Who we are (data controller)
Mustafa Baykal (Individual Developer), jurisdiction: Republic of Türkiye.
For all privacy-related questions: mustafabaykal91@gmail.com
What we collect
- Anonymous usage analytics — page views, button taps, anonymized session data. No personal identifiers.
- Advertising identifier — only with your ATT consent.
Third-party services we use
- Google AdMob (kids-safe advertising — TFCD/TFUA, G-rated only)
- RevenueCat (subscription receipt validation + entitlement management)
- PostHog (anonymous product analytics — no PII, opt-out available)
- Sentry (crash diagnostics — no PII, sendDefaultPii=false)
Data processors and international transfers
We use the following processors. All have signed Data Processing Agreements (DPAs); transfers to the United States are additionally protected by Standard Contractual Clauses (SCCs) per GDPR Articles 44–49 (post-Schrems II).
| Processor | Purpose | Location | DPA | SCC |
|---|---|---|---|---|
| Google LLC (AdMob) | Advertising delivery. Kids-safe configuration: tagForChildDirectedTreatment=true (COPPA), tagForUnderAgeOfConsent=true (GDPR-K), maxAdContentRating='G' (only family-friendly ads), requestNonPersonalizedAdsOnly=true | Global (US/EU/Asia regions) | ✓ | ✓ |
| RevenueCat, Inc. | App Store / Google Play receipt validation, subscription entitlement, restore-purchases coordination across devices | USA | ✓ | ✓ |
| PostHog, Inc. | Anonymous product analytics (level start/complete, ad funnel, retention) — strictly no PII; identifier is a random device-scoped UUID | USA (US Cloud) | ✓ | ✓ |
| Functional Software, Inc. (Sentry) | Crash diagnostics, performance breadcrumbs — sendDefaultPii=false enforced; only stack traces, device model, OS version transmitted | USA | ✓ | ✓ |
| Apple, Inc. | App Store distribution, in-app purchase processing, advertising identifier (IDFA) gating via App Tracking Transparency | Global | ✓ | N/A |
| Google LLC (Play Store) | Google Play distribution, in-app billing, advertising identifier (AAID) for users who haven't opted out | Global | ✓ | N/A |
Data retention
We keep data only as long as necessary for the purpose collected, or as required by law (GDPR Art. 5(1)(e); KVKK Art. 7).
| Data type | Retention period | Reason |
|---|---|---|
| Anonymous device-scoped ID (random UUID — never linked to email/name/phone) | until-deletion | Required so your in-app progress, premium entitlement, and daily reward streak persist across app launches |
| Local game progress (coins, gems, current level, lives, settings) | until-deletion | Stored locally on your device via AsyncStorage; deleted automatically when you uninstall the app |
| Anonymous analytics events (level_started, level_completed, ad_rewarded_completed, etc.) | 90-days | Used to detect difficulty spikes, ad fatigue, and crash patterns. Deleted after 90 days. Event payloads contain no personal information. |
| Crash reports (Sentry) | 90-days | Used to find and fix crashes. Includes device model, OS version, stack trace — never user names, emails, or game contents. |
| Advertising identifier (IDFA on iOS, AAID on Android) | as-controlled-by-platform | Used by Google AdMob ONLY to frequency-cap and serve G-rated, non-personalized ads. You can reset or disable this at any time in iOS Settings → Privacy → Tracking, or Android Settings → Google → Ads. We never receive your actual identifier — it stays inside AdMob. |
| Subscription receipts (via Apple/Google + RevenueCat) | 7-years | Turkish tax law (Vergi Usul Kanunu) requires payment-record retention for 7 years. No personal identification is linked — only the anonymous user ID and the receipt itself. |
Built for everyone 4+
Only Tower Defense is rated 4+. All visual content is pastel-colored, all enemies have cute names (Bumble, Whisp, Mossback, etc.), and there is no blood, no scary imagery, and no aggressive language. Advertisements are filtered to G-rated content only via Google AdMob's child-directed treatment flag (TFCD=true) — we never serve mature or personalized advertising.
We do NOT collect
We do not collect or use: your real name, email address, phone number, precise location, contacts, photos, microphone, camera, health/fitness data, calendar, browsing history, biometrics, or any social-network profile. The game has no login, no account, no chat, no user-generated content, and no social features.
How advertising works in Only Tower Defense
The free version of Only Tower Defense shows two kinds of ads from Google AdMob: (1) rewarded ads you opt-in to watch in exchange for an extra life or doubled coins — you can never be forced to watch one; (2) brief interstitial ads after every fifth level you complete, with at least a 3-minute gap, capped at 8 per day. All ad requests are configured with: tagForChildDirectedTreatment=true (COPPA), tagForUnderAgeOfConsent=true (GDPR-K), maxAdContentRating='G' (only family-friendly content), requestNonPersonalizedAdsOnly=true (no behavioral targeting). Only Tower Defense+ subscribers see zero ads of any kind.
Children's privacy (COPPA + GDPR-K)
Only Tower Defense is appropriate for users of all ages including children. We do not knowingly collect personal information from children under 13 (or under 16 in the EU). The advertising SDK is configured for child-directed treatment on every single ad request, which limits the data Google can collect or use. If you believe a child has somehow had personal information collected via this app, email us at mustafabaykal91@gmail.com and we will request deletion from our analytics providers within 30 days.
How to opt out of analytics
Open Only Tower Defense → Settings → Privacy → toggle 'Help improve Only Tower Defense' OFF. This immediately stops PostHog event collection from your device. You can also disable advertising tracking system-wide: iOS → Settings → Privacy & Security → Tracking → toggle off; Android → Settings → Google → Ads → 'Opt out of Ads Personalization'.
International data transfers (post-Schrems II)
Anonymous analytics flow to PostHog (USA), crash reports to Sentry (USA), subscription receipts to RevenueCat (USA). All three providers have signed Data Processing Agreements with Mustafa Baykal and operate under Standard Contractual Clauses approved post-Schrems II. AdMob processes advertising-identifier requests on regional Google infrastructure. Apple StoreKit and Google Play Billing are global pipelines outside our control — see their respective privacy policies for transfer details.
Your GDPR / KVKK / CCPA rights
You have the right to access, correct, or delete the anonymous data tied to your device. Because we collect no PII and use only a device-scoped random UUID, deletion is straightforward: uninstall the app to remove all local data. For server-side analytics events tied to your random UUID, email mustafabaykal91@gmail.com with your device's anonymous ID (shown in Settings → About → Anonymous ID) — we will forward the deletion request to our analytics providers and confirm completion within 30 days. We do not sell, rent, or share data with advertisers beyond AdMob's standard advertising pipeline (which we configure for child safety as described above).
Automated decision-making (GDPR Art. 22)
Only Tower Defense does not use AI, profiling, or any automated decision-making with legal or similarly significant effects. The 'difficulty scaling' in the game is deterministic and applies identically to all players at the same level.
Breach notification
In the unlikely event of a personal data breach affecting your data, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and, if there is a high risk to your rights, notify you directly via in-app message and on this page.
Your rights
- Access — request a copy of any data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion (see Delete account).
- Portability — receive your data in a machine-readable format.
- Restriction — restrict processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Object to automated decisions — the app does not make consequential automated decisions; you may still email us per GDPR Art. 22.
- Withdraw consent — for any processing based on consent.
- Lodge a complaint — with your local supervisory authority (in Türkiye: KVKK; in EU: your national DPA).
Legal bases for processing (GDPR Art. 6)
- Performance of a contract — processing payment receipts via Apple/RevenueCat to provide your subscription.
- Legitimate interests — anonymized analytics + crash reporting to improve the app.
- Consent — health permissions, push notifications, ATT tracking (you can withdraw at any time in iOS Settings).
- Legal obligation — retaining payment records per applicable tax law.
Children
Only Tower Defense is not directed at children under 4. We do not knowingly collect data from children under that age. If you believe a child has provided us data, contact mustafabaykal91@gmail.com and we will delete it within 30 days.
Security
We implement industry-standard security measures: TLS 1.3 for all network traffic, encrypted at rest where stored on third-party services, no plaintext credentials, principle of least privilege for data access. No system is 100% secure; if a breach impacts you, we will notify per GDPR Art. 33–34 (within 72 hours of discovery).
California / CCPA
California residents have the right to: (i) know what personal info we collect; (ii) delete personal info; (iii) opt out of sale (we do not sell); (iv) non-discrimination. To exercise: email mustafabaykal91@gmail.com with subject "CCPA request".
Changes
If this policy changes materially, the "Last updated" date will be revised. Significant changes will be flagged in-app and we will provide a 30-day notice period for objection where required by law.
Contact
Privacy questions: mustafabaykal91@gmail.com · Data subject requests: same email, subject "Data subject request".