Privacy Policy

Last Updated: April 03, 2026

Summary

Capone’s Bones uses account data, gameplay data, analytics, and limited device information to operate the game, support multiplayer and progression features, measure performance, and provide advertising where applicable. This policy is the official public version published at https://capones-bones.pages.dev/privacy-policy/. You can contact us at jakesorce@gmail.com for privacy questions, data access, correction, or deletion requests.

Retention (headline): After a verified account deletion request, we aim to remove personal data from our live database within about 30 days (backups may persist for a short rolling window—see Data Retention). PostHog product analytics events are typically retained about 12 months on our current plan (replay shorter).

International transfers (headline): Where GDPR/UK GDPR applies and data is sent to the US or other non-adequate countries, we rely on Standard Contractual Clauses (SCCs) in vendor DPAs, including Supabase and PostHog (see International Data Transfers).

Children: The app is not for under-13 account holders; creating or using an account requires you to confirm you are 13+ and agree to our Terms (see Children’s Privacy).

iOS ads — App Tracking Transparency: On iOS, we may request App Tracking Transparency permission before initializing advertising SDKs when the system status is undetermined, so personalized ads and ad measurement align with Apple’s rules and your device settings (see Permissions and Google AdMob).

Introduction

Welcome to Capone’s Bones (“we,” “our,” or “us”). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our mobile application.

When you visit our public documentation website (this policy, support pages, changelog, and related pages hosted with our infrastructure provider), we may collect basic technical and usage statistics about that visit—for example through Cloudflare (hosting and web analytics) and, if enabled, PostHog page analytics described under Third-Party Services below. That helps us keep legal pages reliable and understand traffic to the public site.

Information We Collect

Personal Information

• Account Information: Email address, display name, and optional profile photo if you choose to upload or capture one
• Authentication Data: Authentication provider information (Google, Apple) when you sign in
• Game Data: Scores, awards and progression, leaderboard rankings, purchase history

Automatically Collected Information

• Device Information: Device type, operating system, app version
• Usage Data: Game sessions, features used, interactions with the app
• Analytics Data: Events, errors, performance metrics (via PostHog)
• Advertising Data: Ad interactions, ad identifiers (via Google AdMob)
• Bluetooth/Local Network: When using local multiplayer, we use Bluetooth and local network to discover and connect to nearby devices. No data from these connections is transmitted to our servers.
• Location (Android only): On Android, Bluetooth device discovery may require location permission to be enabled. We do not collect or use GPS coordinates; this is a platform requirement for Bluetooth Low Energy scanning.

Third-party processors (summary)

We integrate the following categories of services that may collect or process information on our behalf:

• PostHog: Analytics, error tracking, and session replay
• Google AdMob: Advertising and ad analytics
• Supabase: Backend services, database, authentication
• Apple/Google: Authentication providers

Details for each appear under Third-Party Services below.

How We Use Your Information

We use the collected information to:

• Provide and improve our game services
• Process in-app purchases and transactions
• Send push notifications (with your consent)
• Analyze app usage and performance
• Display personalized advertisements
• Respond to support requests
• Ensure app security and prevent fraud
• Comply with legal obligations

Legal Bases for Processing

Where applicable, we process personal data on one or more of the following bases:

• Performance of a contract — to operate the app features you request, such as account services, multiplayer, progression, and purchases
• Legitimate interests — to improve reliability, measure product performance, prevent fraud, and maintain security
• Consent — for features that depend on permission or consent, such as push notifications and certain platform-level tracking choices
• Legal obligations — where we must retain or disclose information to comply with law

Permissions and Device Features

Depending on your platform and how you use the app, we may request permission for:

• Notifications — to send reminders or service-related alerts if you opt in
• Bluetooth / local network — for local multiplayer discovery and connectivity
• Camera / photo library — only if you choose to set or change a profile picture from the camera or your photo library
• App Tracking Transparency (iOS) — when advertising SDKs are active, iOS may show Apple’s tracking prompt so you can allow or decline cross-app tracking for relevant ads and measurement, consistent with your Settings choices
• Sign in with Apple / Google — if you choose those account methods

If you deny a permission, related features may be limited or unavailable.

Production and beta builds

We may distribute beta or preview builds through TestFlight, Play testing tracks, or similar channels, and when we publish a general-public release, production binaries on the App Store and Google Play. The same privacy practices in this policy apply to those builds unless we tell testers otherwise in writing (for example in TestFlight notes).

Typical differences in beta: Beta pipelines sometimes use Google test advertisement identifiers instead of live ad inventory, or connect to backend environments labeled for testing. Those choices affect how ads behave, not whether we respect this policy or your rights requests.

Data Storage and Security

• Your data is stored securely using Supabase’s infrastructure
• We implement industry-standard security measures
• Authentication credentials are handled by secure third-party providers (Google, Apple)
• Payment information is processed securely through Apple App Store and Google Play Store

Third-Party Services

PostHog

• Purpose: Analytics, error tracking, session replay (recorded user interface interactions such as taps and navigation to improve the app)
• Data Collected: Events, errors, user interactions, device information, session replays (UI interactions; text inputs are masked)
• Privacy Policy: https://posthog.com/privacy
• Retention (aligned with PostHog Cloud plans):
  • Events, error data, and related product analytics (excluding recordings): PostHog’s free plan includes one year of retention; after that, PostHog may move data to cold storage or delete it per their policies. Paid PostHog plans can extend retention (for example up to seven years for analytics data on pay-as-you-go, per PostHog pricing and their published billing FAQs).
  • Session replay recordings: Retention is separate and shorter. On PostHog’s free plan, replay is kept up to 30 days (maximum allowed on that tier; we may configure a shorter period in project settings). Longer replay retention applies on paid tiers—see PostHog session replay data retention.
• Region: PostHog Cloud is offered in US and EU regions; our project uses the region configured in the app (for example United States or European Union hosting for ingestion and storage).
• Opt-out / objection: There is no separate in-app toggle for product analytics today. Depending on your region and the legal basis for processing, you may object to certain analytics processing or request deletion of data tied to your account by contacting us (see Contact Us). We honor applicable rights within the timeframes described in this policy. Roadmap: We plan to add an in-app analytics preference where practical so you can exercise objections without email alone.

Google AdMob

• Purpose: Display advertisements (formats implemented in the app, such as interstitial, rewarded, and app open ads)
• Data Collected: Ad identifiers, ad interactions, device information
• Privacy Policy: https://policies.google.com/privacy
• Consent (EEA, UK, Switzerland, and similar regions): Google requires a supported consent mechanism (often a certified CMP and/or UMP) for AdMob in many EEA/UK scenarios. Today, you can limit ad personalization through device and Google account settings and any OS / store prompts that apply. We are working toward full UMP (or equivalent certified) consent flows in-app for regions where AdMob mandates them—see Google’s AdMob and UMP documentation and your local rules.
• iOS — tracking permission: Where the App Tracking Transparency status is not yet determined, we request permission before initializing the advertising SDK so Apple’s rules are followed; you can change your choice later under Settings → Privacy & Security → Tracking (wording may vary by iOS version).
• Opt-out: Adjust ad preferences in device settings and, where available, in your Google account

Supabase

• Purpose: Backend services, database, authentication
• Data Collected: User data, game data, authentication tokens
• Privacy Policy: https://supabase.com/privacy
• Data Location: United States (or as configured)

Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate data
• Deletion: Request deletion of your data
• Portability: Receive your data in a portable format
• Opt-out: Opt-out of certain data collection (where applicable)
• Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at: jakesorce@gmail.com. We will respond to verified requests within 30 days, or as required by applicable law.

Account Deletion and Data Requests

If you want to request account deletion, data access, or data correction, email us at jakesorce@gmail.com. To protect account security, we may request information needed to verify the request before acting on it.

Children’s Privacy

Capone’s Bones is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13.

Store age rating vs. account rule: Apple and Google assign an age rating for the app based on their questionnaires (for example, themes or simulated gambling with virtual currency may produce a 12+, 17+, or other calculated rating on a given store). Regardless of that badge, you must be at least 13 years old to create an account and use account-based features: our Terms of Service require this, and by signing up or signing in you represent that you meet the age requirement.

Account creation — age confirmation: To create or access an account you must use the in-app sign-up or sign-in flow (email, Google, or Apple). By completing that flow and using account features, you represent and confirm that you are at least 13 years old and you agree to our Terms of Service, which state this age requirement. (OAuth providers do not pass your date of birth to us; this is a declared confirmation, not ID verification.)

How we limit under-13 sign-up (in practice):

• There is no “kids” account, school registration, or under-13 onboarding path in the app—only the same sign-up and sign-in flows as adults.
• Sign in with Apple and Google Sign-In do not provide us your date of birth; we do not run a separate document or ID check. Compliance relies on the contractual 13+ rule in our Terms, store listing and parental controls on the device, and removal if we learn someone under 13 has an account.

Parents and guardians can use platform parental controls (for example Apple Family Sharing or Google Family Link) to restrict installs, purchases, or accounts. If you believe a child under 13 has given us personal data, contact us at jakesorce@gmail.com and we will take appropriate steps, including deletion where required.

Data Retention

The default retention periods below apply unless a longer period is required by law, a legal hold, or an active security or fraud investigation. We do not keep personal data indefinitely “just in case” beyond these categories.

• Account and gameplay data (Supabase — live database) — Profile, progression, purchases, and related records tied to your account: for the lifetime of your account while it remains active. After a verified account deletion or erasure request we honor, we aim to remove or anonymize personal data in the live database within 30 days.
• Database backups (Supabase) — Deleted or updated rows can remain in encrypted automated backups for a limited rolling window after deletion from the live database (commonly up to 7 days on typical Pro plans, up to 14 days on Team, and up to 30 days on some Enterprise setups—see Supabase database backups). That window is separate from the 30-day live-database deletion target above.
• Support and correspondence — Up to 24 months after the last message in the thread, unless we must keep it longer for legal claims or compliance.
• PostHog — events, persons, and error tracking (excluding session replay recordings) — On PostHog’s free Cloud tier, about one year for hot storage, after which PostHog may move data to cold storage or delete it per their terms; paid plans may retain analytics longer (see PostHog pricing).
• PostHog — session replay — Up to 30 days on the free plan (or less if we configure a shorter period); see PostHog session replay data retention.
• Web traffic / documentation site (Cloudflare and optional web analytics) — Days to a few weeks for typical edge or access logs, per each provider’s documentation and our settings (not used to build a long-term profile of visitors).
• Legal holds — We may retain specific information beyond the periods above when law requires it or to establish, exercise, or defend legal claims.

If we add new analytics or logging processors, we will list their published retention (or our configured caps) in an update to this policy.

You may request deletion of your account and associated data at any time (see Account Deletion and Data Requests).

Advertising and Analytics Choices

• You can control notification permissions in your device settings.
• You can manage certain ad personalization or tracking preferences through your device or platform settings where available.
• In regions where consent is required for personalized ads, use any in-app consent prompts presented for AdMob (when shown) and your device or Google account ad settings.
• You may stop using the app at any time or contact us with a deletion request.
• For analytics, see the PostHog section above regarding objection and deletion requests.

International Data Transfers

Your information may be transferred to and processed in countries other than where you live, including the United States, where our service providers host data or operate services.

Where GDPR or UK GDPR applies and we transfer personal data to countries without an adequacy decision, we rely in practice on the EU Standard Contractual Clauses issued 4 June 2021 (2021 SCCs, Commission Implementing Decision (EU) 2021/914) as incorporated in our vendors’ Data Processing Agreements (DPAs), and, where applicable, the UK International Data Transfer Addendum to the EU SCCs (UK Addendum) or equivalent UK-approved tools. These instruments are the appropriate safeguards required by law for those transfers.

Processors where we rely on SCC-based (or equivalent) transfer terms today include at least:

• Supabase (database, authentication, and related hosting) — SCCs in the Supabase DPA / data processing terms.
• PostHog (product analytics, errors, session replay) — SCCs in the PostHog DPA / cloud terms for the region where the project is hosted.
• Google (AdMob, Google Sign-In, and related Google processor services) — Google’s advertising and cloud / API DPAs and transfer mechanisms.
• Apple (Sign in with Apple and related processing) — Apple’s data processing terms for developers.
• Cloudflare (documentation site and related infrastructure) — Cloudflare’s DPA and SCCs where applicable.

You may contact us for a short summary of the transfer mechanisms we rely on for your data, or with questions about a specific vendor.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by updating the “Last Updated” date and, where appropriate, through in-app notifications.

Contact Us

If you have questions about this privacy policy or our data practices, please contact us:

• Email: jakesorce@gmail.com
• Website: https://capones-bones.pages.dev/

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

If you are a resident of Virginia, Connecticut, Colorado, or Utah, you may have additional rights under your state’s privacy law. Contact us for details.

European and UK Privacy Rights (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom (UK), you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure (“right to be forgotten”)
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent