Guess X is a competitive bilingual guessing game available on the Apple App Store and Google Play. This Privacy Policy explains what personal data we collect when you use Guess X, why we collect it, how it is stored and protected, who we share it with, how long we keep it, and the choices you have. It applies to the Guess X mobile application, the Guess X website, and the Guess X backend services that power gameplay, accounts, and competitive features. By creating a Guess X account or otherwise using Guess X, you confirm that you have read and understood this Policy.

The Guess X team is the data controller for the personal data processed through Guess X. For privacy inquiries, data access requests, or to exercise your rights, contact us through the support channels listed at the end of this Policy and inside the app. We respond to verified requests within a reasonable timeframe consistent with applicable law.

When you create a Guess X account we collect: email address, username, display name, preferred language, hashed password (passwords are stored using a one-way bcrypt hash and are never visible to us), email-verification codes, password-reset codes, account-deletion confirmation codes, refresh-token records, and security signals such as failed login attempt counts, temporary login lockouts, and a trust score used for abuse prevention. If you use Sign in with Google or Sign in with Apple, we receive only the identifiers and email address that Google or Apple returns to authenticate you (we do not receive your Google or Apple password) and we store the resulting provider identity link.

We store the profile information you provide and choose inside the app: display name, country, selected profile character (avatar), preferred language, and visibility setting that controls whether your profile appears on public leaderboards. During gameplay you may send predefined reactions (short messages or emotes selected from the in-app reaction shop). Reactions you send and receive are processed to deliver them to other players and may be retained for moderation and abuse-reporting purposes. We do not collect free-form chat outside this curated reaction system.

We process and store data generated by gameplay so the game can work fairly and competitively: match sessions and opponent type (solo, dual matchmaking, friendly invite, or bot opponent), guesses, match outcomes, time-to-answer, win/loss totals, win streaks (current and maximum), XP, level, rank points, season rank, per-category statistics, achievements unlocked, daily missions progress, and competitive-leaderboard entries. We also store anti-cheat signals and integrity logs to detect manipulation, automation, or exploitation of game systems.

If you use the friends system, we store friend requests you send and receive, accepted friendships, and any friendly-invite rooms and reservations you create or join. Other players can see your public profile (display name, avatar, country, rank, and public stats) when you appear in matchmaking, leaderboards, friend lists, or game results. You can control public visibility from your profile settings.

Guess X uses an in-game virtual currency called Tokens. Tokens can be purchased through Apple App Store In-App Purchases or Google Play Billing using product IDs we configure for each token package, and can also be earned through gameplay, daily missions, achievements, leaderboard rewards, and rewarded ads. Apple or Google processes the actual payment; Guess X does not collect or store your credit card number, billing address, or other payment-card data. We receive and store the confirmation of your purchase (product identifier, purchase status, and reward grant), your Token wallet balance, and the history of Token grants and spends. Tokens are a virtual in-game item with no real-world cash value, are non-transferable between accounts, and are non-refundable from Guess X — refunds for in-app purchases are handled by Apple or Google in accordance with their store policies.

Guess X may offer optional rewarded ads through a third-party ad provider, capped at a daily limit per account. Watching a rewarded ad is your choice and grants Tokens to your wallet. To validate your reward, we process the ad session identifier, placement, the ad provider's identifier where applicable, the client event timestamp, your wallet balance after the grant, and a reason code if a grant is denied (for example because the daily limit is reached). The ad SDK that displays the ad is provided by the ad partner and is governed by that partner's privacy practices and the device-level ad settings that you control on iOS (Limit Ad Tracking / App Tracking Transparency) and on Android (Ads ID controls).

If you grant notification permission, the app registers an Expo push token tied to your device and account. We use this token, together with Apple Push Notification service on iOS and Firebase Cloud Messaging on Android (as upstream providers used by Expo), to deliver game-related notifications such as match results, friend requests, mission availability, reward availability, and important account or security notices. We also store an in-app notification inbox so you can review past notifications. You can revoke notification permission at any time from your device's system settings; doing so will not delete your account but will stop push delivery.

To run the service securely and improve quality, we record device-level information that the app sends about your session: device identifier provided by the operating system, platform (iOS or Android), OS version, app version, build number, device model and manufacturer, locale, timezone, the notification permission status, the build channel, and the runtime version, along with the first-seen and last-seen timestamps for each of your devices. We also keep operational logs such as authentication events, anti-cheat detections, bot-match telemetry, and game-event logs. These records are used for security, fraud prevention, abuse prevention, crash and performance debugging, and product analytics tied to your account. We do not use this data for cross-app behavioral advertising tracking.

When you contact support, submit feedback, or report another player or piece of content, we process what you send us — including your message, the category you select, the subject, and any optional metadata you include such as app version, platform, device info, and the screen you reported from — together with the identifiers needed to investigate (such as the reported user, match, message, or content). This data is used to respond to your request, investigate abuse and policy violations, and enforce our rules.

We process the data described above for the following purposes: to perform the contract you enter into with us when you use Guess X (creating and operating your account, delivering gameplay, processing purchases, and providing support); to comply with our legal obligations (including tax, accounting, fraud-prevention, and platform-policy obligations); to protect our legitimate interests in operating a fair and secure service (anti-cheat, abuse prevention, security monitoring, and product improvement); and, where required, on the basis of consent you provide (for example notification permission, or rewarded-ad participation).

We share limited data with the third-party processors we use to operate Guess X: Apple (Sign in with Apple, App Store In-App Purchases, and APNs for push notifications); Google (Sign in with Google, Google Play Billing, and Firebase Cloud Messaging for push notifications); Expo (push notification delivery); our transactional email provider (to send verification, password reset, and account deletion emails); and the rewarded-ad provider used inside the app. These providers process data on our behalf or under their own terms as joint-controllers where applicable. We do not sell your personal data, and we do not share it for cross-context behavioral advertising.

Guess X is a global service. Your data may be processed and stored on servers operated by us or our processors in countries other than your country of residence. Where required by applicable law, we rely on appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) for international transfers.

We keep your personal data for as long as your account is active. Verification, password-reset, and account-deletion codes expire shortly after issue and are cleared from active storage when expired or consumed. Short-lived authentication artifacts (refresh-token records, login lockout timers) are retained only for the period needed to operate the relevant security control. When your account is deleted (see Section 16), personal data is removed or anonymized, except for the limited categories of records we are required to retain for legal, tax, security, anti-fraud, anti-abuse, or financial-compliance reasons. Aggregated, non-identifying statistics (for example total matches played in a season) may be retained indefinitely.

You can request deletion of your Guess X account from the Delete Account page on the website or from Settings > Delete Account inside the mobile app. Both surfaces use the same flow: you enter the email linked to your account, we email a 6-digit verification code that is valid for 10 minutes, and submitting that code records the deletion request. The website does not ask for your password, so users who signed up with Google or Apple can delete their account using only the email-code flow. Once the request is recorded, the account enters a 72-hour pending-deletion window during which we sign you out everywhere, revoke active tokens, and hide the account from leaderboards. Signing in again during the window — by email, Google, or Apple — automatically cancels the request and blocks new deletion requests for 24 hours. If you do not sign in within 72 hours, the deletion is finalized automatically: eligible personal and gameplay data is removed or anonymized, while the limited records described in Section 15 may be retained where required by law, security, or fraud-prevention obligations. Deleting your Guess X account does not affect your underlying Google or Apple account.

Subject to applicable law, you have the right to access the personal data we hold about you, to request correction of inaccurate data, to request deletion (including through the in-app deletion flow described above), to object to or restrict certain processing, and to receive a copy of your data in a portable format. To exercise these rights, contact support through the channels listed at the end of this Policy. We may need to verify your identity before acting on a request. If you believe we have processed your data unlawfully, you may also lodge a complaint with your local data-protection authority where one exists.

Guess X is not directed to children under the age of 13, or under the higher minimum age set by the laws of the user's country (for example 16 in parts of the European Economic Area). We do not knowingly create accounts for, or knowingly collect personal data from, children below that age. If we discover that we have collected personal data from a child below the applicable minimum age, we will delete the account and the associated personal data. If you are a parent or guardian and believe your child has provided us with personal data, please contact support so we can take appropriate action.

We use industry-standard technical and organizational measures to protect personal data, including hashing of passwords with bcrypt, rate limiting and login lockouts on authentication endpoints, signed and rotated JWT-based access and refresh tokens with version-based revocation, anti-cheat and integrity monitoring, and access controls on admin tools. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security. You can help protect your account by using a strong password, signing out of devices you no longer use, and reporting any suspicious activity to support.

We may update this Policy from time to time to reflect changes in our service, our processors, or legal requirements. When we make material changes we will update the version number and the last-updated date shown with this Policy, and where appropriate we will notify you in-app. Continued use of Guess X after the changes take effect means you accept the updated Policy.

For privacy questions, data-rights requests, or to report a privacy concern, contact the Guess X support team through the support form in the app, the support form on the Guess X website, or the support email shown in the website footer. We aim to acknowledge privacy requests promptly and resolve verified requests within a reasonable timeframe.