Part I: Privacy Policy (Global Compliance Upgrade)

This Privacy Policy is signed and jointly established between our professional mobile application R&D team ("we", "our team") and you ("user", "you"). It applies to all actions related to downloading, installing, and using our mobile applications (collectively, "Application Products") released for global users through App Store, Google Play, and other compliant distribution channels. Our monetization model includes both IAA (in-app advertising) and IAP (in-app purchases). During the entire lifecycle, we strictly follow global privacy and data security rules, minor protection requirements, and store/partner policies, to protect your lawful rights and data security.

This agreement package consists of two complete and inseparable parts: Part I Privacy Policy and Part II User Service Agreement. Your use of any Application Product means you have completely read, fully understood, and voluntarily agreed to all terms.

I. Policy General Rules

1.1 Policy Objective and Legal Basis

This policy transparently discloses the specific scope, methods, and purposes of our collection, use, storage, transfer, and disclosure of personal information. We follow legality, legitimacy, necessity, and good faith principles, and align with global legal and platform requirements, including but not limited to PIPL, GDPR, CCPA/CPRA, LGPD, and applicable local regulations; App Store and Google Play privacy requirements; and monetization platform policy standards. We do not collect personal information unrelated to product functions, and we do not misuse or unlawfully disclose personal information.

1.2 Global Scope and Regional Priority

This policy applies to all users globally. We provide explicit adaptation clauses for different jurisdictions. If your country or region imposes stricter standards, local mandatory law and corresponding platform requirements take priority.

1.3 User Rights and Informed Consent

You have the right to access, correct, and delete personal information, withdraw consent, and request anonymization where legally applicable. We provide clear and efficient operation paths. Privacy policy and agreement popups are displayed with default unchecked options; we only begin related data processing after your active confirmation.

II. Scope and Method of Personal Information Collection

2.1 Core Necessary Information (Required for Core Functionality)

• Device Information: including but not limited to device model, OS version, device identifiers (such as IMEI, IDFA, Android ID, with anonymization/minimization controls), device MAC address, screen resolution, network type (Wi-Fi/mobile). Purpose: adaptation, core runtime, diagnostics, and security protection. Collection follows minimum-necessary standards required by App Store and Google Play.
• Application Usage Information: including but not limited to feature modules used, usage duration, operation logs, and feature preferences. Purpose: feature optimization, experience improvement, optional personalization (where available and user-controllable), and monetization statistics under minimum-necessary principles.

2.2 Optional Information (User Choice; No Impact on Core Function Use if Not Provided)

• Personal Identity Information: name, email, phone number; used for account registration, password retrieval, IAP validation, and support communication. Anonymous use is available where functionally feasible.
• Location Information: used only for certain scenario-based features and collected only after manual permission by you. Authorization can be withdrawn anytime in system settings. We do not actively track real-time location beyond authorized scope.
• Album/File Permission: used only for user-initiated save/upload and related functions. Access requires manual permission and can be revoked at any time. We do not access files or photos not actively selected by you.

2.3 Third-Party Information Collection (Monetization/Distribution Adaptation)

For IAA monetization, we may integrate compliant advertising/mediation platforms including but not limited to Google AdMob, AppLovin MAX, Unity Ads, Meta Audience Network, ironSource, Mintegral, Liftoff Monetize (Vungle), Chartboost, Pangle, InMobi, Smaato, Verve Group, DT Exchange (Fyber), and other compliant regional demand sources. These providers may process device signals, usage signals, and ad view/click records for ad delivery, frequency control, anti-fraud, and performance analysis according to their own privacy policies and applicable laws. We contractually constrain their data scope and prohibit collection unrelated to ad service purposes.

For IAP monetization, App Store, Google Play, and other compliant stores process payment information (for example payment account and transaction record). We do not directly receive your sensitive payment credentials, and only receive transaction verification outcomes needed to deliver paid services.

2.4 Collection Methods

Data collection occurs through your active authorization and actions (for example registration, upload, check-in, purchase), and automated technical collection limited to necessary information. We never collect personal information through hidden, fraudulent, misleading, or coercive means. Before collection, we provide purpose, scope, method, and retention notice and proceed only after explicit consent. We do not use default-checked or forced-bundled consent.

III. Purpose and Scope of Personal Information Use

3.1 Core Service Purpose

To provide all product functions, ensure stable operation, identify and resolve faults, and continuously optimize product quality for everyday utility and productivity scenarios.

3.2 Monetization-Related Use (IAA + IAP)

• IAA: ad delivery and ad effectiveness analysis under compliance rules. Ad formats may include app open ads, rewarded video ads, interstitial ads, and banner ads. Personalized ad controls are provided where required.
• IAP: purchase verification, order management, transaction query support, and entitlement delivery.
• We align with platform-level requirements such as ATT-related consent and applicable Android privacy and ad framework requirements.

3.3 Optimization and Security

We analyze product usage data to optimize interfaces and workflows; detect abnormal login, malicious operation, and fraud behavior; and protect account and ecosystem security.

3.4 Compliance and Audit

We retain required records in accordance with applicable legal and platform obligations to support compliance audits and lawful regulatory inspections.

3.5 Prohibited Uses

We do not sell, rent, or lend your personal information to any third party except lawful and necessary processors such as compliant monetization/distribution partners and legally authorized authorities. We do not use personal information for unrelated purposes or unlawful monetization activities, and do not leak, tamper with, or abuse user personal information.

IV. Personal Information Storage and Data Security

4.1 Storage Location

We follow a "local storage first, optional cloud backup" principle. By default, personal data is stored locally on your device. If you enable cloud backup, relevant data will be stored on compliant cloud infrastructure. Regional storage and localization obligations are adapted according to local law; for example, where EU storage localization applies, EU user data is handled in compliance with applicable EU requirements.

4.2 Retention Period

We retain data only for the reasonable period necessary to achieve stated purposes. After expiration, data is anonymized or deleted. You may delete personal data at any time. After account cancellation, we complete deletion within 15 working days unless legal retention obligations require otherwise.

4.3 Security Measures

• Encryption at rest (including AES-256 classes where applicable)
• Encryption in transit (HTTPS/TLS)
• Access control and audit logging
• Regular security inspection and risk assessment
• Confidentiality controls for employees and processors
• Security and privacy governance aligned with ISO27001 and ISO27701 practice frameworks

4.4 Data Breach Handling

If a personal data breach occurs, we will immediately launch emergency response, implement mitigation, prevent further expansion, and notify affected users and authorities within legal timelines where required (including 72-hour style requirements in applicable GDPR scenarios). We will disclose causes, remedial actions, and prevention plans, and cooperate with competent authorities.

V. Personal Information Transfer and Disclosure

5.1 Transfer Scope

Necessary transfer may occur only among Application Products, compliant infrastructure, monetization partners, and App Store/Google Play or other compliant distribution channels. Transfer is encrypted and strictly limited to minimum-necessary scope.

5.2 Disclosure Scenarios (Lawful and Necessary Only)

• Disclosure to third parties with your explicit authorization (for example authorized sign-in/share)
• Disclosure of necessary operational information to compliant monetization and distribution partners
• Disclosure required by law, judicial process, or administrative regulators
• Disclosure within reasonable necessity for rights protection, fraud prevention, and operation security

5.3 Cross-Border Transfer

Where cross-border transfer is involved, we follow applicable transfer requirements such as adequacy mechanisms, standard contractual safeguards, certification or security assessments where required, and do not transfer to non-compliant destinations unlawfully.

VI. Regional Privacy Adaptation Clauses

6.1 EU/EEA (GDPR)

We protect rights including information, access, correction, erasure, consent withdrawal, and data portability. We maintain dedicated governance workflows, breach response, and supervisory cooperation. Data handling follows GDPR principles and local supervisory expectations.

6.2 United States (CCPA/CPRA + COPPA)

Users may request disclosure of collection/use scope, deletion of personal information, and opt-out from relevant data-sharing contexts where applicable. We support "Do Not Sell or Share" controls where legally required. We strictly enforce COPPA-related restrictions for children under 13.

6.3 China (PIPL + Cross-Border Data Rules + Relevant Standards)

We follow legality, legitimacy, necessity, and integrity principles, obtain clear consent before collection, and provide query/correction/deletion/withdrawal rights. We align with applicable cross-border obligations and compliance audit expectations under relevant regulations and standards.

6.4 Brazil (LGPD)

We implement lawful basis management, rights response mechanisms, and security controls required by LGPD, and avoid operation behavior that would violate local filing or governance expectations.

6.5 Southeast Asia

We adapt operations to local requirements, including applicable filing and data compliance obligations in markets such as Thailand and Singapore when relevant.

6.6 Other Countries/Regions

We comprehensively adapt to local privacy regulations. If stricter local requirements exist, those stricter requirements prevail.

VII. Age Policy Adaptation (Global + Regional Supplement)

7.1 Global Unified Age Requirements

• Service for children under 13 is prohibited in contexts where law/policy requires restriction. If discovered, service is terminated and relevant data is deleted.
• Users aged 13-18 must use the product with guardian consent when required by law. Guardians have rights to query, correct, delete minor data, and request service termination.
• Application content and ad delivery must not include violent, sexual, vulgar, illegal, or otherwise harmful content to minors.
• We use machine and human review mechanisms for content safety and policy compliance.

7.2 Regional Supplemental Rules

If a country/region defines a higher age threshold (for example 16), local law prevails.

VIII. User Privacy Rights and Operation Paths

8.1 User Rights

You have rights including informed right, access, correction, deletion, withdrawal of consent, data portability where applicable, and complaint/report rights for suspected unlawful processing.

8.2 Practical Operation Paths

• Query/Correct/Delete Information: Open App -> My -> Privacy Settings -> Personal Information Management
• Withdraw Permissions: Open App -> My -> Privacy Settings -> Permission Management; or revoke permissions in device system settings
• Delete Account: Open App -> My -> Account Settings -> Delete Account; after completion we process deletion per this policy
• Privacy Complaint: Open App -> My -> Service Center -> Privacy Complaint; we respond within 3 working days and provide handling result within 7 working days

IX. Policy Updates and Notices

9.1 Update Triggers

We may update this policy based on legal updates, distribution and monetization policy changes, product function changes, and regulatory requirements. Updated policies will not reduce our data protection responsibilities.

9.2 Update Notice and User Choice

We notify changes via in-app popup, push message, or announcement. Continued use means acceptance of the updated policy. If you do not agree, you may stop using the product. We will stop corresponding processing and delete data as legally permitted except required retention.

X. Disclaimer Clauses

10.1 Force Majeure

For data incidents caused by force majeure events (for example natural disasters, network interruption, or unforeseeable server incidents), we may be exempt within legal limits, but we will still take reasonable remediation and notice actions.

10.2 User-Side Risk

Losses caused by your own unsafe operation (for example leaked password, trusted unauthorized third parties, lost device) are your responsibility. We recommend strict credential and device security management.

10.3 Third-Party Violations

If monetization partners, distribution platforms, or cloud providers violate legal requirements and unlawfully process data, the violating party bears corresponding liability. We will assist your rights protection and strengthen partner compliance review.

10.4 Lawful Disclosure

Where we disclose data based on statutory obligations and legal procedures, corresponding responsibility is handled under applicable law.

10.5 Authenticity of User-Provided Information

You are responsible for authenticity and completeness of voluntarily provided data. Losses caused by false or incomplete information are borne by you according to law.

Privacy Contact Information

Business Support Email: support@bytecoredigitallab.com
Contact Email: contact@bytecoredigitallab.com
Additional Legal Contact Channel Included in Original Draft: contact@rbytecoredigitallab.com
Contact Address: Hoa Lac Hi-Tech Park, Hanoi, Vietnam