TileWorks | Privacy Policy
The Ultimate Word Strategy Game
Effective Date: June 18, 2025
This Privacy Policy describes how TileWorks ("the App," "we," "us," or "our") collects, uses, stores, and shares your information when you use our Android word strategy game. We are committed to protecting your privacy and handling your data transparently and in compliance with applicable U.S. federal and state privacy laws, including the Federal Trade Commission (FTC) guidelines, the Children's Online Privacy Protection Act (COPPA), the California Online Privacy Protection Act (CalOPPA), and the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA).
This privacy policy is a critical legal document that explains how TileWorks collects, utilizes, stores, and shares your data. We believe that a meticulously crafted privacy policy is not merely a regulatory obligation but a foundational element for cultivating and sustaining user trust.
Our data privacy practices are built upon several core principles:
Transparency: We clearly explain our data practices in plain, straightforward language, ensuring it is easily discoverable and comprehensible. This includes outlining the types of data collected, the precise purposes of collection, and any data sharing practices.
Data Minimization: We collect only the data strictly necessary for the App's stated functionality and services. This practice mitigates the risk of data breaches and enhances user adoption.
User Control: We provide clear and accessible mechanisms for you to manage your data, including obtaining explicit consent for sensitive data collection, offering visible opt-out options, and providing a straightforward method to withdraw consent.
TileWorks collects various types of data to provide its word strategy gaming functionalities and to serve advertisements.
We collect the following categories of data:
Account and Profile Data: This includes information you voluntarily provide during account registration and profile creation, such as your username, email address, unique user ID, chosen avatar or profile picture, self-declared age and gender, and friend lists. For social features, this also extends to data related to friend connections and requests within the App's ecosystem.
Usage and Gameplay Data: Information automatically collected about how you interact with the App. This includes app activity logs, game progress (e.g., unlocked achievements, high scores, saved game data), engagement statistics (e.g., content viewed, features used, pages visited, clicks, scrolls), time of day browsed, and specific in-game actions and interactions.
Device and Technical Data: Automatically collected information about your device and network connection. This comprises your IP address, device identifier, advertising ID (e.g., Android ID), device type, operating system, browser type and version, language settings, and internet service provider.
Advertising Data: Data specifically collected by AdMob and other integrated third-party advertising platforms to facilitate ad serving and optimization. This typically includes online identifiers, device data, and information about user habits or device characteristics relevant to ad targeting. This collection may involve the use of cookies and web beacons.
User-Generated Content (UGC): Any content created and shared by you within the application. This encompasses in-game chat messages, public postings (e.g., in forums, comment sections), and shared gameplay content. This content can be in various formats, including text. Our social features, such as friend lists and in-game chat, are central to the App's appeal but inherently involve data collection and sharing among users. The privacy policy must explicitly and clearly address the public or semi-public nature of social interactions and user-generated content, setting clear expectations for users about what information may be visible to others. Chat may be monitored for safety and moderation.
Data is collected through various methods:
Information Voluntarily Provided by Users: Data collected directly from you when you actively input it, such as during account registration, profile setup, adding friends, participating in chat, posting messages, or submitting feedback.
Information Automatically Collected: Data gathered passively through the App's interaction with your device's built-in tools (e.g., device identifiers), cookies, web beacons, tracking pixels, advertising identifiers, and integrated analytics tools.
Information Collected via Third Parties: Data received from external services integrated with the App, such as AdMob, other analytics providers (e.g., Google Analytics, Firebase), or social networking platforms (e.g., Google Play Games Services for friend lists or authentication), or other business partners.
The collected data serves multiple purposes essential for the App's operation and improvement:
To Provide and Maintain App Functionality: To enable core features such as user login, profile management, friend connections, social interactions, and gameplay. This also includes authenticating user access and providing customer support.
To Personalize User Experience and Improve App Features: To enhance app functionality, offer personalized recommendations, and deliver relevant updates and new content.
To Serve and Optimize Advertisements (AdMob): Data is used to deliver targeted or contextual ads, measure ad impressions, track ad interactions, and ensure the presentation of appropriate advertising content. AdMob inherently collects personally identifiable information (PII) to function, even for free applications. We explicitly disclose that PII is collected, how it is used (for advertising), and that third parties (Google/AdMob) may utilize cookies and web beacons for this purpose. A dedicated, detailed section within this privacy policy for advertising practices is essential, including a direct link to AdMob's own privacy policy.
For Analytics, Research, and App Performance Improvement: To understand user behavior patterns and trends, gather demographic insights about the user base, analyze gameplay metrics, and generate reports for research or business intelligence purposes.
For Security, Fraud Prevention, and Legal Compliance: To safeguard user data, prevent unauthorized access, detect and mitigate illegal or malicious activities, and enforce the App's terms of service and legal obligations.
To Communicate with Users: To send important updates, push notifications, and respond to user inquiries or support requests.
We minimize permission requests and obtain explicit consent for sensitive data. You are given granular control over which specific data points you share. The App's design incorporates clear, context-sensitive permission prompts, and this privacy policy explains how you can review and manage these permissions both within the App and through your device settings.
| Category of Data Collected | Specific Examples of Data Points | Purpose(s) of Collection |
| --- | --- | --- |
| Personal Identifiers | Username, Email, Device ID, IP Address, Advertising ID | To provide and maintain user accounts, authenticate access, personalize experience, serve relevant advertisements, for app analytics, security, and fraud prevention. |
| Profile Data | Avatar, Self-declared Age/Gender, Friends List, Profile Picture | To create and manage user profiles, enable social features (adding friends, playing games with friends), personalize gaming experience, and for app analytics. |
| Gameplay Data | Scores, Achievements, Game Progress, In-game actions, Session length | To provide core gaming functionality, track user progress, improve game features, for app analytics, and to enhance user engagement. |
| User-Generated Content | Chat messages, Public postings (e.g., in forums), Shared gameplay content | To enable social interaction, facilitate communication between users, for content moderation, and to enforce terms of service. |
| Technical Data | Device type, Operating System, Browser, Crash logs, App version | To ensure app compatibility and optimal performance, diagnose and fix bugs, for app analytics, and for security and fraud prevention. |
| Ad Interaction Data | Ad views, Ad clicks, Ad impressions | To serve and optimize advertisements, measure ad effectiveness, and for revenue generation. |
This table directly addresses legal requirements for clear disclosure of what data is collected and why, enhancing legal compliance and user trust.
TileWorks may share user data with various third parties and other users to facilitate its services and operations.
Advertising Services (AdMob): Data, including online identifiers, device information, and ad interaction data, is shared with AdMob for the purpose of serving and optimizing advertisements. AdMob may utilize cookies and web beacons for this purpose. You can review AdMob's privacy policy at [Insert AdMob Privacy Policy Link Here].
Analytics Providers: Data may be shared with third-party analytics services (e.g., Google Analytics, Firebase) to gain insights into user behavior, improve app performance, and support business intelligence efforts. This shared data is often aggregated or anonymized to protect individual privacy.
Cloud Services and Infrastructure Providers: User data may be stored and processed on third-party cloud servers for essential services such as hosting, data storage, and content delivery.
Other Service Providers: Disclosure extends to sharing data with other service providers for specific functions, such as customer support, account integrity and security services, community filtering and moderation, and potentially future payment processing.
Legal Obligations and Business Transfers: Personal data may be disclosed if mandated by law, court order, or in response to valid subpoenas. Furthermore, data may be transferred as part of a business transaction, such as a merger, acquisition, or in the unlikely event of bankruptcy.
Google Play's Data Safety section distinguishes between data "collected" (data retrieved off your device by the developer) and data "shared" (data transferred to a third party). There are specific exceptions where data might technically leave the device but is not considered "shared" under Google's criteria, such as transfers based on explicit user consent after clear disclosure, transfers to a service provider acting on the developer's behalf, data that is fully anonymized, or data processed ephemerally or end-to-end encrypted. This privacy policy aligns with these nuances, clarifying scenarios where data leaves the device but is not "shared" in the regulatory sense.
Profile Visibility: Information shared via user profiles, such as usernames, avatars, game activity, and high scores, may be visible to other users, either to designated friends or publicly, depending on user privacy settings.
Social Features (Friend Lists, In-Game Chat): When you add friends, your display name and potentially other profile information may be shared with your approved friends. In-game chat messages and other user-generated content may be viewed by all participants in a chat or, if publicly posted, by all App users and potentially distributed outside the application. It is crucial to explicitly state that chat sessions and user-generated content may be monitored or recorded for safety, moderation, and enforcement of terms of service.
Gameplay Information: Gameplay information (e.g., in-game name, actions) may be made available to other players, particularly in a social gaming context.
In a social gaming environment, you may not fully comprehend that your in-game actions, chat communications, and profile details can be widely visible to others, or even recorded for moderation purposes. Therefore, this privacy policy proactively manages user expectations by using clear, unambiguous language about the public or semi-public nature of social interactions and the possibility of monitoring for safety and moderation.
Empowering users with control over their personal information is a cornerstone of modern privacy regulations. This privacy policy clearly articulates these rights and provides accessible mechanisms for their exercise.
You are afforded several fundamental privacy rights:
Right to Access: You have the fundamental right to know what personal information is collected about you and to request a copy of this information.
Right to Correction/Rectification: You are entitled to request that any inaccurate or incomplete personal information held about you be corrected or updated.
Right to Deletion/Erasure: You have the right to request the deletion of your personal information and associated accounts. This right may be subject to certain exceptions, such as legal obligations for data retention. This mandates the comprehensive removal of all associated personal data, including from backups, and the secure overwriting of identifiers where possible. Google Play also requires the ability to delete accounts both within and outside the app. This includes ensuring that data held by all integrated third-party service providers is also deleted.
Right to Opt-Out: You can opt out of specific data collection or sharing practices, particularly those related to advertising or marketing purposes. For CCPA/CPRA, this includes the right to opt out of the "sale" or "sharing" of personal information, often facilitated by a "Do Not Sell My Data" link.
Right to Data Portability: In certain circumstances, you have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit this data to another service provider without hindrance.
Right to Object/Restrict Processing: You may have the right to object to or request the restriction of processing your personal information under specific conditions, such as when data is processed based on legitimate interests or for direct marketing.
While users possess broad rights to delete their data, the nature of social gaming implies that certain information visible through gameplay (e.g., username, high scores, chat messages) might be cached on other players' devices. In such instances, the App developer may not be able to remove or update that information from those external devices. This privacy policy transparently communicates these inherent limitations to users to manage expectations and prevent potential disputes or misunderstandings. Explicitly stating that some data, once shared in a social context, may persist on other users' devices is crucial for maintaining trust.
To ensure these rights are actionable, the App provides clear mechanisms:
In-App Controls and Settings: We provide clear and intuitive features within the App that allow you to manage your profile information, privacy settings, and opt-out preferences directly.
Dedicated Contact Methods: We offer a specific email address, bdmlabs@gmail.com, or a designated contact form for you to submit privacy-related requests.
Identity Verification Procedures: We implement secure and reasonable methods to verify your identity when you make a data request to prevent unauthorized access to personal information.
Response Timelines: We adhere to all legally mandated response deadlines for data requests, such as the 45-day period for CCPA deletion requests.
| User Right | Description of Right | How to Exercise | Response Timeline | Important Considerations/Exceptions |
| --- | --- | --- | --- | --- |
| Right to Access | Obtain a copy of personal information held about them. | In-app data dashboard, dedicated privacy request form, or email to [contact email]. | Within 45 days (CCPA/CPRA) or promptly/without undue delay (general). | Identity verification required to prevent unauthorized access. |
| Right to Correction/Rectification | Request correction of inaccurate or incomplete personal information. | In-app profile settings, dedicated privacy request form, or email to [contact email]. | Promptly/without undue delay. | Identity verification required. |
| Right to Deletion/Erasure | Request deletion of personal information and associated account. | In-app account deletion option, dedicated privacy request form, or email to [contact email]. | Within 45 days (CCPA/CPRA) or promptly/without undue delay. | Subject to legal obligations (e.g., fraud prevention, financial records). Some social data cached on other users' devices may not be removable. |
| Right to Opt-Out | Opt-out of specific data collection/sharing (e.g., for advertising). | In-app privacy settings (e.g., "Do Not Sell/Share My Data" link for CCPA/CPRA), device privacy settings, or email to [contact email]. | Immediately available for opt-out links. | Opt-out requests for data sales typically last 12 months (CCPA/CPRA). |
| Right to Data Portability | Receive personal information in a machine-readable format and transmit it to another service. | Dedicated privacy request form or email to [contact email]. | Promptly/without undue delay. | Applies to data provided directly by the user. |
| Right to Object/Restrict Processing | Object to or request restriction of processing under specific conditions. | Dedicated privacy request form or email to [contact email]. | Promptly/without undue delay. | Applies to processing based on legitimate interests or direct marketing. |
This table significantly enhances user experience and transparency by clearly presenting user rights and their exercise mechanisms. It also fulfills requirements from laws like CCPA/CPRA to explain how users can exercise their rights.
Compliance with COPPA is a critical aspect for any app that may interact with users under 13, particularly for a social gaming application.
COPPA applies to TileWorks because as a "social gaming app with friends," it is inherently appealing to children, even if the primary target audience is not explicitly children. This categorization places it squarely in the "mixed audience" category, which, under the updated COPPA Rule, requires age screening before collecting any personal information.
Implement Neutral Age Gate: A robust, neutral age-gate is implemented at the very outset of the user experience. If a user identifies as under 13, the App either obtains verifiable parental consent or provides an experience that strictly avoids the collection of personal information.
Verifiable Parental Consent (VPC) Methods: VPC is required before collecting, using, or disclosing personal information from children under 13. Accepted methods, which ensure the person providing consent is indeed the parent, include:
Signed consent form (physical mail or electronic scan).
Credit/debit card transaction (with notification to the primary account holder).
Toll-free phone call or video conference with trained personnel.
Knowledge-based authentication (KBA) using dynamic, adequately difficult multiple-choice questions.
Facial recognition technology matching a parent's webcam image to a government-issued ID (with mandatory prompt deletion after verification).
"Email plus" or "Text plus" methods (initial email/text followed by a second confirmation step, generally permissible only when children's data is not publicly displayed or disclosed to third parties for non-integral purposes).
Direct Notice to Parents and Comprehensive Online Privacy Policy: We provide a direct notice to parents before collecting any information, explicitly detailing how the child's personal data will be used, the identities or specific categories of third parties receiving it, and their specific purposes.
Limitations on Data Collection from Children: We do not condition a child's participation in an activity on the child providing more personal information than is reasonably necessary for that activity.
Prohibition of Targeted Advertising to Children: We strictly prohibit allowing interest-based (personalized) ads to be shown to children under 13. The App implements technical mechanisms to ensure that AdMob serves only non-personalized or contextual ads to users identified as under 13. This may involve configuring AdMob ad requests for child-directed treatment or utilizing specific AdMob settings designed for COPPA compliance.
Parental Rights Regarding Their Child's Data: Parents are provided with reasonable means to review the personal information collected from their child, revoke their consent at any time, and request the deletion of their child's information.
Handling of User-Generated Content (e.g., Chat Logs) from Children: If the App allows children to participate in chat or create other UGC, strict COPPA compliance is followed. This may involve limiting features for children (e.g., ensuring nicknames are only visible to the child, not other players) or obtaining verifiable parental consent for such interactive features. Any monitoring of chat for safety or moderation purposes is clearly disclosed in this privacy policy.
Ensuring Social Features Comply with COPPA: If social features like friend lists or connections involve sharing personal information from children, verifiable parental consent is mandatory. The App considers implementing age-gating for certain social features or providing a distinct, child-safe mode that severely limits data collection and sharing for users identified as under 13.
The 2025 COPPA amendments significantly broaden the definition of "personal information" to include biometric identifiers (e.g., fingerprints, facial patterns) and government-issued identifiers. We are acutely aware of this expanded definition and will handle any such data, even if inadvertently collected through third-party SDKs, with verifiable parental consent and appropriate disclosure.
| Requirement | Action/Mechanism | Policy Disclosure Point |
| --- | --- | --- |
| Implement Neutral Age Gate | Display age verification screen at app launch/onboarding, prohibiting incentives for age falsification. | "Children's Privacy" section, "Data Collection" section. |
| Obtain Verifiable Parental Consent (VPC) | Utilize FTC-approved methods (e.g., Credit Card, KBA, "Email Plus" for non-public data) before collecting PII from children. | "Children's Privacy" section, specific "Parental Consent" subsection. |
| Provide Direct Notice to Parents | Send a clear notice to parents detailing data use, third-party identities/categories, and purposes before collecting child's data. | "Children's Privacy" section, "Parental Notice" subsection. |
| Limit Data Collection from Children | Collect only essential data for core app functionality from children under 13; avoid conditioning participation on excessive data. | "Data Collection" section, "Children's Privacy" section. |
| Prohibit Targeted Ads for Children | Configure AdMob and other ad partners to serve only non-personalized/contextual ads to child users. | "Advertising" section, "Children's Privacy" section. |
| Offer Parental Rights for Review/Deletion | Provide clear in-app and email options for parents to review their child's data, revoke consent, and request deletion. | "User Rights and Control" section, "Children's Privacy" section. |
| Secure Child Data | Implement robust security measures (encryption, access controls) specifically for children's personal information. | "Data Security" section, "Children's Privacy" section. |
| Maintain Data Retention Policy for Child Data | Establish and disclose clear data retention periods for children's data, prohibiting indefinite retention. | "Data Retention" section, "Children's Privacy" section. |
This checklist provides a clear, actionable, and systematic roadmap for ensuring comprehensive coverage of all necessary COPPA requirements.
We are committed to protecting user data through comprehensive security measures and responsible data retention practices.
We employ a multi-layered approach to data security, encompassing both technical and organizational safeguards:
Technical Safeguards:
Encryption: We implement robust encryption for data both in transit, utilizing HTTPS/SSL/TLS protocols for all network communications, and at rest, employing industry-standard algorithms like 256-bit AES for sensitive data storage.
Secure Authentication: We implement strong user authentication processes, including robust password policies, multi-factor authentication (MFA), biometric authentication (e.g., fingerprint, facial recognition), and leveraging federated identity providers (e.g., Sign in with Google). We minimize unnecessary credential requests and store authorization tokens securely.
Secure Servers/Backend: All servers and network connections supporting the App's backend are secured with firewalls, intrusion detection systems, and undergo regular security audits.
Access Controls: We implement granular access controls, such as role-based access control (RBAC), to limit what each user, and internal team member, can access or modify within the App and its underlying systems.
Code Security: We employ practices like encoding and encrypting application code, implementing code obfuscation, and runtime protection to make reverse-engineering and tampering more difficult.
Input Validation & Session Handling: We perform rigorous input validation when handling data from any untrusted source, including external storage, and manage user sessions securely to prevent session hijacking.
Organizational Safeguards:
Regular Audits: We conduct periodic (e.g., quarterly, annually) privacy and security audits to systematically evaluate the App's data practices, review all data collection points, verify access permissions, and reassess the privacy implications of integrated SDKs.
Incident Response Plan: We have a clear and well-documented plan for responding to data breaches, including protocols for detection, containment, notification to affected users and authorities, and post-incident analysis.
Data Minimization: We adhere strictly to the principle of collecting only the data that is absolutely necessary for the App's functionality, thereby reducing the volume of sensitive data that needs to be secured.
Employee Training: All employees, contractors, and agents with access to user data are thoroughly trained on privacy policies, data handling best practices, and security protocols.
Transparency: We clearly communicate the implemented security measures to users within this privacy policy to build and maintain trust.
Data security is an ongoing operational commitment, requiring continuous adaptation and vigilance. We integrate security best practices throughout the entire App development lifecycle, allocating continuous resources for monitoring, penetration testing, vulnerability management, and promptly deploying security updates.
Our data retention policy is guided by fundamental privacy principles:
Principles: The data retention policy is guided by the principles of data minimization (collecting and retaining the least amount of information required) and purpose limitation (using and retaining data only for the original, stated purposes for which it was collected). Prioritizing data minimization from the initial design phase of the App leads to a more inherently secure and compliant product. This proactive approach reduces legal and reputational risks and streamlines operational processes related to data management.
Establishing Retention Periods: Personal data will be retained only for as long as is necessary to fulfill the specific purpose for which it was collected, or for a longer period if required to comply with legal obligations (e.g., for fraud prevention, dispute resolution, contract enforcement, or regulatory mandates). Indefinite retention of personal data is generally prohibited, especially for children's data.
Account Data: Retained for the duration of the user's active account. Certain account-related data (e.g., match history) may be retained for a limited period after account deletion for legitimate business interests such as security and fraud detection.
Gameplay Data: Retained for purposes of game analytics, performance improvement, and service provision.
Chat Logs: Retained for a period sufficient to allow for the filing and investigation of complaints, which may be up to two years from creation in some contexts.
Advertising Data: Retention periods for advertising identifiers and related data collected by AdMob will adhere to AdMob's policies and applicable legal requirements.
Secure Deletion and Anonymization Protocols: We implement robust and reasonable measures to securely delete personal data promptly when it is no longer needed, including from backup systems. Where full deletion is not immediately feasible or legally required, data will be anonymized to prevent re-identification.
Policy Review and Update Frequency: The data retention policy, along with this broader privacy policy, will be reviewed and updated annually or whenever there are significant changes to app features, data collection practices, or legal regulations.
DATA DELETION - Contact bdmlabs@gmail.com for data or account deletion.
For this privacy policy to be effective, it is readily accessible to users and consistently maintained to reflect current practices and legal obligations.
Google Play Store Listing: A clear and easily clickable link to the App's privacy policy is provided in the designated field within the Google Play Console listing.
Within the App: This privacy policy is readily accessible directly from within the App itself, typically found in a prominent location such as the "Settings," "About," or "Help" menu.
Before Data Collection: We display this privacy policy prominently and obtain explicit user consent before any personal data, especially sensitive data, is collected. This may involve a pop-up disclosure for runtime permissions during in-app usage.
This policy is written in clear, straightforward language, avoiding legal jargon that can confuse users. It is easily understandable by the target audience, including teenagers, and benefits from simplified explanations of technical terms, bullet points, and clear headings.
Regular Review and Updates: This privacy policy is reviewed and updated regularly (e.g., annually) to reflect any changes in App features, data collection practices, third-party integrations, or evolving legal and regulatory requirements.
User Notification: You will be promptly notified of any significant changes to this privacy policy. Your consent may need to be re-obtained for new data processing purposes. Updates are protected with features like encryption and authorized access.
If you have any questions or concerns regarding this Privacy Policy or our data practices, please contact us at:
bdmlabs@gmail.com