Cubist — Privacy Policy
- Effective Date: To be set on launch day.
- Last Updated: 2026-06-27
- Document Owner: semag studios
1. Who We Are
semag studios ("we", "our", or "Cubist") publishes the Cubist mobile application and the associated marketing site at cubist.semag.app.
For purposes of GDPR / UK GDPR we are the controller of personal data described in this Policy.
- Controller: semag studios
- Privacy contact:
official@eodin.app[REVIEW] — confirm mailbox provisioning before launch. - EU representative: To be appointed before EU launch. [REVIEW]
- UK representative: To be appointed before UK launch if applicable. [REVIEW]
For purposes of Korean PIPA, our "personal information protection officer" (개인정보 보호책임자) is [REVIEW] to be named on launch.
2. Scope
This Policy describes how Cubist collects, uses, shares, and protects personal data when you:
- Install or use the Cubist mobile application on iOS or Android.
- Visit
cubist.semag.app(currently a marketing surface; no account features there). - Interact with us through support, social media, or feedback channels.
It applies to all users worldwide; where local law grants you additional rights, those rights apply in addition to anything described here.
3. Data We Collect
Cubist is designed to minimize personal data and to keep solve records cloud-backed primarily for the user's own convenience and for the integrity of competitive features.
3.1 Data You Provide
| Category | Examples | When |
|---|---|---|
| Authentication identifiers | Apple ID identifier, Google account ID, email address (from Apple/Google), display name (from Google) | Sign-in (mandatory after onboarding) |
| Profile fields | Username, display name, country code, WCA ID (optional), age band, avatar image | When you edit your profile |
| Solve data | Scramble string, recorded time, move sequence (per solve), penalty (+2 / DNF), inspection flag, lucky tag, free-form notes, session ID | Each solve |
| User reports | Reported user identifier, reason category, optional free-text up to 500 characters | When you submit a report |
| Appeal submissions | Solve identifier, your account identifier, free-text appeal body | When you appeal a verifier rejection |
| Feedback messages | Free-text content you send through the in-app feedback channel | When you submit feedback |
| Purchases | Apple App Store / Google Play transaction identifiers, purchase status, and a RevenueCat app-user identifier and entitlement state (via our payments processor RevenueCat) | When you make an in-app purchase |
3.2 Data We Collect Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device information | OS version, app version, model class, language, time zone, locale | Compatibility, support, analytics |
| Network information | IP address (transient, used by Firebase for region routing and abuse detection), connection type | Service operation |
| Crash & diagnostic data | Stack traces, native crash logs, custom keys we set (e.g. event identifier), recent breadcrumb events — via Firebase Crashlytics | Stability and bug-fix prioritization |
| Analytics events | Screen views, tap events, funnel signals (e.g. solve_complete, tutorial_method_complete, friend_add) and their properties as documented in docs/cubist-prd_new.md §12 and .claude/agents/logging-agent.md | Funnel measurement, product improvement |
| iOS Advertising identifier (IDFA) | Only when you grant App Tracking Transparency consent | Attribution measurement for analytics — we do not serve advertising |
| Anti-cheat metadata | Hash of (scramble, moves, time), server-side flags (pending_review, flagged_for_review), heuristic verdicts | Integrity of leaderboards (PRD §7.4) |
| Avatar moderation results | SafeSearch verdicts (adult / racy / violence likelihoods), magic-byte validation outcome | Content moderation (PRD §8.1) |
We do not intentionally collect:
- Payment card data (handled by Apple / Google).
- Real names beyond what you choose to display.
- Health, biometric, racial, political, or religious data.
- Precise geolocation (we only derive country-level signals from IP via Firebase and from the country code you optionally provide).
3.3 Data from Third Parties
- Apple Sign In with Apple provides us your Apple-issued identifier and, on first sign-in only, your email address (which you may proxy via Apple's relay) and name. Subsequent sign-ins return only the identifier.
- Google Sign-In provides us your Google identifier, email address, display name, and profile picture URL (which we do not store; we only use the identifier you fetch via the SDK to obtain a Firebase credential).
3.4 No Children Under 13
Cubist is rated 13+ and is not designed for children under 13. If you identify your age band as under_13, the friend graph is locked down (you cannot search, add, accept, or be added) and your data is excluded from cross-user reads. If we learn we have inadvertently collected data from a child under 13 in a jurisdiction that prohibits it, we will delete the data promptly. Contact us at the address in §1 to request such deletion.
4. How We Use Data
4.1 Service Operation
- Authenticate you and maintain your session.
- Persist your solves, sessions, statistics, settings, and tutorial progress across devices.
- Compute and display personal bests, averages, and other statistics.
- Replay submitted move sequences server-side to verify solves (
verifySolveCloud Function). - Maintain leaderboard caches for the global, regional, friend, and time-windowed scopes.
- Match friend requests, deliver friend-graph state, and gate friend features under the 13+ rule.
- Process appeals and operate the moderation pipeline.
- Process in-app purchases and unlock purchased features.
4.2 Anti-Cheat and Integrity
- Replay move sequences to confirm the cube reaches the solved state.
- Detect timing anomalies (sub-human floors, excessive turns-per-second, PB burst windows) per
docs/sprint-0/anti-cheat-thresholds.md. - Detect replay attacks via canonical hash matching.
- Detect username impersonation via homoglyph skeletons.
- Auto-hide accounts that exceed our user-report threshold (5 unique reporters).
4.3 Analytics and Product Improvement
Cubist uses two analytics pipelines in parallel:
- Eodin Analytics SDK (operated by Eodin, an affiliated entity — see §6) — emits the events documented in
.claude/agents/logging-agent.md. Eodin's pipeline supports a SDK-level opt-out and a data deletion request (Settings → Privacy → Data collection / Delete my data). - Firebase Analytics (GA4) — emits a partially overlapping dual signal. GA4 collection can be disabled via Settings → Privacy → Data collection in the same toggle.
We use this telemetry to understand usage patterns, surface bugs, measure feature adoption, and tune the product roadmap. We do not use it to build advertising profiles about you or to sell data.
4.4 Communications
We may send transactional notifications inside the app (e.g. friend request received, your solve verified). We will only send marketing messages if you affirmatively opt in.
4.5 Legal and Safety
- Comply with court orders and legal obligations under PIPA, GDPR, and equivalent laws.
- Protect the rights, property, or safety of users, Cubist, or third parties.
- Detect and prevent fraud, abuse, and security incidents.
5. Legal Bases (EEA / UK)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
| Processing | Legal basis |
|---|---|
| Account creation, sign-in, solve storage, friend graph | Contract (GDPR Art. 6(1)(b)) — necessary to provide the service you requested |
| Anti-cheat, abuse detection, content moderation | Legitimate interests (Art. 6(1)(f)) — operating a trustworthy competitive service |
| Crashlytics diagnostics | Legitimate interests (Art. 6(1)(f)) — keeping the app stable |
| Analytics (Eodin SDK + GA4) | Consent where required by ePrivacy / local law; otherwise legitimate interests. The Settings → Privacy → Data collection toggle is the operative consent control |
| In-app purchases | Contract (Art. 6(1)(b)) — necessary to deliver the purchase you requested |
| Compliance with legal requests | Legal obligation (Art. 6(1)(c)) |
For children below the age of digital consent in your jurisdiction, processing requires verifiable parental consent under GDPR Art. 8. Cubist's design intent is to restrict use to 13+ users in all jurisdictions to keep this scenario out of scope; however, [REVIEW] specific country thresholds (16 in some EU member states) require counsel review.
6. How We Share Data
We do not sell personal data, and we do not share it with advertising data brokers.
We share data only with sub-processors that help operate the Service, under contracts that bind them to GDPR-compliant terms.
| Category | Sub-processor | Purpose | Data |
|---|---|---|---|
| Cloud platform | Google LLC (Firebase / Google Cloud) | Hosting (Firestore, Cloud Functions, Cloud Storage), authentication, analytics (GA4), crash reporting (Crashlytics), avatar moderation (Cloud Vision SafeSearch) | All categories under §3; data resides in asia-northeast3 (Seoul) region for Firestore and Cloud Functions; Storage is in the default bucket region pending the asia-northeast3 migration [REVIEW] |
| Identity | Apple Inc. | Sign in with Apple | Apple identifier + email proxy |
| Identity | Google LLC | Google Sign-In | Google identifier + email |
| Analytics & attribution | Eodin (affiliated entity under common semag operation) | Funnel tracking, deep-link attribution, share-link short URLs | Events documented in .claude/agents/logging-agent.md; device identifier; ATT-gated IDFA |
| Payments | Apple App Store, Google Play, RevenueCat, Inc. | Process in-app purchases; RevenueCat validates store receipts and tracks entitlements | Transaction identifier, RevenueCat app-user identifier, entitlement state |
| Crash diagnostics | Google LLC (Firebase Crashlytics) | Crash and non-fatal error reporting | Stack trace, device state, custom keys |
We may share data with law-enforcement or other regulators if compelled by a valid legal demand, after reviewing the demand against our human-rights commitments.
6.1 International Transfers
Firebase and Google Cloud may process data in regions outside your country, in particular in the United States and Ireland. Where required, we rely on:
- Standard Contractual Clauses (EU Commission Decision 2021/914) between Google LLC and us.
- The EU-US Data Privacy Framework to the extent Google LLC is certified.
You may request a copy of our cross-border transfer documentation by writing to the privacy contact in §1.
7. Retention
We keep personal data only as long as needed for the purposes described in §4, and then delete or anonymize it.
| Data | Retention |
|---|---|
| Profile fields, solves, sessions, tutorial progress, friend graph | Until you delete your account or specific records |
| Authentication credentials | Until you delete your account |
| Crashlytics events | Per Firebase Crashlytics defaults (Google publishes retention windows; typically 90 days for non-fatals and 60 days for breadcrumb events) |
| Analytics events (Eodin SDK) | Per Eodin's policy — currently 30 days for raw event logs. [REVIEW] Confirm with Eodin policy update before launch |
| Analytics events (GA4) | Per Firebase Analytics retention (default 14 months, configurable) [REVIEW] confirm configured value before launch |
Anti-cheat replay hashes (solve_hashes/{hash}) | 30 days TTL (planned expires_at field — see §17.7 of docs/checklist.md) [REVIEW] |
| Server-side logs (Cloud Logging) | 30 days default in Google Cloud |
Report records (reports/{auto-id}) | Retained for moderation history; PII is replaced with hashes |
When you request account deletion (§8.3) we wipe your records immediately: the wipeUserData function recursively deletes your users/{uid} subtree (solves, sessions, statistics, per-event personal-best snapshots), reclaims your username and homoglyph-skeleton reservations, removes your friendship edges in both directions, evicts your entries from the leaderboard caches, and deletes your stored avatar; we then send a deletion signal to Eodin, revoke refresh tokens, and delete the Firebase Authentication entry. Anti-cheat replay hashes, anonymized aggregate counts, and report records that have been hashed may survive for the periods listed above in account-detached form.
8. Your Rights
8.1 Rights Available to All Users
- Access — see what we know about you, mostly through in-app surfaces (Profile, Stats, Solve History). For a full export, contact us at §1.
- Rectification — edit your profile fields directly in Me → Edit profile.
- Privacy mode — switch between Private, Public, and Ghost in Me → Settings → Privacy to control cross-user visibility.
- Restrict analytics — toggle off Me → Settings → Privacy → Data collection. This calls
EodinAnalytics.setEnabled(false)andFirebaseAnalytics.setAnalyticsCollectionEnabled(false). - Erasure — delete your account from Me → Settings → Privacy → Delete account. The deletion is irreversible after a short propagation window.
8.2 GDPR / UK GDPR Rights
In addition to the above, EU and UK users have:
- Right to object to processing based on legitimate interests.
- Right to data portability — receive your data in a structured, commonly used format. We will provide a JSON export covering your profile and solves on request.
- Right to withdraw consent at any time for processing based on consent (analytics).
- Right to lodge a complaint with your supervisory authority. For Korean users, the Personal Information Protection Commission (개인정보보호위원회, <https://www.pipc.go.kr>) and the Korea Internet & Security Agency (한국인터넷진흥원, <https://www.kisa.or.kr>) handle complaints under PIPA. For EU users, your national DPA — the Korean equivalent will not necessarily be competent.
8.3 How to Exercise Rights
For most rights, use the in-app controls described above. For data access in machine-readable form, data portability, or anything the app does not surface directly, write to the privacy contact in §1. We will respond within 30 days (extendable by an additional 60 days for complex requests, with notice to you).
8.4 California Residents (CCPA / CPRA)
You have the right to know what categories of personal information we have collected, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of "sales" or "sharing" of personal information.
We do not sell personal information within the meaning of CCPA and we do not "share" it for cross-context behavioral advertising. Cubist does not serve advertising of any kind.
9. iOS App Tracking Transparency
On iOS we present the App Tracking Transparency (ATT) prompt before any cross-app or cross-website tracking used for attribution measurement. If you decline, we do not pass IDFA to our analytics processor. Cubist does not serve advertising. You can change your decision at any time in iOS Settings → Privacy & Security → Tracking.
The att_prompt and att_response analytics events log the prompt and your response so we can measure consent rates; they record the status string (authorized / denied / restricted / not_determined) and an authorized boolean but no further personal data.
10. Security
We protect your data with industry-standard technical and organizational safeguards:
- In transit — TLS 1.2+ for all client–server traffic. Firebase SDKs enforce certificate validation.
- At rest — Firestore and Cloud Storage encryption-at-rest provided by Google Cloud (AES-256). Firestore Security Rules enforce per-document and per-collection access; the rules file is checked into version control and CI-tested.
- Authentication — Apple Sign In and Google Sign-In OAuth flows; no Cubist-managed passwords.
- Anti-cheat — server-side replay and hash-based replay-attack defense.
- Server hardening — Cloud Functions run on Google's managed runtime. Each function declares a dedicated, least-privilege service account:
wipeUserData(cubist-wipe-user-data),verifySolve,onSolveVerified,onPrivacyModeChange,rebuildLeaderboardCache, andonReportCreateare scoped toroles/datastore.user, and the avatar-moderation function (onAvatarFinalize) additionally to Cloud Vision SafeSearch — replacing the shared default runtime service account so a single function's compromise cannot reach unrelated data. [REVIEW] Service-account provisioning (creation + IAM bindings) is applied at deploy time perdocs/ops/service-accounts.md; confirm the bindings are in place before launch. - Crash reporting — debug builds disable Crashlytics collection so developer test data never leaves the device.
No system is perfectly secure. If you believe you have discovered a vulnerability, please report it through coordinated disclosure to official@eodin.app [REVIEW]. Do not exploit it.
11. Cookies and Similar Technologies
The mobile application does not use browser cookies. It uses:
- The system keychain on iOS and Keystore on Android to persist your authentication tokens.
- Local SharedPreferences / NSUserDefaults to remember small preferences such as your accent color, inspection toggle, and one-time tutorial gates.
The marketing website may use minimal first-party analytics in a future release; if introduced, we will update this Policy and present a cookie banner where required.
12. Children's Data
We require users to be 13 or older. We additionally:
- Gate the friend graph behind age confirmation. If you select
under_13, follow / accept actions are blocked client-side, and Firestore Security Rules enforce the gate server-side. - Treat avatar moderation as fail-open with manual review; obviously inappropriate content is removed and the account flagged for review.
If you are a parent or guardian who believes a child under 13 has provided personal data to Cubist, contact us using §1 and we will delete it promptly.
13. Automated Decision-Making
We use automated processing for:
- Solve verification (cube-replay outcome, anti-cheat heuristics).
- Avatar moderation (SafeSearch verdicts).
- Auto-hide of accounts that exceed report thresholds.
These produce decisions with limited individual impact (a rejected solve, a hidden avatar, a flagged account that no longer appears on leaderboards), and you can request human review through the in-app appeal channel or by writing to us. We are not aware of any automated decision-making that would produce legal effects within the meaning of GDPR Art. 22.
14. Changes to This Policy
We may update this Policy from time to time. We will announce material changes inside the app and on the marketing site at least 14 days before they take effect, except where shorter notice is required by law. The "Last Updated" date at the top of this document indicates the most recent revision. We will also keep prior versions accessible on request.
15. Contact
- Privacy questions:
official@eodin.app
