Cubist logo

Cubist

Privacy Policy

Version 1.0.0|Last updated: June 27, 2026

Cubist — Privacy Policy

  • Effective Date: To be set on launch day.
  • Last Updated: 2026-06-27
  • Document Owner: semag studios

1. Who We Are

semag studios ("we", "our", or "Cubist") publishes the Cubist mobile application and the associated marketing site at cubist.semag.app.

For purposes of GDPR / UK GDPR we are the controller of personal data described in this Policy.

  • Controller: semag studios
  • Privacy contact: official@eodin.app [REVIEW] — confirm mailbox provisioning before launch.
  • EU representative: To be appointed before EU launch. [REVIEW]
  • UK representative: To be appointed before UK launch if applicable. [REVIEW]

For purposes of Korean PIPA, our "personal information protection officer" (개인정보 보호책임자) is [REVIEW] to be named on launch.

2. Scope

This Policy describes how Cubist collects, uses, shares, and protects personal data when you:

  • Install or use the Cubist mobile application on iOS or Android.
  • Visit cubist.semag.app (currently a marketing surface; no account features there).
  • Interact with us through support, social media, or feedback channels.

It applies to all users worldwide; where local law grants you additional rights, those rights apply in addition to anything described here.

3. Data We Collect

Cubist is designed to minimize personal data and to keep solve records cloud-backed primarily for the user's own convenience and for the integrity of competitive features.

3.1 Data You Provide

CategoryExamplesWhen
Authentication identifiersApple ID identifier, Google account ID, email address (from Apple/Google), display name (from Google)Sign-in (mandatory after onboarding)
Profile fieldsUsername, display name, country code, WCA ID (optional), age band, avatar imageWhen you edit your profile
Solve dataScramble string, recorded time, move sequence (per solve), penalty (+2 / DNF), inspection flag, lucky tag, free-form notes, session IDEach solve
User reportsReported user identifier, reason category, optional free-text up to 500 charactersWhen you submit a report
Appeal submissionsSolve identifier, your account identifier, free-text appeal bodyWhen you appeal a verifier rejection
Feedback messagesFree-text content you send through the in-app feedback channelWhen you submit feedback
PurchasesApple App Store / Google Play transaction identifiers, purchase status, and a RevenueCat app-user identifier and entitlement state (via our payments processor RevenueCat)When you make an in-app purchase

3.2 Data We Collect Automatically

CategoryExamplesPurpose
Device informationOS version, app version, model class, language, time zone, localeCompatibility, support, analytics
Network informationIP address (transient, used by Firebase for region routing and abuse detection), connection typeService operation
Crash & diagnostic dataStack traces, native crash logs, custom keys we set (e.g. event identifier), recent breadcrumb events — via Firebase CrashlyticsStability and bug-fix prioritization
Analytics eventsScreen views, tap events, funnel signals (e.g. solve_complete, tutorial_method_complete, friend_add) and their properties as documented in docs/cubist-prd_new.md §12 and .claude/agents/logging-agent.mdFunnel measurement, product improvement
iOS Advertising identifier (IDFA)Only when you grant App Tracking Transparency consentAttribution measurement for analytics — we do not serve advertising
Anti-cheat metadataHash of (scramble, moves, time), server-side flags (pending_review, flagged_for_review), heuristic verdictsIntegrity of leaderboards (PRD §7.4)
Avatar moderation resultsSafeSearch verdicts (adult / racy / violence likelihoods), magic-byte validation outcomeContent moderation (PRD §8.1)

We do not intentionally collect:

  • Payment card data (handled by Apple / Google).
  • Real names beyond what you choose to display.
  • Health, biometric, racial, political, or religious data.
  • Precise geolocation (we only derive country-level signals from IP via Firebase and from the country code you optionally provide).

3.3 Data from Third Parties

  • Apple Sign In with Apple provides us your Apple-issued identifier and, on first sign-in only, your email address (which you may proxy via Apple's relay) and name. Subsequent sign-ins return only the identifier.
  • Google Sign-In provides us your Google identifier, email address, display name, and profile picture URL (which we do not store; we only use the identifier you fetch via the SDK to obtain a Firebase credential).

3.4 No Children Under 13

Cubist is rated 13+ and is not designed for children under 13. If you identify your age band as under_13, the friend graph is locked down (you cannot search, add, accept, or be added) and your data is excluded from cross-user reads. If we learn we have inadvertently collected data from a child under 13 in a jurisdiction that prohibits it, we will delete the data promptly. Contact us at the address in §1 to request such deletion.

4. How We Use Data

4.1 Service Operation

  • Authenticate you and maintain your session.
  • Persist your solves, sessions, statistics, settings, and tutorial progress across devices.
  • Compute and display personal bests, averages, and other statistics.
  • Replay submitted move sequences server-side to verify solves (verifySolve Cloud Function).
  • Maintain leaderboard caches for the global, regional, friend, and time-windowed scopes.
  • Match friend requests, deliver friend-graph state, and gate friend features under the 13+ rule.
  • Process appeals and operate the moderation pipeline.
  • Process in-app purchases and unlock purchased features.

4.2 Anti-Cheat and Integrity

  • Replay move sequences to confirm the cube reaches the solved state.
  • Detect timing anomalies (sub-human floors, excessive turns-per-second, PB burst windows) per docs/sprint-0/anti-cheat-thresholds.md.
  • Detect replay attacks via canonical hash matching.
  • Detect username impersonation via homoglyph skeletons.
  • Auto-hide accounts that exceed our user-report threshold (5 unique reporters).

4.3 Analytics and Product Improvement

Cubist uses two analytics pipelines in parallel:

  • Eodin Analytics SDK (operated by Eodin, an affiliated entity — see §6) — emits the events documented in .claude/agents/logging-agent.md. Eodin's pipeline supports a SDK-level opt-out and a data deletion request (Settings → Privacy → Data collection / Delete my data).
  • Firebase Analytics (GA4) — emits a partially overlapping dual signal. GA4 collection can be disabled via Settings → Privacy → Data collection in the same toggle.

We use this telemetry to understand usage patterns, surface bugs, measure feature adoption, and tune the product roadmap. We do not use it to build advertising profiles about you or to sell data.

4.4 Communications

We may send transactional notifications inside the app (e.g. friend request received, your solve verified). We will only send marketing messages if you affirmatively opt in.

4.5 Legal and Safety

  • Comply with court orders and legal obligations under PIPA, GDPR, and equivalent laws.
  • Protect the rights, property, or safety of users, Cubist, or third parties.
  • Detect and prevent fraud, abuse, and security incidents.

5. Legal Bases (EEA / UK)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

ProcessingLegal basis
Account creation, sign-in, solve storage, friend graphContract (GDPR Art. 6(1)(b)) — necessary to provide the service you requested
Anti-cheat, abuse detection, content moderationLegitimate interests (Art. 6(1)(f)) — operating a trustworthy competitive service
Crashlytics diagnosticsLegitimate interests (Art. 6(1)(f)) — keeping the app stable
Analytics (Eodin SDK + GA4)Consent where required by ePrivacy / local law; otherwise legitimate interests. The Settings → Privacy → Data collection toggle is the operative consent control
In-app purchasesContract (Art. 6(1)(b)) — necessary to deliver the purchase you requested
Compliance with legal requestsLegal obligation (Art. 6(1)(c))

For children below the age of digital consent in your jurisdiction, processing requires verifiable parental consent under GDPR Art. 8. Cubist's design intent is to restrict use to 13+ users in all jurisdictions to keep this scenario out of scope; however, [REVIEW] specific country thresholds (16 in some EU member states) require counsel review.

6. How We Share Data

We do not sell personal data, and we do not share it with advertising data brokers.

We share data only with sub-processors that help operate the Service, under contracts that bind them to GDPR-compliant terms.

CategorySub-processorPurposeData
Cloud platformGoogle LLC (Firebase / Google Cloud)Hosting (Firestore, Cloud Functions, Cloud Storage), authentication, analytics (GA4), crash reporting (Crashlytics), avatar moderation (Cloud Vision SafeSearch)All categories under §3; data resides in asia-northeast3 (Seoul) region for Firestore and Cloud Functions; Storage is in the default bucket region pending the asia-northeast3 migration [REVIEW]
IdentityApple Inc.Sign in with AppleApple identifier + email proxy
IdentityGoogle LLCGoogle Sign-InGoogle identifier + email
Analytics & attributionEodin (affiliated entity under common semag operation)Funnel tracking, deep-link attribution, share-link short URLsEvents documented in .claude/agents/logging-agent.md; device identifier; ATT-gated IDFA
PaymentsApple App Store, Google Play, RevenueCat, Inc.Process in-app purchases; RevenueCat validates store receipts and tracks entitlementsTransaction identifier, RevenueCat app-user identifier, entitlement state
Crash diagnosticsGoogle LLC (Firebase Crashlytics)Crash and non-fatal error reportingStack trace, device state, custom keys

We may share data with law-enforcement or other regulators if compelled by a valid legal demand, after reviewing the demand against our human-rights commitments.

6.1 International Transfers

Firebase and Google Cloud may process data in regions outside your country, in particular in the United States and Ireland. Where required, we rely on:

  • Standard Contractual Clauses (EU Commission Decision 2021/914) between Google LLC and us.
  • The EU-US Data Privacy Framework to the extent Google LLC is certified.

You may request a copy of our cross-border transfer documentation by writing to the privacy contact in §1.

7. Retention

We keep personal data only as long as needed for the purposes described in §4, and then delete or anonymize it.

DataRetention
Profile fields, solves, sessions, tutorial progress, friend graphUntil you delete your account or specific records
Authentication credentialsUntil you delete your account
Crashlytics eventsPer Firebase Crashlytics defaults (Google publishes retention windows; typically 90 days for non-fatals and 60 days for breadcrumb events)
Analytics events (Eodin SDK)Per Eodin's policy — currently 30 days for raw event logs. [REVIEW] Confirm with Eodin policy update before launch
Analytics events (GA4)Per Firebase Analytics retention (default 14 months, configurable) [REVIEW] confirm configured value before launch
Anti-cheat replay hashes (solve_hashes/{hash})30 days TTL (planned expires_at field — see §17.7 of docs/checklist.md) [REVIEW]
Server-side logs (Cloud Logging)30 days default in Google Cloud
Report records (reports/{auto-id})Retained for moderation history; PII is replaced with hashes

When you request account deletion (§8.3) we wipe your records immediately: the wipeUserData function recursively deletes your users/{uid} subtree (solves, sessions, statistics, per-event personal-best snapshots), reclaims your username and homoglyph-skeleton reservations, removes your friendship edges in both directions, evicts your entries from the leaderboard caches, and deletes your stored avatar; we then send a deletion signal to Eodin, revoke refresh tokens, and delete the Firebase Authentication entry. Anti-cheat replay hashes, anonymized aggregate counts, and report records that have been hashed may survive for the periods listed above in account-detached form.

8. Your Rights

8.1 Rights Available to All Users

  • Access — see what we know about you, mostly through in-app surfaces (Profile, Stats, Solve History). For a full export, contact us at §1.
  • Rectification — edit your profile fields directly in Me → Edit profile.
  • Privacy mode — switch between Private, Public, and Ghost in Me → Settings → Privacy to control cross-user visibility.
  • Restrict analytics — toggle off Me → Settings → Privacy → Data collection. This calls EodinAnalytics.setEnabled(false) and FirebaseAnalytics.setAnalyticsCollectionEnabled(false).
  • Erasure — delete your account from Me → Settings → Privacy → Delete account. The deletion is irreversible after a short propagation window.

8.2 GDPR / UK GDPR Rights

In addition to the above, EU and UK users have:

  • Right to object to processing based on legitimate interests.
  • Right to data portability — receive your data in a structured, commonly used format. We will provide a JSON export covering your profile and solves on request.
  • Right to withdraw consent at any time for processing based on consent (analytics).
  • Right to lodge a complaint with your supervisory authority. For Korean users, the Personal Information Protection Commission (개인정보보호위원회, <https://www.pipc.go.kr>) and the Korea Internet & Security Agency (한국인터넷진흥원, <https://www.kisa.or.kr>) handle complaints under PIPA. For EU users, your national DPA — the Korean equivalent will not necessarily be competent.

8.3 How to Exercise Rights

For most rights, use the in-app controls described above. For data access in machine-readable form, data portability, or anything the app does not surface directly, write to the privacy contact in §1. We will respond within 30 days (extendable by an additional 60 days for complex requests, with notice to you).

8.4 California Residents (CCPA / CPRA)

You have the right to know what categories of personal information we have collected, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of "sales" or "sharing" of personal information.

We do not sell personal information within the meaning of CCPA and we do not "share" it for cross-context behavioral advertising. Cubist does not serve advertising of any kind.

9. iOS App Tracking Transparency

On iOS we present the App Tracking Transparency (ATT) prompt before any cross-app or cross-website tracking used for attribution measurement. If you decline, we do not pass IDFA to our analytics processor. Cubist does not serve advertising. You can change your decision at any time in iOS Settings → Privacy & Security → Tracking.

The att_prompt and att_response analytics events log the prompt and your response so we can measure consent rates; they record the status string (authorized / denied / restricted / not_determined) and an authorized boolean but no further personal data.

10. Security

We protect your data with industry-standard technical and organizational safeguards:

  • In transit — TLS 1.2+ for all client–server traffic. Firebase SDKs enforce certificate validation.
  • At rest — Firestore and Cloud Storage encryption-at-rest provided by Google Cloud (AES-256). Firestore Security Rules enforce per-document and per-collection access; the rules file is checked into version control and CI-tested.
  • Authentication — Apple Sign In and Google Sign-In OAuth flows; no Cubist-managed passwords.
  • Anti-cheat — server-side replay and hash-based replay-attack defense.
  • Server hardening — Cloud Functions run on Google's managed runtime. Each function declares a dedicated, least-privilege service account: wipeUserData (cubist-wipe-user-data), verifySolve, onSolveVerified, onPrivacyModeChange, rebuildLeaderboardCache, and onReportCreate are scoped to roles/datastore.user, and the avatar-moderation function (onAvatarFinalize) additionally to Cloud Vision SafeSearch — replacing the shared default runtime service account so a single function's compromise cannot reach unrelated data. [REVIEW] Service-account provisioning (creation + IAM bindings) is applied at deploy time per docs/ops/service-accounts.md; confirm the bindings are in place before launch.
  • Crash reporting — debug builds disable Crashlytics collection so developer test data never leaves the device.

No system is perfectly secure. If you believe you have discovered a vulnerability, please report it through coordinated disclosure to official@eodin.app [REVIEW]. Do not exploit it.

11. Cookies and Similar Technologies

The mobile application does not use browser cookies. It uses:

  • The system keychain on iOS and Keystore on Android to persist your authentication tokens.
  • Local SharedPreferences / NSUserDefaults to remember small preferences such as your accent color, inspection toggle, and one-time tutorial gates.

The marketing website may use minimal first-party analytics in a future release; if introduced, we will update this Policy and present a cookie banner where required.

12. Children's Data

We require users to be 13 or older. We additionally:

  • Gate the friend graph behind age confirmation. If you select under_13, follow / accept actions are blocked client-side, and Firestore Security Rules enforce the gate server-side.
  • Treat avatar moderation as fail-open with manual review; obviously inappropriate content is removed and the account flagged for review.

If you are a parent or guardian who believes a child under 13 has provided personal data to Cubist, contact us using §1 and we will delete it promptly.

13. Automated Decision-Making

We use automated processing for:

  • Solve verification (cube-replay outcome, anti-cheat heuristics).
  • Avatar moderation (SafeSearch verdicts).
  • Auto-hide of accounts that exceed report thresholds.

These produce decisions with limited individual impact (a rejected solve, a hidden avatar, a flagged account that no longer appears on leaderboards), and you can request human review through the in-app appeal channel or by writing to us. We are not aware of any automated decision-making that would produce legal effects within the meaning of GDPR Art. 22.

14. Changes to This Policy

We may update this Policy from time to time. We will announce material changes inside the app and on the marketing site at least 14 days before they take effect, except where shorter notice is required by law. The "Last Updated" date at the top of this document indicates the most recent revision. We will also keep prior versions accessible on request.

15. Contact

  • Privacy questions: official@eodin.app
Privacy Policy - Cubist