Privacy Policy
This Privacy Policy describes how Dominik Ornat, sole proprietor doing business as Numgeek (hereinafter "NumGeek", "we", "us", or "our"), collects, uses, shares, and protects personal data when you use the NumGeek mobile application available on Google Play under the name NumGeek: SumFind Chronicles (the "App").
We are the data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, "GDPR").
Contact for privacy matters:
privacy@numgeek.com
Place of business: Poland
1. Data we collect
We collect only the data necessary to operate the App, deliver the gameplay experience, fulfil purchases, prevent abuse, and comply with applicable law.
1.1 Account data
- Email address — when you create an account or sign in with email/password or with your Google account.
- Username (nickname) — chosen by you on first sign-in. Your username is publicly visible on the in-app leaderboard.
- Authentication identifier (Firebase UID) — assigned automatically; used internally to link your data across devices.
1.2 Game data
- Level completion status, best score, best time, attempts, and stars earned.
- In-progress puzzle state (saved when you leave a level so you can resume).
- App preferences (e.g. sound on/off, fair-play toggles).
- Aggregated metric: total stars earned (used for leaderboard ranking).
1.3 Purchase data
- Identifiers of purchases you have made through Google Play Billing (e.g. remove_ads, unlock_all_levels) and the resulting entitlements (boolean flags such as "ads removed").
- We do not store your payment card details, billing address, or transaction amounts. These are processed by Google and the payment provider; we only receive a confirmation that a given purchase was completed.
1.4 Device and advertising data
- Advertising ID — used by Google AdMob to serve advertisements while you have not purchased the "Remove Ads" entitlement. You can reset or limit this identifier in your device settings.
- Standard technical data sent automatically by your device to our service providers (IP address, device model, OS version, crash diagnostics) — used for security, fraud prevention, and basic stability monitoring.
2. Purposes and legal bases
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Creating and operating your account | Email, username, Firebase UID | Performance of a contract — Art. 6(1)(b) |
| Saving and synchronising game progress across devices | Game data, account data | Performance of a contract — Art. 6(1)(b) |
| Displaying the public leaderboard | Username, total stars | Performance of a contract — Art. 6(1)(b) |
| Processing in-app purchases and granting entitlements | Purchase identifiers, Firebase UID | Performance of a contract — Art. 6(1)(b) |
| Serving personalised or non-personalised ads | Advertising ID, technical data | Consent (personalised ads) — Art. 6(1)(a) / Legitimate interest (non-personalised ads) — Art. 6(1)(f) |
| Security, fraud prevention, abuse mitigation | Technical data, account data | Legitimate interest — Art. 6(1)(f) |
| Compliance with tax and accounting obligations | Purchase identifiers | Legal obligation — Art. 6(1)(c) |
3. Third-party services and data sharing
We do not sell your personal data. We share data with the following processors and service providers solely to operate the App:
| Provider | Role | Data shared |
|---|---|---|
| Google Ireland Ltd. — Firebase Authentication, Cloud Firestore, Cloud Functions | Authentication, database, server-side processing | Email, username, Firebase UID, game data, purchase entitlements |
| Google Ireland Ltd. — Google Play Billing | Payment processing for in-app purchases | Purchase intent (the rest is handled directly by Google) |
| Google Ireland Ltd. — Google AdMob | Serving advertisements (banner and interstitial) | Advertising ID, technical data — only when you have not purchased "Remove Ads" |
| RevenueCat, Inc. (United States) | Subscription / purchase reconciliation between Google Play and our backend | Firebase UID, purchase identifiers |
Each of these providers acts under its own privacy policy and is bound to us by a Data Processing Agreement (DPA) where required.
4. Data retention
- Account data and game data — kept for as long as your account exists. If you request account deletion (see Section 6), we delete your data within 30 days, except where we are required to retain it for legal reasons.
- Purchase records — kept for the period required by Polish tax and accounting law (currently 5 calendar years from the end of the year in which the transaction occurred).
- Server logs — kept for up to 30 days, then automatically deleted by Google Cloud.
5. International data transfers
Some of our processors are located outside the European Economic Area (notably RevenueCat in the United States). Where personal data is transferred outside the EEA, the transfer is protected by the European Commission's Standard Contractual Clauses (SCCs) or another lawful transfer mechanism under the GDPR.
6. Your rights under the GDPR
You have the following rights with respect to your personal data:
- Right of access (Art. 15) — obtain a copy of the data we hold about you.
- Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten", Art. 17) — request deletion of your account and personal data.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — to processing based on legitimate interests, including ad personalisation.
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing performed before withdrawal.
- Right to lodge a complaint with the Polish supervisory authority — Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa (uodo.gov.pl).
To exercise any of these rights, contact us at privacy@numgeek.com. We respond within one month, in line with Art. 12(3) GDPR.
7. Children
The App is not directed at children under the age of 13 (or 16 in jurisdictions where that is the applicable digital age of consent). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us at privacy@numgeek.com and we will delete it promptly.
8. Security
- All communication between the App and our servers is encrypted using TLS (HTTPS).
- Authentication is delegated to Firebase Authentication, which applies industry-standard credential hashing and rate limiting.
- Database access is restricted by Firestore Security Rules so that each user can read and write only their own data.
- Privileged operations (granting purchase entitlements, mirroring leaderboard data) are performed exclusively by server-side Cloud Functions; the App itself is not authorised to write those fields.
9. Advertising and consent
When you have not purchased the "Remove Ads" or "Premium Bundle" entitlement, the App displays advertisements served by Google AdMob. For users in the European Economic Area, the United Kingdom, and Switzerland, on first launch the App presents a Google-certified consent message (Google User Messaging Platform) that allows you to accept or decline personalised advertising.
If you decline, AdMob serves only non-personalised, contextual advertisements. You can change your choice at any time from the in-app Settings screen.
Removing advertising entirely is also possible by purchasing the "Remove Ads" or "Premium Bundle" product.
10. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the latest revision was published. Material changes will be communicated through the App or by email to the address associated with your account.
11. Contact
Numgeek — Dominik Ornat
Email: privacy@numgeek.com
Country: Poland