PRIVACY POLICY – ECHO OF ELEMENTS

This section contains the Privacy Policy for the mobile game Echo of Elements. Click here to jump to the Privacy Policy for this website.

---

1. Updates to this Privacy Policy

We may update this Privacy Policy from time to time at our sole discretion to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes, we will notify you by posting the updated Privacy Policy on our website at https://echoofelements.com/privacy, and/or through in-game notices, email, or other reasonable means. Changes take effect on the date indicated in the “Last updated” section. Your continued use of the Game after the effective date constitutes your acceptance of the revised Privacy Policy.

---

2. Responsible Entity

Cosmic Crocodile Entertainment UG (haftungsbeschränkt)
Hohe Straße 12, 70174 Stuttgart, Germany
Email (privacy): privacy@cosmic-crocodile.com
Support & data requests: support@echoofelements.com or https://echoofelements.com/support/
Terms of Service: https://echoofelements.com/terms/

---

3. Scope & Relationship to our Terms

This Privacy Policy explains what personal data we process when you play Echo of Elements, why we process it, the legal bases we rely on, how long we keep it, with whom we share it, and your rights under applicable laws (including EU/UK GDPR and U.S. state privacy laws such as CCPA/CPRA). Our Terms of Service govern the use of the Game; where the Terms reference privacy, this Policy controls.

---

4. Account Registration & Authentication

• Google Sign-In: we store only your Google unique ID. We do not collect your Google name, email, or profile picture.
• Sign in with Apple: we store only your Apple user identifier (per-developer user ID). We do not collect your Apple email or name.
• Email + Password (via Back4App / Parse Server): your email is stored in plaintext as a login identifier. Passwords are stored as non-reversible salted hashes by the authentication backend; we cannot view plaintext passwords.
• Guest Account (device-based): a guest account binds to a Unity-provided device identifier (not a MAC address). This identifier may change after OS updates, app reinstalls, or signing-key changes. For reliability and account recovery, we recommend upgrading to a registered account.

Legal basis (GDPR/UK GDPR): Art. 6(1)(b) (contract) to provide the Game; Art. 6(1)(f) (legitimate interests) for security and fraud prevention.

---

5. Children & Age Restrictions

The Game is not intended for children under 13 years of age in any jurisdiction. In the European Union/EEA and the United Kingdom, we observe Article 8 GDPR (and equivalent UK provisions): if a Member State sets a higher minimum age for consent to information society services (e.g., 14, 15, or 16), that higher age applies.

We do not knowingly collect, maintain, or process personal data from users under the applicable minimum age. If we become aware that such data has been provided, we will delete the account and all associated data within 14 days, unless a longer retention is legally required (e.g., to comply with law or to protect vital interests).

For U.S. users, we comply with the Children’s Online Privacy Protection Act (COPPA). Details: https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa .

Parents or guardians who believe their child has provided personal data in violation of this section should contact us immediately at support@echoofelements.com. We will verify the requester’s identity and remove the data as required by law. See also our Terms of Service for further age-related conditions and parental responsibilities: https://echoofelements.com/terms/.

---

6. Categories of Data We Process

• Gameplay & Account Data: account type and identifiers (Google ID / Apple ID / email / device ID for guests), game progress, inventory, virtual currency balances, unlocked content.
• Purchase & Validation Data: store (Apple or Google), product ID, transaction ID, purchase token/receipt, timestamps, and related receipt fields, used strictly to grant/restore entitlements, prevent fraud/“double-purchase” scams, and assist support.
• Crash & Error Reports (optional): only if you enable Send Crash Reports in Settings and confirm the in-game prompt; may include device/OS info, installation ID, stack traces, and developer-defined metadata related to the crash.
• Support Communications: your messages and contact details when you reach out to us (email or support form).

We do not collect analytics/behavioral tracking data and we do not build marketing profiles. Transient IPs may appear in server logs for security/network operations but are not used for profiling.

We do not collect precise location data, contact lists, photos, camera or microphone recordings through the Game.

---

7. Purposes & Legal Bases

• Provide & operate the Game (account creation, save/restore progress, entitlement delivery) — Art. 6(1)(b) GDPR/UK GDPR (contract).
• Security & fraud prevention (purchase validation, abuse/chargeback mitigation) — Art. 6(1)(f) (legitimate interests). You may object where we rely on legitimate interests.
• Support (bug tickets, account help, refunds) — Art. 6(1)(b) and 6(1)(f).
• Crash diagnostics (optional, opt-in) — Art. 6(1)(a) (consent). You can withdraw at any time in Settings.
• Legal compliance (e.g., tax/consumer law, responding to lawful requests) — Art. 6(1)(c) (legal obligation).

Where we rely on legitimate interests (Art. 6(1)(f) GDPR/UK GDPR), you have the right to object to such processing on grounds relating to your particular situation.

---

8. Third-Party Services (Processors/Service Providers)

We use trusted third-party providers to deliver and operate the Game. These providers only process data necessary to perform their services under our instructions and agreements. For details, please review their privacy policies:

Back4App (database & authentication): back4app.com/privacy.pdf
Unity (game services & crash reporting): unity.com/legal/game-player-and-app-user-privacy-policy
MongoDB Privacy Policy: mongodb.com/legal/privacy-policy
Apple (payments & platform services): apple.com/legal/privacy/
Google (payments & platform services): policies.google.com/privacy

---

9. International Data Transfers

We are based in Germany (EU). Our processors may process data outside the EEA/UK/Switzerland (e.g., the United States or other countries). Where such transfers occur, we implement appropriate safeguards such as the EU Standard Contractual Clauses and the UK Addendum (as applicable). If a provider participates in the EU–U.S. Data Privacy Framework, we may rely on it where appropriate. You can request more information about these safeguards or obtain a copy by contacting us using the details above (redactions may apply).

---

10. Security

• Transport encryption: all client–server communications use HTTPS/TLS.
• At-rest protection: our managed databases apply industry-standard protections, including encryption at rest provided by our hosting providers.
• Credential protection: passwords are stored as salted, non-reversible hashes by the authentication backend; we cannot view plaintext passwords.
• Access controls & monitoring: we apply least-privilege access and rely on provider safeguards documented in their privacy and security pages.
• Incident response: in case of a personal-data breach, we notify affected users and, where required, supervisory authorities pursuant to Arts. 33/34 GDPR and other applicable laws.

---

11. Retention & Deletion

• Active accounts: retained while your account is in use.
• Inactive accounts: typically deleted after 12–24 months of inactivity.
• Crash data (opt-in): retained for 14–30 days for debugging; we do not keep separate copies beyond operational needs.
• Purchase/entitlement records: retained as necessary to honor entitlements, defend against chargebacks/fraud, and satisfy legal retention.
• Support tickets: retained for the lifecycle of the request and applicable limitation periods.

In-Game Deletion: You may permanently delete your account at any time directly within the Game. When logged in, tap your profile picture in the Hub (top left), open the Settings via the gear icon, and navigate to Support → Delete Account. You must explicitly confirm the deletion via a toggle. Once confirmed, your account and all associated data will be immediately and irreversibly deleted. This includes all progress, Virtual Goods, and In-App Purchases. No refunds, credits, or recovery are possible after deletion.

Email/Support Requests: Alternatively, you may request deletion by emailing support@echoofelements.com or via https://echoofelements.com/support/. We generally complete such requests within 14–28 days, unless retention is required by law (e.g., transaction records).

---

12. In-App Purchases & Purchase Validation

We validate purchases using receipt/token data from Apple or Google (via Unity IAP) to unlock content, restore entitlements, prevent fraud, and handle support requests. We do not use purchase history for advertising or marketing profiling.

For more information about how our partners handle data, please review their privacy policies:
Unity Privacy Policy for Users: unity.com/legal/game-player-and-app-user-privacy-policy
Apple Privacy Policy: apple.com/legal/privacy/
Google Privacy Policy: policies.google.com/privacy

---

13. Crash Reporting (Opt-In Only)

• Default: disabled.
• Opt-in: enable Send Crash Reports in Settings; you will see an in-game prompt to confirm.
• Opt-out anytime: toggle it off; no further crash data will be sent.
• Retention: Unity’s default retention is 7 or 90 days depending on plan. You can also ask us to request deletion of crash data held by Unity.

Unity Cloud Diagnostics privacy overview: https://docs.unity.com/ugs/en-us/manual/cloud-diagnostics/manual/privacy-overview

---

14. Data Minimization, No Sale/Share, No Profiling

• We process only what is necessary to operate the Game, validate purchases, provide support, secure the service, and (if you opted in) diagnose crashes.
• We do not sell personal information and we do not share it for cross-context behavioral advertising (CPRA “sell/share”: No).
• We do not use automated decisions producing legal or similarly significant effects, and we do not build advertising profiles.

---

15. Your Rights

Subject to conditions and exceptions in applicable law, you may have the right to: access, rectification, erasure, restriction, data portability, and objection (EU/UK GDPR); to withdraw consent at any time (e.g., disable Crash Reports); and, under U.S. state laws (e.g., CPRA/Colorado/Virginia), rights to know, access, delete, correct, and opt-out from sale/share/targeted advertising (not used here). We will not discriminate for exercising rights.

Where U.S. state laws apply, you may designate an authorized agent to make a request on your behalf, and—where provided by law—appeal our decision if we deny your request.

---

16. How to Exercise Your Rights & Complaints

Contact us at support@echoofelements.com or via https://echoofelements.com/support/. We may need to verify your identity. We will respond within statutory timelines. You may also lodge a complaint with your local supervisory authority. Our local authority is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
Postal: Postfach 10 29 32, 70025 Stuttgart, Germany
Phone: +49 711 61 55 41-0 — Email: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de/kontakt-aufnehmen/

---

---

Last updated: 13 August 2025

---