Privacy Policy

Effective date: 2026-06-01 · Last updated: 2026-06-01
Operator: strykowski-lab · Contact: support@make10.io

This Privacy Policy explains what data Make10 ("the App", "we", "us") collects, why we collect it, how long we keep it, and the choices you have. It is written to be globally compliant — including the EU GDPR, California (CCPA/CPRA), Australia (Privacy Act / APPs), the UK (UK GDPR), Brazil (LGPD), and Canada (PIPEDA) — and to default to the strictest standard where laws differ.

1. The short version

We deliberately collect as little personal data as possible.
Your age is the only personal field we treat as essential. We use it to keep younger players safe and to comply with child-safety laws.
Gender is optional and only used as an anonymous demographic signal for product decisions.
We do not sell your personal data. We never will.
You can download all of your data from inside the App at any time (Settings → Account management → Download my data).
You can delete your account at any time (Settings → Account management → Delete account). Deleting your account removes your personal data. Some anonymised, non-identifying play statistics are retained (see §7).
Chat content is retained for a limited period in case of abuse reports (see §6).

2. What we collect

2.1 Account data (required to use online features)

Field	Purpose	Retained until
Username	Identifying you to other players in chat / leaderboards	Account deletion
Email address	Account recovery, password reset, security notices	Account deletion
Password (hashed)	Authentication	Account deletion
Date of birth	Age-gating safety features (chat, DMs, ads) and parental-consent compliance	Account deletion (then derived "is over 13" flag is retained anonymously per §7)
Sign in with Apple identifier (if used)	Authentication	Account deletion

2.2 Optional profile data

Field	Purpose	Retained until
Gender	Anonymous demographic for product decisions	Account deletion
Country flag	Display next to your name	Account deletion
Avatar (symbol + colours)	Display next to your name	Account deletion
Clan membership	Display + clan war participation	You leave the clan or delete account
Friends list	Friend invites + private messages	You remove the friend or delete account

2.3 Gameplay data

Field	Purpose	Retained until
Per-mode best scores	Leaderboards and Solver Profile display	Account deletion
Match history (mode, score, opponent, outcome)	Display in your Match History view	Account deletion
ELO / trophy points	Matchmaking + leaderboards	Account deletion
Game-mode play counts and durations	Internal analytics so we know which modes to improve	Indefinitely as anonymised aggregates (§7)

2.4 Chat and social content

Field	Purpose	Retained until
Chat messages (global / clan / DM)	Show them to recipients	90 days after sending (then deleted), OR until the channel is deleted, OR until you delete your account — whichever is sooner. We may retain messages longer if the message has been reported and is under review (see §6).
Reports you file or receive	Safety review	12 months after the report is closed
Chat moderation actions (mutes, bans)	Enforce the rules	Until the action expires + 90 days

2.5 Device + analytics

Field	Purpose	Retained until
Approximate location (country only, derived from IP)	Demographic analytics, server region routing	30 days at row level; indefinitely as aggregate
Device model + iOS version	Crash diagnostics and analytics	90 days at row level (Firebase default)
APNs device token (if you enabled notifications)	Sending you friend-challenge invites and war-end alerts	Removed when you sign out, disable notifications, or delete account
Crash reports (Firebase Crashlytics)	Diagnosing crashes	Firebase default (~90 days)
Analytics events (Firebase Analytics)	Understanding which features get used	Firebase default (≤ 14 months)
AdMob identifiers (IDFA, if you opted in)	Ad targeting and frequency capping	Per AdMob's policy; revocable in iOS Settings → Privacy → Tracking

2.6 Purchase data

Field	Purpose	Retained until
Apple in-app purchase transaction IDs and product IDs	Granting your purchase + subscription entitlements	Indefinitely (legal record-keeping)
Subscription start / expiry / renewal status	Granting subscriber benefits	Indefinitely (legal record-keeping)

We never see your full payment details — Apple handles payment and only gives us the transaction record. Refer to Apple's privacy policy for how Apple handles payment.

3. Children's privacy

Make10 is rated for ages 4+ in the App Store, but online communication features (global chat, clan chat, clan mail, private messages) are restricted to users aged 13 or older.

Players under 13 (verified by date of birth at sign-up) cannot access global chat or clan chat.
Players under 13 cannot send or receive clan mail.
Players under 13 and guests (anyone who hasn't signed in) only see non-personalised, non-tracking ads.
We do not knowingly collect any data from children under 13 beyond what is needed to operate single-player gameplay locally on their device. If you believe a child under 13 has signed up and shared personal information, contact us at support@make10.io and we will delete the account.

4. How we use your data

We use the data above to:

Run the App's core features (gameplay, accounts, leaderboards, chat, matchmaking, clans, friends).
Enforce community safety (moderation, age-gating).
Diagnose crashes and improve the App (Crashlytics, Analytics).
Show ads (AdMob) to non-subscribers.
Communicate transactional emails (account verification, password reset, security notices) via Resend.
Comply with legal obligations (tax records for purchases, response to lawful requests).

We do not:

Sell or rent your personal data.
Use your data to build profiles for advertisers outside of AdMob's on-device frequency capping.
Share your chat content with anyone outside strykowski-lab except when required to respond to lawful legal process.

5. Who we share data with

We share the minimum data necessary with the following processors, each of whom is contractually required to protect your data:

Processor	What they receive	Where
Supabase (hosting + database)	All account data and gameplay data	EU / US / Asia-Pacific
Firebase (Google) — Analytics + Crashlytics	Anonymous analytics events, crash logs, device identifiers	Google data centres
AdMob (Google)	Ad-related identifiers (IDFA if you opted in; otherwise non-personalised request)	Google data centres
Resend	Email address and the content of transactional emails we send you	US / EU
Apple	StoreKit purchase data and APNs push tokens	Apple data centres
Cloudflare	DNS resolution for `make10.io` and our email routing	Globally

Each of these processors has its own privacy policy; you can find them linked from their websites.

We may also disclose data when required by law (subpoena, court order, legal process) or to investigate fraud / abuse / threats to user safety. We will challenge legal demands we believe are overbroad.

6. Chat retention specifically

Chat is retained for 90 days to allow time for moderation reviews, then permanently deleted from active storage. Messages that have been reported within that window are retained until the report is closed (maximum 12 months) and then deleted unless retained longer for legal reasons.

Deleting your account immediately removes your own messages from display ("Message deleted by user"). The original message text remains in backups for the rolling 90-day backup window before being purged.

7. Account deletion specifically

When you delete your account (Settings → Account management → Delete account):

Removed immediately:

Username
Email address
Password
Date of birth
Gender (if you set it)
Country flag
APNs device tokens
Clan membership
Friends list and pending friend requests
Private messages you sent (displayed as "Message deleted by user" to the recipient; permanently purged after 30 days)
Avatar customisations
Username colour / cosmetic selections

Retained, anonymised:

Aggregate play-mode statistics (which modes you played, how often, for how long) with no link back to your real identity. Used to make product decisions.
Trophy / leaderboard score history, attributed to a "deleted user" placeholder so historic match results stay consistent.
A derived "was over 13 at last play" flag (true/false), kept for demographic analytics. The date of birth itself is removed.

Retained for legal reasons:

In-app purchase records (transaction ID + product ID + date), required by Apple and tax/accounting law in most jurisdictions.

You can request export of all your data BEFORE deletion via Settings → Account management → Download my data (returns a JSON archive). After deletion we cannot provide a re-download because the personal identifiers are gone.

8. Your rights

Depending on where you live, you have some or all of these rights:

Access: see what we hold about you (use Download my data).
Rectification: correct inaccurate data (edit in-app).
Erasure: delete your account.
Restriction: ask us to limit processing (email us).
Portability: Download my data returns a machine-readable JSON.
Object to processing: opt out of analytics (Settings → Account management → Analytics) and ad tracking (Settings → Account management → Tracking, or iOS Settings → Privacy → Tracking).
Withdraw consent: for anything based on consent (e.g. ad tracking) at any time.
Complain: to your local data protection authority.

We respond to verified requests within 30 days. Email support@make10.io.

9. International transfers

Your data may be processed outside your country of residence (notably in the EU and US, depending on which Supabase region your account is hosted in). We rely on Standard Contractual Clauses and our processors' equivalent transfer mechanisms for transfers out of the EU/UK.

10. Security

All data in transit is encrypted with TLS 1.2+.
Passwords are hashed with bcrypt (Supabase Auth default).
Apple App Store receipt validation runs server-side; we never trust client-supplied entitlement claims.
Supabase Row Level Security policies enforce that you can only read / write your own data unless explicitly broadened.
Service-role keys (full database access) live only in server-side Supabase Edge Function environment variables, never in the iOS app.

We will notify affected users without undue delay (and within 72 hours where required by law) of any data breach that creates a meaningful risk to your rights.

11. Changes to this policy

Material changes will be notified in-app at next sign-in. Continuing to use the App after a notified change constitutes acceptance. Non-material edits (typo fixes, clarifications) are made silently and noted in the version history of this document.

12. Contact us

strykowski-lab
support@make10.io