Privacy Policy

The full legal text of our Privacy Policy. This document covers all data processing activities across our applications, websites, and services. 2026 Global Full-Compliance Deep-Enhanced Edition.

Contents

  • Part 1 / Privacy Policy
  • 1. Data Collection Granularity
  • 2. Third-Party Data Mapping
  • 3. Global Regional Compliance
  • 4. Auto-Renewal Subscriptions
  • 5. AI-Generated Content
  • Part 2 / Service Agreement
  • Part 3 / Technical Compliance
  • Part 4 / Risk Control
Document Version: 2026.01.15 // Compliance Edition

Privacy Policy & Service Agreement

Effective Date: January 15, 2026   |   Last Updated: January 15, 2026

This document is the 2026 Global Full-Compliance Deep-Enhanced Edition. It comprehensively addresses the EU Digital Services Act (DSA) latest transparency requirements, U.S. state privacy laws (California, Texas, Virginia, etc.), AI-Generated Content declarations (where applicable), and details IAP and advertising fraud penalty rules. It also integrates the latest 2026 global data sovereignty and app store policy changes, supplementing regional compliance details, technical execution standards, and risk prevention measures.

This Privacy Policy applies to all mobile applications, websites, and services developed and published by cloudbitlogicpro (the “Studio”, “we”, “us”, or “our”), available on the Apple App Store, Google Play Store, and the website cloudbitlogicpro.com.

Part 1: Privacy Policy

1. Data Collection Granularity and Purpose

We strictly follow the “minimum necessary” principle and collect the following information through compliant technical means, used solely to maintain the normal operation of the IAA (In-App Advertising) and IAP (In-App Purchase) systems, optimize user experience, and prevent fraudulent behavior. The entire process complies with privacy regulations in all global regions. We do not collect any personal information unrelated to the services:

1.1 Device Fingerprint & Identification Codes

  • IDFA (iOS devices), GAID (Android devices), OAID (Android devices for the China market), device brand, model, screen resolution, system version, language settings, battery status, system clock offset (used to detect timezone cheating and prevent cross-regional price fraud), device unique identifier (encrypted, not linked to user real identity).

1.2 Network Environment Data

  • IP address (used only for geographic compliance filtering, to determine the user's region and adapt to local regulations and services; not used for precise location), mobile network operator name, Wi-Fi connection status, network type (4G/5G/Wi-Fi), used to ensure service stability and regional compliance management.

1.3 Behavior Trajectory (IAA & UX)

  • Advertising Behavior: Ad display ID, click time, conversion path, rewarded video ad viewing duration and whether the user exited mid-way, ad dwell time. Used to optimize ad delivery effectiveness and prevent ad fraud. Data is used only for internal analysis and to synchronize necessary information to third-party monetization platforms (after de-identification processing).
  • Game/Application Logic: Core function loop trigger count, pop-up click rate at pay points, new-user guidance drop-off points, feature usage frequency. Used to optimize product interaction experience, adjust feature layout, improve user convenience. We do not collect specific user operation content or private data.

1.4 Financial Transaction Data (IAP)

  • We receive transaction receipts solely through the official App Store / Google Play API. We do not touch, store, or process your bank card number, CVV code, payment password, bank card expiration date, or other sensitive payment information. All payment operations are handled by Apple's or Google's official payment systems.
  • Recorded items include: order number, purchased item name and quantity, payment currency, payment amount, country code, transaction time, whether the order is a sandbox test order, and order status (success / failure / refund), used for order verification, refund processing, financial reconciliation, and payment fraud prevention.

Additional Notes: All collected data is encrypted, stored on compliant servers, accessible only to authorized personnel, with the access process fully logged to ensure data security and controllability.

2. Deep Third-Party Sharing Architecture (Data Mapping)

To achieve legal monetization, service optimization, and anti-fraud purposes, we only share necessary data with the following compliant third-party ecosystems. The sharing process strictly follows the “minimum necessary, encrypted transmission, fully controllable” principle. We do not share any sensitive personal information. You may review their privacy policies on each platform's official website to understand the data processing details:

2.1 Aggregation Layer (Mediation)

  • AppLovin (MAX), Google AdMob, Unity LevelPlay. Purpose: Real-Time Bidding (RTB), optimization of ad fill rate and monetization efficiency. Shared data only includes de-identified device information and ad display / click data, not linked to user real identity.

2.2 Attribution & Anti-Fraud (MMP)

  • AppsFlyer, Adjust, Singular. Purpose: Track ad installation effectiveness, identify fake installs, prevent ad fee theft. Shared data only includes de-identified device information and installation attribution data, used for anti-fraud verification, no private user information is collected.

2.3 Payment Processors

  • Apple Inc., Google LLC. Purpose: Process in-app purchase transactions, verify order validity. Shared data only includes order-related information (no sensitive payment information), used for transaction reconciliation and order verification, strictly following Apple's and Google's official data processing specifications.

2.4 Additional Ad Networks and Platforms

  • Pangle (ByteDance), Mintegral, InMobi, Meta Audience Network, Vungle, Liftoff, ironSource, Chartboost, Tapjoy, AdColony, MyTarget, Yandex Ads, Smaato, PubMatic, OpenX, Verizon Media, Criteo. Each is integrated with limited data scopes, configurable in the application settings.

Additional Notes: We sign strict confidentiality agreements and data processing agreements with all third-party partners, clarifying the scope, duration, and security responsibilities of data use. We regularly audit third-party compliance. If a third party engages in non-compliant data processing, we will immediately terminate the partnership and pursue their relevant liability. Users may view the third-party sharing list and scope of data sharing through in-app settings, and have the right to withdraw the relevant authorization (after withdrawal, the normal operation of advertising monetization and some services may be affected).

3. Global Region-Specific Legal Disclosures

We strictly adapt to privacy regulations in all countries / regions around the world. Combined with the latest policy changes in 2026, we have formulated differentiated compliance terms for key regions to ensure full compliance throughout the service:

3.1 European Union (GDPR) & United Kingdom (UK-GDPR)

  • Legal Basis: Our legal grounds for processing user data include: performance of the service agreement with the user, obtaining the user's explicit consent, maintaining our legitimate interests (such as anti-fraud, service optimization). All data processing activities comply with Article 6 of GDPR / UK-GDPR.
  • Representative Office: [EU/UK Statutory Representative contact information and registered address reserved here], responsible for receiving data-related requests (access, correction, deletion, withdrawal of consent, etc.) from EU / UK users, with a response time of no more than 7 business days.
  • DSA Transparency Supplement: We strictly follow the latest transparency requirements of the EU Digital Services Act (DSA), publicly disclose ad delivery rules, algorithmic recommendation logic, and content review standards, regularly publish transparency reports, clarify data processing workflows and third-party cooperation details, and accept supervision by EU regulatory authorities. If the application involves User Generated Content (UGC), the content review mechanism, complaint handling process, and non-compliant content disposal standards will be made public, ensuring users' right to know.
  • User Rights Protection: EU / UK users have the right to access, correct, and delete personal data at any time, withdraw data processing authorization, request that we provide a copy of personal data (data portability), and file complaints about non-compliant data processing with the European Data Protection Board (EDPB) or the UK Information Commissioner's Office (ICO).

3.2 United States (CCPA / CPRA / VCDPA and other state-level differentiated provisions)

  • No Sale of Personal Information: We explicitly commit not to sell users' personal information to any third party (including advertisers, data brokers, etc.). However, according to the legal definitions of California CPRA and Virginia VCDPA, to achieve ad precision, sharing non-sensitive information such as device IDs with third parties may be considered “data sharing.” We will clearly inform users of such sharing within the application. Users have the right to opt-out of such sharing at any time.
  • Do Not Track: We fully respect the device system's “Do Not Track” setting. If the user enables this setting, we will stop collecting user behavior trajectory data, which will no longer be used for precision ad targeting or personalized recommendations. We only retain the minimum data necessary to maintain normal service operation.
  • State-Specific Adaptations:
    • California (CPRA): Users have the right to require us to disclose details of personal information collected, used, and shared in the past 12 months, the right to request deletion of personal information, and the right to refuse the use of personal information for targeted advertising. We will respond to user requests within 45 business days.
    • Texas (CCPA-TX): Strengthens user data access rights. Users may freely query personal data collection records. We must not set unreasonable barriers. Sharing sensitive user information (such as biometric data, financial information) with third parties is prohibited unless explicit written consent is obtained from the user.
    • Virginia (VCDPA): Users have the right to require us to correct erroneous personal data and stop sharing personal data with third parties. We must complete the correction or stop-sharing operation within 30 business days and provide feedback to the user.
    • Other States: We adapt to the latest privacy regulations in Washington, Colorado, Connecticut, Utah, and other states, clarifying user data rights and our compliance obligations, ensuring compliance across the United States.

3.3 Brazil (LGPD)

We strictly comply with Brazil's General Data Protection Law (LGPD). We must obtain explicit user authorization before collecting personal information, clearly informing the user of the purpose, scope, and method of information collection. We protect Brazilian users' rights to access, correct, delete, and withdraw authorization for data. We have established a dedicated compliance officer to handle Brazilian users' data-related requests. User data is stored on servers within Brazil and is not arbitrarily transferred abroad. If cross-border transfer is required, approval from the Brazilian National Data Protection Authority (ANPD) is required.

3.4 Other Key Regions

  • China: We comply with the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Regulations on Promoting and Regulating Cross-border Data Flows. We obtain explicit user consent before collecting personal information. We implement data localization storage requirements (data of users in China is stored on servers within China). We do not illegally collect sensitive personal information, and cooperate with the supervision and inspection of China's Cyberspace Administration.
  • India: We comply with the Digital Personal Data Protection Act (DPDP Act). We clarify data collection boundaries, collect data only after obtaining the user's written consent, establish a Data Protection Officer (DPO), grant users the right to request deletion of personal data, and require approval from India's Ministry of Electronics and Information Technology (MeitY) for cross-border data transfer.
  • Saudi Arabia: We comply with the Personal Data Protection Law (PDPL), implement data localization storage requirements (user data is stored on servers within Saudi Arabia), do not arbitrarily transfer data abroad, and accept supervision by the Saudi Data and Artificial Intelligence Authority (SDAIA).
  • Canada, Japan: We adapt to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Japan's Act on the Protection of Personal Information (APPI), clarify data processing specifications, protect user data rights, cooperate with local regulatory authority audits, and respond to the upgraded 2026 global data sovereignty requirements.
  • Other Regions: Including but not limited to South Korea (PIPA), Singapore (PDPA), Australia (Privacy Act 1988), Russia (Federal Law No. 152-FZ), and other countries / regions. We continuously monitor changes in local laws and regulations to ensure global compliance.

4. Auto-Renewal Subscription Statement (Subscription Transparency)

If the application includes auto-renewal subscription services, we strictly follow Apple and Google app store rules and global regional compliance requirements. The following statements are explicitly made to protect users' right to know and right to choose:

  • We only collect subscription-related necessary information, including subscription period, remaining trial time, subscription status (active / expired / paused), renewal time, used for subscription management and service provision, and do not collect any unrelated information.
  • Transparency Guarantee:
    • Before Subscription: Clearly inform users of the subscription period (weekly / monthly / annual), subscription price, trial period length (if any), renewal rules, and how to cancel the subscription. There are no hidden clauses.
    • Billing Reminder: 24 hours before each auto-renewal billing, we will send a billing reminder to the user through an in-app pop-up, system push, etc., clearly informing the billing amount, billing time, and direct access path to cancel the subscription.
    • Subscription Management: Users can cancel auto-renewal at any time through the in-app “Settings - Subscription Management” or the App Store / Google Play subscription management page. After cancellation, no further charges will be incurred. Cancellation during the trial period is free of charge.
  • Trial Period Description: If a free trial is provided, the subscription will automatically renew and be billed after the trial period ends. The user may cancel the subscription at any time during the trial period to avoid charges. If the user has used subscription-exclusive features during the trial period, those features will be deactivated immediately after cancellation.

5. AI-Generated Content Statement (where applicable)

If the application includes AI-generated content (including but not limited to text, audio, images, interactive scenes, etc.), we strictly follow global AI compliance requirements. The following statements are explicitly made to protect users' right to know and legal rights:

  • Clear Labeling: All AI-generated content will be clearly marked as “AI Generated” to distinguish it from human-created content, without misleading users, in compliance with the EU AI Act and the AI transparency requirements of various U.S. states.
  • Content Compliance: AI-generated content strictly follows global content review standards, prohibiting the generation of violent, pornographic, vulgar, false information, politically sensitive, racially discriminatory, or other non-compliant content. We implement an “AI generation + manual review” dual mechanism to ensure content compliance.
  • Responsibility Definition: AI-generated content is only used as an auxiliary function, does not constitute any advice, commitment, or guarantee. We do not assume relevant liability for any loss suffered by the user based on AI-generated content. If AI-generated content infringes upon others' intellectual property rights, reputation rights, or other legal rights, we will assume corresponding liability and promptly delete the non-compliant content.
  • Data Security: The data used to train AI models is compliantly collected or authorized non-sensitive data. We do not use user personal information or private data to train AI models, strictly protecting user data security.

Age Restrictions: Our applications and services are not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children. If we learn that we have inadvertently collected such information, we will delete it as soon as possible. Parents or guardians who believe their child has provided us with personal information may contact us at privacy@cloudbitlogicpro.com to request deletion.

Part 2: Service Agreement (Terms of Service)

1. Account Ownership and License Scope

  • Non-Ownership Statement: After the user downloads and installs the application through App Store / Google Play and other app stores, the user is only granted a limited, non-transferable, non-rentable, non-loanable software usage right by our company, and does not possess legal ownership of the account and in-app virtual property (including but not limited to coins, diamonds, skins, levels, props, etc.).
  • Account Attribution: The account is registered and used by the user. True and complete information (if any) must be provided during registration. The account is owned by our company, and the user only has the right to use the account. The user must properly keep the account and related login information. Losses such as account theft or virtual property loss that are caused by the user's own improper operations (such as leaking the account password or authorizing untrusted third parties) shall be borne by the user.
  • Account Recovery: For accounts that have not logged in for [180] consecutive days and have no payment records, we have the right to cancel the account and release server resources. We will notify the user 30 days in advance through in-app push, registered email (if any), etc. After the account is canceled, all virtual properties and personal data in the account will be permanently deleted (except for those required to be retained by laws and regulations) and cannot be recovered.
  • Account Usage Restrictions: Users may not transfer, rent, lend, or sell the account to third parties, may not use it for commercial profit purposes, and may not use the account for illegal or non-compliant activities. If non-compliant use of the account is found, we have the right to suspend or ban the account, delete the virtual property in the account, and pursue the user's relevant liability.

2. IAA Advertising and Reward Policy (Detailed Fraud Penalty Rules)

2.1 Reward Acquisition Rules

The user must completely watch the rewarded video ad, complete the ad interaction (if any), and there must be no abnormal operations during ad playback (such as switching applications, locking the screen, using plugins to skip, etc.) to obtain the corresponding reward. The reward will be credited immediately after the ad playback is complete. If the reward is not credited due to network delay, ad platform failure, or other reasons, the user may provide feedback through the in-app customer service channel, and we will verify and handle it within 3 business days.

2.2 Ad Quality Assurance

We strictly review the ad content provided by third-party ad platforms, striving to filter out violent, pornographic, vulgar, false propaganda, illegal, and non-compliant inappropriate ads. However, ad content is delivered by third parties. If users find non-compliant ads, they may provide evidence through the in-app “Ad Complaint” channel, and we will verify within 24 hours, block and delete non-compliant ads, and pursue the liability of the third-party ad platform.

2.3 Ad Fraud Behavior Definition and Penalty Rules (Extremely Detailed)

Definition Scope

Any act of obtaining ad rewards, evading ad playback, or interfering with ad statistics through improper means is deemed ad fraud, including but not limited to:

  • Using plugins, scripts, cracking tools, etc. to skip ads, accelerate ad playback, or simulate ad watching behavior;
  • Batch watching ads through multiple accounts or multiple devices to obtain rewards and then resell or monetize them;
  • Modifying device parameters (such as device ID, IP address), using VPN / proxy tools to switch regions, and batch watching ads;
  • Frequently switching applications, locking the screen, or restarting the device during ad playback to evade the complete viewing requirement;
  • Exploiting ad platform vulnerabilities to falsely trigger ad display / clicks and defraud ad revenue;
  • Other fraudulent acts that interfere with normal ad playback and statistics.

Penalty Rules

  • First Violation: Warn the user, clear the current unused ad rewards of the account, and restrict ad viewing permissions for 7 days.
  • Second Violation: Ban the account's ad viewing permission for 30 days, clear all ad rewards in the account, and record the device violation information.
  • Three or More Violations: Permanently ban the account's ad viewing permission, ban the relevant device from using the application, list it in the platform blacklist, and reserve the right to pursue the user's legal liability and claim compensation for ad losses.
  • Serious Circumstances (such as batch fraud, malicious interference with the ad ecosystem): Permanently ban the account and related devices, report to App Store / Google Play and other app stores, assist the platform in taking further punishment measures, pursue the user's civil compensation liability, and transfer to judicial authorities for processing if the case is suspected of being illegal.

3. IAP Payment, Refund, and Dispute Resolution (Detailed Fraud Penalty Rules)

3.1 Final Price Description

For virtual goods and value-added services purchased by the user in the application, the displayed price includes the price of the goods themselves, the platform commission of the app store (officially charged by Apple / Google), and possible value-added tax (VAT), tariffs, and other related taxes. The final payment price is subject to the app store payment page. Price adjustments will be notified to the user 7 days in advance through in-app announcements, push, etc.

3.2 Payment Rules

Payment operations are completed through the official payment channels of App Store / Google Play. We do not directly collect any payment from users and do not store user payment information. After successful payment, virtual goods and value-added services will be credited immediately. The user may check the order details in “My Orders” within the application.

3.3 Refund Restrictions

  • Due to the immediacy and non-refundable nature of virtual goods and value-added services, once the user purchases and uses them (such as consumed coins, unlocked features), refunds are not supported in principle.
  • Special circumstances under which a refund may be applied for (relevant proof must be provided):
    • Payment is successful but virtual goods or value-added services have not been credited, and it is verified to be caused by our technical fault.
    • Minors purchase by mistake without the consent of their guardian. The guardian may provide relevant proof (such as minor identity certificate, payment record) to apply for a refund from the app store or us.
    • The application has a major failure, causing the user to be unable to use the purchased value-added services, and the failure cannot be fixed within 7 business days.
  • Refund Process: The user needs to submit a refund application through the official refund channel of App Store / Google Play or the in-app customer service channel and provide relevant proof. We will verify within 3 business days and cooperate with the app store to complete the refund processing. The refund arrival time is subject to the official regulations of the app store.

3.4 IAP Fraud Behavior Definition and Penalty Rules (Extremely Detailed)

Any act of obtaining in-app virtual goods, value-added services, evading payment, or defrauding refunds through improper means is deemed IAP fraud, including but not limited to:

  • Malicious refunds: Exploiting the app store refund policy loopholes, purchasing virtual goods, using them, and then applying for a refund without returning the used virtual goods;
  • Cracking the payment process: Obtaining virtual goods and value-added services through plugins, scripts, cracked versions of applications, etc., bypassing the official payment channel;
  • Forging payment records: Forging orders and payment receipts to defraud virtual goods and value-added services;
  • Using stolen bank cards, payment accounts for purchases, or redeeming virtual goods through exchange codes obtained from illegal channels;
  • Using VPN / proxy tools to switch to low-price regions to purchase virtual goods, evading normal prices;
  • Batch registering accounts, taking advantage of app store new user discounts and discount activities, maliciously purchasing virtual goods, and then reselling or monetizing them;
  • Other fraudulent acts that evade payment or defraud virtual goods or refunds.

Penalty Rules

  • First Violation: Warn the user, recover the virtual goods obtained through fraud in the account, and restrict in-app purchase permission for 15 days.
  • Second Violation: Ban the account's in-app purchase permission for 90 days, clear all virtual goods in the account, record device violation information, and list in the platform blacklist.
  • Three or More Violations: Permanently ban the account and related devices, prohibit the use of applications and related services, report to the app store, assist the platform in taking further punishment measures (such as banning the account, restricting device download of the application).
  • Serious Circumstances (such as batch fraud, malicious theft, causing major economic losses): Permanently ban the account and related devices, pursue the user's civil compensation liability, transfer to judicial authorities for processing if the case is suspected of being illegal; meanwhile, reserve the right to report to the app store and payment institutions, and assist relevant institutions in pursuing the user's liability.

3.5 Unauthorized Transaction Handling

If unauthorized transactions caused by minor misoperation or account theft occur, the user (or guardian) needs to contact Apple / Google official support in a timely manner and report to us at the same time, providing relevant proof (such as minor identity certificate, account theft certificate, payment record). We will cooperate with the app store to verify and handle, and assist the user in applying for a refund (subject to the refund conditions).

4. Anti-Cheat and Security Agreement (Supplementary Detail)

To ensure the normal operation order of the application and protect the legitimate rights and interests of users and us, the following cheating and non-compliant behaviors are strictly prohibited. If violations are found, we will take corresponding punishment measures according to the severity of the circumstances. If the circumstances are serious, legal liability will be pursued:

  • Using VPN, proxy tools, or other means to bypass regional restrictions, price differences, and engage in cross-regional purchases, ad viewing, etc.;
  • Using any automated scripts, simulators, plugins, cracked applications, plug-in tools, etc. to interfere with the normal operation of the application, tamper with application data, or obtain improper benefits;
  • Capturing packets, modifying packets, or forging data on the application communication protocol to interfere with the core functions of the application such as statistics, payment, and advertising;
  • Batch registering accounts, maliciously inflating volume or scores, interfering with the application leaderboard and rating system, and destroying the application ecosystem;
  • Stealing others' accounts, virtual property, or leaking others' account information and personal data;
  • Modifying device parameters (such as device ID, IMEI, MAC address) to evade violation punishment and repeatedly obtain rewards;
  • Spreading application cracking methods, cheating tools, and instigating others to violate rules and cheat;
  • Other violations and cheating behaviors that interfere with the normal operation of the application or infringe upon the legitimate rights and interests of users or us.

Penalty Measures: According to the severity of the violation, measures such as warning, function restriction, account ban, device ban, and blacklisting will be taken. If the circumstances are serious, civil compensation liability will be pursued. If the case is suspected of being illegal, it will be transferred to judicial authorities for processing. Meanwhile, we have the right to delete the relevant data of violating users, terminate the provision of services to them, and assume no compensation liability.

5. Content Review (DSA Compliance, Detailed Supplement)

If the application involves User Generated Content (UGC), we strictly follow the EU Digital Services Act (DSA) compliance requirements, establish a complete content review mechanism, regulate user content publishing behavior, and ensure content compliance:

  • Review Mechanism: Implement an “AI automated monitoring + manual review” dual mechanism. AI tools monitor user-published content in real time, identify non-compliant content and initially intercept it. The manual review team conducts a secondary review of suspected non-compliant content and user-complaint content to ensure review efficiency and accuracy.
  • “Notice and Delete” Mechanism: If we find that a user has published non-compliant content, we will immediately notify the user, explain the reason for the violation, and delete the non-compliant content within 24 hours. The user may appeal against the deletion, and we will verify and provide feedback within 3 business days.
  • Prohibited Content: Users are strictly prohibited from publishing the following non-compliant content, including but not limited to:
    • Politically sensitive, endangering national security, undermining social stability content;
    • Racially discriminatory, gender discriminatory, religiously discriminatory, or other discriminatory content;
    • Violent, pornographic, vulgar, bloody, terrifying, or other inappropriate content;
    • False information, rumor-mongering, fraudulent, or misleading content;
    • Content that infringes on others' intellectual property rights, reputation rights, portrait rights, privacy rights, or other legitimate rights;
    • Other content that violates the laws and regulations of various countries / regions around the world, and public order and good customs.
  • User Responsibility: When publishing UGC content, the user must ensure the legality, authenticity, and originality of the content, and must not infringe on the legitimate rights and interests of others. If a user publishes non-compliant content, we have the right to delete the content, restrict the user's publishing permission, ban the account, and the user shall bear all legal liabilities arising therefrom. If the user causes losses to us, we have the right to claim compensation.
  • DSA Additional Requirements: Publicize content review standards, complaint handling processes, and detailed rules for non-compliant content disposal. Regularly publish UGC content review reports, accept supervision by users and regulatory authorities. Establish a user appeal mechanism to protect users' legitimate rights and interests. If large-scale UGC content is involved, a dedicated content review person in charge will be appointed to cooperate with EU regulatory authority inspections.

Part 3: 2026 Technical Compliance Execution Guide (Required Reading, Supplementary Detail)

This guide combines the latest 2026 Apple App Store, Google Play policies, and global regional compliance requirements to clarify technical execution standards, ensure full compliance in application R&D, listing, and operation, avoid risks of application removal or punishment due to technical violations, and adapt to the latest system version requirements such as Android 15 and iOS 18.

1. For Apple App Store (iOS) (Supplementary 2026 Latest Requirements)

  • Privacy Labels: Privacy label information must be accurately filled in the App Store backend. “Data Linked to User” (data associated with the user) must be strictly checked, because data such as IDFA and purchase records will be associated with the user profile, and the data association relationship must not be concealed. At the same time, the scope, purpose of data collection, and third-party sharing must be accurately filled in to ensure consistency with this Privacy Policy. Filling in false information will lead to application review rejection and removal.
  • ATT Mandatory Execution (2026 Upgrade Requirements):
    • Before obtaining device_id (IDFA), the requestTrackingAuthorization interface must be called first, popping up a window to request user authorization. The authorization text must clearly inform the user of the purpose of authorization (such as precision ad targeting), and must not mislead the user.
    • If the user refuses authorization, allow_tracking = false must be transmitted to all third-party SDKs. IDFA must not be obtained or used without authorization, and the ATT framework restrictions must not be circumvented by other means.
    • Adapting to the latest iOS 18 requirements, the ATT authorization pop-up can only be displayed once, and the user must not be harassed with multiple pop-ups. If the user refuses, no further authorization may be requested. The user can only be guided to enable authorization through the device system settings.
    • User device identifiers must not be obtained through non-ATT channels, and other device parameters (such as MAC address) must not be used as IDFA substitutes to circumvent the Privacy Policy requirements.
  • Other Technical Compliance Requirements:
    • The application must not contain hidden functions or non-compliant code, and must not circumvent App Store review rules (such as hiding payment entrances, false function descriptions).
    • Adapting to the latest iOS 18 system privacy requirements, access to sensitive data (such as photos, contacts) requires the user's per-authorization. Default authorization or mandatory authorization is not allowed.
    • In-app purchase items must clearly indicate prices and subscription periods. Inducement purchase traps must not be set, and users must not be misled into paying.
    • If the application contains AI-generated content, it must be clearly marked in the App Store details page, in compliance with Apple's AI compliance requirements.

2. For Google Play (Android) (Supplementary 2026 Latest Requirements)

  • Data Safety Form: The data safety form must be accurately filled in the Google Play backend, clearly stating that data in transit is processed with encryption (HTTPS protocol encryption must be used), and data at rest is processed with AES-256 encryption. The scope, purpose of data collection, and third-party sharing must be accurately filled in. Data processing behavior must not be concealed. Filling in false information will lead to application review rejection and removal.
  • SDK Transparency (2026 Upgrade Requirements):
    • Google requires developers to take full responsibility for the behavior of integrated third-party SDKs. It is necessary to ensure that all integrated SDK versions support the latest Android 14+ Privacy Sandbox, and outdated SDKs (which may have privacy and security vulnerabilities) must not be used.
    • The list of all integrated third-party SDKs must be publicly disclosed in the Google Play backend, clearly specifying the SDK name, purpose, and scope of data collection, ensuring the compliance of SDK data processing behavior. If an SDK engages in non-compliant data collection, it must be immediately removed and rectified.
    • Adapting to the latest Android 15 requirements, integrated SDKs must not request permissions unrelated to application functions, must not arbitrarily collect user personal information, and must not interfere with the normal operation of the device.
    • If the application supports the Android 15 private space feature, the logic must be adjusted according to the application type. Medical applications must clearly inform users not to install in private space to avoid affecting the operation of core functions. Launcher applications must declare relevant permissions and adapt to the display needs of private space applications.
  • Other Technical Compliance Requirements:
    • To adapt to the latest Android 15 privacy protection measures, the application must support the dynamic password (OTP) hiding function and hide sensitive content during screen sharing. Sensitive fields of the application can be manually marked to protect user privacy and security.
    • The application must not contain malicious code or ad plug-ins, must not forcibly push ads or induce users to click ads. Ad display must comply with Google Play ad policies.
    • The application must support the 64-bit architecture, and the 32-bit version cannot be provided alone, ensuring compatibility with the latest Android devices.
    • If the application contains subscription services, the subscription management entry must be clearly marked within the application, supporting users to cancel subscriptions at any time, in compliance with Google Play subscription policies.

3. 2026 Data Residency Compliance

With the increasing awareness of global data sovereignty in 2026, many countries / regions have introduced stricter data localization requirements. We must strictly follow the following rules to avoid violations:

  • If the application has a large number of users in a specific country / region (such as China, India, Saudi Arabia, Brazil, EU, Canada) (the specific threshold is subject to local regulations), local user data must be stored on compliant servers within that country / region, and may not be arbitrarily transferred abroad.
  • Cross-border data transfer must strictly follow local regulatory requirements, such as the EU GDPR adequacy decision, the security assessment / standard contract requirements of China's Regulations on Promoting and Regulating Cross-border Data Flows, and the cross-border transfer approval requirements of India DPDP Act. Data may not be transferred abroad without approval.
  • Regarding the global data sovereignty disputes mentioned in the 2026 U.S. Trade Report, care must be taken to avoid trade compliance risks caused by cross-border data transfer. If the application is targeted at U.S. users, the requirements of the CLOUD Act must be followed, and U.S. regulatory authorities' data access requests (if any) must be cooperated with.
  • Regularly check data storage locations to ensure compliance with local regulatory changes, such as Canada, Japan, Bolivia, Colombia, and other countries that have added new data localization requirements in 2026. Data storage strategies must be adjusted in a timely manner to avoid violations.
  • Establish a data residency compliance ledger, record user data storage locations and transfer situations, regularly conduct compliance self-checks, and cooperate with local regulatory authority inspections.

4. Interaction Design Suggestions (Supplementary Detail, Improve Compliance)

  • Double Confirmation Mechanism:
    • Before the user makes a large-amount IAP purchase (it is recommended that a single amount ≥ USD 50 / EUR 50), an in-app secondary confirmation pop-up must be added, clearly informing the user of the purchase amount, product name, and payment method. The user must manually click “Confirm Purchase” before jumping to the payment page, to avoid misoperation.
    • For auto-renewal subscriptions, after the user clicks the “Subscribe” button, a pop-up confirmation must be displayed again, clearly informing the user of the subscription period, price, and renewal rules, to avoid accidental subscription.
  • Easy Accessibility of Privacy Policy (Mandatory Requirement): The link to the Privacy Policy must exist in the following three locations simultaneously to ensure that users can view it at any time, in compliance with global compliance requirements:
    1. App store details page (App Store / Google Play description page in a prominent position);
    2. Application startup splash screen page (or login page). Users can click the link to view the full Privacy Policy. The splash screen page must have “Agree” and “Reject” buttons. After rejection, the application may not be used.
    3. The application’s “Settings” or “About” menu. The link must be placed in a prominent position, and users can directly view the Privacy Policy by clicking, supporting user access at any time.
  • Other Interaction Compliance Suggestions:
    • Permission Request: When requesting user authorization (such as camera, photo album, location), the purpose of the permission must be clearly informed. Default or mandatory authorization is not allowed. The user may withdraw the authorization at any time in the application or device system settings.
    • Ad Interaction: Rewarded video ads must be clearly marked as “Watch the complete ad to get rewards”, and a “Skip Ad” button must be provided (which can be skipped after 5 seconds of ad playback). The user must not be forced to watch the ad.
    • Complaint Feedback: Convenient complaint feedback channels must be set up within the application, including privacy complaints, ad complaints, UGC content complaints, etc. The feedback processing time limit (no more than 7 business days) must be clearly defined, and the processing results must be fed back to the user.
    • Transparency Display: Ad delivery rules, algorithmic recommendation logic, and data processing workflows (simplified version) must be displayed in a prominent position within the application, in compliance with DSA transparency requirements, to protect users' right to know.
    • Screen Sharing Notification: Adapting to the latest Android 15 requirements, a prominent notification label must be displayed in the status bar during screen sharing, screen casting, and recording, reminding the user that the device is currently in the screen sharing state. The user may click the label to quickly stop sharing.

Part 4: Compliance Risk Prevention and Regular Review

1. Compliance Risk Prevention Measures

  • Establish a compliance review mechanism: Before application R&D and listing, conduct a comprehensive compliance review of the application code, privacy policy, service agreement, and interaction design to ensure compliance with App Store, Google Play policies, and global regional regulations, and avoid violations.
  • Regularly update compliance knowledge: Assign dedicated personnel to pay attention to the latest changes in global privacy regulations and app store policies (such as U.S. state privacy laws, EU DSA updates, Android 15 / iOS 18 system policy changes), and timely adjust the application and agreement content.
  • Third-party partner management: Regularly review the compliance of third-party ad platforms, SDK providers, and payment processors, sign compliance agreements, clarify data processing responsibilities, and immediately terminate cooperation if the third party engages in non-compliant behavior.
  • User request handling: Establish a handling mechanism for user data-related requests (access, correction, deletion, complaint) to ensure response and handling within the prescribed time limit, retain handling records, and accept supervision by users and regulatory authorities.
  • Security protection: Strengthen application data security protection, adopt encrypted storage, encrypted transmission, access permission control, and other technologies to prevent data leakage, tampering, and loss. Regularly conduct data security testing and risk assessment.
  • Employee training: Regularly conduct compliance training for R&D, operation, customer service, and other relevant employees, popularize privacy regulations, app store policies, and anti-fraud rules, enhance employee compliance awareness, and avoid violations caused by improper operations.

2. Regular Review Requirements

Due to the continuous changes in the global legal environment (especially U.S. state privacy laws, EU DSA implementation rules), and the continuous update of app store policies and technical standards, it is recommended to conduct a routine review of this agreement and application compliance every 6 months. The specific review content includes:

  • Agreement Clauses: Check whether the agreement clauses comply with the latest regulations and app store policies, and whether they need to be supplemented or modified (such as adding regional compliance clauses, updating fraud penalty rules).
  • Application Compliance: Check whether the application code, SDK version, and interaction design comply with the latest technical compliance requirements (such as Android 15 / iOS 18 adaptation, ATT framework execution).
  • Data Processing: Check whether the data collection, storage, transmission, and sharing processes are compliant, whether data residency complies with local requirements, and whether third-party data sharing is controllable.
  • Anti-Fraud Mechanism: Check whether the advertising and in-app purchase anti-fraud rules are complete, and whether penalty measures need to be updated according to the latest fraud methods.
  • User Requests: Check the handling of user data-related requests, whether there is any failure to respond in a timely manner or improper handling, and optimize the handling process.

Contact Us

If you have any questions, feedback, complaints, or reports, you may contact us through the following methods:

  • Privacy & Data Protection Officer: privacy@cloudbitlogicpro.com
  • Business Inquiries: contact@cloudbitlogicpro.com
  • User Support: support@cloudbitlogicpro.com
  • Postal Address: Delaware Technology Park, USA

© 2020 - 2026 cloudbitlogicpro. All rights reserved. This document is the 2026 Global Full-Compliance Deep-Enhanced Edition. Any updates will be published on this page and announced through in-app notifications.
