Last updated: 24 October 2025
Who we are (Data Controller): iValuation UG (haftungsbeschränkt), Wiesenstraße 2, 67482 Venningen, Germany.
Contact (privacy): privacy@youvsall.com (or info@youvsall.com)
Products covered: YouvsAll mobile app, youvsall.com and related services (together the “Services”).
Applicability and acceptance. This Privacy Policy applies to the YouvsAll mobile application (the “Application”) and related services provided by iValuation UG (haftungsbeschränkt) (the “Service Provider” or the “Company”). The Application is offered as an ad-supported service and is provided to the extent permitted by law. We use your personal data to provide and improve the Services. By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy and—where required by law—on the basis of your consent.
________________________________________
1. Scope and key terms
This Policy explains what personal data we collect, how and why we use it, with whom we share it, how long we keep it and which choices you have. “Personal data” means any information relating to an identified or identifiable individual. “EEA” means the European Economic Area and includes the UK where the context requires.
________________________________________
2. Categories of data we collect
Depending on your use, we collect:
• Account & profile: email, display name, password hash, country, language, avatar.
• Public leaderboards & profiles: display name, avatar, country/region, scores/rankings, achievements and similar gameplay statistics that may be visible to others (see § 3).
• Single Sign-On (Apple/Google/Meta): provider user ID, name (if provided), email (Apple may provide a private relay email), profile image (if permission granted).
• Usage & device: app events, interactions, diagnostics, crash logs, device identifiers (IDFA/GAID where you consent), IP address, device/OS, app version, language, time zone.
• Website cookies & similar tech: cookie IDs, consent signals (IAB TCF where applicable), page views, referrers, coarse location (country/region).
• Support & communications: contact details and message content, preferences, email engagement metrics.
• Payments & purchases: purchase history, product, currency, receipt/transaction identifiers from Apple App Store or Google Play (we do not process full payment card data).
• User Content: text, images and other content you submit.
• Reports/flags: information you or others provide when reporting content/users (see § 8).
We do not knowingly collect special categories of personal data or children’s data contrary to § 13.
2A. Public leaderboards and profiles (visibility, choices, legal bases)
Some features (such as leaderboards, rankings, public profiles and winner announcements) are social and public by design.
• What may be shown: your display name, avatar, country/region, scores/rankings, achievements and similar gameplay statistics. If you participate in events or win prizes, we may publish abbreviated winner information (e.g., display name and country) as required by law or the applicable Official Rules.
• Audience: other users and, in some cases, the general public (e.g., global leaderboards on our website).
• Legal bases (GDPR/UK GDPR): provision of the Services and competitions (Art. 6(1)(b) – contract), and our legitimate interests in fostering a fair and competitive community and ensuring integrity of rankings (Art. 6(1)(f)). Where local law requires consent for certain disclosures, we will ask for it.
• Your choices: you may choose a display name that does not reveal your real name. Where available, you can adjust profile or visibility settings (e.g., hide from public leaderboards, limit profile fields). Some leaderboard features require public display to function.
• Retention: for the life of your account and as needed for safety, fraud prevention and audit trails. We may retain de-identified statistics.
3. Sources
We collect data directly from you, automatically via the App/Website, and from third parties such as app stores, identity providers, analytics/advertising partners and anti-fraud providers.
4. Purposes and legal bases (GDPR)
We process personal data for these purposes and legal bases:
• Provide and operate the Services (create/manage accounts, enable gameplay/competitions, provide customer support, process purchases): Art. 6(1)(b) GDPR – contract.
• Single sign-on: authenticate via Apple/Google/Meta and link your account: contract and our legitimate interests, Art. 6(1)(f).
• Analytics, crash reporting and product improvement: legitimate interests (to understand and improve the Services) and, where required (EEA/UK), consent via our CMP, Art. 6(1)(a) and 6(1)(f).
• Personalised ads / ad measurement (AdMob/other ad partners): consent in the EEA/UK; legitimate interests or consent elsewhere as required.
• Marketing communications (emails, push notifications): consent where required; otherwise legitimate interests with opt-out.
• Security, fraud prevention & legal compliance: legitimate interests and legal obligation, Art. 6(1)(c) and (f).
Where we rely on consent, you can withdraw it at any time in the App/Website preferences or via your device settings (e.g., “Allow Apps to Track” on iOS).
5. Third-party providers we use
We work with third-party processors and independent controllers to run the Services. The list below describes the key categories, what they do, and the types of data involved. The exact providers may change; we will update this Policy when material changes occur.
• Identity & authentication (SSO providers) — Apple, Google, Meta (Facebook): authenticate you and link an identity to your account. Data: provider user ID, email (Apple may provide a private relay email), name (if provided), profile image (if permitted), token/transaction logs. Legal basis: contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)).
• Analytics & measurement (web & app) — Google Analytics 4 (web); Firebase Analytics & Crashlytics (app): understand usage and stability. Data: device & app identifiers (e.g., Instance ID), IP address (masked for GA4), events, diagnostics, crash traces (without sensitive content), coarse location (country/region). Legal basis: consent in EEA/UK where required; otherwise legitimate interests.
• Advertising & ad measurement (app) — Google AdMob (and mediated demand partners via AdMob). Runs only with consent in the EEA/UK (otherwise non-personalised/contextual ads). Data: advertising identifiers (IDFA/GAID), device/usage signals, approximate location, ad interactions. Legal basis: consent (EEA/UK); elsewhere legitimate interests or consent as required by local law.
• Email delivery — for transactional and (if opted in) marketing emails. Data: recipient email, name (if provided), IP address, delivery status, engagement metrics (opens/clicks), suppression lists. Legal basis: contract for transactional messages; consent or legitimate interests for marketing, with opt-out.
• Cloud hosting & storage — reputable cloud providers (e.g., AWS, Azure) in regions we select, typically within the EU/EEA; where processing, support or backup occurs outside the EEA/UK, we implement appropriate transfer safeguards (see section 10) and robust technical/organisational measures (encryption at rest and in transit, access controls, logical isolation). Data: application databases, media and backups.
• App stores & purchase processing — Apple App Store and Google Play for in-app purchases, subscriptions, refunds. Data: transaction/receipt IDs, product, currency, timestamp; no full payment card data processed by us.
• (If applicable) Customer support tooling — ticketing/contact tools used to handle support requests. Data: contact details, request content, metadata. Legal basis: contract and legitimate interests (to resolve issues).
We enter into data processing agreements with processors and require appropriate security and confidentiality. For international transfers, we use Standard Contractual Clauses or rely on adequacy decisions (see section 10).
2B. App permissions and device settings
The App may request operating system permissions—for example access to the camera or photos to set an avatar, permission to send push notifications, and access to advertising identifiers. We request only what is needed to provide features, security and (with your consent in the EEA/UK) analytics and advertising. You can change permissions in your device settings at any time, though some features may not work without the relevant permission.
________________________________________
4. Purposes and legal bases (GDPR)
We use personal data to provide and operate the Services, which includes creating and managing accounts, enabling gameplay and competitions, providing support and processing purchases; this relies on Art. 6(1)(b) GDPR (contract). We use Apple, Google or Meta to authenticate you and to link your account; this is necessary for the contract and in our legitimate interests (Art. 6(1)(f)). We analyse usage, collect diagnostics and crash information and improve the Services based on our legitimate interests, and in the EEA/UK we obtain consent through our consent banner where the law requires it (Art. 6(1)(a) and 6(1)(f)). We show personalised ads and measure ad performance in the App only with your consent in the EEA/UK; elsewhere we apply legitimate interests or consent as local law requires. We send transactional emails necessary for the Services and, with your consent where required, marketing emails and push notifications, always with an easy opt-out. We also process data to maintain security, prevent fraud and comply with legal obligations (Art. 6(1)(c) and 6(1)(f)). Where we rely on consent, you can withdraw it at any time in the App or Website settings or via your device controls; this does not affect processing already performed.
________________________________________
5. Third-party providers we use
We rely on trusted third parties to run the Services. Identity and authentication are provided through Apple, Google and Meta, which act as independent controllers when they authenticate you and share with us your provider identifier, name if available, email address—potentially a private relay address in the case of Apple—and, if you grant permission, your profile image. Analytics and stability are supported on the web by Google Analytics 4 and in the app by Firebase Analytics and Crashlytics. These tools collect usage events, device and OS information and crash diagnostics; IP masking is enabled for GA4, and in the EEA/UK these tools run only after consent. Advertising in the App uses Google AdMob and its mediated demand partners. In the EEA/UK, ads and related measurement run only with a valid consent signal under the IAB TCF; if you do not consent, we serve non-personalised ads with limited measurement, and you can manage device advertising identifiers in your OS settings. We host and store data with cloud providers in regions we select – typically within the EU/EEA – and apply encryption in transit and at rest, access controls and logical isolation; where processing, support or backup occurs outside the EEA/UK we apply the transfer safeguards described below. Purchases are handled by the Apple App Store and Google Play. Where helpful, we may use customer support tooling to triage and resolve tickets. We have data processing agreements with processors and require appropriate security and confidentiality.
________________________________________
6. Analytics and ads — details
On the web we use Google Analytics 4 with IP masking. In the EEA/UK it only runs after consent via our cookie banner and you can withdraw consent at any time in Cookie Settings. We configure data retention for a limited period consistent with our analytics needs, we keep Google Signals and advertising features off in the EEA/UK unless you consent, and we do not use GA4 data to build individual profiles without consent. In the App we use Firebase Analytics and Crashlytics to understand usage and improve stability. Advertising identifiers are used only for ads and measurement where consent applies in the EEA/UK, and you can reset or limit these identifiers in your device settings. For ads we use Google AdMob under the IAB TCF framework; if you decline consent we serve non-personalised, contextual ads and limit measurement.
In the EEA and the UK, any storage of or access to information on your device for analytics or advertising requires your prior consent under the ePrivacy rules (including the German TTDSG). Our consent banner and in-app choices implement this requirement, and you can change your choices at any time.
________________________________________
7. Payments and in-app purchases
Purchases are processed by the Apple App Store or Google Play. We receive receipt or order identifiers, product, currency and timestamps to validate entitlements such as premium or ad-free access and to prevent fraud and provide support. We do not process payment card details. For subscriptions we receive renewal and cancellation status from the stores and synchronise access accordingly. Refunds and chargebacks are handled by the stores under their policies and applicable consumer law. We keep purchase records for statutory accounting and tax periods.
________________________________________
7A. Safety, integrity and AI-assisted moderation
We use automated systems, including AI-based classifiers, to keep gameplay and leaderboards fair, to prevent fraud and abuse, and to protect the security and integrity of the Services. These systems analyse technical signals such as anomalous usage patterns, device and network characteristics and server-side telemetry. We do not analyse private communications for advertising, and we do not use AI for emotion recognition, biometric categorisation or any form of social scoring. Where our tools flag potential violations, a human will review significant decisions before they take effect. If we restrict your account, you can appeal via in-app settings or by contacting privacy@youvsall.com; we will provide meaningful information about the decision and will re-examine it. Processing is based on our legitimate interests in ensuring service integrity and safety, and on legal obligations where applicable.
________________________________________
8. Email and push communications
We send transactional emails such as account notices, security alerts and purchase confirmations. With your consent where required, we also send marketing emails or push notifications about product updates and offers. You can unsubscribe at any time via the link in the email, in-app settings or via your device controls. Our email provider processes IP addresses and basic engagement metrics to deliver, secure and troubleshoot emails, and we keep suppression lists to honour opt-outs.
________________________________________
9. Sharing and disclosures
We share personal data as necessary with service providers acting under contract, with other users or the public when you choose to share content or participate in public features such as leaderboards and profiles, with app stores and identity providers in order to operate purchases and sign-ins, and with advertising and analytics partners as described and only in line with your consent and choices where required. We may also share with group companies and professional advisers bound by confidentiality, and with public authorities or third parties where the law requires it, in response to valid legal requests or to protect rights, safety and security including in cases of fraud, abuse or security incidents. If we undergo a corporate transaction such as a merger, acquisition or asset sale, your data may be transferred subject to appropriate safeguards. We may share aggregated or de-identified information that cannot reasonably be used to identify you. We do not sell personal information for money; for California residents we only “share” data for cross-context behavioural advertising as described in section 14 and provide opt-out controls.
________________________________________
10. International transfers
Where we transfer personal data outside the EEA or the UK, we rely on adequacy decisions where available or on the EU Standard Contractual Clauses together with the UK Addendum, and we apply supplementary measures such as encryption and access controls. Where our partners participate in the EU-US or UK-US Data Privacy Framework, we may rely on those certifications for transfers to the United States. We carry out transfer impact assessments where required.
________________________________________
11. Retention
We retain personal data only for as long as necessary for the purposes described in this Policy. As a guide, account data is kept for the life of the account and up to twenty-four months after the last activity unless we must keep it longer by law; analytics and advertising data are retained for between two and twenty-six months depending on the configuration of the tools we use; crash logs are kept for up to twenty-four months; purchase records are stored for statutory accounting and tax retention periods; and support correspondence is kept for up to thirty-six months after a matter is resolved. We may also anonymise and aggregate information for statistics and product improvement.
________________________________________
12. Children
The Services are not directed to children under sixteen in the EEA or UK, or under thirteen in the United States and elsewhere as required by law. We do not knowingly collect data from children below these ages. If you believe a child has provided data, please contact us and we will take appropriate action.
________________________________________
13. Your rights (GDPR/UK GDPR)
If you are in the EEA/UK, you have the following rights over your personal data. These may be subject to conditions and legal limits.
• Right of access – to obtain confirmation whether we process your data and to receive a copy of your personal data together with related information.
• Right to rectification – to have inaccurate or incomplete personal data corrected.
• Right to erasure ("right to be forgotten") – to have some or all of your personal data deleted where, for example, it is no longer needed, you withdraw consent (where relied on), or you successfully object to processing. Legal obligations may require us to retain some data.
• Right to restriction of processing – to limit our processing where: (i) the accuracy of the data is contested (while we verify it); (ii) the processing is unlawful and you oppose erasure; (iii) we no longer need the data but you require it for legal claims; or (iv) you have objected pending verification of overriding legitimate grounds.
• Right to data portability – to receive certain personal data you provided to us in a structured, commonly used and machine-readable format and to have it transmitted to another controller where technically feasible. This applies where processing is based on consent or contract and carried out by automated means.
• Right to object – to object at any time to processing based on our legitimate interests, including profiling on that basis. We will stop unless we demonstrate compelling legitimate grounds or need the data for legal claims. You have an absolute right to object to direct marketing (including related profiling).
• Rights related to automated decision-making – the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects you. We do not engage in such decisions (see section 17).
• Right to withdraw consent – where we process data based on consent, you may withdraw it at any time; this will not affect prior processing.
• Right to lodge a complaint – with a supervisory authority. You can contact your local authority, or our likely lead authority: Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI RLP), Germany.
How to exercise your rights.
You can exercise rights by emailing privacy@youvsall.com. We may need to verify your identity before acting on a request. We aim to respond within one month (extendable by two further months for complex requests, in which case we will notify you). Some rights may not apply in certain contexts (for example, where we must retain data to comply with law or to establish, exercise or defend legal claims). Where you make a request electronically, we will respond electronically where possible. You may also object to the use of your personal data for improving internal AI systems where we rely on legitimate interests; we will honour that objection unless we demonstrate compelling legitimate grounds.
________________________________________
14. California Privacy Notice (CCPA/CPRA)
This section applies to California residents and supplements the rest of this Policy.
Categories collected: identifiers (e.g., email, device IDs), commercial information (purchase history), internet/activity data (usage, analytics), geolocation at coarse level, inferences (to improve services), and user content. We do not knowingly collect sensitive personal information.
Sources: you, your devices, app stores, identity and analytics/advertising partners.
Purposes: see section 4.
Disclosure for business purposes: to service providers (analytics, ads, email, hosting, stores).
Sale/Share: we do not sell personal information for money. We may “share” identifiers and activity data with advertising partners for cross-context behavioural advertising. You can opt out by using the "Do Not Sell or Share My Personal Information" link on our website or the in-app privacy settings.
Your rights: to know/access, delete, correct, opt out of sale/share, limit use of sensitive personal information (not used), and non-discrimination. You may exercise rights via our web form or by emailing privacy@youvsall.com. We will verify requests and may use an authorised agent consistent with CPRA rules.
Retention: see section 11.
________________________________________
15. Do Not Track / CalOPPA
Our website does not currently respond to “Do Not Track” browser signals. You can control cookies via Cookie Settings and your browser or device controls.
________________________________________
16. Security
We use technical and organisational measures such as encryption in transit, access controls, logging, least privilege access and regular reviews. No method of transmission or storage is completely secure. Where legally required, we will notify authorities and affected users of a personal data breach and provide guidance.
________________________________________
16A. AI use and transparency (EU AI Act)
We use artificial intelligence in limited ways to operate and improve the Services, principally for security, anti-cheat and moderation as described in section 7A and for analytics as described in section 6. If we introduce features where you interact with an AI system (for example, an in-app assistant) we will clearly inform you that you are interacting with AI and provide appropriate controls. Where we generate or alter content using AI, we will label such content as artificially generated or manipulated and, where feasible, apply technical measures to support provenance or watermarking. We do not use AI for emotion recognition, biometric categorisation or real-time remote biometric identification, and we do not engage in prohibited practices such as social scoring. When we rely on third-party AI providers, we do so under contracts that prevent them from using your personal content to train their foundation models, and we ensure appropriate data protection and transfer safeguards. We do not use your personal content to train third-party general-purpose AI models; where we improve our internal models, we do so using aggregated or de-identified data or another appropriate legal basis, and you may object to such use where it relies on our legitimate interests. These measures are designed to meet the transparency obligations for deployers under the EU Artificial Intelligence Act.
________________________________________
17. Automated decision-making
We do not make decisions solely by automated means that produce legal or similarly significant effects about you.
________________________________________
18. Changes
We may update this Policy from time to time. We will post updates here and, if changes are material, provide a prominent notice such as an in-app message or email. Your continued use signifies acceptance of the updated Policy.
________________________________________
19. Your Consent
By using the Application, you are giving your consent to the Service Provider's processing of your information as set forth in this Privacy Policy now and as amended by us.
________________________________________
20. Contact
Questions or requests? Email privacy@youvsall.com or write to our address above.