re-open the UMP consent modal from Profile → Privacy → Manage consent on Android.
E. Advertising (consent-based personalization)
We display ads served by Google AdMob (banner, interstitial, and rewarded formats). To deliver and measure ads, Google may process:
- The advertising identifier (IDFA on iOS, Advertising ID on Android) — only if you grant ATT / UMP consent; otherwise ads are non-personalized
- Ad interactions (impressions, clicks, reward completions)
- Approximate location inferred from IP or device region
- SKAdNetwork postbacks on iOS (privacy-preserving attribution, cannot be joined to an individual)
- Technical device information (model, OS, app version, language)
Purchasing the "Remove Ads" IAP disables all ad requests.
F. Purchases and subscriptions
In-app purchases (coin packs, hint packs, "Remove Ads") and the auto-renewable "Treasure of Riddles" subscription are processed end-to-end by Apple and Google's billing systems. We never see your payment card number. We receive and store:
- Product identifier (SKU)
- Transaction status
- Transaction timestamp
- Receipt token (used to verify and restore purchases)
For subscriptions specifically, we also use RevenueCat Inc. (USA) as our subscription-receipt validation processor. RevenueCat receives the App Store / Google Play receipt at the moment of purchase and on each renewal, validates it with Apple / Google, and returns the entitlement status (active / trial / grace / cancelled / expired), the expiration date, and the auto-renewal flag. We mirror this status to your account profile via a server-to-server webhook so the ad-free entitlement and exclusive cosmetics resolve consistently across devices and reinstalls.
RevenueCat does not receive your name, email address, or any direct identifier — only your anonymous Supabase user ID (used to link entitlements to your account when you sign in) and the platform receipt itself.
G. Location (only if you tap "Use my location")
Fawazeer does not request location on launch. If you tap "Use my location" on the Profile screen to suggest the correct content region, we request approximate (when-in-use) location once. Only the country code is kept and transmitted (to suggest content); precise GPS coordinates never leave your device. Background location is disabled on both platforms.
H. Push notifications (optional)
If you grant notification permission on your device, we send transactional and engagement notifications (for example: daily-challenge reminders, streak reminders, new pack releases, important service updates). To deliver them we process:
- Device push token — issued by Apple Push Notification service (APNs) on iOS or Firebase Cloud Messaging (FCM) on Android; stored on our Supabase backend and tied to your user ID
- Notification preferences — which channels you have enabled or disabled
- Delivery and open events — used to measure notification effectiveness and to avoid sending to inactive installs
You can disable notifications at any time in your device Settings or from Profile → Notifications. Revoking the OS permission stops all further notifications immediately.
I. Support correspondence
If you email us, we will collect your name, email address, and the contents of your message.
J. Cookies on our websites
Our marketing and support websites may use cookies for essential functionality, preferences, security, and, where consent is given, analytics. You can manage cookies in your browser settings or via the cookie banner.
5. Legal Bases for Processing (GDPR / UK GDPR)
| Purpose | Legal basis |
|---|---|
| Providing offline gameplay | Not applicable — data stays on your device |
| Creating a cloud account and syncing your game state | Performance of a contract (Art. 6(1)(b)) |
| Leaderboards and anti-cheat | Legitimate interest in fair play (Art. 6(1)(f)) |
| Firebase Analytics, Firebase Crashlytics, and personalized ads | Consent (Art. 6(1)(a)) — obtained via ATT (iOS) and UMP (Android) |
| Push notifications | Consent (Art. 6(1)(a)) — obtained via the OS notification permission prompt |
| Non-personalized ads | Legitimate interest in sustaining a free app (Art. 6(1)(f)) |
| Processing purchases | Performance of a contract (Art. 6(1)(b)) |
| Handling your support requests | Legitimate interest / contract |
| Security, fraud prevention, anti-cheat | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
6. How We Use Information
We use information to:
- Provide and maintain Fawazeer
- Save and synchronize your progress across devices
- Operate global and weekly leaderboards
- Deliver and measure advertising (only per your consent choice)
- Analyze usage to improve the experience (only per your consent choice)
- Respond to support requests
- Process purchases and restore entitlements
- Protect against cheating, fraud, and abuse
- Comply with legal obligations
7. Who We Share Information With (Data Recipients)
We do not sell your personal data. We share limited information with the following processors, each acting under their own privacy policy:
| Processor | Purpose | Region | Policy |
|---|---|---|---|
| Google LLC — Firebase Analytics | Product analytics (consent-gated) | USA / global | https://firebase.google.com/support/privacy |
| Google LLC — Firebase Crashlytics | Crash and error reporting (consent-gated) | USA / global | https://firebase.google.com/support/privacy |
| Google LLC — Firebase Cloud Messaging | Push-notification delivery on Android | USA / global | https://firebase.google.com/support/privacy |
| Apple Inc. — APNs | Push-notification delivery on iOS | USA / EU | https://www.apple.com/legal/privacy/ |
| Google LLC — Google AdMob | Ad serving, measurement, consent management (UMP) | USA / global | https://policies.google.com/technologies/ads |
| Supabase Inc. | Backend auth, cloud sync, leaderboards, RPC | EU (Stockholm, eu-north-1) | https://supabase.com/privacy |
| Apple Inc. | Sign in with Apple, iOS App Store billing, ATT framework | USA / EU | https://www.apple.com/legal/privacy/ |
| Google LLC | Sign-In with Google, Google Play billing | USA / global | https://policies.google.com/privacy |
| RevenueCat Inc. | Subscription receipt validation, customer-info webhooks | USA / global | https://www.revenuecat.com/privacy |
| Vercel Inc. | Hosting of the public policy and marketing pages | USA / global | https://vercel.com/legal/privacy-policy |
We may also share information with legal authorities when required by law, or in connection with a corporate transaction such as a merger, acquisition, or sale of assets (with appropriate safeguards).
8. International Data Transfers
Personal data may be processed in countries outside the European Economic Area, including the United States. When such transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) published by the European Commission, and on our processors' self-certifications where applicable (e.g., EU–US Data Privacy Framework).
Our primary backend database (Supabase) is hosted in the EU (Stockholm, Sweden) to minimize cross-border transfers for EU users.
9. Data Retention
| Data | Retention |
|---|---|
| Local on-device data | Until you uninstall the app or use Profile → Reset Progress |
| Cloud account and game state | Until you delete the account (Profile → Delete Account) — immediate cascade through profiles, weekly_scores, daily_completions, game_state |
| Weekly leaderboard scores | Rolling 12-month window for historical analysis; your row is deleted when you delete your account |
| Firebase Analytics user-level data | 14 months (maximum permitted by Firebase); aggregate reports retained indefinitely and cannot be tied back to an individual |
| Firebase Crashlytics crash data | 90 days after the last occurrence, per Firebase default retention |
| Push-notification tokens | Until you revoke notification permission, delete the app, or delete your cloud account |
| Advertising ID data at Google AdMob | Per Google's AdMob retention policy |
| Purchase receipts | As long as required by Apple / Google platform policies and tax law |
| Subscription entitlement state at RevenueCat | Until you delete your account or until RevenueCat's documented retention period elapses, whichever is sooner |
| Support correspondence | Up to 3 years after last interaction |
10. Data Security
We use HTTPS/TLS for all data in transit, row-level security (RLS) on the Supabase database, server-side anti-cheat validation on score submissions, and encrypted on-device storage (MMKV). No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
11. Your Rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your personal data
- Object to or restrict certain processing
- Withdraw consent for analytics and personalized ads at any time (see below)
- Data portability — receive a copy of your data in a machine-readable format
- Lodge a complaint with your data protection authority (in France: CNIL)
- California residents: rights under the CCPA/CPRA, including the right to opt out of the "sharing" of personal information (we treat the advertising-ID flow to Google as "sharing" for CCPA purposes; you can opt out via UMP or by disabling "Personalized ads" in your Google account)
How to exercise your rights:
| Action | How |
|---|---|
| Withdraw analytics / crash-reporting / ad-personalization consent (iOS) | Settings → Privacy → Tracking → Fawazeer → toggle off |
| Withdraw analytics / crash-reporting / ad-personalization consent (Android) | Profile → Privacy → Manage consent |
| Disable push notifications | OS Settings → Notifications → Fawazeer, or Profile → Notifications |
| Sign out (keep your cloud data) | Profile → Sign out |
| Delete your account and all cloud data | Profile → Delete Account (confirmation required; action is immediate and irreversible) |
| Reset local progress | Profile → Reset Progress |
| Any other request | Email mehdi.jabri@itcexpertise.com |
We respond to verified requests within one month (extendable by two months where the request is complex, per GDPR Art. 12(3)).
12. Consent Management
- iOS: On first launch, when the app is in the foreground, we present Apple's App Tracking Transparency (ATT) prompt. If you decline, Firebase Analytics and Firebase Crashlytics stay disabled for the lifetime of the install and AdMob serves only non-personalized ads. We never re-prompt.
- Android: On first launch, Google's UMP SDK determines whether a consent form is required for your region (EEA, UK, Switzerland, California). Your choices control Firebase Analytics collection, Crashlytics collection, and AdMob personalization. You can re-open the consent modal at any time from Profile → Privacy → Manage consent.
- Push notifications: Delivered only if you grant the OS-level notification permission. You can revoke it at any time in your device Settings, or toggle categories from Profile → Notifications.
13. Children's Privacy
Fawazeer is a General Audiences app intended for players of all ages. It is not directed at children under 13 (or the equivalent minimum age in your country), and we do not knowingly collect personal data from such children. If you believe a child has provided us personal data, contact us and we will delete it.
14. Third-Party Services
Fawazeer relies on the third-party services listed in Section 7. Those services operate under their own terms and privacy policies. We encourage you to review them.
15. Changes to This Privacy Policy
We may update this policy from time to time. Material changes will be announced in the app and/or on our website, and the "Last updated" date above will be revised. Continued use of Fawazeer after such notice means you accept the updated policy.
Version history:
- May 3, 2026 — Added the "Treasure of Riddles" auto-renewable subscription. RevenueCat Inc. added as a subscription-receipt validation processor (Section 4.F + Section 7). Subscription entitlement state retention added to Section 9.
- April 21, 2026 — v2.0 release. Added Firebase Analytics, Firebase Crashlytics, push notifications, cloud account and sync, Sign in with Apple / Google, named all data processors and retention periods, expanded GDPR / CCPA rights section, added Arabic and French translations.
- April 13, 2026 — Previous revision.
- March 24, 2026 — Initial v1 policy.
16. Contact Us
If you have questions, requests, or complaints about this Privacy Policy or our data practices, contact:
IT Consulting and Expertise 42 Rue de la Py, 75020 Paris, France Email: mehdi.jabri@itcexpertise.com Phone: +33 7 61 53 65 45 Website: https://www.itcexpertise.com
For GDPR matters, you may contact our representative at the same address.