Privacy Policy — Tiles

Effective date: 20 June 2026
Publisher: SubeSubeGames ("we", "us", "our").
Application: Tiles (package com.subesubegames.tiles)
Policy URL: https://subesubegames.com/privacy

This policy is written in English, the standard for Google Play submissions. A Spanish-language version is recommended for Spanish-market users and may be advisable under the Spanish LOPDGDD. This document should be reviewed by a qualified Spanish/EU attorney before publication.

1. Who We Are and How to Contact Us

SubeSubeGames is the data controller for personal data processed through Tiles. We are established in Spain and subject to EU Regulation 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).

For any privacy question, request, or complaint:

Email: subesubegames@gmail.com
Website: https://subesubegames.com

We will respond to verifiable requests within 30 days.

2. Scope and Audience

This policy applies to the Tiles mobile application on Android (Google Play). Tiles is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with data, please contact us at subesubegames@gmail.com and we will delete it promptly.

3. Data We Collect and Why

3.1 Data We Collect Directly Through Gameplay

When you play Tiles, the following data is created and stored on our backend (Firebase Cloud Firestore, Google, EU region europe-west1):

Data element	Description	Why we collect it
Anonymous Firebase UID	A random identifier generated by Firebase Anonymous Authentication. Not linked to your name, email address, or any other identifying information.	To maintain your game state across sessions without requiring account registration.
Player alias / nickname	A display name of 1–16 characters that you choose when first entering the Daily Challenge. May be visible to other players on the leaderboard.	To identify you on the leaderboard in a way you have chosen.
Best score	The number of puzzle levels you completed in your best Daily Challenge attempt.	To rank you on the leaderboard and show you your progress.
Best completion time	Total time (in milliseconds) for your best Daily Challenge run.	Used as a tiebreaker for leaderboard ranking.
Daily challenge attempts used	A counter of how many attempts you have made on today's challenge (maximum 2 free + 1 ad-granted).	To enforce fair play limits and to grant the rewarded-ad bonus attempt.
Division / league placement	Your current league division (e.g., bronze) and league group identifier.	To group you with similarly-ranked players for the leaderboard.
Last-seen timestamp	Server timestamp updated each time you open the game.	To maintain an active session and support anti-cheat temporal validation.
Per-level timing data	Time (in milliseconds) taken to complete each puzzle level in a submitted attempt. Processed server-side for anti-cheat validation; not persisted beyond the validation transaction.	To verify that submitted scores are humanly achievable (server-side anti-cheat).

We do not collect: real name, email address, phone number, precise or approximate GPS location, payment information, contacts, photos, camera access, or microphone access.

3.2 Data Collected by Firebase Anonymous Authentication (Google)

Firebase Anonymous Authentication (operated by Google) creates and manages the anonymous UID described above. Google may process technical data associated with this authentication (device identifiers, IP address at authentication time) in accordance with Google's own privacy policy. See Section 6 for links.

3.3 Data Collected by Firebase Analytics and Crashlytics (Google)

We use Firebase Analytics and Firebase Crashlytics (both operated by Google) to understand how the app is used and to diagnose crashes. These SDKs automatically collect:

Device information: device model, operating system version, screen resolution, device language/locale.
App usage events: session duration, screens viewed, feature interactions, app open/close events.
Instance identifiers: Firebase installation ID (a randomly-generated, resettable identifier).
Crash and performance data: stack traces, device state at the time of a crash, ANR (Application Not Responding) reports.
Android Advertising ID (AAID): may be collected by Firebase Analytics unless you reset or opt out via Android settings (see Section 9).

Analytics data is aggregated and used by us in aggregate or pseudonymous form. We do not use Firebase Analytics to build individual user profiles for advertising purposes.

3.4 Data Collected for Advertising via Yodo1 MAS (Ad Mediation, incl. Google AdMob)

Tiles includes rewarded advertisements served through Yodo1 MAS, an ad-mediation platform that aggregates multiple advertising networks (including Google AdMob, AppLovin, Unity Ads, ironSource and others) behind a single SDK. When an advertisement is displayed, Yodo1 and the mediated advertising networks (including AdMob/Google) and their advertising partners may collect:

Android Advertising ID (AAID): a resettable, device-level identifier used to deliver relevant ads and measure ad performance.
IP address: used to determine approximate region for ad targeting and fraud prevention.
Device and app information: device type, OS version, app version, ad interaction data (impressions, clicks).
Coarse location (inferred from IP): the mediated networks may infer a general geographic region from your IP address for ad targeting.

Advertising data collection and processing is governed by Yodo1's privacy policy and by the advertising policies of each mediated network (including Google's, for AdMob). We do not control which data Yodo1 or its mediated networks collect beyond what is disclosed in their documentation. See Section 6 for links and Section 9 for how to opt out of personalised advertising.

4. Legal Bases for Processing (GDPR)

Processing activity	Legal basis
Creating and maintaining your anonymous player profile (UID, alias, scores, timestamps)	Legitimate interests (Article 6(1)(f) GDPR) — necessary to operate the core game functionality and leaderboard. Our interest in providing a functioning game service does not override your rights given that the data is pseudonymous and no personally identifying information is collected.
Anti-cheat timing validation	Legitimate interests (Article 6(1)(f)) — necessary to protect the integrity of the leaderboard and the fair-play experience of all players.
Firebase Analytics and Crashlytics	Legitimate interests (Article 6(1)(f)) — necessary to maintain app stability and understand aggregate usage patterns. Analytics data is collected in aggregate/pseudonymous form.
Displaying rewarded advertisements via Yodo1 MAS (mediating AdMob and other networks)	Consent (Article 6(1)(a)) where personalised ads require it under applicable law, or Legitimate interests (Article 6(1)(f)) for contextual or non-personalised ads. On first launch we present a consent prompt via Yodo1's built-in User Messaging Platform (UMP) dialog in EEA/UK territories.
Compliance with legal obligations	Legal obligation (Article 6(1)(c)) where applicable.

5. How Long We Keep Your Data

Data	Retention period
Player profile (UID, alias, scores, division)	Retained for as long as your anonymous account is active. If you have not played for 24 months, your profile may be deleted.
Daily score entries (scores, attempts, timings)	Per-day score documents are retained for 90 days after the challenge date, after which they are deleted.
Firebase Analytics data	Controlled by Google; default retention is 14 months in the Firebase console, which we have set as our maximum.
Crashlytics crash reports	Retained for 90 days in Firebase Crashlytics.
Advertising data (Yodo1 MAS and mediated networks, incl. AdMob)	Controlled by Yodo1 and each mediated network (including Google for AdMob) per their respective advertising data retention policies.

When retention periods expire, data is deleted or anonymised.

6. Third Parties and International Transfers

We share data with the following third-party processors. All are acting on our instructions as data processors under GDPR Article 28.

Google Firebase (Alphabet Inc.)

Services used: Anonymous Authentication, Cloud Firestore, Cloud Functions, Firebase Analytics, Firebase Crashlytics.
Data location: Firebase project tiles-ea86c, region europe-west1 (Belgium). Player profile and score data is stored within the European Economic Area.
Privacy policy: https://firebase.google.com/support/privacy
Google Privacy Policy: https://policies.google.com/privacy

Yodo1 (Yodo1 MAS — Ad Mediation)

Services used: Rewarded video advertising via the Yodo1 MAS mediation SDK, which aggregates multiple advertising networks (including Google AdMob, AppLovin, Unity Ads, ironSource and others).
Data location: Yodo1's and the mediated networks' global infrastructure. Advertising data may be transferred outside the EEA.
Transfer mechanism: Yodo1 and the mediated networks rely on Standard Contractual Clauses (SCCs) and equivalent safeguards for EEA-to-third-country transfers.
Yodo1 privacy policy: https://www.yodo1.com/en/privacy-policy

Google AdMob (Alphabet Inc.) — mediated under Yodo1 MAS

Services used: Rewarded video advertising. AdMob is one of the advertising networks mediated by Yodo1 MAS (see above); it is not integrated directly.
Data location: Google's global infrastructure. Advertising data may be transferred outside the EEA.
Transfer mechanism: Google relies on Standard Contractual Clauses (SCCs) approved by the European Commission for EEA-to-third-country transfers.
AdMob privacy information: https://support.google.com/admob/answer/6128543
How Google uses data from partner apps: https://policies.google.com/technologies/partner-sites

We do not sell your personal data to any third party. We do not share your data with advertisers other than through the Yodo1 MAS SDK (and the networks it mediates, including AdMob) operating on-device.

7. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate data. You can update your in-game alias directly within the app.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). Note that deleting your data will also delete your scores, alias, and league placement.
Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances.
Right to data portability (Art. 20): Request your data in a structured, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interests.
Right to withdraw consent (Art. 7(3)): Where we rely on consent (e.g., personalised advertising), you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint: You may lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) at https://www.aepd.es, or with the supervisory authority in your country of residence.

To exercise any of these rights, contact us at subesubegames@gmail.com with the subject line "Privacy Request". To help us locate your data, include your Firebase UID if you know it (visible in app debug/settings) or describe your in-game alias.

8. Rights for California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Right to know: What personal information we collect, use, disclose, or sell.
Right to delete: Request deletion of personal information we have collected from you.
Right to opt-out of sale: We do not sell personal information. Advertising ID data shared with Yodo1 MAS and its mediated networks (including AdMob) for personalised advertising may qualify as a "sale" or "sharing" under CCPA. You may opt out via your Android advertising settings (see Section 9) or by contacting us.
Right to non-discrimination: We will not discriminate against you for exercising your rights.

To submit a California privacy request, contact us at subesubegames@gmail.com.

9. Advertising and Your Choices

Personalised vs. Non-Personalised Ads

Tiles shows rewarded video advertisements through Yodo1 MAS, which mediates Google AdMob and other advertising networks. In EEA/UK/Switzerland territories, Yodo1's built-in User Messaging Platform (UMP) consent dialog will present a consent prompt on first launch. If you decline personalised advertising, you will continue to see ads but they will not be targeted based on your advertising profile.

Resetting or Limiting Your Android Advertising ID

On Android:

Go to Settings > Privacy > Ads (path may vary by device/OS version).
Select "Reset advertising ID" to generate a new AAID, breaking the link with prior ad data.
Select "Opt out of Ads Personalization" (Android 12 and earlier) or "Delete advertising ID" (Android 13+) to prevent apps from using your AAID for personalised advertising.

Firebase Analytics Opt-Out

Firebase Analytics collection can be disabled by contacting us at subesubegames@gmail.com to request account deletion, which removes the associated Firebase installation. Alternatively, the Analytics data tied to a specific device can be reset by clearing app data in Android Settings.

10. Security

We implement reasonable technical and organisational measures to protect your data:

All communication between the app and our backend uses HTTPS/TLS.
Firebase Cloud Firestore security rules restrict each player to reading and writing only their own data.
Cloud Functions authenticate all requests using Firebase Anonymous Auth tokens before processing them.
Score submissions are validated server-side using anti-cheat timing checks; implausible scores are rejected and logged.
We do not store passwords or financial data.

No method of data transmission or storage is 100% secure. If you believe a security incident has occurred, please report it to subesubegames@gmail.com.

11. Changes to This Policy

We may update this policy as the game evolves. When we make material changes, we will update the effective date at the top of this document. For significant changes, we will provide notice within the app. Continued use of Tiles after the effective date constitutes acceptance of the updated policy.

12. Contact

SubeSubeGames
Email: subesubegames@gmail.com
Website: https://subesubegames.com

← Back to SubeSubeGames