Privacy Policy.

Part One — Privacy Policy

Welcome to novasoftstackmeta.com ("we," "us," or "our"). This Privacy Policy describes how we collect, use, share, and protect information when you use our websites, mobile applications (the "Apps"), and related services (collectively, the "Services"). This Policy is designed to comply with major global privacy regulations including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Brazil General Data Protection Law (LGPD), India's Digital Personal Data Protection Act (DPDP Act), the Saudi Personal Data Protection Law (PDPL), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Japan's Act on the Protection of Personal Information (APPI), Australia's Privacy Act 1988, and other applicable regional privacy laws as updated for 2026.

1. Data Collection: Granularity & Purposes

We strictly adhere to the "minimum necessary" principle and use compliant technical means to collect only the information required to maintain the normal operation of our IAA (advertising monetization) and IAP (in-app purchase) systems, optimize user experience, and prevent fraudulent activities. Our data collection practices are fully compliant with global regional privacy regulations and we do not collect any personal information unrelated to our Services.

1.1 Device Fingerprints & Identifiers

• IDFA (iOS devices) — used solely for advertising measurement, attribution, and personalized ad serving, subject to user consent via Apple's App Tracking Transparency (ATT) framework.
• GAID / OAID (Android devices, including OAID for the China market) — used for advertising measurement and personalization, subject to user consent.
• Device brand, model, screen resolution, OS version, language settings, battery state, system clock offset (used to detect time-zone cheating and prevent cross-regional price fraud).
• Encrypted device unique identifiers that do not link to a user's real identity.

1.2 Network Environment Data

• IP address — used only for geographic compliance filtering (to determine the user's region for legal and service compliance, not for precise geolocation).
• Mobile network operator name, Wi-Fi connection status, network type (4G/5G/Wi-Fi) — used to ensure service stability and regional compliance.

1.3 Behavior Trajectory (IAA & UX)

• Ad behavior: ad display ID, click timestamps, conversion paths, rewarded video ad view duration and mid-exit status, ad dwell time. Used to optimize ad delivery effectiveness, prevent ad fraud, and is shared only with desensitization through our third-party ad mediation partners.
• App / game logic: core feature loop trigger counts, paywall popup click-through rates, onboarding drop-off points, feature usage frequency. Used to optimize product interaction experience and adjust feature layouts. We do not collect specific user operation content or private data.

1.4 Financial Transaction Data (IAP)

We receive transaction receipts exclusively through App Store / Google Play official APIs. We do not touch or store your bank card number, CVV, payment password, card expiration date, or any other sensitive payment information. All payment operations are completed by Apple's or Google's official payment systems.

• Order number, purchased item name and quantity, payment currency, payment amount, country code, transaction time, sandbox test order status, order status (success / failure / refund).
• Used for order verification, refund processing, financial reconciliation, and payment fraud prevention.

2. Deep Third-Party Sharing Architecture (Data Mapping)

To achieve legal monetization, service optimization, and anti-fraud purposes, we share only the necessary data with the following compliant third-party ecosystems. The sharing process strictly follows the "minimum necessary, encrypted transmission, fully controllable" principle. We do not share any sensitive personal information. You may review the privacy policies of each platform to understand their data processing details.

2.1 Mediation Layer (Ad Aggregators)

• AppLovin (MAX) — Real-time bidding (RTB), fill rate optimization, and monetization efficiency.
• Google AdMob — Ad serving, fill, and yield management.
• Unity LevelPlay (ironSource) — Cross-network mediation, bidding, and reporting.
• Moloco Bidding — ML-driven bidding optimization.
• BidMachine — Open-source mediation.

Shared data includes only desensitized device information and ad display / click data, not linked to the user's real identity.

2.2 Attribution & Anti-Fraud (MMP)

• AppsFlyer — Install attribution, fraud detection.
• Adjust — Attribution, MMP, fraud prevention.
• Singular — Attribution, aggregative analytics.
• Branch — Attribution and deep linking.
• Kochava — Attribution and fraud detection.

Shared data includes only desensitized device information and install attribution data, used for anti-fraud validation. We do not collect user private information through these partners.

2.3 Direct Ad Networks (Demand Sources — 30+ networks)

Meta Audience Network · Pangle (TikTok) · Chartboost · Vungle · InMobi · Start.io · Tapjoy · AdColony · Mintegral · Digital Turbine · Ogury · Liftoff · Yahoo Advertising · Amazon Publisher Services · Criteo · Pinterest · Snapchat · X (Twitter) · Reddit Ads · LinkedIn · Media.net · Smaato · Flashtalking · Epom · Appier · Pubmatic · Index Exchange · Sovrn · TripleLift, and others.

2.4 Payment Processors

• Apple Inc. — Process in-app purchase transactions and verify order validity.
• Google LLC — Process in-app purchase transactions and verify order validity.
• Stripe · PayPal · RevenueCat — Optional web / subscription billing.

Shared data includes only order-related information (excluding sensitive payment information), used for transaction reconciliation and order verification, strictly following Apple and Google official data processing specifications.

3. Global Region-Specific Legal Notices

We strictly adapt to global country / region privacy regulations, incorporating 2026 latest policy changes, and formulate differentiated compliance terms for key regions to ensure full compliance throughout the service.

3.1 European Union (GDPR) & United Kingdom (UK-GDPR)

• Legal Basis: Our legal grounds for processing user data include: performance of service agreement with the user, obtaining the user's explicit consent, maintaining our legitimate interests (such as anti-fraud and service optimization). All data processing activities comply with Articles 6 of the GDPR / UK-GDPR.
• EU / UK Representative: [Placeholder for EU/UK legal representative contact & registered address, to be populated prior to EU/UK launch.] Responsible for receiving data-related requests (access, correction, deletion, withdrawal of consent, etc.) from EU / UK users with a response time of no more than 7 working days.
• DSA Transparency Supplement: We strictly comply with the latest transparency requirements of the EU Digital Services Act (DSA), publicly disclosing ad delivery rules, algorithmic recommendation logic, and content review standards. We periodically publish transparency reports, clearly stating data processing workflows and third-party cooperation details, and accept supervision from EU regulatory authorities. If the App involves user-generated content (UGC), we will publicly disclose content review mechanisms, complaint handling processes, and violation content disposition standards to ensure user right to know.
• User Rights Protection: EU / UK users have the right to access, correct, delete personal data at any time, withdraw data processing authorization, request a copy of their personal data (data portability), and file complaints about non-compliant data processing to the European Data Protection Board (EDPB) or the UK Information Commissioner's Office (ICO).

3.2 United States (CCPA / CPRA / VCDPA & other state-differentiated terms)

• Do Not Sell Personal Information: We clearly commit to not selling users' personal information to any third party (including advertisers, data brokers, etc.). However, under the definitions of laws such as the California CPRA and Virginia VCDPA, sharing desensitized device IDs and other non-sensitive information with third parties to achieve ad personalization may be considered "data sharing." We will clearly inform users of such sharing within the App, and users have the right to opt-out of such sharing at any time.
• Do Not Track: We fully respond to the device's "Do Not Track" (DNT) system setting. If the user enables this setting, we will stop collecting user behavior trajectory data, which will not be used for ad precise targeting or personalized recommendation. We retain only the minimum data necessary to maintain normal service operation.
• State-Specific Compliance:
  • California (CPRA): Users have the right to request disclosure of the categories of personal information collected, used, and shared over the past 12 months, request deletion of personal information, and refuse use of personal information for targeted advertising. We will respond to user requests within 45 working days.
  • Texas (CCPA-TX): Strengthened user data access rights; users can freely query personal data collection records. We may not set unreasonable barriers. We are prohibited from sharing user sensitive information (such as biometric data, financial information) with third parties without written user consent.
  • Virginia (VCDPA): Users have the right to request correction of incorrect personal data and to request us to stop sharing personal data with third parties. We must complete correction or stop sharing within 30 working days and provide feedback to the user.
  • Other States: We adapt to the latest privacy regulations in Washington, Colorado, Connecticut, and other states, clarifying user data rights and our compliance obligations to ensure compliance across the United States.

3.3 Brazil (LGPD)

We strictly comply with Brazil's General Data Protection Law (LGPD). We must obtain explicit user authorization before collecting personal information, clearly informing the user of the purpose, scope, and method of information collection. We protect Brazilian users' rights to access, correct, delete, and withdraw authorization over their data. We appoint a dedicated compliance officer to handle Brazilian users' data requests. User data is stored on servers within Brazil and is not transferred abroad without authorization. Cross-border data transfer requires approval from the Brazilian National Data Protection Authority (ANPD).

3.4 Other Key Regions

• China: We comply with the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Provisions on Promoting and Regulating the Cross-Border Flow of Data. We obtain explicit user consent before collecting personal information, implement data localization requirements (data of users in China is stored on servers within China), do not illegally collect sensitive personal information, and cooperate with the Cyberspace Administration of China in regulatory inspections.
• India: We comply with the Digital Personal Data Protection Act (DPDP Act), clarify data collection boundaries, collect data only after obtaining written user consent, appoint a Data Protection Officer (DPO), respect users' right to request deletion of personal data, and obtain approval from the Ministry of Electronics and Information Technology (MeitY) for cross-border data transfer.
• Saudi Arabia: We comply with the Personal Data Protection Law (PDPL), implement data localization requirements, store user data on servers within Saudi Arabia, and do not transfer abroad without authorization. We accept supervision by the National Data Management Office (NDMO).
• Canada, Japan, Australia: We adapt to Canada's PIPEDA, Japan's APPI, and Australia's Privacy Act 1988, clarify data processing standards, protect user data rights, cooperate with local regulatory authorities in audits, and respond to 2026 global data sovereignty upgrade requirements.

4. Auto-Renewing Subscription Disclosure (Subscription Transparency)

For Apps that include auto-renewing subscription services, we strictly follow Apple App Store and Google Play Store rules as well as global regional compliance requirements, and make the following declarations to protect user right to know and right to choose:

• We collect only the minimum information necessary for subscription management, including subscription cycle, remaining trial period, subscription status (active / expired / paused), and renewal time. This information is used for subscription management and service delivery. We do not collect any unrelated information.
• Transparency Assurance:
  • Before subscription: Clearly inform the user of the subscription cycle (weekly / monthly / yearly), subscription price, trial period duration (if any), renewal rules, and cancellation method. No hidden terms.
  • Renewal reminder: 24 hours before each auto-renewal charge, send a renewal reminder to the user via in-App pop-up, system push, etc., clearly stating the charge amount, charge time, and direct cancellation path.
  • Subscription management: Users may cancel auto-renewal at any time via in-App "Settings - Subscription Management" or the App Store / Google Play subscription management page. After cancellation, no further charges will occur, and cancellation during the trial period incurs no charge.
• Trial Period Explanation: If a free trial is offered, the subscription will auto-renew and be charged at the end of the trial period. The user may cancel during the trial period to avoid charges. If the user has used subscription-exclusive features during the trial period and then cancels, those features will become immediately unavailable.

5. AI-Generated Content Disclosure (where applicable)

For Apps that include AI-generated content (including but not limited to text, audio, images, and interactive scenes), we strictly follow global AI compliance requirements and make the following declarations to protect user right to know and legitimate rights:

• Clear Labeling: All AI-generated content is clearly marked as "AI-generated" to distinguish it from human-created content, not misleading users, and complying with the EU AI Act and U.S. state AI transparency requirements.
• Content Compliance: AI-generated content strictly follows global content review standards. It is prohibited from generating violent, pornographic, vulgar, false, politically sensitive, racially discriminatory, or other non-compliant content. We implement an "AI generation + human review" dual mechanism to ensure content compliance.
• Liability Definition: AI-generated content is provided only as an auxiliary function. It does not constitute any advice, commitment, or guarantee. We do not bear any responsibility for any losses resulting from user reliance on AI-generated content. If AI-generated content infringes on the intellectual property, reputation rights, or other legitimate rights of others, we bear corresponding responsibility and promptly delete the non-compliant content.
• Data Security: Data used to train AI models is either compliantly collected or used under authorization. We do not use user personal information or private data to train AI models, strictly protecting user data security.

Part Two — Terms of Service Summary

Our full Terms of Service govern your use of our Services. Key points include: account ownership and license scope, IAA advertising and reward policies (with detailed fraud penalty rules), IAP payment, refund, and dispute resolution (with detailed fraud penalty rules), anti-cheat and security agreements, content review (DSA compliance), and AI content compliance. Please review the Terms of Service in full for complete information.

• Account Ownership: Users obtain only a limited, non-transferable, non-rentable, non-loanable software usage right. Accounts unused for [180] days with no payment records may be deleted after 30 days' notice.
• Ad Fraud Penalties: First offense = warning + reward wipe + 7-day suspension. Second offense = 30-day suspension + reward wipe + device blacklisting. Third+ offense = permanent ban + device ban + legal referral.
• IAP Fraud Penalties: First offense = warning + IAP suspension 15 days. Second offense = 90-day suspension + virtual goods wipe. Third+ offense = permanent ban + legal referral.
• Refund Policy: Virtual goods are non-refundable once consumed. Exceptions include technical non-delivery, unauthorized minor purchases, and major service failures.

Part Three — 2026 Technical Compliance Execution Guide

This guide combines the latest 2026 Apple App Store and Google Play policies, as well as global regional compliance requirements, to clarify technical execution standards, ensuring full compliance of application development, publishing, and operation, avoiding risks of application removal or penalties due to technical violations, and adapting to the latest system version requirements of Android 15 and iOS 18.

1. Apple App Store (iOS) — 2026 Updates

• Privacy Labels: Must accurately complete Privacy Label information in App Store Connect. Strictly select "Data Linked to User" because data such as IDFA and purchase records will be associated with the user profile. Do not conceal data linkage relationships. Accurately fill in the data collection scope, purpose, and third-party sharing situation to ensure consistency with this Privacy Policy. Filling in false information will lead to App review rejection and removal.
• ATT Mandatory Execution (2026 Upgrade):
  • Before obtaining device_id (IDFA), must first call the requestTrackingAuthorization interface, pop up the window to request user authorization. The authorization text must clearly inform the user of the purpose (such as ad precise delivery) and may not mislead the user.
  • If the user refuses authorization, must pass allow_tracking = false to all third-party SDKs, may not obtain or use IDFA without authorization, and may not circumvent ATT framework limits by other means.
  • Adapted to the latest iOS 18 requirements, the ATT authorization pop-up can only be shown once, may not pop up multiple times to harass users. If the user refuses, subsequent authorization requests are prohibited; users may only be guided to enable authorization through device system settings.
  • May not obtain user device identifiers through non-ATT channels, and may not use other device parameters (such as MAC address) as an IDFA substitute to circumvent privacy policy requirements.
• Other Technical Compliance:
  • Apps must not contain hidden features or non-compliant code, and must not circumvent App Store review rules (such as hiding payment entrances, false feature descriptions).
  • Adapted to the latest iOS 18 system privacy requirements, access to sensitive data (such as photos, contacts) requires user authorization each time. Default or forced authorization is prohibited.
  • In-App purchase items must clearly mark the price and subscription cycle. Inducing purchase traps or misleading users into payment is prohibited.
  • If the App contains AI-generated content, it must be clearly marked on the App Store detail page, complying with Apple AI compliance requirements.

2. Google Play (Android) — 2026 Updates

• Data Safety Form: Must accurately complete the Data Safety form in Google Play Console, clearly declaring that HTTPS encryption is used for data in transit, AES-256 encryption is used for stored data. Accurately fill in the data collection scope, purpose, and third-party sharing situation. Concealing data processing behavior will lead to App review rejection and removal.
• SDK Transparency (2026 Upgrade):
  • Google requires developers to bear full responsibility for the behavior of all integrated third-party SDKs. All integrated SDK versions must support the latest Android 14+ Privacy Sandbox. Outdated SDKs (which may have privacy security vulnerabilities) are prohibited.
  • Publicly disclose all integrated third-party SDK lists in Google Play Console, clearly stating SDK name, purpose, and data collection scope, ensuring SDK data processing behavior is compliant. If SDK has non-compliant data collection behavior, the SDK must be immediately removed and rectified.
  • Adapted to the latest Android 15 requirements, integrated SDKs may not request permissions unrelated to App functions, may not collect user personal information without authorization, and may not interfere with the normal operation of the device.
  • If the App supports the Android 15 Private Space feature, logic must be adjusted according to the App type. Medical Apps must clearly inform users not to install in Private Space to avoid affecting core function operation. Launcher Apps must declare relevant permissions to adapt to Private Space App display requirements.
• Other Technical Compliance:
  • Adapted to the latest Android 15 privacy protection measures, supports dynamic password (OTP) hiding function, hides sensitive content during screen sharing, can manually mark App sensitive fields, ensuring user privacy security.
  • Apps may not contain malicious code or ad plugins, may not force push ads or induce users to click ads, and ad display must comply with Google Play ad policy.
  • Apps must support 64-bit architecture, may not provide only 32-bit version, ensuring adaptation to the latest Android devices.
  • If the App contains subscription services, it must clearly mark the subscription management entrance within the App, support users in canceling subscriptions at any time, complying with Google Play subscription policy.

3. 2026 Data Residency Compliance

With the rise of global data sovereignty awareness in 2026, more countries / regions have issued stricter data localization requirements. We must strictly follow the following rules to avoid violations:

• If the App has a large number of users in a specific country / region (such as China, India, Saudi Arabia, Brazil, EU, Canada) (specific thresholds subject to local regulations), local user data must be stored on compliant servers in that country / region, and may not be transferred abroad without authorization.
• Cross-border data transfer must strictly follow local regulatory requirements, such as the EU GDPR adequacy decision, China's "Provisions on Promoting and Regulating the Cross-Border Flow of Data" security assessment / standard contract requirements, India's DPDP Act cross-border transfer approval requirements. Without approval, user data may not be transferred abroad.
• Regarding the global data sovereignty disputes mentioned in the 2026 U.S. Trade Report, attention must be paid to avoiding trade compliance risks caused by cross-border data transfer. If the App targets U.S. users, the CLOUD Act requirements must be followed, while cooperating with U.S. regulatory authorities' data access requests (if any).
• Regularly review data storage locations to ensure compliance with local regulatory changes, such as Canada, Japan, Bolivia, Colombia, and other countries that have added new data localization requirements in 2026, and adjust data storage strategies in a timely manner to avoid violations.
• Establish a data residency compliance ledger, record user data storage location, and transmission situation, regularly conduct compliance self-inspection, and cooperate with local regulatory authorities in inspections.

4. Interaction Design Recommendations

• Dual Confirmation Mechanism:
  • Before users make large IAP purchases (recommended single amount ≥ $50 / €50), an in-App secondary confirmation pop-up must be added, clearly informing the user of the purchase amount, product name, and payment method. The user must manually click "Confirm Purchase" before jumping to the payment page to avoid misoperation.
  • For auto-renewing subscriptions, after the user clicks the "Subscribe" button, a pop-up confirmation is required, clearly informing the subscription cycle, price, and renewal rules to avoid user mis-subscription.
• Privacy Policy Accessibility (Mandatory Requirement): The link to the Privacy Policy must exist simultaneously in the following three locations to ensure users can view it at any time, complying with global compliance requirements:
  1. App Store detail page (significant location on App Store / Google Play description page).
  2. App launch splash screen (or login page). Users may click the link to view the complete Privacy Policy. The splash screen must have "Agree" and "Refuse" buttons. If refused, the user may not use the App.
  3. In-App "Settings" or "About" menu. The link must be placed in a prominent position. Clicking it will directly view the Privacy Policy, supporting user access at any time.
• Other Interaction Compliance Recommendations:
  • Permission requests: When requesting user-granted permissions (such as camera, photo album, location), the purpose of the permission must be clearly stated. Default authorization or forced authorization is prohibited. The user may withdraw authorization at any time in the in-App or device system settings.
  • Ad interaction: Rewarded video ads must clearly mark "Watch the full ad to receive rewards," provide a "Skip Ad" button (the ad can be skipped after 5 seconds of playback), and may not force users to watch ads.
  • Complaint feedback: The App must set up convenient complaint feedback channels, including privacy complaints, ad complaints, UGC content complaints, etc., clearly stating the feedback processing time limit (no more than 7 working days), and providing users with feedback processing results.
  • Transparency display: Prominently display ad delivery rules, algorithmic recommendation logic, and data processing workflows (simplified version) within the App, complying with DSA transparency requirements and ensuring user right to know.
  • Screen sharing reminder: Adapted to the latest Android 15 requirements, during screen sharing, casting, and recording, display eye-catching reminder labels in the status bar to remind users that they are currently in the screen sharing state. Users may click the label to quickly stop sharing.

Part Four — Compliance Risk Prevention & Periodic Review

1. Compliance Risk Prevention Measures

• Establish a compliance review mechanism: Before application development and publishing, conduct a comprehensive compliance review of application code, Privacy Policy, Terms of Service, and interaction design to ensure compliance with App Store, Google Play policies, and global regional regulatory requirements, and avoid violations.
• Regularly update compliance knowledge: Arrange dedicated personnel to follow up on the latest changes in global privacy regulations and App Store policies (such as U.S. state privacy laws, EU DSA updates, Android 15 / iOS 18 system policy changes), and adjust applications and agreement content in a timely manner.
• Third-party partner management: Regularly audit the compliance of third-party ad platforms, SDK providers, and payment processors, sign compliance agreements, clarify data processing responsibilities, and immediately terminate cooperation if third parties engage in non-compliant behavior.
• User request handling: Establish a user data-related request (access, correction, deletion, complaint) handling mechanism, ensure response and handling within the specified time limit, retain handling records, and accept supervision by users and regulatory authorities.
• Security protection: Strengthen application data security protection, adopt encrypted storage, encrypted transmission, access permission control, and other technologies to prevent data leakage, tampering, and loss, and regularly conduct data security inspections and risk assessments.
• Employee training: Regularly conduct compliance training for R&D, operations, customer service, and other related employees, popularize privacy regulations, App Store policies, and anti-fraud rules, improve employee compliance awareness, and avoid violations caused by improper operation.

2. Periodic Review Requirements

Due to the continuous changes in the global legal environment (especially U.S. state privacy laws, EU DSA implementation details) and the constant update of App Store policies and technical standards, it is recommended to conduct a routine review of this Agreement and application compliance every 6 months. The specific review content includes:

• Agreement terms: Check whether the Agreement terms comply with the latest regulations and App Store policies, and whether they need to be supplemented or modified (such as adding regional compliance terms and updating fraud penalty rules).
• Application compliance: Check whether the application code, SDK version, and interaction design comply with the latest technical compliance requirements (such as Android 15 / iOS 18 adaptation, ATT framework execution).
• Data processing: Check whether the data collection, storage, transmission, and sharing processes are compliant, whether data residency meets local requirements, and whether third-party data sharing is controllable.
• Anti-fraud mechanism: Check whether the ad and IAP anti-fraud rules are perfect, and whether the penalty measures need to be updated according to the latest fraud methods.
• User requests: Check the handling of user data-related requests, and whether there is any situation of untimely response or improper handling, to optimize the handling process.

Cookies & Tracking Technologies

This website uses cookies and similar tracking technologies for the following limited purposes:

• Strictly necessary cookies: Required for basic site functionality (session management, language preference, security tokens). These cannot be disabled.
• Analytics cookies: Anonymous, aggregated analytics (no third-party tracking) to understand site usage patterns. We do not use Google Analytics; we self-host a privacy-preserving analytics solution that does not track individual users.
• No advertising cookies: We do not use advertising cookies on this website. Our apps may use device identifiers for ad purposes as described above, subject to ATT / consent frameworks.

You may control cookies via your browser settings. Disabling strictly necessary cookies may limit site functionality.

Contact & Data Protection Officer

If you have any questions, feedback, complaints, or data subject requests (access, correction, deletion, portability, opt-out, withdrawal of consent), please contact us via:

• Email (General & Data Protection): contact@novasoftstackmeta.com
• Email (Support): support@novasoftstackmeta.com
• Postal Address: Research Park, University of Illinois, Champaign, IL 61820, United States

We aim to respond to all inquiries within 7 working days (or sooner per regional requirement). EU/UK users also have the right to lodge a complaint with their national Data Protection Authority.