Privacy Policy

1. Controller Identity and Contact

Aurora Mobi Limited is the data controller for personal data processed under this Policy unless otherwise specified in product-specific notices.

• Company name: Aurora Mobi Limited
• Address: FLAT/RM B 5/F GAYLORD COMMERCIAL BUILDING 114-118 LOCKHART ROAD HK
• General support: support@auroramobi.com
• Business contact: jiayi.li@auroramobi.com

2. Scope of This Policy

This Policy covers information processed through: (a) mobile applications and games distributed through Apple App Store and Google Play; (b) web properties under auroramobi.com; (c) customer support interactions; and (d) enterprise services delivered for clients where Aurora Mobi acts as controller or processor.

3. Categories of Data We Process

3.1 Account and Contact Data

Email address, support ticket content, business inquiry details, and optional profile information when a feature requires account functionality.

3.2 Device and Technical Data

Device model, operating system version, language settings, app version, push token, crash logs, diagnostics, network type, and fraud-prevention signals.

3.3 Usage and Event Data

Session activity, feature interactions, completion events, game progression events, ad impression events, in-app purchase events, and performance telemetry.

3.4 Transaction Data

Purchase status and receipt validation metadata from platform billing channels. We do not receive or store full payment card numbers from App Store or Google Play billing systems.

3.5 Advertising and Attribution Data

Advertising identifiers, attribution identifiers, campaign tags, and conversion events, subject to user choice, platform permissions, and region-specific legal requirements.

3.6 Sensitive Data

Our products are not designed to intentionally collect special category or sensitive personal data. If a user voluntarily discloses sensitive data in support channels, we process it only as necessary to resolve the specific request and delete it under applicable retention rules.

4. Legal Bases for Processing

• Contract performance: delivering requested app functionality, service operation, and user support.
• Legitimate interests: product security, fraud prevention, service reliability, and analytics that do not override user rights.
• Consent: personalized advertising, optional analytics, tracking, or data sharing where legally required.
• Legal obligation: compliance with tax, accounting, consumer protection, and lawful disclosure obligations.

5. Purposes of Processing

• Provide and maintain application and game functionality.
• Deliver customer support and issue resolution.
• Detect abuse, fraud, and technical incidents.
• Measure product quality and optimize user experience.
• Operate IAA and IAP monetization under legal and platform controls.
• Support localization, regional content controls, and legal compliance workflows.

6. Apple App Store Compliance Practices

6.1 Data Minimization and Transparency

For App Store distributed apps, we maintain data collection disclosures aligned with app functionality categories, provide in-product explanations, and avoid collecting data irrelevant to the stated service purpose.

6.2 Tracking and Attribution Controls

Where tracking requires permission, we implement permission prompts with clear pre-permission context, honor user denial choices, and avoid techniques designed to circumvent platform-level restrictions.

6.3 Children and Age Features

For products directed to younger audiences or age-restricted markets, we adjust data flows, disable behaviorally targeted advertising where required, and enforce age-appropriate defaults.

6.4 App Privacy Nutrition Labels

We maintain app-level data declaration records for data used for functionality, analytics, and advertising. Material changes trigger review and update cycles before release.

7. Google Play Compliance Practices

7.1 Data Safety Form Governance

For Google Play distribution, we maintain Data Safety disclosures regarding collection, sharing, purpose, encryption-in-transit, deletion handling, and security practices. Release workflows include checks to keep disclosures synchronized with implementation.

7.2 User Data Policy and Limited Use

Data access is limited to declared product functions, anti-fraud controls, and legal obligations. We do not repurpose user data beyond disclosed purposes without obtaining required legal basis and policy-compliant notice.

7.3 Permissions and SDK Controls

We request runtime permissions only when necessary for core features and use SDK governance reviews to identify excessive data access, unsupported behavior, and policy risks.

8. International Privacy and Data Protection Compliance

8.1 European Economic Area and United Kingdom

For users in the EEA and UK, we support rights under GDPR and UK GDPR, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Cross-border transfers use recognized safeguards such as standard contractual clauses and transfer impact assessments where required.

8.2 Switzerland

For users in Switzerland, processing aligns with the revised Federal Act on Data Protection, including transparency, proportionality, and data security controls.

8.3 United States

For applicable U.S. states, we support rights frameworks that may include knowing, deletion, correction, portability, and opt-out of certain data sharing for targeted advertising. Rights handling is implemented through verifiable request workflows and nondiscrimination principles.

8.4 Canada

For Canadian users, data processing follows fair information principles including accountability, purpose specification, consent where required, limited collection, safeguards, and access rights handling.

8.5 Brazil

For Brazilian users, processing aligns with LGPD principles including adequacy, necessity, transparency, security, prevention, and rights to access, correction, anonymization, portability, and deletion where applicable.

8.6 Mexico and Latin America

Where local laws apply, we implement notice, consent, and rights handling procedures according to jurisdictional requirements, including data transfer restrictions and special treatment for minors.

8.7 Singapore

For Singapore users, processing practices align with PDPA principles including consent management, purpose limitation, notification, correction and access handling, and retention limitation.

8.8 Hong Kong

For Hong Kong users, processing follows Personal Data (Privacy) Ordinance data protection principles, including lawful collection, purpose limitation, accuracy, security, openness, and access/correction mechanisms.

8.9 Mainland China

For users located in Mainland China, processing controls are aligned with PIPL, Data Security Law, and Cybersecurity Law requirements where applicable, including legal basis checks, necessity, and user rights handling for access, correction, deletion, and explanation of automated decisions when required.

8.10 Japan and South Korea

For Japan and South Korea, privacy controls are managed to support local legal obligations related to purpose notification, security controls, overseas transfer handling, and user rights channels.

8.11 Australia and New Zealand

For Australia and New Zealand users, we implement disclosure, lawful use, access, correction, and security safeguards consistent with applicable privacy principles.

9. Age Limits and Child Data Protection

Our services are not intended for children below the minimum legal digital consent age unless explicitly designated as child-appropriate with dedicated controls. We apply age gates and regional compliance logic where required.

• EEA: default digital consent age handling aligned with jurisdictional ranges between 13 and 16 depending on country law.
• United Kingdom: child-design considerations are applied for users under 18 where relevant, including high privacy defaults and restricted profiling.
• United States: additional controls for users under 13 and, where required by state law, under 16 for ad targeting and data sale/sharing restrictions.
• South Korea and other jurisdictions with elevated child protections: enhanced parental notice or consent controls when legally required.

If we learn that personal data has been collected from a child contrary to applicable law, we take corrective actions including account limitation, data deletion, and parental contact workflows where feasible.

10. Data Sharing and Recipients

We may share data with service providers acting under contractual obligations, including cloud hosting providers, analytics and monitoring partners, customer support platforms, and advertising/attribution providers where legally permitted. We require contractual safeguards, purpose limitations, and security controls. We do not sell personal data for independent third-party ownership.

11. Cross-Border Data Transfers

Because we operate globally, data may be processed in multiple jurisdictions. We implement transfer controls including contractual safeguards, access controls, encryption measures, and regional data governance procedures to reduce transfer risk.

12. Retention

We retain data only for as long as needed for the purposes described in this Policy, legal requirements, dispute handling, and security or fraud-prevention needs. Retention periods vary by data category and product lifecycle stage. Deletion or anonymization is performed when data is no longer required.

13. Security Measures

We use administrative, technical, and organizational controls including access management, encryption in transit, secure development workflows, monitoring and alerting, vulnerability remediation, and incident response procedures.

14. User Rights and Requests

You may submit requests to access, correct, delete, port, restrict, or object to processing of your data, depending on local law. To submit a request, email support@auroramobi.com with subject line "Privacy Request" and include your country/region and product name to support lawful handling.

15. Cookies and Similar Technologies

Our web properties may use essential cookies for security and session continuity and optional cookies for analytics and performance improvement where legally permitted. Region-specific consent interfaces may be applied.

16. Automated Decision-Making and Profiling

We may use automated systems for fraud detection, recommendation ranking, and performance optimization. Where local law grants rights related to automated decisions, users may request additional information and review channels.

17. Data Breach Response

We maintain incident response procedures for detection, containment, remediation, impact assessment, and notification obligations. If a breach poses legal reporting obligations, we coordinate notifications to regulators and affected users according to applicable deadlines.

18. Policy Changes

We may update this Policy to reflect legal, product, or operational changes. Updated versions are published on this page with revised effective dates. Material changes may also be communicated through in-product notices when required.

19. Contact for Privacy Matters

For all privacy and data governance inquiries, contact support@auroramobi.com. For enterprise data processing arrangements, contractual privacy and security coordination can be initiated through jiayi.li@auroramobi.com.