Privacy Policy

Effective date: 2026-05-13
Last updated: 2026-05-13

Data controller

The party responsible for the processing of your personal data under the EU GDPR and the Swiss FADP is:

Sierco Böhler
Waldstrasse 37
4562 Biberist
Switzerland

Email: hello.dottrack@outlook.com
Web: https://dottracks.app

DotTracks ("we", "us", "our") respects your privacy. This policy describes what data the app collects and how it is used.

EU/UK representative

DotTracks is based in Switzerland and is currently made available through Google Play. If and to the extent that GDPR Art. 3(2) or UK GDPR Art. 3 applies — for example, where the app is offered to users in the EU/EEA or the UK in a way that qualifies as offering goods or services or monitoring behaviour — the corresponding obligations apply. Based on our current limited, occasional, low-risk processing and the fact that we do not process special categories of personal data, we currently rely on the exemption under GDPR Art. 27(2)(a) and UK GDPR Art. 27(2)(a), and have not appointed an EU or UK representative. We will appoint a representative before actively targeting users in the EU/EEA or the UK if and to the extent no exemption is available. Until then, users may contact the controller directly at hello.dottrack@outlook.com.

Scope of this policy

This Privacy Policy applies to:

the DotTracks Android app (package id com.dottracks.app)
the website https://dottracks.app
and any other DotTracks-branded property operated by the data controller named above.

It does not apply to third-party websites or services that we may link to (for example, the Google Play Store or Google's own services). Those have their own privacy policies, which you should read separately.

Website data. When you visit https://dottracks.app, our hosting provider (Vercel) may process technical access logs such as IP address, browser type, requested page, date and time of access, and error logs for security, availability, and abuse prevention. We do not use website analytics or marketing cookies unless this is stated separately and, where required, consent is obtained.

What we collect

DotTracks uses Firebase services (operated by Google Ireland Limited) to back up your gameplay progress and to understand how the app is used. The following data is processed:

Pseudonymous user identifier — a random Firebase user ID automatically generated on first launch. It is not linked to your name, email address, phone number, or login account. If you uninstall the app or clear app data, this identifier may be lost and your cloud-saved progress may no longer be recoverable. Because the identifier is persistent across app sessions on the same device, it qualifies as pseudonymous (not anonymous) personal data under GDPR Art. 4(5).
Completed level IDs — which levels you have solved.
Firebase Authentication and backend connection data. Whenever the app communicates with our cloud infrastructure (Firebase Authentication, Cloud Firestore), Google may automatically process technical connection data such as your IP address, user agent strings, and the Firebase Android App ID, to route traffic, authenticate the app instance, prevent abuse, and secure the service. This processing happens for basic app functionality and is not dependent on analytics consent.
App usage events (only after analytics opt-in) — screen views, basic interaction counters, app version, device model, OS version, country, language, approximate location (country and, where available, city) derived from your IP address by Firebase Analytics, and analytics identifiers generated by Firebase Analytics such as the Firebase Installation ID and App Instance ID.
Approximate location (country and, where available, city) derived from your IP address by Firebase Analytics, only when you have given analytics consent. We use this to understand the geographic distribution of our users at an aggregate level. We do not collect precise GPS location.
Crash reports. We currently do not collect crash reports. If we enable crash reporting in a future update, we will update this Privacy Policy and the applicable app store privacy disclosures before or at the time the feature is enabled.

Note: Firebase "anonymous sign-in" is the technical name of the Firebase authentication method. It does not mean that the data is anonymous under privacy law. The Firebase UID and related app data are treated as pseudonymous personal data where applicable.

We do not collect direct identifiers such as your real name, email address, phone number, contact list, photos, or precise location. However, the pseudonymous Firebase identifier, gameplay progress, analytics events, and technical device information may qualify as personal data under applicable privacy laws.

How we use your data and our legal basis

We process your data only for the purposes listed below, and only when one of the legal bases set out in Art. 6(1) of the EU GDPR applies. Under the Swiss FADP, we process personal data in accordance with the principles of transparency, purpose limitation, proportionality, data security, and good faith.

1. Saving and backing up your gameplay progress

Data used: pseudonymous user identifier, completed level IDs.
Purpose: Save your progress in the cloud while the same pseudonymous Firebase user ID remains available on your device. If you uninstall the app, clear app data, change devices, or lose the pseudonymous user ID, we may be unable to reconnect you to the saved progress.
Legal basis: Performance of the service requested by you — GDPR Art. 6(1)(b) / UK GDPR Art. 6(1)(b) — because saving gameplay progress in the cloud is necessary to provide the progress-backup functionality of the app. DotTracks uses Firebase anonymous sign-in automatically on first launch; this is a technical pseudonymous identifier and not a user account requiring a name, email, or password.

2. App usage analytics

Data used: app version, device model, OS version, country, language, screen views, basic interaction counters — collected via Firebase Analytics.
Purpose: Understand which levels are too hard or too easy, identify drop-off points, and improve the game design.
Legal basis: Your consent — GDPR Art. 6(1)(a). Firebase Analytics is disabled by default. We only store or access analytics-related identifiers or information on your device after you give prior consent in the first-run consent dialog, as required under applicable ePrivacy/PECR rules. You can withdraw analytics consent at any time in Profile → Analytics in the app. After withdrawal, Firebase Analytics is disabled for future events. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

3. Stability and bug fixing (only if and when enabled)

Data used: pseudonymous crash and error reports.
Purpose: Diagnose and fix bugs and crashes.
Legal basis: Our legitimate interest in providing a stable app — GDPR Art. 6(1)(f). This interest is balanced against your right to privacy by using only pseudonymous reports for technical purposes. You may object to this processing at any time by contacting us at hello.dottrack@outlook.com.

We do not sell, rent, or share your data with advertisers or third parties for marketing.

Storage and security

Data is stored on Google Cloud servers (region: europe-west6, Zurich, Switzerland). Access control. Firebase Security Rules are configured so that data linked to a pseudonymous Firebase UID can only be read or written by an authenticated app instance using that UID, subject to the limits of Firebase Authentication, device security, and our backend configuration. Communication between the app and Google's servers is encrypted in transit (TLS), and the data is encrypted at rest by Google Cloud's default storage encryption.

We apply commercially reasonable administrative, technical, and physical safeguards. However, no information system can be completely secure, and we cannot guarantee that unauthorized access, hardware or software failure, or other factors will never compromise the security of your data. If you become aware of an actual or suspected security incident affecting your data, please notify us at hello.dottrack@outlook.com without undue delay. If we become aware of a personal data breach, we will assess our notification obligations and, where legally required, notify the competent authority within the applicable legal deadline — including without undue delay under Swiss FADP, and generally within 72 hours after becoming aware of the breach under EU GDPR or UK GDPR — and affected users where required.

When we share or disclose your data

We do not sell, rent, or share your data with advertisers or third parties for marketing purposes. Disclosure is limited to the following narrow cases:

Service providers (processors). Google Ireland Limited and Google LLC operate the Firebase infrastructure (Authentication, Cloud Firestore, Analytics) that stores and processes your data on our behalf, under data processing agreements that bind them to GDPR-compliant terms. Google may also process certain service/diagnostic data independently according to its own privacy policy and service terms.
Google entities. Depending on the Firebase service and your location, Firebase services may be provided by Google Ireland Limited, Google LLC, or other Google affiliates acting as processors, subprocessors, or — for certain service/diagnostic data — independent controllers under Google's applicable terms and privacy policy.
Vercel (website hosting). Vercel Inc. processes technical access logs and hosting-related data for https://dottracks.app — including IP address, request timestamps, user agent, and error logs — for website hosting, security, availability, and abuse prevention.
Legal obligations. We may disclose data where required by a valid legal obligation, court order, subpoena, regulatory request, or other comparable lawful measure issued by a competent authority — whether in Switzerland, the EU/EEA, the United Kingdom, or another jurisdiction with valid legal authority over us or our processors. Where lawful and feasible, we will notify the affected user in advance.
Business transfers. If the controller's activities are succeeded by another legal entity (sale, merger, restructuring, or estate succession), your data may be transferred to the successor. You will be notified before any change of purpose and may object before any new processing begins.
With your specific consent. For any other purpose only with your prior, freely given, specific, informed, and unambiguous consent — which you may withdraw at any time.

How long we keep your data

Data category	Retention period
Gameplay progress. Kept until you request deletion. We do not currently delete inactive accounts automatically, and we are working to implement an inactivity-based deletion policy.	Until you request deletion
Firebase Analytics events. Event-level data is retained for 14 months after collection (the configured Firebase/Google Analytics retention setting). After 14 months, event-level records are deleted; aggregated reports may remain in non-identifiable form.	14 months
Crash reports (when enabled in a future update)	90 days (Firebase Crashlytics default), then automatically deleted
Pseudonymous user identifier	Same as gameplay progress — deleted together

When you use Profile → Delete account & data, the app first uses your current pseudonymous Firebase user ID to request server-side deletion of the cloud-saved progress linked to that UID. After the server-side deletion request is submitted, the Firebase user ID is deleted, local app data on the device is cleared, and a fresh anonymous ID is generated so the app keeps working. Server-side deletion is normally completed without undue delay and in any event within 30 days, after which backup residual copies are removed per our backup retention schedule. Analytics data that has already been aggregated cannot be re-attributed and therefore cannot be selectively deleted, but the underlying raw event records expire on the schedule above.

Backup residual data. Residual copies of deleted Personal Data may remain in encrypted Firebase / Google Cloud backups for up to 30 days after deletion (consistent with Cloud Firestore's default Point-in-Time Recovery and managed backup retention). Such residual copies are not actively processed and are not restored except where necessary for security incident response, disaster recovery, or compliance with a legal obligation.

Analytics deletion limits. Firebase Analytics events are linked to Firebase Analytics identifiers (e.g. App Instance ID), which are not always directly linkable to your in-app pseudonymous user ID. Where we can reasonably identify analytics data linked to you, we will delete it where legally required and technically feasible. Aggregated, non-identifiable reports cannot be re-attributed to an individual user and may be retained for product analytics.

Reasons we may retain data beyond the stated periods:

Legal obligation — where we are required by law to retain specific data (e.g. financial records for tax authorities if in-app purchases are introduced).
Legal claims — where data is necessary to establish, exercise, or defend legal claims.
Your explicit request — where you ask us to retain specific information.
Technical/backup limitations — where data temporarily exists in encrypted backup systems awaiting scheduled deletion.

International data transfers

Although your gameplay data is stored in Switzerland, Google LLC (United States) may need to access it for technical support and maintenance.

Our service providers — including Google/Firebase and Vercel — and their subprocessors may process or access personal data from countries outside Switzerland, the EU/EEA, or the UK, including the United States.

Where Google LLC's DPF certification covers the relevant transfer, we rely on the applicable EU-US, Swiss-US, or UK Extension to the Data Privacy Framework. Where a transfer is not covered by an adequacy mechanism, we rely on the applicable Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum or equivalent UK safeguards, and supplementary technical, contractual, or organisational measures where required.

You may obtain copies of these safeguards by contacting us.

Your rights

Under the EU GDPR, the UK GDPR, and the Swiss FADP, where applicable, you may have the following rights:

Right of access (GDPR Art. 15 / FADP Art. 25) — confirmation of what data we hold and a copy of it.
Right to rectification / correction. Because DotTracks stores only pseudonymous completed-level records, correction is generally limited to deleting or resetting incorrect entries linked to your verified pseudonymous user ID. (GDPR Art. 16 / FADP Art. 32(1).)
Right to erasure (GDPR Art. 17 / FADP Art. 32(2)) — deletion of your data ("right to be forgotten"). In the DotTracks app, you can exercise this right directly via Profile → Delete account & data. When you use Profile → Delete account & data, the app first uses your current pseudonymous Firebase user ID to request server-side deletion of the cloud-saved progress linked to that UID. After the server-side deletion request is submitted, the Firebase user ID is deleted, local app data on the device is cleared, and a fresh anonymous ID is generated so the app keeps working. Server-side deletion is normally completed without undue delay and in any event within 30 days, after which backup residual copies are removed per our backup retention schedule.

For users who have already uninstalled the app: If you have uninstalled DotTracks and cannot use the in-app deletion flow, you may request deletion by emailing us at hello.dottrack@outlook.com. To process the request, please include your pseudonymous Firebase user ID (visible in Profile → About in the app before uninstall) so we can identify the data linked to you. If you no longer have the ID, we may be unable to verify the request. See also our Data Deletion page for the full procedure.
Right to restriction of processing (GDPR Art. 18) — temporarily block processing while a dispute is resolved.
Right to data portability: where applicable and technically feasible, we can provide the completed-level records linked to your verified in-app pseudonymous user ID in a structured, commonly used, machine-readable format.
Right to object (GDPR Art. 21 / FADP Art. 30) — object to processing based on our legitimate interest.
Right to withdraw consent (GDPR Art. 7(3)) — withdraw at any time the consent you gave for analytics. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right not to be subject to automated individual decision-making (GDPR Art. 22) — we do not carry out such decision-making.
Right to lodge a complaint with a supervisory authority (GDPR Art. 77 / FADP Art. 49) — see the list below.

To exercise any of these rights, contact us at hello.dottrack@outlook.com. We will respond within one month (GDPR Art. 12(3)).

Because DotTracks stores only pseudonymous gameplay progress, some rights may be limited by the nature of the data. Where technically feasible, we can provide, delete, or correct completed-level records linked to your in-app pseudonymous user ID.

Identity verification

Because we operate on pseudonymous identifiers and do not hold your name or email, we need a way to confirm that a request actually comes from the data subject. When you submit a request, we will ask you to provide your in-app pseudonymous user ID (you can find it in the app under Profile → About) and may ask for additional reasonable information to rule out fraudulent or abusive requests. We will not use this information for any other purpose and will delete it once the request is closed. If we cannot verify your identity within a reasonable period, we are entitled to refuse to act on the request (GDPR Art. 12(6)).

If you have already used the in-app Delete account & data action, your pseudonymous identifier has been removed and we will generally be unable to link you to your data.

Note: If you uninstall the app or clear app data before noting your pseudonymous user ID, we will generally be unable to link you to your data and may not be able to fulfill access or deletion requests.

Supervisory authorities

You may lodge a complaint with the data protection authority of your country of residence. Examples:

Switzerland: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) — https://www.edoeb.admin.ch
Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) or the data protection authority of your federal state — https://www.bfdi.bund.de
Austria: Datenschutzbehörde — https://www.dsb.gv.at
United Kingdom: Information Commissioner's Office (ICO) — https://ico.org.uk/
Other EU/EEA: the supervisory authority of your member state.

"Do Not Track" and Global Privacy Control (GPC)

DotTracks does not respond to "Do Not Track" (DNT) browser signals, because no industry-standard meaning for these signals has been agreed upon. We honor legally required opt-out preference signals, such as GPC, where they apply to sale, sharing, targeted advertising, or other opt-out processing covered by applicable law. DotTracks does not currently sell personal data, share personal data for cross-context behavioral advertising, or engage in targeted advertising.

Children

DotTracks is a general-audience puzzle game with abstract visuals (dots, geometric tracks, color theory) and is not directed to children under 13. We do not market DotTracks to children under 13 and do not place it in child-directed store categories. We do not knowingly collect personal data from children under 13. We do not ask users to provide their age. If we learn that a user is under 13, we will delete data linked to that user unless legally valid parental consent has been obtained. If DotTracks is later offered to children or included in a child-directed store category, we will implement the required parental consent and child-privacy controls before doing so.

Analytics and minors. Analytics is optional and disabled by default. If we know that a user is below the age at which they can validly consent to analytics in their country (the digital-consent age under EU GDPR varies between 13 and 16 depending on the EU member state; the UK GDPR sets it at 13), analytics will remain disabled unless valid parental consent is provided where required.

UK Children's Code. If DotTracks is made available to users in the UK and is likely to be accessed by children under 18, we will take into account the UK Information Commissioner's Office (ICO) Age Appropriate Design Code (the "Children's Code"), including age-appropriate privacy protections, data minimisation, and default privacy-friendly settings.

Parents. If you are a parent or legal guardian and you discover that a child under 13 (or under the applicable digital-consent age in your jurisdiction) is using DotTracks, please email hello.dottrack@outlook.com with the child's pseudonymous user ID, and we will delete the associated data without undue delay.

Notice to California residents (CCPA / CPRA)

If and to the extent the CCPA/CPRA applies to DotTracks, California residents may have the rights described below. DotTracks does not currently believe it is subject to the CCPA/CPRA because it does not meet any of the applicable statutory thresholds, namely: (a) annual gross revenue above USD 26.625 million, (b) processing the personal information of 100,000 or more California consumers or households per year, or (c) deriving 50% or more of annual revenue from the sale or sharing of personal information. We provide this notice for transparency in case the thresholds are met in the future.

If you reside in California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights. In the 12 months preceding the "Effective date" of this policy, we have not sold or shared your personal information in the CCPA sense, and we do not intend to do so.

Categories of personal information collected: identifiers (pseudonymous Firebase user ID, Firebase Android App ID, App Instance ID where analytics is enabled, and similar app identifiers); internet or electronic network activity information (app usage events where analytics is enabled, and connection metadata such as IP address and user agent strings); approximate location (country and, where available, city, derived from your IP address by Firebase Analytics where enabled); device and technical information (device model, operating system version, app version, IP address, user agent strings); and gameplay progress. We do not collect sensitive personal information.

We do not collect or use sensitive personal information as defined by the CCPA/CPRA. Therefore, the right to limit the use and disclosure of sensitive personal information does not currently apply to DotTracks.

Sources of personal information. We collect personal information directly from your device and your use of the DotTracks app, and from Firebase services integrated into the app. We do not obtain personal information from data brokers or advertising networks.

You have the right to:

Know what categories of personal information we collect, the sources we collect it from, and the purposes for which we use it (all set out above).
Delete personal information we have collected, subject to permitted exceptions.
Correct inaccurate personal information.
Opt out of sale or sharing — not applicable because we do not sell or share your data.
Non-discrimination — we will not deny services, change prices, or provide a different level of service because you exercised any CCPA right.

To exercise these rights, email hello.dottrack@outlook.com with the subject line "California Privacy Request". We will verify your request and respond within 45 days.

You may also submit a request through an authorized agent. We may require proof that the agent is authorized to act on your behalf and may still need to verify the request using your in-app pseudonymous user ID.

Timing of this notice. This notice is provided at or before the point at which DotTracks collects personal information, including through the Google Play Store listing, the in-app privacy link, and the first-run consent flow.

Notice to residents of other US states

These state privacy rights apply only if and to the extent the relevant state law applies to DotTracks, including any applicable thresholds, exemptions, and effective dates. If a state law does not apply, we may still handle requests voluntarily where technically feasible.

Several US states have enacted comprehensive privacy laws that grant their residents rights similar to those listed above for California. These include, where applicable: Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Virginia Consumer Data Protection Act (VCDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), Montana Consumer Data Privacy Act (MTCDPA), New Jersey Data Privacy Act (NJDPA), Delaware Personal Data Privacy Act (DPDPA), Tennessee Information Protection Act (TIPA), Indiana Consumer Data Protection Act (INCDPA), Iowa Consumer Data Protection Act (ICDPA), Nebraska Data Privacy Act (NDPA), New Hampshire Data Privacy Act (NHDPA), Maryland Online Data Privacy Act (MODPA), and Minnesota Consumer Data Privacy Act (MNCDPA).

Depending on your state of residence and whether the relevant law applies to DotTracks, you may have rights to access, delete, correct, or obtain a copy of your personal data, and to opt out of certain processing such as sale, targeted advertising, or qualifying profiling. Not all rights apply in all states.

Depending on your state of residence, you may have rights to access, delete, correct, obtain a copy of your personal data, and opt out of the sale of personal data, targeted advertising, or qualifying profiling, where applicable under the relevant state law.
We do not sell your personal information, and we do not engage in targeted advertising based on cross-context behavioral tracking.
To exercise any right, contact hello.dottrack@outlook.com. If your state grants a right to appeal a denied request, you may do so by replying to our response within 30 days.
We do not process "sensitive data" as defined under these laws.

No profiling with significant effects. DotTracks does not engage in automated profiling that produces legal or similarly significant effects for any user. We do not use Firebase Analytics for targeted advertising, cross-context behavioral advertising, the sale of personal data, or profiling that affects access to legal, financial, healthcare, housing, insurance, or employment opportunities.

Right to appeal. If we decline to take action on your privacy request and you reside in a state whose law grants an appeal right (such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or other states with applicable appeal procedures), you may appeal our decision by replying to our response email or by writing to hello.dottrack@outlook.com. We will respond within the time period required by the applicable state law.

Changes

We may update this policy from time to time. The "Last updated" date will reflect changes. If a change materially affects how we process your data or requires consent, we will ask for your consent or provide another legally required notice before the new processing starts.

Third parties

DotTracks uses:

Firebase Authentication (anonymous sign-in)
Cloud Firestore (gameplay progress)
Firebase Analytics (pseudonymous app usage analytics, only after opt-in)
Vercel — website hosting and technical access logs for dottracks.app.

Google's privacy policy applies to data they process: https://policies.google.com/privacy

In-app purchases. DotTracks currently does not offer in-app purchases. If we introduce in-app purchases, purchases will be processed by the relevant app store provider, such as Google Play Billing or Apple In-App Purchase. We will update this Privacy Policy and the relevant app store privacy disclosures before enabling purchases.

iOS release. If DotTracks is released on iOS, the App Store privacy disclosures will reflect the data collected by the iOS version of the app, including data collected through Apple frameworks or third-party SDKs. Before any iOS submission, we will also include any required Apple privacy manifests, SDK signatures, and Required Reason API declarations.