Privacy Policy
Last updated: 29 May 2026
This Privacy Policy explains what information the Penrose Park Puzzles apps collect, how it is used, and the choices you have. We have deliberately built our apps to collect as little personal data as possible.
1. Who we are
The Penrose Park Puzzles apps (including Tiny Tiles, Mini Mosaic, Super Sudoku, Color Connect, Mini Monarchs, Letter Labyrinth, Chess Codex, and Mine Mania, the "Apps") are provided by [TODO: legal/trade name], a sole proprietorship (eenmanszaak) established in the Netherlands, trading as "Penrose Park Puzzles" ("we", "us", "our").
- Chamber of Commerce (KvK) number: [TODO: KvK number]
- Registered address: [TODO: business address]
- Contact: [TODO: support email]
For the purposes of the EU General Data Protection Regulation (GDPR) and the Dutch implementation act (UAVG), we are the data controller for the limited personal data described below. We have not appointed a Data Protection Officer, as we are not required to.
2. Scope
This policy applies to all of the Apps and to this website. It does not apply to the platforms that distribute the Apps (the Apple App Store and Google Play) or to third-party services such as advertising networks, which process data under their own privacy policies (see section 4).
3. What we collect and why
Information you provide
The Apps have no accounts and no sign-up. The only information you can actively give us is a promo or Pass code you choose to enter. We use it only to verify and grant the corresponding entitlement.
At first launch we ask for your age. We use it to provide an age-appropriate experience (for example, users under 16, the digital age of consent in the Netherlands, are never shown personalised ads and their gameplay is not sent to us). We do not store your date of birth: we keep only a coarse, anonymous age band (such as "16–24"), with no link to your device or identity, and use it in aggregate to understand our audience.
Information collected automatically (first-party)
What we store on our own servers is intentionally minimal and not tied to your identity:
- A random device identifier generated on your device at first launch. It is not derived from any hardware ID and is not linked to your name, email, or any account.
- Anonymised, bucketed gameplay events, for example that a puzzle was started or completed, a coarse difficulty, an approximate solve time or score, and the app version. Sensitive ranges are grouped into buckets on your device before being sent.
- Anonymous solve/score records used to calibrate game difficulty and ranking. These contain no device identifier.
We use this to operate and improve the Apps, balance difficulty and ranking, detect abuse, and understand aggregate usage. We do not collect your name, email address, phone number, contacts, photos, or precise location, and we do not store your IP address on our servers.
Purchases
The optional Penrose Park Pass and any other in-app purchases are processed entirely by Apple or Google. We receive confirmation that an entitlement is active; we do not receive or store your payment-card details. See our Terms of Use for purchase and refund details.
4. Advertising and third parties
The Apps may be supported by advertising. When ads are enabled, our advertising partner(s), primarily Google AdMob and any networks it mediates, act as independent controllers and may collect and process:
- your device's advertising identifier and similar identifiers;
- your IP address and coarse location derived from it;
- information about your device and how you interact with ads,
in order to serve, cap, and measure advertising, including personalised ads where you have given consent. This means that, by showing ads, we share data with these third parties.
Your consent and choices. Where required (in the European Economic Area, the UK, and Switzerland), we ask for your consent before personalised ads are shown, using a Google-certified consent mechanism. On iOS, Apple's App Tracking Transparency prompt additionally controls access to the advertising identifier. You can change or withdraw these choices at any time in your device settings, and you can reset or limit your advertising identifier in the operating system's privacy settings. If you do not consent, you may still see non-personalised ads.
To understand how these partners handle data, see:
5. Legal bases (GDPR)
- Consent (Art. 6(1)(a)): for personalised advertising and access to the advertising identifier where required.
- Legitimate interests (Art. 6(1)(f)): for running and securing the Apps and for aggregated, non-identifying analytics, balanced against your interests.
- Performance of a contract (Art. 6(1)(b)): to deliver purchases and entitlements you request, including code redemption.
- Legal obligation (Art. 6(1)(c)): where we must retain records to comply with law.
6. Who we share data with
We do not sell your personal data. We share data only with:
- Advertising partners (e.g. Google AdMob): as described in section 4;
- Apple and Google: as distributors and payment processors of the Apps;
- Infrastructure providers that host our backend on our behalf (e.g. Vercel Inc. for hosting and a managed PostgreSQL database provider), acting as our processors;
- Authorities where required by law.
7. International transfers
Some of these providers are based outside the European Economic Area, including in the United States. Where data is transferred outside the EEA, it is protected by an appropriate safeguard under the GDPR, such as the European Commission's Standard Contractual Clauses or an adequacy decision (including the EU–U.S. Data Privacy Framework where applicable).
8. Retention
We keep anonymised gameplay and solve data only as long as it is useful for the purposes above, and aggregate or delete it when it is not. Code redemption records are kept while the entitlement is active and for a reasonable period afterwards. Because most of what we store is not linked to your identity, it generally cannot be traced back to you.
9. Security
We use appropriate technical and organisational measures to protect data, including encrypted connections and access controls. No method of transmission or storage is completely secure, but the limited, largely anonymous nature of the data we hold reduces the risk to you.
10. Children
The Apps are not directed to children under the age of 16, which is the digital age of consent in the Netherlands. We do not knowingly collect personal data from children under 16. The Apps include an age check; where a user indicates they are under 16, we do not request consent for personalised advertising, we treat advertising as non-personalised, and we do not collect their gameplay or other behavioural data (only the anonymous age band described above). If you believe a child under 16 has provided personal data without appropriate consent, please contact us at [TODO: support email] and we will delete it.
11. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased;
- restrict or object to processing;
- data portability; and
- withdraw consent at any time, without affecting prior processing.
To exercise these rights, email [TODO: support email]. Note that because we usually cannot link our data to you, we may need you to provide the device identifier shown in the app's settings to locate any record. You also have the right to lodge a complaint with the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, or your local supervisory authority.
12. Changes to this policy
We may update this policy from time to time. We will change the "Last updated" date above and, where changes are significant, provide notice in the Apps. Continued use after an update means you accept the revised policy.
13. Contact
Questions or requests: [TODO: support email]. [TODO: legal/trade name], [TODO: business address], the Netherlands.