Privacy Policy

1. Overview

Mismatchy (the "App") is a casual mobile spot-the-differences puzzle game published by Melih Özkaş (the "Developer", "we", "us"). This Privacy Policy explains what information the App and its third-party components handle, why, and what choices you have. It applies to the iOS and Android versions of Mismatchy.

We do not have user accounts. We do not ask for your name, email, or phone number. The App keeps your progress on the device. Data that leaves your device goes only to the third parties that make the App work: Apple or Google for store operations and payment processing, Google AdMob for ads, RevenueCat for purchase receipts, Meta (Facebook) for measuring whether our Instagram and Facebook ad campaigns brought you to the App, and our backend (which only delivers the level catalogue, never personal information). Each of these flows is described in detail below.

2. What we collect

Stored locally on your device

The following is stored only on your device using standard sandboxed storage. It never leaves your phone unless you back up your device to iCloud or Google Drive, in which case the backup is governed by Apple's or Google's policy, not ours.

• Per-level records: lowest number of wrong taps and fastest completion time for each level you have cleared.
• Coin balance.
• The last level you opened, used to drive the "where you left off" continue card.
• A local copy of the level catalogue JSON, cached for offline play.
• A flag noting whether the first-run zoom tip has been seen.
• Selected language, music track, music and sound-effect volumes, mute state.

Sent to our content backend

The App fetches the level catalogue (puzzle images and difference coordinates) from a backend operated by the Developer at rehberce.com. The request is authenticated with a build-time API key that identifies the App itself, not you. The backend records standard web-server logs (request timestamp, IP address, user-agent) for operational diagnostics and abuse prevention. These logs are retained for up to 30 days and are never linked to a user account, because there are no user accounts.

Information processed by Apple or Google for store operations

When you install or update the App, Apple's App Store or the Google Play Store handles the transaction. They may collect device identifiers, country, language, and aggregated install/uninstall metrics. We do not control or directly access that data. See Apple's Privacy Policy and Google's Privacy Policy.

Diagnostic information shared with Google AdMob

When the App requests an ad, Google's AdMob SDK collects standard advertising signals (advertising identifier where allowed, IP address, approximate location derived from IP, device model and OS version, app version, ad interaction events). This is used to serve and measure ads. We do not see individual user-level data from AdMob.

Purchase and entitlement data shared with RevenueCat

When you tap "Buy" on a coin pack or the No Ads / Ultimate Pack, the App routes the purchase through RevenueCat, which acts as an intermediary between the App and Apple's StoreKit or Google Play Billing. RevenueCat receives the store transaction receipt, an anonymous device-bound identifier, the product identifier, and the locale-priced amount you paid. It uses this to validate the receipt, sync your entitlement (for example, the No Ads upgrade) across your devices on the same store account, and provide us aggregate analytics. RevenueCat does not receive your card number or billing address — those stay with Apple or Google.

Attribution events shared with Meta (Facebook & Instagram)

If you arrived at the App from a Facebook or Instagram ad, Meta needs to know that the ad worked. The App integrates Meta's official mobile SDK to send a small set of events: app install, app open, purchase (with the localized amount and currency), and a few engagement milestones (completing the tutorial, reaching level 10, 20, 30 …). The SDK also reads your operating system's advertising identifier (IDFA on iOS, GAID on Android) where you have allowed it. On iOS, the App requests permission via Apple's App Tracking Transparency framework on first launch; if you decline, Meta receives only privacy-preserving aggregated attribution via Apple's SKAdNetwork.

3. What we don't collect

• Your name, email address, phone number, or photo.
• Your contacts, calendar, microphone, or camera.
• Your precise GPS location.
• Health, financial, or biometric data.
• Account credentials — there are no accounts to create.
• Browsing history outside the App.
• The content of any messages or other apps on your device.

4. How we use information

Local data on your device is used solely to make the App work: remembering your records, your language and audio preferences, your coin balance, which levels you have cleared, and which in-app purchases you own. Backend traffic is used only to deliver the level catalogue and the associated puzzle images. Information that flows to Apple, Google, Google AdMob, Meta, or RevenueCat is used by them — on our behalf or as independent data controllers — to operate the store, process payments, serve and measure ads, attribute installs to advertising campaigns, sync purchase entitlements across devices, and detect fraud. We do not sell, rent, or share user-level data with anyone outside this list.

5. Third-party services

6. Advertising and tracking

The App shows ads from Google AdMob to support free distribution (unless you have purchased the No Ads or Ultimate Pack upgrade). Two formats appear:

• Interstitial ads: shown briefly when you enter a level (after level 1) and when you advance to the next level from the win screen.
• Rewarded interstitial: opt-in only. Tap "Rewarded ad +5" on the level-complete screen to watch a short video and earn five bonus coins. If you do not tap, no rewarded ad is shown.

On iOS, the App requests permission via Apple's App Tracking Transparency framework on first launch. If you decline, ads still appear but they are not personalised based on cross-app behaviour.

On Android, you can reset or delete your Advertising ID from Settings → Google → Ads. Limit personalised ads from the same screen.

To opt out of personalised advertising in EU/EEA regions, the App presents Google's UMP consent flow. You can re-open this flow anytime by reinstalling the App or clearing its data.

Separately from the AdMob ads served inside the App, we also run ad campaigns elsewhere — primarily on Facebook and Instagram. The next section explains exactly what data the Meta SDK sends back to Meta so those campaigns can be attributed and measured.

7. Meta (Facebook & Instagram) attribution

We run Instagram and Facebook ad campaigns to find new players for Mismatchy. Meta needs to know which ads actually work, so the App ships Meta's official mobile measurement SDK (facebook_app_events). The SDK sends Meta a small fixed set of events:

• App install — sent once on first launch, used to credit the install to the ad you clicked.
• App open — sent on every launch, used to measure retention.
• Purchase — sent when an in-app purchase succeeds, with the localized amount, currency, product identifier, and how many coins were credited.
• Tutorial completion — sent the first time you clear level 1.
• Level milestone — sent when you clear level 10, 20, 30, … (every tenth level), at most once per milestone per install.

Alongside these events, Meta receives standard mobile attribution signals: the operating system's advertising identifier (IDFA on iOS, GAID on Android) where you have allowed it, IP address, device model, OS version, app version, and locale. We do not forward your name, email, contacts, gameplay history, or any sensitive data.

iOS — App Tracking Transparency. On iOS 14.5 and later, Apple gates the advertising identifier behind the App Tracking Transparency framework. The App will show you the standard system dialog the first time it launches. If you tap Allow, Meta receives your IDFA. If you tap Ask App Not to Track, Meta receives only Apple's privacy-preserving SKAdNetwork postback (an aggregated, delayed signal that does not identify you). You can change this choice at any time in Settings → Privacy & Security → Tracking.

Android. Android does not have an ATT-style consent dialog at the operating-system level. You can reset or delete your Advertising ID, or turn off personalised ads entirely, from Settings → Google → Ads.

Meta processes the events above under its own privacy policy and its Business Tools Terms. To exercise data-protection rights against Meta directly (for example, to request deletion of attribution data Meta holds about you), use the controls inside the Facebook or Instagram apps under Settings → Privacy.

8. In-app purchases

Mismatchy offers six optional in-app purchases: three consumable coin packs (75, 250, and 600 coins), a non-consumable "No Ads" upgrade (with two price tiers — a launch-window introductory price and the standard price), and a non-consumable Ultimate Pack that bundles 1,750 coins with the No Ads upgrade. None of these purchases are required to play the App.

Payment is processed entirely by Apple's App Store or by Google Play. We do not see your card number, billing address, or any payment details. The App and our intermediary (RevenueCat) receive only:

• The product identifier (for example, mismatchy_ultimate_pack) so the App knows what to unlock.
• The localized amount and currency you paid, used solely to tell Meta and our analytics that the purchase happened.
• A store-issued purchase token used to validate the receipt with Apple or Google.
• An anonymous device-bound identifier issued by RevenueCat so the same purchase can be restored on a new device under the same store account.

Coin balances are kept on your device only and do not survive uninstalling the App. The No Ads / Ultimate Pack entitlements, however, are bound to your Apple ID or Google account and can be restored on any device with the Restore Purchases button inside Settings.

9. Children

Mismatchy is suitable for general audiences but is not specifically directed at children under the age of 13 (or the equivalent age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided personal information through the App, please contact us and we will work with the relevant platform to delete it.

10. Your rights (GDPR / CCPA)

If you are a resident of the European Economic Area, the United Kingdom, Switzerland, or California, you have the right to:

• Access the personal data processed about you.
• Request correction or deletion of inaccurate data.
• Restrict or object to certain processing.
• Withdraw consent at any time (where consent is the legal basis).
• Lodge a complaint with your local data protection authority.

Because we do not maintain user accounts, the personal data we directly hold about you is effectively limited to what is on your device and short-lived server logs. To exercise any of these rights against the third parties listed above (Apple, Google, Google AdMob, RevenueCat, Meta), please follow their published procedures linked in section 5.

11. Data retention and deletion

Local data on your device is retained until you uninstall the App or clear its storage from system settings. Backend request logs are retained for up to 30 days. RevenueCat retains your purchase history for as long as the store keeps the corresponding receipt, so you can restore non-consumable purchases on a new device. Meta retains attribution events under its own retention policy, typically up to two years for ad-measurement purposes. There is no other server copy of your gameplay.

12. How to delete your data

Because the App does not maintain a user account, there is very little personal data tied to you that needs deletion. To wipe what exists, take the following steps:

1. Delete the App.
   • iOS: long-press the app icon → Remove App → Delete App. This removes every coin balance, record, and cached file.
   • Android: Settings → Apps → Mismatchy → Storage → Clear data, then uninstall the app.
2. Revoke advertising tracking. Reset or delete your IDFA (iOS: Settings → Privacy & Security → Tracking; Settings → Privacy & Security → Apple Advertising → Personalized Ads Off) or your GAID (Android: Settings → Google → Ads → Reset/Delete advertising ID).
3. Ask Meta to delete attribution data. Inside the Facebook app: Settings & Privacy → Settings → Off-Facebook activity → Manage your off-Facebook activity → Clear history. Mismatchy will appear in the list if your install was attributed to a Meta ad.
4. Ask us to delete server-side data. Email melihozkass@gmail.com with the subject "Delete my data — Mismatchy". Include the approximate first-install date so we can locate the related backend log entries. We will confirm deletion within 30 days as required by GDPR Article 17. Backend logs are auto-rotated after 30 days regardless.

13. Security

We follow standard mobile-app security practices: data on your device is sandboxed by the operating system; backend, ad, and store traffic uses HTTPS managed by us, Apple, Google, and AdMob. No system is perfectly secure, and we cannot guarantee absolute security of information transmitted to or processed by third-party services.

14. Changes to this policy

We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the most recent revision. If we make material changes, we will indicate them clearly when you next open the App.

15. Contact

Questions, concerns, or requests under data-protection law can be sent to:

Melih Özkaş
Email: melihozkass@gmail.com