Supplemental EEA+ Privacy Statement

Introduction

We, Chalcedonx Yazılım Teknoloji Danışmanlık Sanayi ve Ticaret Limited Şirketi ("Chalcedonx"), address this Supplemental EEA+ Privacy Statement to individuals located in the European Economic Area (EEA), United Kingdom (UK) and Switzerland only (collectively, "EEA+"). This document supplements our Chalcedonx Privacy Policy ("Core Privacy Policy") and describes how we process your personal data when you use or interact with our website, online advertisements and mobile games (collectively, our "Services"). If there are any inconsistencies between our Core Privacy Policy and this Supplemental EEA+ Privacy Statement, this Statement prevails.

If you are located in the EEA, the EU General Data Protection Regulation applies to our processing of your personal data, as well as local data protection laws, as the case may be. If you are located in the UK, the UK General Data Protection Regulation applies to our processing of your personal data. References to the "GDPR" are references to the General Data Protection Regulation as it applies in the country where you are located. If you are located in Switzerland, the Swiss Federal Data Protection Act (the "FDPA") applies to our processing of your personal data, and references to the GDPR below shall be interpreted analogously for the purposes of applying the FDPA.

1. Who is the Data Controller?

The data controller is:

Note:If you require assistance, please contact us directly using the contact information provided in Section 11 below.

2. How Can You Contact Our Data Protection Officer?

You may contact our Data Protection Officer at info@chalcedonx.com.

3. What Types of Personal Data Do We Collect and How Do We Collect It?

Please see Section 2 of our Core Privacy Policy for detailed information about the types of personal data we collect and how we collect it.

In summary, we collect:

• Pseudonymized Identifiers: Numeric identifiers generated at installation for various purposes such as game progress, analytics, and support. None of these are your real name or email.
• Parental Information: Only if you activate parental controls (name, email, hashed PIN)
• Analytics Data: Pseudonymized gameplay interaction data
• Security Data: Hashed IP addresses only
• Device Data: ChalcedonX has removed the AD_ID permission from its Android application and does not collect the Android Advertising ID. We may process limited non-identifying device signals (model, OS version, language) needed to deliver non-personalized rewarded ads.
• Analytics Identifier: Google Firebase App Instance ID, generated on your device and used together with our pseudonymized Player ID and Installation ID to attribute analytics events.
• Location Data: Country inferred from IP address (no precise location)
• Transaction Information: Transaction IDs and purchase tokens for purchase validation

4. For What Purposes Do We Process Personal Data? What Lawful Bases Do We Rely On?

The lawful bases of processing include the following:

• Contract Performance Legal Basis: The processing is necessary for us to perform a contract with you or take steps at your request prior to entering into a contract per Article 6(1)(b) GDPR.
• Legal Obligations Legal Basis: The processing is necessary for us to comply with an applicable legal obligation per Article 6(1)(c) GDPR.
• Legitimate Interest Legal Basis: The processing is necessary for us to realize a legitimate interest based on an assessment of that interest and your privacy and other fundamental interests per Article 6(1)(f) GDPR. More information on the balancing test is available upon request.
• Consent Legal Basis: The processing is performed according to your consent per Article 6(1)(a) GDPR. In these cases, you can withdraw your consent at any time with future effect by using the consent settings in our mobile games, or by emailing us at info@chalcedonx.com.

Processing Purposes and Corresponding Legal Bases

Service Provision and Optimization

Purposes:

• To personalize your in-game profile and provide our games (including competitive elements such as leaderboards)
• To ensure that purchases are activated in the games
• To provide player support
• To optimize our games for you and your device
• To deliver customized in-game events, offers and promotions
• To verify your identity and entitlement when you access our Services
• To maintain the safety, security and integrity of our Services
• To ensure internal quality control

Legal Basis: Contract Performance Legal Basis (if there is a contract); otherwise, Legitimate Interest Legal Basis (to optimize and personalize our Services, maintain security, and ensure quality control).

Business Operations

Purposes:

• To manage our organization and its day-to-day operations
• To develop new games and Services
• To measure interest in our Services
• To conduct internal research and analytics

Legal Basis: Legitimate Interest Legal Basis (to operate and optimize our business, improve our Services, and develop new offerings).

Communications

Purposes:

• To communicate regarding Services-related information (confirmations, technical notices, updates, security alerts)
• To respond to your comments and inquiries
• To provide customer support

Legal Basis: Contract Performance Legal Basis (if contractually required); Legal Obligations Legal Basis (if legally required); otherwise, Legitimate Interest Legal Basis (to manage our relationship with you).

Legal Compliance and Security

Purposes:

• To comply with applicable laws and prevent fraud
• To ensure compliance with our Terms of Service
• To defend, exercise or establish our legal rights
• To activate, verify and give effect to parental control settings

Legal Basis: Contract Performance Legal Basis (if contractually required); Legal Obligations Legal Basis (if legally required); otherwise, Legitimate Interest Legal Basis (to comply with laws, prevent fraud, and enforce contracts).

Advertising (Rewarded Ads, Non-Personalized)

Purposes:

• To deliver rewarded video ads inside our games (you watch an ad in exchange for in-game tickets)
• To verify ad completion, prevent fraud and apply frequency capping

No personalized advertising. ChalcedonX has removed the AD_ID permission from its Android application and does not collect the Android Advertising ID. Our ad network is configured to serve non-personalized (contextual) rewarded ads only. We do not build advertising profiles based on your in-game behavior.

Legal Basis: Legitimate Interest Legal Basis. Because our ads are non-personalized and we do not use the Android Advertising ID or profile users, we rely on legitimate interests (delivering an optional, value-exchange feature inside the game that supports our business). To deliver and verify a rewarded ad, we may share with our ad network:

• Limited, non-identifying device signals (device model, operating system version, language, country)
• Ad completion status (used for fraud prevention and frequency capping)

We do not share the Android Advertising ID, your Player ID, your Installation ID, your name, your email address or any directly identifying information with our ad network.

Business Transactions

Purposes:

• To evaluate and enter into a reorganization, restructuring, merger, acquisition, or sale of our business or assets

Legal Basis: Legitimate Interest Legal Basis (to engage in transactions advantageous to our business interests). We will seek your consent if we wish to use your personal data for any new purpose incompatible with those set forth herein.

5. What Categories of Recipients Receive Personal Data From Us?

We may disclose personal data to the following types of third parties:

• Other Users: If you participate in leaderboard competitions, your leaderboard identifier (a pseudonymized numeric ID), rank, and in-game performance metrics will be visible to other players. Your internal identifiers used for support purposes are never displayed publicly.
• Service Providers: Companies that provide IT services, customer support, analytics, and other supporting activities. We have executed appropriate contracts that prohibit them from using personal data except as necessary to perform services on our behalf.
• Disclosures to Protect Rights: Legal advisors and law enforcement authorities when required to comply with legal processes, protect rights and safety, or in connection with legal claims.
• Ad Network (Rewarded Ads): We work with Google AdMob to deliver non-personalized rewarded ads. We share only limited non-identifying signals (device model, OS version, language, country, ad completion status) needed to deliver and verify the ad. We do not share the Android Advertising ID, your Player ID or your Installation ID with AdMob.
• With Your Consent: We may disclose personal data to other third parties with your consent or direction.
• Sale of Assets: We may disclose personal data to potential acquirers of our business assets for evaluating Business Transactions.

6. Where Is Your Personal Data Processed and On What Basis Do We Transfer Personal Data Across Borders?

We may disclose personal data to our processors and advertising technology providers in locations including Türkiye, the United States, and the European Union.

We take measures to ensure that recipients outside the EEA provide an adequate level of data protection by:

• Entering into appropriate data transfer agreements based on Standard Contractual Clauses (including local law amendments where necessary)
• Performing data transfer impact assessments as appropriate

The UK Government and the Swiss Federal Council recognize the EEA as providing an adequate level of protection for personal data. The EU Commission recognizes the UK GDPR and the FDPA as providing an adequate level of protection for personal data.

Data transfer agreements are accessible upon request by contacting us at the details shown in Section 11 below.

7. How Long Do We Process Personal Data?

The length of time for which we retain personal data depends on the purposes for which we collect and use it and how long we need to retain it to comply with applicable laws (including for the purpose of satisfying any legal, regulatory, tax, accounting or reporting requirements), to establish, exercise or defend our legal rights, or to make the data available to judges and courts or the competent public authorities.

If we retain the personal data solely to satisfy legal requirements, we will keep your personal data blocked. This means that we will implement measures to prevent the data's processing, except for making it available to public administrations, judges, and courts if necessary to satisfy legal requirements or address potential liabilities arising from its processing.

Once personal data is no longer necessary for the purposes for which it was collected, to meet legal requirements, in connection with legal rights, or for courts or authorities, we delete it.

8. What Data Protection Rights Do You Have?

In the EEA, Switzerland and the UK you have the following rights, subject to the conditions under the GDPR and/or local data protection law:

• Right to Object: On grounds relating to your particular situation, you may object to the processing of your personal data. This includes the right to object to processing for direct marketing and processing based on legitimate interests or public interest. If we process your personal data based on legitimate interests, you can object and we will cease processing unless we have compelling legitimate grounds or need the data for legal reasons.
• Right of Access: You may obtain confirmation as to whether your personal data is being processed, and request access to details about how we process your personal data and copies of the personal data.
• Right to Rectification: You may obtain the rectification of inaccurate personal data concerning you.
• Right to Erasure: You may ask us to erase your personal data to the extent it is not required for legally required purposes or necessary for security and integrity purposes.
• Right to Restriction: You may request restriction of processing of your personal data, in which case, it would be marked and processed by us only for certain purposes.
• Right to Data Portability: You may receive your personal data which you have provided to us in a structured, commonly used and machine-readable format and transmit it to another entity.
• Right to Withdraw Consent: You may withdraw your consent at any time. This will not affect the lawfulness of our use of your personal data before your withdrawal.
• Right to Lodge a Complaint: You may lodge a complaint with a supervisory authority.

Supervisory Authorities

You may view a list of supervisory authorities and their contact information here:

• EEA: https://edpb.europa.eu/about-edpb/about-edpb/members_en
• United Kingdom: https://ico.org.uk/global/contact-us/
• Switzerland: https://www.edoeb.admin.ch/en/contact-2

Exercising Your Rights

To submit a request to exercise your privacy rights, you can contact us by any method described in the Contact Us section below. In your request, please describe what rights you are exercising and how you would like us to assist.

We may need to request specific information from you to help us verify your identity and that you have the right to request what you are requesting. These are security measures to ensure that we do not disclose personal data to any person who has no right to receive it, or otherwise process the data in unauthorized ways.

How we identify you in our records

ChalcedonX is designed with privacy in mind: we do not collect names, email addresses, phone numbers or other directly identifying information. The only way we can locate the data we hold about you is through your Installation ID and Player ID.

• If you provide these IDs (in the in-app form, or by email), we can locate your records and respond within the timeframes required by the GDPR.
• If you no longer have your IDs, we may be unable to identify your records. Under Article 11 GDPR, where a controller processes data that does not require identification of the data subject, the controller is not obliged to acquire or maintain additional information solely to identify users. In such cases we may be unable to fulfil your request, not because we are unwilling, but because we cannot link any record we hold to you. We will make reasonable efforts to help you locate your IDs (for example, by checking Google Play purchase records or screenshots you can provide) and will tell you clearly if we cannot.

9. Are You Required to Provide Us With Your Personal Data?

You are not legally required to provide personal data to us, but we cannot provide our Services without receiving some personal data from you. If you do not provide certain personal data, you may not be able to use all features of our Services.

10. Children & Article 8 GDPR

ChalcedonX is a primarily child-directed application designed for children ages 7–10. Our processing of children's personal data complies with Article 8 of the GDPR (and the equivalent UK GDPR provisions).

Age of digital consent

The age at which a child can consent to information society services varies between EU member states (between 13 and 16, with 16 being the GDPR default). For children below the applicable age in their country, processing requires the consent of the holder of parental responsibility, except where processing can be justified on another lawful basis with appropriate safeguards.

Lawful bases we rely on for children

• Legitimate Interests (Article 6(1)(f) GDPR): for the limited pseudonymized data we collect to operate the Services (game progress, performance, security, fraud prevention). We have conducted a legitimate interests assessment that takes specific account of the rights and interests of children, with privacy-protective safeguards including pseudonymization, removal of advertising identifiers (AAID and Privacy Sandbox AdServices permissions), absence of behavioral profiling, and absence of personalized advertising.
• Parental Consent (Article 6(1)(a) and Article 8 GDPR): for any processing that requires consent. Parental consent is obtained through the in-app Parental Controls activation flow, where the parent provides their name, email, and creates a PIN whose hash is stored.

What we do not do

• We do not collect children's real names, email addresses, phone numbers, addresses, photos, voice recordings, or precise location.
• We do not use the Android Advertising ID (AAID) — the com.google.android.gms.permission.AD_ID permission is removed from our application.
• We do not use the Privacy Sandbox AdServices identifiers (ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, ACCESS_ADSERVICES_TOPICS) — all three permissions are removed from our application.
• We do not engage in behavioral or interest-based advertising for children.
• We do not build advertising profiles or measure cross-app conversions for children.
• We do not show personalized ads to any user.

Parents' rights

Parents and legal guardians may exercise all the data protection rights described in Section 8 above on behalf of their child. They may also withdraw any consent previously given through Parental Controls at any time. To do so, please use the in-app Parental Controls support form (Settings → Support) or contact us at info@chalcedonx.com. See Section 11 (Contact Us) for the information we need to identify the relevant account.

Reporting concerns

If you believe a child has provided us with personal information without proper parental consent, or you have any concerns about our processing of children's data, please contact us immediately at info@chalcedonx.com. You also have the right to lodge a complaint with your local supervisory authority (see Section 8 above for contact details).

11. How Can You Contact Us?

If you have any questions about our privacy practices, our processing of personal data, or would like to exercise your rights under the GDPR, you may contact us through the channels below.

In-App Contact Form (recommended)

If you still have access to the game, please contact us from inside the application:

1. Open ChalcedonX.
2. Go to Settings → Support.
3. Write your message and tap Send. You will see a confirmation message once it has been sent successfully.

Email

You can also reach us at info@chalcedonx.com. To help us locate your records, please include both of the following in your email:

1. Subject line — start the subject with [ installation_id ] [ player_id ] followed by a short description of your request, replacing the placeholders with your actual IDs.
2. Email body — include your installation_id and player_id again, clearly labelled, along with a description of your request.

Both IDs are visible inside the app under Settings → Support.

Account and Data Deletion

For details on how to request deletion of your account and associated data, see our Account & Data Deletion page.

12. Will We Change This Supplemental EEA+ Privacy Statement?

From time to time, we may revise this Supplemental EEA+ Privacy Statement. When we do so, the changes will be posted and the revised document will be available online and the "Effective Date" above will be revised. We encourage you to periodically review this page for the latest information on our privacy practices.