PRIVACY POLICY
Application: Piano Keyboard, Learn Piano
Platform: Apple iOS (App Store)
Effective Date: June 16, 2026
Last Updated: June 19, 2026
Piano Keyboard – Learn & Play — Support
Need help? We're here for you.
Contact us: support@boomstudio.vn
We usually respond within 24–48 hours.
Frequently Asked Questions
How do I manage or cancel my subscription?
Subscriptions are managed through your Apple ID. Go to Settings → [your name] → Subscriptions on your iPhone or iPad to view, change, or cancel.
How do I restore my purchase?
Open the app, go to the Premium/Settings screen, and tap "Restore Purchases."
The app isn't working correctly. What should I do?
Please email us at support@boomstudio.vn with your device model, iOS version, and a short description of the problem. Screenshots help us fix it faster.
How can I request a refund?
Refunds are handled by Apple. Visit reportaproblem.apple.com to request one.
Legal:
Privacy Policy: https://sites.google.com/boomstudio.vn/piano-keyboard-learn-and-play/home
Terms of Use (EULA): https://www.apple.com/legal/internet-services/itunes/dev/stdeula/
─────────────────────────────────────────────
SECTION 1. INTRODUCTION
─────────────────────────────────────────────
This Privacy Policy ("Policy") describes how BOOM GAMES JOINT STOCK COMPANY ("Company", "we", "us", or "our") collects, uses, discloses, and protects information when you ("you", "your", or "User") install or use the Piano Keyboard, Learn Piano mobile application (the "App") on Apple iOS devices distributed exclusively through the Apple App Store.
This Policy is written to comply with:
(a) Apple App Store Review Guideline 5.1 (Privacy);
(b) Apple Developer Program License Agreement, including Sections 3.3.9, 3.3.10, 3.3.11, and 3.3.12;
(c) The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR");
(d) The UK General Data Protection Regulation and Data Protection Act 2018;
(e) The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100–1798.199.100) ("CCPA/CPRA");
(f) The California Online Privacy Protection Act (Cal. Bus. & Prof. Code §§ 22575–22579) ("CalOPPA");
(g) The Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) ("COPPA");
(h) Brazil's Lei Geral de Proteção de Dados (Federal Law No. 13.709/2018) ("LGPD");
(i) Other applicable data protection and privacy laws.
By installing or using the App, you acknowledge that you have read, understood, and agreed to the practices described in this Policy. If you do not agree, you must not install or use the App, and you should uninstall the App from your device.
─────────────────────────────────────────────
SECTION 2. DATA CONTROLLER AND CONTACT
─────────────────────────────────────────────
The data controller responsible for processing your personal data is:
Legal Entity: BOOM GAMES JOINT STOCK COMPANY
Registered Address: 33 Bt4-3 Section, Trung Van Residential Area, Trung Thu Street, Trung Van Ward, Nam Tu Liem District, Ha Noi, Vietnam
Apple Developer Team ID: 8675YWQ399
Telephone: +84-838991990
Email for all privacy inquiries: dev@boomstudio.vn
For GDPR purposes, BOOM GAMES JOINT STOCK COMPANY acts as a joint controller with its SDK providers (Google LLC and AppsFlyer Ltd.) for data collected via their SDKs integrated within the App. The respective scopes of responsibility are described in the SDK providers' own privacy policies (linked in Section 8).
─────────────────────────────────────────────
SECTION 3. KEY FACTS — AT A GLANCE
─────────────────────────────────────────────
For your convenience, here is a plain-language summary of our data practices. The detailed legal disclosures follow in Sections 4 through 22.
(a) The App does NOT require account registration, sign-in, or any form of user-identifying input.
(b) The App does NOT collect your real name, email address, phone number, postal address, date of birth, age, gender, or any contact details.
(c) The App offers auto-renewable subscriptions ("Premium") sold through Apple's In-App Purchase system. All payment processing is handled entirely by Apple; we do NOT collect, receive, or store your credit card number, billing address, or any payment credentials. We receive only Apple-provided, anonymized subscription status and transaction identifiers.
(d) The App displays in-app advertisements through Google AdMob.
(e) The App uses Google Firebase Analytics for app usage analytics and crash reporting.
(f) The App uses AppsFlyer for install attribution and marketing measurement.
(g) The App requests Microphone and Photo Library (add-only) permissions for specific in-app features.
(h) The App does NOT upload, transmit, or share your microphone audio or your recorded performances with any party. Recordings are saved solely on your device.
(i) The App does NOT upload your saved recordings or media files to any party. They remain solely on your device.
(j) The App complies with Apple's App Tracking Transparency (ATT) framework on iOS 14.5 and later.
(k) We do NOT sell personal information. We DO share certain identifiers (specifically IDFA) with Google AdMob and AppsFlyer for cross-context behavioral advertising when ATT permission is granted. This activity qualifies as "sharing" under California CPRA.
(l) We do NOT use device fingerprinting or any technique to identify users that circumvents Apple's ATT framework.
(m) The App is rated 4+ on the App Store and is not directed to or targeted at children, though it is suitable for general audiences.
─────────────────────────────────────────────
SECTION 4. DEFINITIONS
─────────────────────────────────────────────
The following terms used in this Policy have the meanings set forth below:
"AdAttributionKit" means Apple's privacy-preserving install attribution framework, formerly known as SKAdNetwork, used for measuring ad campaign performance without identifying individual users.
"App-Bounded Identifier" means an identifier scoped to a single app or single developer account that cannot be used to identify a user across other developers' apps.
"Coarse Location" means approximate geographic location at the city or country level, derived from IP address, without GPS coordinates.
"IDFA" means the Identifier for Advertisers, a randomized device-level identifier provided by Apple iOS for advertising purposes, accessible only after the user grants permission through the App Tracking Transparency framework.
"IDFV" means the Identifier for Vendors, an identifier scoped to apps from the same vendor, which cannot be used to track users across other vendors' apps.
"Personal Data" or "Personal Information" means any information that relates to an identified or identifiable natural person, as defined in GDPR Article 4(1), CCPA Cal. Civ. Code § 1798.140(v), and similar provisions in applicable law.
"Process" or "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, transmission, or deletion.
"SDK" means Software Development Kit, third-party code libraries integrated into the App.
"Sharing" or "Share" has the meaning given in California Cal. Civ. Code § 1798.140(ah), referring to the disclosure of personal information to a third party for cross-context behavioral advertising, whether or not for monetary consideration.
"Tracking" has the meaning given by Apple's App Tracking Transparency framework and Apple's App Store Review Guidelines, specifically: linking user or device data collected from this App with user or device data collected from other companies' apps, websites, or offline properties for the purposes of targeted advertising or advertising measurement, or sharing user or device data with data brokers.
─────────────────────────────────────────────
SECTION 5. NATURE AND PURPOSE OF THE APP
─────────────────────────────────────────────
The App is a music education and entertainment application. It provides a virtual 88-key piano keyboard, step-by-step piano lessons, chord and scale tutorials, practice modes, customizable themes, and an in-app recorder that allows you to record and play back your own performances. The App is designed for beginners, hobbyists, and experienced players who wish to learn, practice, or play piano on their iOS device. The audio playback, lessons, and recording features are generated locally on your device. (This notice is provided here for transparency about the App's data inputs and features.)
─────────────────────────────────────────────
SECTION 6. CATEGORIES OF DATA COLLECTED
─────────────────────────────────────────────
This Section enumerates every category of data collected by the App and its integrated SDKs, using the standard data-type taxonomy that Apple uses in App Store Connect Privacy Nutrition Labels. Any category not listed below is NOT collected by the App.
6.1 IDENTIFIERS — COLLECTED
(a) Device ID — IDFA (Identifier for Advertisers)
- Collected by: Google AdMob SDK, AppsFlyer SDK
- Conditions of collection: Only when the User grants permission via Apple's App Tracking Transparency prompt. If permission is denied, IDFA is returned as 00000000-0000-0000-0000-000000000000 (zeros) and is not used.
- Linked to user identity: Yes
- Used for tracking: Yes
(b) Device ID — IDFV (Identifier for Vendors)
- Collected by: AppsFlyer SDK, Google Firebase Analytics SDK
- Conditions: Collected at App launch.
- Linked to user identity: Yes (within our App and other apps from the same vendor only)
- Used for tracking: No
(c) AppsFlyer ID (vendor pseudonymous identifier)
- Collected by: AppsFlyer SDK
- Linked to user identity: Yes
- Used for tracking: Yes, when ATT is granted
(d) Firebase Installation ID
- Collected by: Google Firebase Analytics SDK
- Linked to user identity: No (treated as not-linked in Privacy Nutrition Label)
- Used for tracking: No
(e) Google Mobile Ads SDK Rotating Instance ID
- Collected by: Google AdMob SDK
- Linked to user identity: No
- Used for tracking: No
6.2 LOCATION — COLLECTED (COARSE ONLY)
(a) Coarse Location (IP-derived, city/country level)
- Collected by: Google AdMob SDK, AppsFlyer SDK, Google Firebase Analytics SDK
- Conditions: Derived automatically from the IP address attached to network requests.
- Linked to user identity: Yes (in combination with IDFA when ATT is granted)
- Used for tracking: Yes, when ATT is granted (by AdMob and AppsFlyer); No (by Firebase Analytics)
(b) Precise Location — NOT COLLECTED
The App does not request iOS Location Services permission (NSLocationWhenInUseUsageDescription or NSLocationAlwaysAndWhenInUseUsageDescription) and does not access GPS coordinates.
6.3 USAGE DATA — COLLECTED
(a) Product Interaction
- Includes: App launches, session start and end timestamps, screen views, button taps, feature interactions, lesson-start and lesson-complete events, recording events, ad-impression events, ad-click events.
- Collected by: Google Firebase Analytics SDK, AppsFlyer SDK
- Linked to user identity: No (Firebase); Yes when combined with IDFA via AppsFlyer when ATT is granted
- Used for tracking: No (Firebase); Yes by AppsFlyer when ATT is granted
(b) Advertising Data
- Includes: Ad-impression count, ad-click count, ad type (banner, interstitial, rewarded, native), ad-network identifier, ad-unit identifier, ad-engagement timestamps, advertiser-audience inferences derived by Google AdMob.
- Collected by: Google AdMob SDK
- Linked to user identity: Yes when ATT is granted; No otherwise
- Used for tracking: Yes when ATT is granted; No otherwise (contextual ads only)
6.4 DIAGNOSTICS — COLLECTED
(a) Crash Data
- Includes: Crash logs, stack traces, exception types, the App version at time of crash.
- Collected by: Google Firebase Crashlytics SDK
- Linked to user identity: No
- Used for tracking: No
(b) Performance Data
- Includes: App launch time, frame rendering performance, network request latency, memory usage metrics.
- Collected by: Google Firebase Analytics SDK
- Linked to user identity: No
- Used for tracking: No
(c) Other Diagnostic Data
- Includes: SDK initialization status, SDK error events, runtime configuration values.
- Collected by: All integrated SDKs
- Linked to user identity: No
- Used for tracking: No
6.5 OTHER TECHNICAL DATA — COLLECTED
The following technical attributes are transmitted by the SDKs:
- Device model (e.g., "iPhone 14 Pro")
- Device manufacturer ("Apple")
- Operating system name and version (e.g., "iOS 17.4.1")
- Device language and region setting
- Time zone
- Screen size and pixel density
- Mobile carrier name (if applicable)
- Network connection type (Wi-Fi or cellular)
- IP address (used to derive Coarse Location; truncated for storage by SDK providers per their retention policies)
- User-Agent string
These attributes are collected by all three SDKs listed in Section 8.
6.6 CATEGORIES EXPLICITLY NOT COLLECTED
For the avoidance of doubt, the App does NOT collect any of the following data categories defined by Apple's Privacy Nutrition Label taxonomy:
(a) Contact Info — Name, Email Address, Phone Number, Physical Address, Other User Contact Info: NOT COLLECTED.
(b) Health & Fitness — Health, Fitness: NOT COLLECTED.
(c) Financial Info — Payment Info, Credit Info: NOT COLLECTED. The App offers auto-renewable subscriptions, but all payment data (card number, billing details) is collected and processed solely by Apple. We never receive or have access to your payment information.
(d) Location — Precise Location: NOT COLLECTED.
(e) Sensitive Info — Sensitive personal information as defined in CPRA Cal. Civ. Code § 1798.140(ae) and GDPR Article 9 (racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, sexual orientation, political opinions, citizenship or immigration status, government identifier): NOT COLLECTED.
(f) Contacts — Address book, contact list: NOT COLLECTED.
(g) User Content — Emails or text messages, Photos or Videos, Audio Data, Gameplay content, Customer support content, Other user content: NOT COLLECTED BY US OR ANY THIRD PARTY. Specifically:
- Audio recordings of your performances that you choose to create remain in local storage on your device and are never transmitted to us or any third party.
- Microphone audio is processed in real-time on-device and is never uploaded or transmitted off the device.
- The App does not contain any chat, comment, forum, customer support form, or user-generated content sharing feature.
(h) Browsing History — Browsing history outside of the App: NOT COLLECTED.
(i) Search History — In-App search history: NOT COLLECTED.
(j) Identifiers — Account-level User ID: NOT COLLECTED. The App has no account system.
(k) Purchases — Purchase History: COLLECTED (limited). We receive from Apple your subscription status (active/expired) and anonymized transaction identifiers solely to unlock Premium features and validate entitlements. This data is not linked to your real-world identity and is not used for advertising. See Section 6.7 for details.
(l) Other Data — Government IDs, Biometric data (FaceID/TouchID never leaves the device per Apple's design), Inferences not used by AdMob for ads: NOT COLLECTED.
6.7 SUBSCRIPTION / PURCHASE DATA — COLLECTED (LIMITED)
(a) Subscription Status & Transaction Identifiers
Collected by: Apple StoreKit (App Store)
Includes: subscription product ID, subscription status (active/expired/in trial), Apple transaction ID, original transaction ID.
Purpose: to unlock and validate access to Premium features and to support "Restore Purchases."
Linked to user identity: No
Used for tracking: No
Note: All purchase and payment processing is performed by Apple. We do not collect or have access to your payment card details.
─────────────────────────────────────────────
SECTION 7. iOS PERMISSIONS REQUESTED BY THE APP
─────────────────────────────────────────────
The App requests the following iOS permissions, each accompanied by a purpose string in the App's Info.plist. You may grant or deny any permission, and you may change your decision at any time in iOS Settings > Privacy & Security > [permission name] > Piano Keyboard, Learn Piano.
7.1 Microphone (NSMicrophoneUsageDescription)
Purpose: To capture audio when you use the in-app recording feature to record your own piano performances for playback.
Data flow: The microphone audio is processed by Apple's AVFoundation framework on your device. When you choose to record a performance, the resulting audio file is saved only to local storage on your device. The App does NOT upload audio to any server, and does NOT share audio with any SDK or third party. No microphone data leaves your device under any circumstance.
7.2 Photo Library (Add Only) (NSPhotoLibraryAddUsageDescription)
Purpose: To save recordings or exported media files that you explicitly choose to export from a practice or recording session, where applicable.
Data flow: The App requests "Add Only" permission, which by Apple's design grants the App write-only access to your Photo Library. The App does NOT have permission to read, browse, list, or access any existing content in your Photo Library. Media saved by the App contains no GPS metadata, no device identifiers, no user identifiers, and no information about you. The App does not maintain any record of what files you have saved.
7.3 App Tracking Transparency (NSUserTrackingUsageDescription)
Purpose: To request your consent to access the IDFA for personalized advertising and install attribution, as required by Apple App Store Review Guideline 5.1.1(iv) and Apple Developer Program License Agreement Section 3.3.10.
The App displays Apple's standard system-level ATT prompt the first time you open the App after fresh install. You may choose:
(a) "Allow" — The App and the integrated SDKs (Google AdMob, AppsFlyer) may access the IDFA and use it for the purposes described in Section 8.
(b) "Ask App Not to Track" — The App and the integrated SDKs may not access the IDFA. Google AdMob will serve non-personalized contextual advertisements. AppsFlyer will use AdAttributionKit (formerly SKAdNetwork) for privacy-preserving aggregated attribution only. Firebase Analytics continues to operate using pseudonymous identifiers that are not used for cross-app tracking.
All App features remain fully functional regardless of your ATT choice. We do not condition any App feature on granting tracking permission, in compliance with App Store Review Guideline 5.1.2(i).
─────────────────────────────────────────────
SECTION 8. THIRD-PARTY SDKs AND DATA RECIPIENTS
─────────────────────────────────────────────
The App integrates the following three (3) third-party SDKs. No other SDK is integrated. Each SDK is described in detail below.
8.1 Google AdMob (Google Mobile Ads SDK)
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, United States.
Function in the App: Serves in-app advertisements (banner, interstitial, rewarded, native formats).
Data processed:
- IDFA (only when ATT is granted)
- IP address
- Coarse location (derived from IP)
- Device model, OS version, language, time zone, screen size, carrier, connection type
- App-bounded identifiers
- Rotating SDK instance ID
- Ad-impression and ad-interaction events
- AdAttributionKit / SKAdNetwork postbacks
- Audience-segment inferences (when ATT is granted)
Used for tracking (per Apple's definition): YES, when ATT is granted; NO when ATT is denied (in which case AdMob serves non-personalized contextual ads only).
Tracking domains contacted by this SDK:
- googleadservices.com
- googlesyndication.com
- doubleclick.net
- googletagservices.com
- googletagmanager.com
- google-analytics.com
- pagead2.googlesyndication.com
- tpc.googlesyndication.com
- admob.com
Privacy policies and resources:
- Google Privacy Policy: https://policies.google.com/privacy
- How Google uses data from sites and apps that use Google services: https://policies.google.com/technologies/partner-sites
- Google Ads Data Processing Terms: https://privacy.google.com/businesses/processorterms/
- AdMob Privacy Manifest: https://developers.google.com/admob/ios/privacy/manifest
8.2 AppsFlyer
Provider: AppsFlyer Ltd., 14 Maskit Street, Herzliya 4673314, Israel.
Function in the App: Mobile measurement, install attribution, in-app event tracking, marketing campaign performance measurement, and ad-fraud prevention.
Data processed:
- IDFA (only when ATT is granted)
- IDFV
- AppsFlyer ID (vendor-specific pseudonymous identifier)
- IP address (truncated by AppsFlyer per their retention policy)
- Device model, OS version, language, time zone, carrier, connection type
- App install timestamp and source attribution metadata
- In-app event names and timestamps
- AdAttributionKit / SKAdNetwork postbacks
Used for tracking (per Apple's definition): YES, when ATT is granted; NO when ATT is denied (in which case AppsFlyer uses only aggregated AdAttributionKit / SKAdNetwork attribution).
Tracking domains contacted by this SDK:
- appsflyer.com
- app.appsflyer.com
- events.appsflyer.com
- t.appsflyer.com
- conversions.appsflyer.com
Privacy policies and resources:
- AppsFlyer Services Privacy Policy: https://www.appsflyer.com/legal/services-privacy-policy/
- AppsFlyer User Privacy Portal (opt-out for end users): https://www.appsflyer.com/optout
- AppsFlyer GDPR & CCPA compliance information: https://www.appsflyer.com/legal/
8.3 Google Firebase Analytics and Firebase Crashlytics
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, United States. (Firebase is a Google product.)
Function in the App: App usage analytics, performance monitoring, and crash reporting.
Data processed:
- Firebase Installation ID (pseudonymous, app-installation-scoped)
- IDFV
- IP address
- Device model, OS version, language, time zone, carrier, connection type
- App version, build number
- App-event names and parameters (e.g., screen_view, app_open)
- Screen view durations and sequences
- Crash stack traces, exception names, exception messages, App state at crash
- Performance metrics (launch time, frame rendering time, network latency)
Used for tracking (per Apple's definition): NO. The Firebase Analytics SDK in this App is configured with Google Signals disabled and personalized advertising features disabled, so the data is not used to link with other Google services for cross-app advertising or measurement.
Tracking domains contacted by this SDK:
- app-measurement.com
- firebaselogging-pa.googleapis.com
- firebaseinstallations.googleapis.com
- firebase-settings.crashlytics.com
- crashlytics.com
Privacy policies and resources:
- Firebase Privacy and Security: https://firebase.google.com/support/privacy
- Firebase Data Processing and Security Terms: https://firebase.google.com/terms/data-processing-terms
- How to request data deletion: https://firebase.google.com/support/privacy/manage-user-data
8.4 Apple-Provided Frameworks (Not Third-Party SDKs)
For completeness, the App also uses standard iOS frameworks provided by Apple, including:
- AVFoundation (audio playback and microphone access)
- Photos (saving exported media to Photo Library)
- AdAttributionKit / SKAdNetwork (privacy-preserving install attribution)
- AppTrackingTransparency (consent prompt)
Data processed by Apple's frameworks is governed by Apple's Privacy Policy: https://www.apple.com/legal/privacy/. BOOM GAMES JOINT STOCK COMPANY is not a controller of data processed solely by Apple's frameworks.
─────────────────────────────────────────────
SECTION 9. PRIVACY MANIFEST AND REQUIRED REASON APIs
─────────────────────────────────────────────
In compliance with Apple's requirements effective May 1, 2024 and subsequent updates, the App includes a Privacy Manifest file (PrivacyInfo.xcprivacy) that declares:
(a) The categories of data collected (matching Section 6 of this Policy);
(b) The tracking status of each data category (matching Section 6);
(c) The tracking domains contacted by the App and its SDKs (listed in Section 8);
(d) The Required Reason APIs used by the App, with their corresponding Apple-approved reason codes:
- UserDefaults API: reason code "CA92.1" (access UserDefaults to read/write within the app)
- File timestamp APIs: reason code "C617.1" (display file timestamps to the user where applicable)
- System boot time APIs: reason code "35F9.1" (measure time elapsed since app launch for performance monitoring)
- Disk space APIs: reason code "E174.1" (check available disk space before saving recorded audio)
Each integrated SDK provides its own Privacy Manifest signed by its vendor, in compliance with Apple's signed-SDK requirement.
─────────────────────────────────────────────
SECTION 10. PURPOSES OF PROCESSING
─────────────────────────────────────────────
We and our SDK providers process the data described in Section 6 strictly for the following purposes:
(a) To operate and maintain the App's core features (virtual piano keyboard, lessons, chord and scale tutorials, practice modes, themes, and the in-app recorder).
(a-bis) To process, validate, and restore your Premium auto-renewable subscription purchased through Apple's In-App Purchase system, including unlocking Premium features and supporting the "Restore Purchases" function.
(b) To display in-app advertisements through Google AdMob, in either personalized form (when ATT permission is granted) or non-personalized contextual form (otherwise).
(c) To measure the effectiveness of our user acquisition advertising campaigns through AppsFlyer, including install attribution and in-app event measurement.
(d) To analyze aggregate App usage patterns, identify popular features, measure feature engagement, and inform product improvement decisions through Firebase Analytics.
(e) To detect, diagnose, and resolve App crashes and performance issues through Firebase Crashlytics.
(f) To detect and prevent fraudulent activity, including invalid ad traffic and abusive use of the App.
(g) To comply with applicable legal obligations, respond to lawful requests from competent authorities, and exercise or defend legal claims.
We do not process your data for any purpose not listed above. We do not use your data for automated decision-making producing legal or similarly significant effects on you, within the meaning of GDPR Article 22.
─────────────────────────────────────────────
SECTION 11. LEGAL BASES FOR PROCESSING (GDPR, UK GDPR)
─────────────────────────────────────────────
If you are located in the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction applying GDPR-equivalent rules, the legal bases under Article 6 of GDPR (and equivalents in UK GDPR) for our processing are:
(a) Consent (Article 6(1)(a)): For accessing the IDFA via the App Tracking Transparency framework, for personalized advertising through Google AdMob, and for cross-context tracking by AppsFlyer when ATT permission is granted. You may withdraw consent at any time by changing your ATT setting in iOS Settings > Privacy & Security > Tracking.
(b) Legitimate Interests (Article 6(1)(f)): For non-personalized advertising, basic app analytics, crash reporting, performance monitoring, fraud prevention, and App security. Our legitimate interests are the operation, monetization, and improvement of the App, balanced against your reasonable expectations as a User of a free ad-supported entertainment application. You have the right to object to processing based on legitimate interests at any time by contacting dev@boomstudio.vn.
(c) Legal Obligation (Article 6(1)(c)): To comply with applicable laws and respond to lawful requests by public authorities.
We do not process special categories of personal data under GDPR Article 9. We do not process personal data of children under 16 (or the applicable national age of digital consent) in reliance on consent under Article 8.
─────────────────────────────────────────────
SECTION 12. SHARING AND DISCLOSURE OF DATA
─────────────────────────────────────────────
We disclose the data described in Section 6 only to the recipients listed below. No other party receives your data through this App.
12.1 To the SDK Providers Listed in Section 8
Each SDK provider receives only the categories of data listed in its respective subsection. The SDK providers act as independent controllers or joint controllers for the data they collect, in accordance with their own privacy policies and the data processing terms they have established with us.
12.2 To Legal and Regulatory Authorities
We may disclose data when required by Vietnamese law or by valid legal process from a competent jurisdiction, including court orders, subpoenas, search warrants, or government requests. We will notify Users of such requests where legally permitted to do so.
12.3 In a Business Transfer
If BOOM GAMES JOINT STOCK COMPANY undergoes a merger, acquisition, reorganization, asset sale, or bankruptcy proceeding, User data may be transferred to the successor or acquiring entity. We will provide notice through an update to this Privacy Policy at least 30 days before such transfer takes effect, except where confidentiality requirements of the transaction prevent advance disclosure.
12.4 We Do NOT Sell Personal Information
We do not sell personal information in exchange for monetary consideration. We have not sold personal information in the preceding 12 months, and we have no plans to sell personal information.
12.5 We DO Share Personal Information (CPRA Sense)
For the avoidance of doubt under California CPRA, the disclosure of the IDFA and related advertising identifiers to Google AdMob and AppsFlyer for cross-context behavioral advertising purposes, when ATT permission is granted, qualifies as "sharing" within the meaning of Cal. Civ. Code § 1798.140(ah). You may opt out of this sharing at any time by selecting "Ask App Not to Track" in the ATT prompt or by toggling tracking off in iOS Settings > Privacy & Security > Tracking > Piano Keyboard, Learn Piano.
─────────────────────────────────────────────
SECTION 13. APP TRACKING TRANSPARENCY (ATT) — DETAILED DISCLOSURE
─────────────────────────────────────────────
In compliance with Apple App Store Review Guideline 5.1.1(iv) and Apple Developer Program License Agreement Section 3.3.10, the App implements Apple's App Tracking Transparency framework.
13.1 When the ATT Prompt is Displayed
The App displays the ATT prompt the first time the User opens the App on iOS 14.5 or later. The prompt is the standard system-provided ATT alert and includes our purpose string explaining why we are requesting tracking permission.
13.2 The Tracking Definition Applicable to This App
Per Apple's published definition, the following activities are considered "tracking" and require ATT permission:
(a) The use of the IDFA by Google AdMob to deliver personalized advertisements in this App based on data Google has collected about you across other apps and websites.
(b) The sharing of the IDFA with AppsFlyer to attribute App installs to specific advertising campaigns across other apps and websites.
(c) The sharing of the IDFA with Google AdMob for the purpose of advertising audience-segment building based on your activity across other Google-served apps and websites.
13.3 Activities NOT Considered Tracking
The following App activities are not considered tracking and do not require ATT permission:
(a) The use of IDFV for analytics scoped to BOOM GAMES JOINT STOCK COMPANY's own apps only.
(b) The use of Firebase Installation ID for analytics of this App alone, with no linkage to other Google services for cross-app advertising.
(c) AdAttributionKit / SKAdNetwork attribution, which uses aggregated postbacks and does not identify individual users.
(d) Fraud detection where data shared with a fraud-prevention service is used solely for fraud detection, prevention, or security purposes.
13.4 No Fingerprinting
We do not, and our SDK providers are contractually prohibited from, deriving user or device identifiers through fingerprinting techniques (such as combinations of device attributes, IP address, screen dimensions, fonts, or other signals) for the purpose of uniquely identifying you when ATT permission has not been granted. This commitment is required by Apple Developer Program License Agreement Section 3.3.10.
─────────────────────────────────────────────
SECTION 14. YOUR RIGHTS — CALIFORNIA RESIDENTS (CCPA / CPRA)
─────────────────────────────────────────────
This Section applies to California residents under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100–1798.199.100).
14.1 Categories of Personal Information Collected in the Preceding 12 Months
Mapped to the categories enumerated in Cal. Civ. Code § 1798.140(v):
(a) Identifiers: IDFA (when ATT granted), IDFV, AppsFlyer ID, Firebase Installation ID, IP address.
(b) Internet or other electronic network activity information: App usage events, ad-impression and ad-click events, screen views.
(c) Geolocation data: Coarse location only (city/country level derived from IP).
(d) Inferences drawn from other personal information: Advertising audience-segment inferences (created by Google AdMob, when ATT is granted, for personalized advertising).
(e) Professional or employment-related information: NOT COLLECTED.
(f) Education information: NOT COLLECTED.
(g) Biometric information: NOT COLLECTED.
(h) Audio, electronic, visual, thermal, olfactory, or similar information: NOT COLLECTED (microphone audio and recorded performances are processed and stored on-device only and never transmitted).
(i) Sensitive personal information (Cal. Civ. Code § 1798.140(ae)): NOT COLLECTED.
14.2 Sources of Personal Information
The personal information described in Section 14.1 is collected directly from your device when you use the App, via the SDKs listed in Section 8.
14.3 Business and Commercial Purposes
The personal information described in Section 14.1 is collected for the purposes listed in Section 10 of this Policy.
14.4 Categories Sold or Shared
(a) Sold: None.
(b) Shared (cross-context behavioral advertising under CPRA): Identifiers (specifically IDFA when ATT is granted) and inferences are shared with Google AdMob and AppsFlyer.
14.5 Your Rights Under CCPA / CPRA
You have the right to:
(a) Know what personal information we collect about you, the categories of sources, the business purposes, and the categories of third parties with whom we share.
(b) Request a copy of the specific pieces of personal information we have collected about you.
(c) Request deletion of personal information we have collected from you, subject to statutory exceptions (Cal. Civ. Code § 1798.105(d)).
(d) Correct inaccurate personal information.
(e) Opt out of the sale or sharing of personal information.
(f) Limit the use and disclosure of sensitive personal information (not applicable here, as we do not collect sensitive personal information).
(g) Non-discrimination — we will not discriminate against you for exercising your CCPA/CPRA rights. We will not deny App functionality, charge different prices, or provide a different level of service because you exercised your rights.
14.6 How to Exercise Your Rights
(a) To opt out of "sharing" for cross-context behavioral advertising: Open iOS Settings > Privacy & Security > Tracking > Piano Keyboard, Learn Piano, and toggle "Allow Tracking" off. This action immediately disables the sharing of IDFA with Google AdMob and AppsFlyer.
(b) To submit a Right to Know, Right to Delete, or Right to Correct request: Email dev@boomstudio.vn with the subject line "California Privacy Request". Include in your email: your iOS device model, the approximate date of your first install of the App, and your country of residence. We will use this information to attempt to locate any data associated with your device. We will respond within 45 days. If we cannot verify your identity or locate data associated with your device, we will explain this in our response.
14.7 Authorized Agent Requests
You may use an authorized agent to submit a request on your behalf. We will require: (i) a written authorization signed by you, and (ii) verification of the agent's identity. We may deny requests submitted by an agent who does not provide proof of authorization.
14.8 Children Under 16 (Cal. Civ. Code § 1798.120(c))
We do not knowingly sell or share the personal information of consumers under 16 years of age. As stated in Section 16, the App is not directed to children.
14.9 Retention of California Personal Information
We retain California personal information only for as long as necessary to fulfill the purposes described in Section 10, as further described in Section 17.
14.10 Notice of Financial Incentive
We do not offer financial incentives or differential pricing in exchange for the retention or sale of personal information.
─────────────────────────────────────────────
SECTION 15. ADDITIONAL CALIFORNIA — CalOPPA DISCLOSURES
─────────────────────────────────────────────
In addition to CCPA/CPRA, the following CalOPPA disclosures (Cal. Bus. & Prof. Code §§ 22575–22579) apply:
(a) Identification: The categories of personally identifiable information collected through the App, the categories of third parties with whom we may share, the rights of the User to review and request changes, and the process by which we notify Users of material changes — are all described in Sections 6, 8, 14.5, and 19 of this Policy respectively.
(b) Do Not Track Signals: The App does not respond to browser-level "Do Not Track" signals, as no uniform standard for DNT signals has been adopted for iOS native applications. Instead, the App honors the User's choices through Apple's App Tracking Transparency framework, which serves as the iOS-native mechanism for the equivalent purpose.
(c) Third-Party Behavioral Tracking: Third parties listed in Section 8 — specifically Google AdMob and AppsFlyer — may collect personally identifiable information about your activity in this App over time, when you have granted ATT permission. Firebase Analytics does not engage in cross-app behavioral tracking, as configured in this App.
(d) Effective Date: This Privacy Policy's effective date is shown at the top of this document.
─────────────────────────────────────────────
SECTION 16. CHILDREN'S PRIVACY (COPPA AND APPLE KIDS CATEGORY)
─────────────────────────────────────────────
16.1 Age Rating and Target Audience
The App is rated 4+ on the Apple App Store based on the App Store Connect Age Rating questionnaire. While the App is suitable for general audiences, it is not directed to, marketed to, or primarily intended for use by children, and it is not designated for the App Store Kids Category. The App does not contain child-directed advertising configurations.
16.2 No Knowing Collection from Children Under 13
We do not knowingly collect personal information from children under the age of 13. The App does not request age, date of birth, or any information from which a User's age could be inferred.
16.3 Parental Notice and Right to Delete
If you are a parent or legal guardian and believe that a child under the age of 13 has used the App and that personal information has been collected from that child, please contact us immediately at dev@boomstudio.vn with the subject line "COPPA Request". Upon verification of your relationship to the child and reasonable identification of the device, we will:
(a) Take steps to delete from our records any personal information associated with that child, to the extent we hold such information;
(b) Instruct our SDK providers (Google LLC and AppsFlyer Ltd.) to delete any personal information they hold associated with that child, in accordance with their COPPA procedures.
16.4 No Third-Party Data Sharing for Children
Because the App is not directed to children and we do not knowingly collect personal information from children under 13, we do not enable third-party advertising or analytics features designed for child-directed apps. We have not configured this App with the "Tag for Child-Directed Treatment" flag in Google AdMob or AppsFlyer.
─────────────────────────────────────────────
SECTION 17. DATA RETENTION
─────────────────────────────────────────────
17.1 We Do Not Operate Our Own User Database
BOOM GAMES JOINT STOCK COMPANY does not operate any server or database that stores User personal data collected from the App. All data described in Section 6 is processed and stored exclusively by the SDK providers listed in Section 8, in accordance with their respective retention policies. Your recorded performances are stored solely on your own device and are not held by us.
17.2 Retention by SDK Providers
The retention period for each category of data is governed by the SDK provider's published retention policy:
(a) Google AdMob: Retention policies described at https://policies.google.com/technologies/retention. Advertising data is generally retained for the period necessary for ad-fraud detection, ad-attribution accuracy, and Google's contractual and legal obligations.
(b) AppsFlyer: Retention policies described at https://www.appsflyer.com/legal/services-privacy-policy/. Attribution data is generally retained for the duration of the campaign measurement window plus a reasonable period for fraud analysis and contractual obligations.
(c) Google Firebase Analytics: Retention is configurable per Firebase project. We have configured this App's Firebase project with a default User-and-event-data retention period in accordance with Firebase's defaults. See https://firebase.google.com/support/privacy.
17.3 Crash Logs
Crash logs collected via Firebase Crashlytics are retained per Firebase's retention policy and are used only for App stability improvement.
17.4 Legal Holds
In the event of pending legal proceedings, retention may be extended to comply with legal-hold obligations.
─────────────────────────────────────────────
SECTION 18. SECURITY MEASURES
─────────────────────────────────────────────
18.1 Encryption in Transit
All network communication between the App and our SDK providers' servers uses HTTPS with TLS 1.2 or higher, enforced by Apple's App Transport Security (ATS).
18.2 Encryption at Rest
Locally stored data (such as App preferences in NSUserDefaults and recorded audio files) is protected by iOS Data Protection at the "Complete File Protection" level when the device is locked.
18.3 No Proprietary Encryption
The App does not implement any proprietary or non-standard encryption algorithm. The App relies exclusively on Apple-provided cryptographic frameworks (CryptoKit, CommonCrypto, Security framework). The App qualifies for the export compliance exemption under Apple's "App Uses Non-Exempt Encryption" flag set to false in Info.plist.
18.4 App Distribution Integrity
The App is signed with the Company's Apple Developer certificate and distributed exclusively through the Apple App Store. The App does not enable side-loading, jailbreak detection bypass, or any mechanism that compromises Apple's distribution integrity.
18.5 SDK Security
The SDK providers listed in Section 8 are SOC 2 Type II certified or hold equivalent industry-standard security certifications, as published in their respective security documentation.
18.6 Limitations
No method of internet transmission or electronic storage is 100% secure. While we and our SDK providers employ commercially reasonable security measures consistent with industry standards, we cannot guarantee absolute security.
18.7 Data Breach Notification
In the event of a data breach affecting your personal data, we will notify affected Users and applicable supervisory authorities in accordance with GDPR Article 33 (within 72 hours where required), CCPA breach-notification provisions, LGPD Article 48, and other applicable laws.
─────────────────────────────────────────────
SECTION 19. INTERNATIONAL DATA TRANSFERS
─────────────────────────────────────────────
19.1 Where Data Is Processed
The data described in Section 6 is processed by SDK providers operating servers in multiple countries, including the United States (Google LLC, Firebase), Israel (AppsFlyer Ltd.), and other countries where the SDK providers operate data centers.
19.2 Safeguards for EEA, UK, and Swiss Users
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to third countries (including the United States), our SDK providers rely on the following safeguards:
(a) European Commission Standard Contractual Clauses (Decision 2021/914);
(b) Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework for transfers to certified US recipients);
(c) Binding Corporate Rules where applicable;
(d) Supplementary measures including encryption and pseudonymization.
The specific safeguards used by each SDK provider are described in their respective privacy documentation:
- Google: https://policies.google.com/privacy/frameworks
- AppsFlyer: https://www.appsflyer.com/legal/services-privacy-policy/
19.3 Your Consent to Transfer
By using the App, you acknowledge that your data may be transferred to and processed in jurisdictions outside your country of residence, and you provide informed consent to such transfers to the extent consent is the applicable legal basis under the laws of your jurisdiction.
─────────────────────────────────────────────
SECTION 20. YOUR RIGHTS UNDER GDPR, UK GDPR, AND SWISS DPA
─────────────────────────────────────────────
If you are located in the EEA, the UK, or Switzerland, you have the following rights:
(a) Right of Access (GDPR Article 15): You may request confirmation of whether we process your personal data and, if so, obtain a copy of the data.
(b) Right to Rectification (GDPR Article 16): You may request correction of inaccurate or incomplete personal data.
(c) Right to Erasure ("Right to be Forgotten") (GDPR Article 17): You may request deletion of your personal data, subject to legal exceptions.
(d) Right to Restriction of Processing (GDPR Article 18): You may request restriction of processing in certain circumstances.
(e) Right to Data Portability (GDPR Article 20): You may request a copy of your personal data in a structured, commonly used, machine-readable format.
(f) Right to Object (GDPR Article 21): You may object to processing based on legitimate interests at any time.
(g) Right to Withdraw Consent (GDPR Article 7(3)): Where processing is based on consent, you may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
(h) Right to Lodge a Complaint (GDPR Article 77): You may lodge a complaint with the supervisory authority in your country of residence, your place of work, or the place of the alleged infringement.
To exercise these rights, contact dev@boomstudio.vn with the subject line "GDPR Request". We will respond within 30 days. We may extend this period by two further months where necessary, taking into account the complexity and number of requests, in which case we will inform you of the extension and the reasons within 30 days of receipt of the request.
─────────────────────────────────────────────
SECTION 21. YOUR RIGHTS UNDER LGPD (BRAZIL)
─────────────────────────────────────────────
If you are located in Brazil, under the Lei Geral de Proteção de Dados Pessoais (Federal Law No. 13.709/2018), you have the rights to:
(a) Confirmation of processing (LGPD Article 18(I));
(b) Access to your data (LGPD Article 18(II));
(c) Correction of incomplete, inaccurate, or outdated data (LGPD Article 18(III));
(d) Anonymization, blocking, or deletion of unnecessary or excessive data (LGPD Article 18(IV));
(e) Portability of data (LGPD Article 18(V));
(f) Deletion of data processed under consent (LGPD Article 18(VI));
(g) Information about public and private entities with which we share your data (LGPD Article 18(VII));
(h) Information about the possibility of refusing consent and its consequences (LGPD Article 18(VIII));
(i) Revocation of consent (LGPD Article 18(IX)).
To exercise these rights, contact dev@boomstudio.vn with the subject line "LGPD Request". We will respond within 15 days as required by ANPD guidelines. Our Data Protection Officer for LGPD inquiries can be reached at the same email.
─────────────────────────────────────────────
SECTION 22. CHANGES TO THIS PRIVACY POLICY
─────────────────────────────────────────────
22.1 Updates
We may revise this Privacy Policy from time to time to reflect changes in our practices, the SDKs we integrate, legal requirements, or other circumstances. When we revise this Policy, we will update the "Last Updated" date at the top of the document.
22.2 Material Changes
For changes that materially affect your rights or our processing of your personal data (such as adding a new SDK, changing the categories of data collected, or changing the purposes of processing), we will provide additional advance notice through:
(a) An in-app notification on the next App launch following the revision; and
(b) A prominent notice in the App's "About" or "Settings" screen for at least 30 days after the revision.
22.3 Continued Use
Your continued use of the App after the effective date of revisions constitutes acknowledgment of the revised Privacy Policy. If you do not agree with revisions, you should uninstall the App.
22.4 Version History
The current version of this Privacy Policy supersedes all previous versions. Previous versions are available upon request to dev@boomstudio.vn.
─────────────────────────────────────────────
SECTION 23. APPLE-SPECIFIC NOTICES
─────────────────────────────────────────────
23.1 Not an Apple Document
This Privacy Policy is a document of BOOM GAMES JOINT STOCK COMPANY. Apple Inc. is not a party to this Policy. Apple's own data practices regarding the App Store and Apple services are described at https://www.apple.com/legal/privacy/ and https://www.apple.com/legal/privacy/data/en/app-store/.
23.2 App Store Connect Privacy Nutrition Label
The App's Privacy Nutrition Label on the App Store summarizes the data collection described in this Policy in Apple's standardized format. The Privacy Nutrition Label and this Privacy Policy are designed to be consistent. If you identify any apparent inconsistency, please contact dev@boomstudio.vn so we may investigate and correct.
23.3 Apple Developer Program License Agreement Compliance
We comply with our obligations under the Apple Developer Program License Agreement, including but not limited to Sections 3.3.9 (data collection and use), 3.3.10 (no fingerprinting or non-consensual tracking), 3.3.11 (privacy and personal data), and 3.3.12 (App Tracking Transparency).
─────────────────────────────────────────────
SECTION 24. CONTACT INFORMATION
─────────────────────────────────────────────
For all privacy-related inquiries, requests, complaints, or concerns regarding this Privacy Policy or our data practices, contact:
BOOM GAMES JOINT STOCK COMPANY
Postal address: 33 Bt4-3 Section, Trung Van Residential Area, Trung Thu Street, Trung Van Ward, Nam Tu Liem District, Ha Noi, Vietnam
Telephone: +84-838991990
Email: dev@boomstudio.vn
Please use the following subject lines for faster routing:
- "California Privacy Request" — CCPA/CPRA matters (45-day response)
- "GDPR Request" — EEA, UK, or Swiss residents (30-day response)
- "LGPD Request" — Brazilian residents (15-day response)
- "COPPA Request" — Matters involving children under 13 (immediate priority response)
- "Data Breach Inquiry" — Suspected data security incidents
- "Privacy Request" — All other privacy inquiries (30-day response)
If you are dissatisfied with our response, you may lodge a complaint with:
(a) For EEA residents: the data protection supervisory authority in your country (list available at https://edpb.europa.eu/about-edpb/about-edpb/members_en).
(b) For UK residents: the Information Commissioner's Office (ICO) at https://ico.org.uk.
(c) For California residents: the California Privacy Protection Agency at https://cppa.ca.gov.
(d) For Brazilian residents: the Autoridade Nacional de Proteção de Dados (ANPD) at https://www.gov.br/anpd.
(e) For Vietnamese residents: the Ministry of Public Security cybersecurity division per Decree 13/2023/ND-CP.
─────────────────────────────────────────────
END OF PRIVACY POLICY
─────────────────────────────────────────────
Document Version: 1.0
Effective Date: June 16, 2026
Last Updated: June 19, 2026
Governing Law: Vietnam (with respect to BOOM GAMES JOINT STOCK COMPANY's obligations as data controller)