Table of Contents
- 1. Scope & Application
- 2. Data Controller & Representatives
- 3. Data Collection (Granularity & Purpose)
- 4. Third-Party Data Sharing Architecture
- 5. Ad Platforms We Integrate (AppLovin MAX, AdMob, etc.)
- 6. Ad Formats Implemented (Splash, Rewarded, Interstitial, Banner)
- 7. Global Regional Compliance
- 8. Auto-Renewal Subscriptions
- 9. AI-Generated Content Disclosure
- 10. Children & Age-Gating
- 11. Security Measures
- 12. Your Rights & How to Exercise Them
- 13. Data Retention
- 14. International Data Transfers
- 15. Changes to This Policy
- 16. Contact
1. Scope & Application
This Privacy Policy ("Policy") applies to all applications, software, websites, services and products published, operated or distributed by primecodevaultlink ("we", "us", "our", the "Studio") under the brand name "primecodevaultlink" or any product name within the primecodevaultlink matrix (including but not limited to Pet Health Archive, Home Cost Engine, Offline Language Memory, Wardrobe Inventory Planner, Audio Sheet Archive, and Monthly Spending Analytics), collectively the "Apps" or "Services".
This Policy is published in English. Translations may be provided for convenience; in case of conflict, the English version prevails. This version (2026.1) supersedes all prior versions.
By downloading, installing, registering for, or otherwise using our Apps, you confirm that you have read, understood, and agreed to this Policy. If you do not agree, please discontinue use and uninstall the relevant App.
Our guiding principle: data minimisation, purpose limitation, and local-first storage. We collect only what we need to operate the App, and we keep it on your device whenever technically feasible.
2. Data Controller & Regional Representatives
2.1 Data Controller
The data controller responsible for your personal data is primecodevaultlink, registered at St John's Innovation Centre, Cambridge, United Kingdom. You can reach our Data Protection Officer at privacy@primecodevaultlink.com.
2.2 EU & UK GDPR Representative (Article 27 / UK GDPR Article 27)
For users in the European Economic Area and the United Kingdom, our appointed Article 27 representative can be contacted for any data-protection inquiry. Details are provided on request at privacy@primecodevaultlink.com and are answered within 7 business days.
2.3 Other Regional Representatives
- Brazil (LGPD) — Encarregado / DPO: reachable at privacy@primecodevaultlink.com with subject "LGPD".
- India (DPDP Act) — Data Protection Officer: reachable at privacy@primecodevaultlink.com with subject "DPDP".
- Saudi Arabia (PDPL) — Local Contact: reachable at privacy@primecodevaultlink.com with subject "NDPA".
3. Data Collection — Specific Granularity & Purpose
We strictly follow the principle of data minimisation. We collect the following categories of information only to the extent necessary to operate IAA (in-app advertising) and IAP (in-app purchase) systems, to optimise user experience, and to prevent fraud. All data handling complies with global privacy regulations.
3.1 Device Fingerprint & Identifiers
- IDFA (Identifier for Advertisers, iOS): collected only after explicit ATT (App Tracking Transparency) consent is granted. Used to deliver personalised ads and to attribute installs.
- GAID (Google Advertising ID, Android): used similarly to IDFA; opt-out is available via device privacy settings.
- OAID (Open Anonymous ID, China-region Android): used as a replacement for GAID in China-region builds, in line with the MIIT / TC260 guidance.
- Device brand, model, screen resolution, OS version, language settings, battery state, system clock offset — used to detect timezone cheating and cross-region price-fraud; not used to identify the user.
- Encrypted device-only unique identifier: a per-install hash rotated at least every 30 days; never linked to a user's real-world identity.
3.2 Network Environment Data
- IP address: used only for geographic compliance filtering and to determine applicable regional regulations. IP addresses are not used for precise geolocation and are truncated or hashed where technically possible.
- Mobile carrier name, Wi-Fi connection state, network type (4G/5G/Wi-Fi): used to ensure service stability and to apply regional compliance gating.
3.3 Behavioural Data (IAA & UX)
3.3.1 Advertising Behaviour
- Ad display ID, click timestamp, conversion path, rewarded-video watch duration and drop-off moment, dwell time on displayed ad — used to optimise ad delivery and to detect ad fraud.
- Data is used for internal analysis and, after de-identification, may be shared with the third-party ad platforms listed in Section 5.
3.3.2 App Logic
- Core loop trigger count, paywall impression / click rate, onboarding drop-off point, feature-use frequency — used to optimise in-app UX and layout, not to identify a user.
3.4 Financial Transaction Data (IAP)
- We receive transaction receipts only through the official App Store / Google Play APIs. We never collect, store, transmit, or process bank card numbers, CVV codes, payment passwords, or card expiry dates — all payment data is handled exclusively by Apple / Google.
- We record: order ID, product name and quantity, payment currency, payment amount, country code, transaction timestamp, whether the order is a sandbox test order, and order status (success / failure / refund) — used for order verification, refund processing, financial reconciliation, and payment-fraud prevention.
Encryption: all data in transit is encrypted via HTTPS / TLS 1.3. All data at rest is encrypted using AES-256. Access to encrypted data is logged and limited to authorised personnel only.
4. Deep Third-Party Sharing Architecture
To operate IAA, IAP, anti-fraud, and payment-processing flows, we share the minimum data necessary with vetted third-party ecosystems. All sharing follows three principles: minimum necessary, encrypted in transit, and fully auditable. We never share sensitive personal information. Each partner's privacy policy governs their downstream use; please consult them for detail.
| Category | Partner | Purpose | Data Shared (minimum) |
|---|---|---|---|
| Ad Mediation | AppLovin (MAX) | RTB bidding, fill optimisation, mediation | De-identified device info, ad display / click data |
| Ad Mediation | Google AdMob | RTB bidding, fill optimisation | De-identified device info, ad display / click data |
| Ad Mediation | Unity LevelPlay (ironSource) | Mediation, waterfall | De-identified device info, ad display / click data |
| Ad Mediation | Meta Audience Network | Audience match (with consent) | De-identified device info, hashed email (if provided) |
| Ad Mediation | Pangle (ByteDance) | China-region fill & global fill | OAID, de-identified device info |
| Ad Mediation | InMobi | RTB bidding | De-identified device info |
| Attribution / Anti-Fraud | AppsFlyer | Install attribution, fraud detection | De-identified device info, install attribution data |
| Attribution / Anti-Fraud | Adjust | Install attribution, fraud detection | De-identified device info, install attribution data |
| Attribution / Anti-Fraud | Singular | Install attribution, fraud detection | De-identified device info, install attribution data |
| Attribution / Anti-Fraud | Kochava / Branch (optional) | Install attribution | De-identified device info, install attribution data |
| Payment Processors | Apple Inc. | IAP processing, order validation | Order-related data (no sensitive payment data) |
| Payment Processors | Google LLC | IAP processing, order validation | Order-related data (no sensitive payment data) |
| Consent Management | Usercentrics | CMP, GDPR / DSA consent | Consent state hash, region |
| Consent Management | OneTrust | CMP, consent records | Consent state hash, region |
| Consent Management | IAB Europe TCF v2.2 | TC String | TC String |
Each third-party partner has signed a Data Processing Agreement (DPA) and a confidentiality agreement with us, defining the scope, duration, and security responsibilities of data processing. We conduct regular compliance audits; if a partner is found to be non-compliant, we terminate the partnership immediately and pursue any contractual remedies.
Users can view the active third-party sharing list in the App's "Privacy & Data" settings and may opt out of non-essential sharing at any time. Opt-out may reduce ad relevance and certain functionality.
5. Advertising Platforms We Integrate
The following advertising and monetisation platforms are integrated across the primecodevaultlink app matrix. Each is bound by a signed DPA. The list below includes the official privacy-policy URL for each platform; please consult it for downstream use of bid signals.
5.1 Ad Mediation & Header Bidding
- AppLovin MAX — applovin.com/privacy
- Google AdMob — policies.google.com/privacy
- Unity LevelPlay (ironSource) — unity.com/legal/privacy-policy
- Meta Audience Network — facebook.com/policy.php
- Pangle (ByteDance) — pangleglobal.com/privacy
- InMobi — inmobi.com/privacy-policy
- Chartboost (now Zynn) — chartboost.com/privacy
- Vungle (now part of Liftoff) — liftoff.io/privacy-policy
- ironSource (now Unity) — is.com/privacy-policy
- Tapjoy — tapjoy.com/legal/advertisers/privacy-policy
- Mintegral (Mobvista) — mintegral.com/en/privacy
- Fyber (now Digital Turbine) — digitalturbine.com/privacy-policy
5.2 Attribution & Mobile Measurement Partners (MMP)
- AppsFlyer — appsflyer.com/legal/privacy-policy
- Adjust — adjust.com/terms/privacy-policy
- Singular — singular.net/privacy-policy
- Kochava — kochava.com/privacy-policy
- Branch — branch.io/policies/privacy-policy
5.3 Consent Management Platforms (CMP)
- Usercentrics — usercentrics.com/privacy-policy
- OneTrust — onetrust.com/privacy-policy
For users in the European Economic Area, the United Kingdom, and Switzerland, the IAB Europe Transparency & Consent Framework (TCF) v2.2 standard applies. Our CMP produces a TC String that is propagated through every bid request.
6. Ad Formats Implemented
Below is the complete set of in-app advertising (IAA) formats implemented across the primecodevaultlink app matrix, the disclosure / consent requirements for each, and the frequency / behavioural guardrails we apply.
| Ad Format | Description | Disclosure & Consent | Frequency / Behavioural Guardrail |
|---|---|---|---|
| App Open / Splash Ad | Full-screen ad served on cold start or foreground resume. | Disclosure label "Ad" visible; consent required for personalised variants. | Maximum 1 per session; 5-second dismissible skip button (DSA-aligned). |
| Rewarded Video Ad | User-elected full video view in exchange for an in-app reward. | "Watch full ad to earn reward" copy mandatory; consent required for personalised variants. | Skip button after 5 s (DSA-aligned); server-side reward validation; anti-emulator fingerprinting. |
| Interstitial Ad | Full-screen ad served at natural app transition points (e.g. level end, between screens). | Disclosure label "Ad" visible; consent required for personalised variants. | Minimum 30-second gap between impressions; never shown on first-launch flow or during checkout. |
| Banner / Adaptive Banner Ad | Inline anchored banner placed within app chrome. | Disclosure label "Ad" visible; consent required for personalised variants. | Refresh interval capped at 60 s; collapsible on scroll; GDPR / CCPA consent string honoured before bid request. |
| Native & Native Video Ad | Customisable template blending with app chrome — headlines, images, CTAs. | Disclosure label "Ad" or "Sponsored" always visible; consent required for personalised variants. | Visual style must not mimic in-app UI elements; explicit "Ad" badge at all times. |
| Offerwall | Tapjoy / Fyber style list of partner offers the user can complete in exchange for in-app rewards. | Each offer is labelled as sponsored; consent required. | Per-country compliance review; anti-fraud throttling; restricted in jurisdictions that prohibit the format (e.g. certain EU member states). |
| Playable Ad | Interactive mini-game preview, often used as a rewarded or interstitial format. | "Ad" disclosure visible; consent required. | Optional "skip" after 5 s; data-use limited to engagement analytics, not behavioural profiling. |
For all formats: where ATT (iOS) or the relevant Android consent (e.g. Privacy Sandbox Topics) is denied, the ad request is sent with allow_tracking = false (iOS) or non-personalised (Android) signals. Personalised ads are never shown to users who have refused consent.
7. Global Regional Compliance
We adapt our data-handling practices to the laws of every region we operate in. Below is the region-specific overview.
7.1 European Union (GDPR) & United Kingdom (UK-GDPR)
7.1.1 Legal Basis
We process your personal data under one or more of the following legal bases, as set out in Article 6 GDPR / UK-GDPR:
- Performance of a contract (Art. 6(1)(b)) — to provide the App services you have requested.
- Explicit consent (Art. 6(1)(a)) — for advertising personalisation, ATT, non-essential cookies / SDKs, and any AI features.
- Legitimate interest (Art. 6(1)(f)) — for anti-fraud, service stability, and analytics that do not override your fundamental rights.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable law.
7.1.2 EU/UK Representative
See Section 2.2.
7.1.3 DSA Transparency
As required by the EU Digital Services Act (DSA):
- We publicly disclose our ad-placement logic, content-moderation standards, and any algorithmic recommendation system used in our Apps.
- We publish a transparency report at least every six months covering content-moderation actions, user complaints received, and the response to each.
- For any feature involving user-generated content (UGC), we operate a "notice and action" mechanism: 24-hour takedown SLA for clearly illegal content, with appeal rights.
- We cooperate with the European Board for Digital Services and with national Digital Services Coordinators.
7.1.4 Your Rights
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate or incomplete data (Art. 16).
- Erasure ("right to be forgotten") (Art. 17).
- Restriction of processing (Art. 18).
- Data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interest (Art. 21) and to processing for direct marketing (Art. 21(2)).
- Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3)).
- Lodge a complaint with your national supervisory authority (e.g. the ICO in the UK, the CNIL in France, the BfDI in Germany) or with the European Data Protection Board (EDPB).
7.2 United States (CCPA / CPRA / VCDPA / State-by-State)
7.2.1 No Sale of Personal Information
We do not sell your personal information to any third party (including advertisers, data brokers, or attribution partners). However, under California CPRA and Virginia CDPA, the act of sharing device identifiers with mediation partners for personalised advertising may constitute "sharing" (cross-context behavioural advertising). Where this occurs, we provide a clear in-app opt-out.
7.2.2 "Do Not Track" / Global Privacy Control
We honour the device-level Do Not Track signal, the iOS Limit Ad Tracking setting, and the browser-level Global Privacy Control (GPC). When any of these signals is present, we suppress all behavioural tracking and serve only contextual or non-personalised ads.
7.2.3 State-by-State Compliance
- California (CCPA / CPRA): Right to know (categories disclosed in past 12 months), right to delete, right to opt out of "sale / sharing", right to limit use of sensitive personal information, right to non-discrimination. Response within 45 days.
- Virginia (VCDPA): Right to access, right to correct, right to delete, right to opt out of (a) targeted advertising, (b) "sale" of personal data, (c) profiling. Response within 30 days.
- Texas (TDPSA): Free access to consumer data; no barriers to data-subject requests; prohibition on sharing sensitive data without written consent.
- Colorado (CPA): Universal opt-out mechanism recognition, right to access, correct, delete, and opt out.
- Connecticut (CTDPA), Utah (UCPA), Montana (MCDPA), Oregon (OCPA), Tennessee (TIPA), Florida (FDBR), Iowa, Indiana, New Hampshire: each is mapped in our internal compliance matrix and respected in our data flows.
7.3 Brazil (LGPD)
We comply with the Lei Geral de Proteção de Dados. We collect personal data only after explicit consent, with clear purpose, scope, and method. Brazilian users retain the rights of access, correction, deletion, portability, and consent withdrawal. Brazilian user data is stored on Brazil-region servers; cross-border transfer requires ANPD authorisation or use of standard contractual clauses.
7.4 China (PIPL / DSL / Cross-Border Data Transfer Rules)
We comply with the Personal Information Protection Law (PIPL), the Data Security Law (DSL), the Cybersecurity Law (CSL), and the Provisions on Promoting and Regulating the Cross-Border Data Flows (2024). For users in mainland China, personal data is stored on China-region servers. Sensitive personal information is collected only with separate explicit consent. Cross-border transfer follows security assessment / standard contract / certification as required.
7.5 India (DPDP Act)
We comply with the Digital Personal Data Protection Act, 2023. We collect personal data only with informed consent for a specific purpose. Users may withdraw consent at any time. We have appointed a Data Protection Officer. Cross-border transfer requires MeitY approval for any restricted data category.
7.6 Saudi Arabia (PDPL)
We comply with the Personal Data Protection Law. Saudi user data is stored on Saudi-region servers; cross-border transfer follows NDPA authorisation procedures.
7.7 Other Jurisdictions
- Canada (PIPEDA & Quebec Law 25): explicit consent, breach notification to the OPC, data residency where required.
- Japan (APPI): explicit consent for sensitive personal information, opt-out for promotional use, possible cross-border transfer to a country with comparable protection.
- South Korea (PIPA): explicit consent, residency for Korean users above statutory thresholds.
- Australia (Privacy Act 1988): APP compliance, Notifiable Data Breaches scheme.
- Switzerland (revDSG/FADP): equivalent GDPR-level protection, FDPIC oversight.
- Singapore (PDPA), Hong Kong (PDPO), Taiwan (PDPA), New Zealand (Privacy Act 2020): each is mapped and respected.
8. Auto-Renewal Subscription Transparency
Where a primecodevaultlink App offers auto-renewable subscriptions, we strictly follow Apple App Store and Google Play rules and global regulations.
8.1 Information We Collect for Subscriptions
We collect only the minimum subscription-related data: subscription period, trial-period time remaining, subscription status (active / expired / paused), next renewal date. This is used for subscription management and service provision only.
8.2 Transparency Requirements
- Before subscription: the App clearly discloses the subscription period (weekly / monthly / annual), price, trial period length (if any), renewal rules, and cancellation method. No hidden terms.
- Renewal reminder: 24 hours before each auto-renewal charge, we send an in-app banner and / or system push notification disclosing the amount, the date, and a direct link to cancellation.
- Subscription management: users may cancel auto-renewal at any time via in-app "Settings → Subscription" or via App Store / Google Play subscription management. After cancellation, no further charges will be applied. Trial-period cancellation is always free.
- Trial period: where a free trial is offered, the App automatically converts to a paid subscription at the end of the trial unless cancelled in advance. If a user has used subscription-only features during the trial, those features become unavailable upon cancellation.
8.3 Regional Variations
- EU/UK users receive the renewal reminder in line with the Consumer Rights Directive.
- California (Rosenthal Act, SB-313) users receive an annual reminder and a "cancel now" direct link.
- Korean users may cancel within 7 days of a renewal under the Korean e-commerce law where applicable.
9. AI-Generated Content Disclosure
Where an App includes AI-generated content (text, audio, image, interactive scenes), the following commitments apply.
- Explicit labelling: every AI-generated artefact is marked "AI-Generated" and is visually distinguishable from human-authored content. This complies with the EU AI Act and applicable US state laws.
- Content moderation: AI output is filtered against global content-moderation rules (no violence, no sexual content, no political persuasion, no racism). A dual "AI + human" review pipeline is in place for any borderline content.
- Liability: AI output is auxiliary. It does not constitute advice, warranty, or commitment. We disclaim liability for user decisions based on AI output, while assuming responsibility for any IP or reputational harm caused by AI output we publish.
- Training data: we never train AI on user personal data or private user content. Training data is either (a) openly licensed, (b) commercially licensed, or (c) generated under controlled conditions.
- Opt-out: where AI is used as a feature (e.g. suggested outfit), users can opt out and the feature falls back to a non-AI alternative.
10. Children & Age Gating
Our Apps are not designed for or directed at children under 13 (or the higher age of digital consent in the user's jurisdiction: 14 in Spain/Italy, 16 in some EU member states under GDPR, 13 in the US under COPPA, 18 in Korea for certain processing, etc.). We do not knowingly collect personal data from children.
- The App Store / Google Play age rating is set honestly. Where a region requires a higher minimum age, the higher age applies.
- If we learn that a child's personal data has been inadvertently collected, we delete it within 7 business days.
- For unverified minors, the IAA bid request is sent with the childDirectedTreatment = true flag (COPPA-compliant) or the equivalent under the relevant local regime. Behavioural advertising is disabled.
- IAP is disabled by default for accounts flagged as under-age.
11. Security Measures
We apply industry-standard technical and organisational measures to protect personal data:
- AES-256 encryption at rest; TLS 1.3 in transit.
- Encrypted local-first storage (Core Data / EncryptedSharedPreferences / SQLCipher).
- Biometric (Face ID / Touch ID / Android BiometricPrompt) gate for sensitive features.
- Role-based access control for staff; access logs; just-in-time access requests.
- Annual third-party security audit; quarterly internal penetration testing.
- 72-hour breach notification timeline (aligned with GDPR Art. 33, CPRA, US state breach-notification laws).
12. Your Rights & How to Exercise Them
You may exercise the rights described in this Policy by emailing privacy@primecodevaultlink.com with the subject line indicating the right (e.g. "GDPR Access Request", "CCPA Opt-Out", "LGPD Erasure").
We respond within:
- 7 business days for GDPR, UK-GDPR, LGPD, PIPL, DPDP Act, NDPA, PIPEDA, APPI.
- 30 business days for VCDPA (Virginia).
- 45 days for CCPA / CPRA (California).
- 60 days for Colorado (CPA) and similar state regimes that allow the longer window.
To verify your identity, we may request a minimum of information (e.g. device-installation hash) and will not retain that verification record once the request is closed.
13. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Personal app content (e.g. pet records, financial entries) | Until you delete the App or request deletion | User's device, user-controlled |
| Encrypted user opt-in backup | Until user revokes (key in user's iCloud / Drive) | User-controlled |
| Server-side anti-fraud / anti-cheat log | 180 days (anonymised beyond) | Legitimate interest, fraud prevention |
| IAP transaction receipt | 7 years (tax / accounting obligations) | Legal obligation |
| Support correspondence | 3 years from last interaction | Service continuity, complaint handling |
| Data-subject-request records | 6 years (regulatory audit) | Legal obligation |
14. International Data Transfers
Where data is transferred across borders, we use one of the following safeguards:
- EU Standard Contractual Clauses (SCCs) — 2021/914 modules.
- UK International Data Transfer Addendum to the EU SCCs.
- US-EU Data Privacy Framework (where applicable).
- China CAC Standard Contract for cross-border PII transfer.
- Brazil ANPD-approved standard clauses.
- APEC Cross-Border Privacy Rules (CBPR) for participating Asia-Pacific economies.
15. Changes to This Policy
We will update this Policy as needed to reflect changes in our practices or in applicable law. Material changes will be communicated through in-app notification and (where you have provided an email) by email at least 30 days before the change takes effect. The current version is identified by its effective date at the top of this document.
16. Contact
For any question related to this Policy, please contact:
- Support — support@primecodevaultlink.com
- Postal address — St John's Innovation Centre, Cambridge, United Kingdom