1. Who we are
Cleave is developed and operated by Youssef Chajia, trading as Red Rain, based in Budapest, Hungary (hereinafter "we", "us", or "our"). Youssef Chajia is the data controller within the meaning of the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
Contact: youssefchajia62@gmail.com
2. Scope
This Privacy Policy explains what personal data the Cleave mobile application (iOS and Android) and any associated websites collect, why we collect it, who we share it with, how long we keep it, and what rights you have over it.
3. Data we collect and why
3.1 Anonymous gameplay data (Supabase)
When you play Cleave, we store an anonymous device-level identifier (a randomly generated UUID) alongside your daily puzzle attempt — specifically your score, precision grade, and the date of play. This data does not contain your name, email address, or any information that directly identifies you.
- Purpose: Running the daily leaderboard and delivering tomorrow's puzzle.
- Legal basis (GDPR Art. 6(1)(f)): Legitimate interest in operating a functional daily-puzzle service.
- Stored on: Supabase infrastructure (EU region where available). See Supabase's privacy policy at supabase.com/privacy.
3.2 In-app purchases (RevenueCat, Apple, Google)
Cleave offers a one-time, $4.99 "Remove Ads" in-app purchase. All payment processing is handled exclusively by Apple (iOS) or Google (Android). We receive only a non-reversible purchase receipt and an anonymised customer identifier from RevenueCat; we never see your payment card details or billing address.
- Legal basis (GDPR Art. 6(1)(b)): Performance of a contract.
- RevenueCat privacy policy: revenuecat.com/privacy
- Apple privacy policy: apple.com/legal/privacy
- Google privacy policy: policies.google.com/privacy
3.3 Advertising identifiers (Google AdMob)
If you have not purchased "Remove Ads", Cleave displays rewarded and interstitial advertisements provided by Google AdMob. AdMob may read your device's Advertising Identifier (IDFA on iOS, GAID on Android) to serve personalised ads, measure ad performance, and prevent fraud.
- Legal basis (GDPR Art. 6(1)(a) / CCPA): Consent, collected via the Google UMP (User Messaging Platform) consent dialogue shown on first launch, and via Apple's App Tracking Transparency (ATT) prompt on iOS.
- You can withdraw consent at any time by going to Settings → Privacy → Reset Advertising Identifier (iOS) or by adjusting ad personalisation in the app settings.
- Google AdMob privacy policy: policies.google.com/privacy
3.4 Analytics (PostHog)
We use PostHog for product analytics to understand aggregate engagement (e.g. how many users complete the daily puzzle). Analytics are strictly opt-in — no data is sent unless you choose to help us improve the app in the consent dialogue.
- Legal basis (GDPR Art. 6(1)(a)): Consent.
- Data is anonymised before transmission; we do not track individual users across sessions.
- PostHog privacy policy: posthog.com/privacy
3.5 Local notifications
If you enable daily reminders, Cleave schedules notifications locally on your device using the iOS/Android notification framework. No personal data leaves your device for this feature; all scheduling logic runs entirely on-device.
4. Third-party service summary
| Service | Purpose | Data transferred | Legal basis |
|---|---|---|---|
| Supabase | Backend / leaderboard | Anonymous UUID, score, date | Legitimate interest |
| RevenueCat | IAP entitlement | Purchase receipt, anon customer ID | Contract performance |
| Google AdMob | Advertising | Advertising identifier (consent-gated) | Consent |
| Google UMP SDK | GDPR/CCPA consent UI | Consent choice (stored locally) | Legal obligation (GDPR) |
| Apple ATT | iOS tracking authorisation | Authorisation status (stored locally) | Legal obligation (Apple policy) |
| PostHog | Product analytics | Anonymised events (opt-in only) | Consent |
5. International transfers
Some third-party processors listed above are headquartered in the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on the adequacy decisions applicable to those processors, to ensure an equivalent level of data protection.
6. How long we keep your data
- Gameplay scores (Supabase): Retained for 12 months from the date of play, then automatically deleted.
- Purchase receipts (RevenueCat): Retained for the duration of your entitlement and for up to 7 years for tax and legal compliance purposes.
- Advertising data (AdMob): Governed by Google's retention policies. We do not receive or store advertising data directly.
- Analytics events (PostHog): Retained in anonymised aggregate form for up to 24 months.
7. Your GDPR rights
If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Ask us to correct inaccurate data.
- Right to erasure ("right to be forgotten", Art. 17): Request deletion of your data where no overriding legal ground exists.
- Right to restriction of processing (Art. 18): Ask us to pause processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): Withdraw any consent you have given at any time; withdrawal does not affect the lawfulness of prior processing.
- Right to lodge a complaint: If you believe we have violated your rights, you may lodge a complaint with the Hungarian supervisory authority, the National Authority for Data Protection and Freedom of Information (NAIH) — naih.hu.
To exercise any of the rights above, email us at youssefchajia62@gmail.com with "GDPR Request" in the subject line. We will respond within 30 calendar days.
8. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Know: Request disclosure of the categories and specific pieces of personal information we collect.
- Delete: Request deletion of your personal information.
- Opt-out of sale / sharing: We do not sell personal information. Advertising-identifier sharing via AdMob is consent-gated; you may opt out via the UMP consent dialogue or by disabling ad tracking on your device.
- Non-discrimination: We will not discriminate against you for exercising CCPA rights.
9. Children's privacy
Cleave is not directed at children under 13 years of age (or under 16 where required by applicable law). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has submitted data to us, please contact us at youssefchajia62@gmail.com and we will delete the information promptly.
10. Security
We take reasonable technical and organisational measures to protect your data, including encrypted transport (TLS), row-level security on the Supabase database, and limiting data access to services that strictly require it. However, no method of transmission over the Internet is 100% secure.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified via an in-app notice or an updated "Last updated" date at the top of this page. We encourage you to review this page periodically.
12. Contact
For any questions or requests regarding this Privacy Policy, please contact:
Youssef Chajia (Red Rain)
Budapest, Hungary
youssefchajia62@gmail.com