Privacy Policy

Privacy Policy

Effective date: 24 April 2026 Last updated: 24 April 2026

1. Who we are

This Privacy Policy describes how Illia Terekhov, acting as data controller ("we", "us", "our"), collects, uses, stores, and protects personal data when you use the Dungeon Storycraft & Quest AI mobile application (the "App" or "Service") on iOS and Android.

Controller details:

  • Name: Illia Terekhov
  • Capacity: Natural person (individual) resident in the Republic of Cyprus, acting in a personal capacity as an independent app developer
  • Tax Identification Code (TIC): 08151413V
  • Contact address: Riga Feraiou 16A, 6013 Larnaca, Cyprus
  • Email (privacy matters): iterekhov2023@gmail.com
  • Email (general legal): iterekhov2023@gmail.com

We are established in the Republic of Cyprus. Our processing is governed primarily by the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR") and Cyprus Law 125(I)/2018 on the Protection of Natural Persons with regard to the Processing of Personal Data.

2. About the App

Dungeon Storycraft & Quest AI is a single-player mobile role-playing game inspired by tabletop Dungeons & Dragons. The App uses a large language model (Google Gemini) to generate dynamic fantasy narrative in response to your text and voice input. Gameplay includes turn-based tactical combat, character progression, and story campaigns. The App offers auto-renewable subscriptions for narrative credits through Apple In-App Purchase and Google Play Billing. It supports anonymous, Google, and Apple sign-in.

3. Age requirements

The App is rated for users aged 14 and older. Content includes fantasy violence, mild horror themes, and AI-generated narrative.

  • We do not knowingly collect personal data from children under 14.
  • Under GDPR Article 8, the age at which a minor may consent to data processing by an information-society service varies between 13 and 16 across EU/EEA Member States. In Cyprus this age is 14. In countries where national law sets a higher threshold (for example, France: 15; Germany, Ireland, the Netherlands: 16), users below that threshold must obtain verifiable consent from a parent or legal guardian before using the App.
  • Where parental consent is required, the parent or guardian should contact us at iterekhov2023@gmail.com so that we can record the consent against the user's account.
  • If we become aware that we have collected personal data from a child below the applicable minimum age without proper consent, we will delete that data without undue delay. To report such a case, contact iterekhov2023@gmail.com.

Parents and guardians can restrict in-app purchases and access to the App using Apple Screen Time (iOS) or Google Family Link (Android).

4. What data we collect

We only collect what we need to operate the Service. The tables below describe every category of personal data we process, its source, purpose, legal basis under the GDPR, and retention period.

4.1 Account and identity data

4.2 Payment and subscription data

Data Source Purpose Legal basis Retention Apple original transaction ID / Google purchase token Apple StoreKit / Google Play Billing Validating subscriptions, enabling "Restore Purchases" Contract 7 years (Cyprus accounting and tax law) Subscription tier and status Our server (validated receipts) Access control Contract 7 years Credit balance and consumption log Our server Delivery of the paid service Contract 2 years after last activity We never receive or store your payment card number, CVV, or bank details. Payments are processed exclusively by Apple or Google, which act as independent data controllers for payment data under their own policies.

4.3 Gameplay content

4.4 Voice and audio

Data Source Purpose Legal basis Retention Microphone audio, transcribed to text for player input Device microphone, with your permission Voice-to-text for gameplay actions Explicit consent — Art. 6(1)(a), given when you grant microphone permission Audio is not stored. It is transcribed, and only the resulting text is retained as gameplay content. On iOS 17 and later, speech recognition runs on-device via Apple's Speech framework; audio does not leave your device. On older iOS versions and on Android, speech recognition may use the operating system's cloud service (Apple or Google), in which case the audio is processed by that OS provider under its own privacy policy. We do not retain raw audio in any case.

You can revoke microphone access at any time in your device settings.

4.5 Technical and device data

Data Purpose Legal basis Retention Product events (screen views, feature usage, funnel steps, retention signals) Understanding how players use the App so we can improve it In the EU/EEA/UK: your consent — Art. 6(1)(a). Elsewhere: legitimate interest with opt-out. 5 years Pseudonymous analytics user ID Linking events from the same user across sessions Same as above Same Device model, OS version, app version, coarse country (derived from IP address, which is then discarded by Mixpanel) Cohort analysis, compatibility Same as above Same We use the Mixpanel EU data residency endpoint so that analytics data from EU users is stored on EU servers.

4.8 Marketing attribution data (Meta SDK)

Data Purpose Legal basis Retention App install and in-app event signals (install, sign-up, purchase, subscription_start, level_up) Measuring effectiveness of Meta advertising campaigns In the EU/EEA/UK: your consent. On iOS: additionally, your App Tracking Transparency permission. Per Meta retention schedule Identifier for Vendor (IDFV) / Android Advertising ID Attribution Same Per Meta IDFA (iOS Advertising Identifier) Cross-app attribution Processed only if you grant App Tracking Transparency permission on iOS Per Meta Hashed email (Advanced Matching, where enabled) Conversion matching Your explicit consent Per Meta If you do not grant App Tracking Transparency permission on iOS, we fall back to Apple's privacy-preserving SKAdNetwork framework, which measures ad effectiveness without identifying you. If you withdraw consent in the EU/EEA/UK, we stop sending events to Meta from your device.

4.9 Data we do not collect

We do not collect or use:

  • Precise or approximate location data
  • Your contacts, calendar, or photo library
  • Health, fitness, or biometric data
  • Financial data beyond what Apple or Google provides for receipt validation
  • Browsing history outside the App
  • Data from advertising networks other than those listed above

5. How we use your data

We use personal data only for the purposes set out in Section 4 and, specifically, to:

  1. Create and maintain your account and subscription.
  2. Operate gameplay, including generating AI narrative in response to your input.
  3. Process and validate in-app purchases and manage credit balances.
  4. Provide customer support and respond to your requests.
  5. Detect, prevent, and address fraud, abuse, and security incidents.
  6. Comply with legal obligations (tax, accounting, lawful orders from competent authorities).
  7. With your consent where required, analyse product usage to improve the App.
  8. With your consent where required, measure advertising performance.

We do not use your gameplay content or personal data to train AI models. Google Gemini is used as an inference API only; inputs and outputs are governed by Google's terms applicable to our account tier and are not used by Google to train generally available models, per those terms as of the effective date of this Policy.

We do not sell your personal data within the meaning of the California Consumer Privacy Act or any equivalent law, and we do not share your data with third parties for their own marketing purposes.

Purpose Legal basis Account, gameplay, subscriptions, customer support Performance of a contract — Art. 6(1)(b) Microphone access for speech-to-text Explicit consent — Art. 6(1)(a) Product analytics (EU/EEA/UK users) Consent — Art. 6(1)(a) Advertising attribution (EU/EEA/UK users) Consent — Art. 6(1)(a), plus iOS ATT where applicable Security, fraud prevention, debugging Legitimate interest — Art. 6(1)(f) Tax and accounting records Legal obligation — Art. 6(1)(c) Where processing relies on legitimate interest, we have performed a balancing test and concluded that our interest (operating a secure, functional service) does not override your rights and freedoms. You may object to such processing at any time — see Section 10.

7. Third-party service providers (sub-processors)

We share personal data only with the service providers listed below, strictly for the purposes indicated, and under written data-processing terms that comply with GDPR Article 28.

Processor Role Data shared Location Transfer safeguards Supabase Inc. Backend, database, authentication, edge functions All account and gameplay data EU (Frankfurt) Supabase DPA; data hosted in the EU Google LLC (Gemini API) AI narrative generation Your text input (character actions) and in-context gameplay state US / EU Google Cloud DPA, EU-US Data Privacy Framework, Standard Contractual Clauses Apple Inc. App distribution, in-app purchases, Sign in with Apple, on-device speech recognition Purchase receipts, Apple ID email (only if you choose to share), on-device audio (for STT on iOS 17+) US Apple Developer Agreement, EU-US Data Privacy Framework Google LLC (Google Sign-In) OAuth authentication Email and name (only if you consent during sign-in) US Google API terms, EU-US Data Privacy Framework Google LLC (Google Play Billing) Android in-app purchases Purchase tokens US Same as above Mixpanel Inc. Product analytics (EU users: only with consent) Event data, pseudonymous user ID, device info, coarse country EU (Frankfurt — EU residency endpoint) Mixpanel DPA, Standard Contractual Clauses for any onward transfer Meta Platforms, Inc. Advertising attribution (EU users: only with consent) Install and event signals, device/advertising identifiers US Meta Business Tools Terms, EU-US Data Privacy Framework, Standard Contractual Clauses If we add, remove, or replace a sub-processor, we will update this list and, where the change is material, notify you in advance through the App or by email.

8. International data transfers

Some of our sub-processors are located outside the European Economic Area, primarily in the United States. When we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the European Commission, we rely on one or more of the following safeguards under GDPR Chapter V:

  • EU-US Data Privacy Framework certification of the recipient (Apple, Google, Meta), where applicable;
  • Standard Contractual Clauses approved by the European Commission, supplemented where appropriate by additional technical and organisational measures;
  • Your explicit consent, where other grounds are not available and the transfer is occasional.

You may request a copy of the relevant safeguards by contacting iterekhov2023@gmail.com.

9. Data retention

Retention periods for each category of data are set out in the tables in Section 4. In summary:

  • Data tied to an active account: retained while the account is active.
  • Purchase and subscription records: 7 years, to comply with tax and accounting obligations in Cyprus.
  • Gameplay narrative and voice transcripts: up to 2 years after last activity, to let you resume long-running campaigns.
  • Server logs and IP addresses: 30 days.
  • Content moderation reports: 2 years, for audit.
  • Analytics and advertising event data: as described in Sections 4.7 and 4.8 and in the respective processor's policies.

When you delete your account, we delete or irreversibly anonymise all personal data associated with it, except data we are legally required to retain (primarily tax and accounting records for 7 years, kept in isolated storage with restricted access).

10. Your rights

If you are located in the EU, EEA, UK, or Switzerland, you have the following rights under the GDPR:

  • Right of access (Art. 15) — obtain confirmation of whether we process your data, and a copy of it. You can request an export by emailing iterekhov2023@gmail.com; we will provide the data in a structured, machine-readable format (JSON or CSV).
  • Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
  • Right to erasure — "right to be forgotten" (Art. 17) — have your data deleted. You can delete your account directly in the App (Settings → Account → Delete Account), which removes all associated data subject to the legal retention periods in Section 9.
  • Right to restrict processing (Art. 18).
  • Right to data portability (Art. 20) — receive your data in a portable format and, where technically feasible, have it transmitted to another controller.
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time, without affecting the lawfulness of processing before the withdrawal. You can:Revoke microphone permission in your device settings.
  • Toggle product analytics and advertising attribution off in Settings → Privacy.
  • Opt out of App Tracking Transparency in iOS Settings → Privacy & Security → Tracking.
  • Right not to be subject to automated decision-making (Art. 22) — we do not make legally significant decisions about you using automated processing.

To exercise any right, email iterekhov2023@gmail.com. We will respond within one month of receipt, extendable by two further months in complex cases. There is no charge for reasonable requests.

Right to lodge a complaint. If you believe we have processed your data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority. In Cyprus, this is the Office of the Commissioner for Personal Data Protection:

  • Website: https://www.dataprotection.gov.cy
  • Address: 1 Iasonos Street, 1082 Nicosia, Cyprus
  • Phone: +357 22 818 456
  • Email: commissioner@dataprotection.gov.cy

You may also complain to the supervisory authority in your country of residence or place of the alleged infringement.

California residents — CCPA / CPRA

If you are a California resident, you have the rights to know, delete, correct, and limit the use of sensitive personal information, and to non-discrimination for exercising those rights. We do not sell or share personal information within the meaning of the CCPA, and we do not use sensitive personal information for purposes other than those permitted by CCPA § 1798.121. To exercise your CCPA rights, email iterekhov2023@gmail.com.

11. Security

We apply appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256 for our database);
  • Strict access controls and audit logging on production systems;
  • Authentication tokens with limited lifetime and scope;
  • Principle of least privilege for all service accounts;
  • Regular dependency and vulnerability updates.

No system is perfectly secure. If a breach affects your personal data in a way likely to result in a high risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with GDPR Articles 33 and 34.

If you are located in the EU, EEA, or UK, we will ask for your consent on first launch (and again if the categories of processing change) for:

  • Product analytics (Mixpanel)
  • Advertising attribution (Meta SDK)

You can accept all, reject all, or manage categories individually. You can change your choices at any time in Settings → Privacy. Rejecting consent does not affect core gameplay.

On iOS, we additionally request App Tracking Transparency permission before any tracking identifier (such as IDFA) is used for advertising attribution. You can revoke this permission at any time in iOS Settings → Privacy & Security → Tracking.

13. Cookies and similar technologies

The App does not use browser cookies. It uses standard mobile SDK storage (such as NSUserDefaults on iOS and SharedPreferences on Android) to keep your session active and remember your consent choices. These identifiers do not leave your device except as described in Section 4.

The App may contain links to third-party websites or reference third-party services (for example, Apple support pages for managing subscriptions). Those sites and services are governed by their own privacy policies. We are not responsible for their content or practices.

15. Automated decision-making

The App uses Google Gemini to generate fictional narrative in response to your input. This is not automated decision-making that produces legal or similarly significant effects about you, within the meaning of GDPR Article 22. No human-impacting decisions (such as credit, employment, or eligibility) are made on the basis of AI output.

16. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. If the change is material — for example, a new category of data or a new sub-processor with a significant role — we will notify you through the App, by email, or both, at least 30 days before the change takes effect. Continued use of the App after the effective date constitutes acceptance of the updated Policy.

17. Contact

For any question, request, or complaint concerning this Privacy Policy or your personal data:

  • Email: iterekhov2023@gmail.com
  • Contact address: Riga Feraiou 16A, 6013 Larnaca, Cyprus

We are not currently required to appoint a Data Protection Officer under GDPR Article 37.

Report Page