Privacy Policy — All Things Mahjong

All Things Mahjong LLP ("we," "our," "us," or the "Company") is an Indian limited liability partnership registered under the Limited Liability Partnership Act, 2008 (LLPIN: ACV-8673), with its registered office at WeWork, Vaswani Chambers, 264/65 Dr Annie Besant Rd, Worli Colony, Worli Police Station, Mumbai 400030, India. We are committed to protecting the privacy of all users of our mobile games and digital services.

This Privacy Policy describes how we collect, use, store, share, and protect personal data when you use our Services, and explains the rights available to you. Please read it carefully.

BY ACCESSING OR USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION AND PROCESSING OF YOUR PERSONAL DATA AS DESCRIBED HEREIN. IF YOU DO NOT AGREE, PLEASE STOP USING THE SERVICES IMMEDIATELY.

Table of Contents

Scope and Applicability
Personal Data We Collect
Why We Process Your Personal Data
How We Share Your Personal Data
Your Choices
Your Privacy Rights
Security
International Transfers of Personal Data
Retention
Children
Additional Notice — Indian Users (DPDPA)
Additional Notice — EEA, UK, and Switzerland (GDPR)
Additional Notice — Users in Other Jurisdictions
Changes to This Privacy Policy
Grievance Officer
Contact Us

1. Scope and Applicability

This Privacy Policy applies whenever you:

use websites, landing pages, or web properties that we own or operate that link to this Policy;
download, install, or play our mobile game applications, including our Mahjong-themed titles (collectively, "Apps");
interact with our social media pages or profiles; or
otherwise access any content, feature, or service we own or operate that links to this Policy (collectively, "Services").

You are not required to provide personal data to use our Services; however, some features (such as saving your game progress or syncing across devices) may be unavailable if you choose not to do so.

This Policy does not cover the privacy practices of third parties whose services you may access through ours (e.g., payment processors, app stores, social networks). We encourage you to review their respective privacy policies.

2. Personal Data We Collect

The personal data we collect depends on how you interact with our Services. "Personal data" or "personal information" means any data that identifies or can reasonably be used to identify an individual. We collect data from three sources:

2.1 Data You Provide Directly

Account and profile information: If you create an account (including via third-party single sign-on such as Google or Apple), we may collect your username, profile picture, email address, and language preferences.

Game preferences and settings: Preferences such as sound or vibration settings that you configure within the game.

Transaction information: When you purchase Premium Features, payment is processed entirely by the relevant app store (Google Play or Apple App Store). We receive only limited transaction data — such as a user identifier or purchase receipt — and do not receive or store your payment card details.

Customer support communications: Information you provide when contacting us, including any screenshots or attachments you choose to share.

Promotional participation: If you participate in surveys, contests, or other promotional activities, we may collect your name, date of birth, email address, phone number, or other information described in those activity's specific terms.

2.2 Data Collected Automatically

Usage and activity data: IP address, device identifier, advertising identifier (GAID/IDFA), operating system, browser type, language, session duration, click-stream data, in-game activity, crash logs, and purchasing activity.

Device and network information: Operating system version, device model, mobile network identifiers (e.g., IMSI where permitted by law), and Wi-Fi or Bluetooth inferred location.

Inferred location: We infer your approximate geographic region from your IP address or device settings. We do not collect precise GPS location without your explicit permission.

Cookies, SDKs, and tracking technologies: We use cookies, software development kits (SDKs), pixels, and similar technologies to deliver personalised experiences, maintain session security, and measure the performance of our Services.

2.3 Data From Third Parties

Single sign-on (SSO): If you log in via Google, Apple, or Facebook, we receive data authorised by you on that platform (typically: username, email, profile picture).

Social media: If you interact with our content on social media platforms, we may receive data associated with that interaction, subject to the platform's own privacy controls.

Analytics and marketing partners: Subject to applicable law and your consent where required, we may receive aggregated or pseudonymous data from analytics and advertising partners to improve our Services and target relevant promotions.

3. Why We Process Your Personal Data

We process personal data for the following purposes:

Operate and administer our Services, including running games, saving progress, processing transactions, and syncing preferences across devices.
Provide customer support and respond to your inquiries.
Send service-related communications (e.g., account updates, security notices, policy changes). You cannot opt out of essential service communications.
Personalise your experience — for example, displaying content in your preferred language and time zone.
Research, analyse, and improve our Services, including fraud detection, quality assurance, and feature development.
Promote our Services — subject to your consent where required — through targeted marketing, special offers, and partner promotions.
Administer promotional events such as contests or surveys.
Ensure the security and integrity of our Services, including identity verification and fraud prevention.
Facilitate corporate transactions (e.g., mergers, acquisitions, restructurings).
Comply with applicable legal and regulatory obligations in India and other jurisdictions.
Enforce these Terms, agreements, and applicable policies.
Any other purpose for which you have given explicit consent.

4. How We Share Your Personal Data

We do not sell your personal data. We may share your personal data in the following circumstances:

Within our Company group: We may share data with affiliated entities for operational, management, and analytical purposes, subject to equivalent privacy protections.

Vendors and service providers: Third parties that provide services on our behalf (e.g., hosting, analytics, payment processing, fraud prevention, legal and financial advisors) may access your data solely to perform those services.

Business partners: Where we co-sponsor promotions or events with third parties, we may share relevant data with those partners, subject to their own privacy policies.

Analytics and advertising partners: Subject to your consent and applicable law, we may share identifiers and usage data with advertising partners for interest-based advertising and audience measurement.

Corporate transactions: In the event of a merger, acquisition, sale of assets, or similar transaction, your data may be transferred to the relevant counterparty, subject to equivalent privacy protections or a fresh consent request where required by law.

Professional advisors: We may share data with lawyers, accountants, auditors, or insurers where necessary for them to provide their services.

Legal obligations and safety: We may disclose data when required by a valid legal process (e.g., court order, subpoena), to comply with applicable law (including requests from Indian government authorities under the IT Act, 2000), to protect the safety of users or the public, or to enforce our legal rights.

With your consent: For any other sharing, we will ask for your explicit consent.

We require all third parties to handle your personal data securely and in accordance with applicable law.

5. Your Choices

Marketing communications: You can opt out of promotional notifications through the in-app Settings menu or by following the unsubscribe link in our emails. You will continue to receive essential service-related communications.

Correcting your information: You can update certain account details through the Settings section of the App. For changes you cannot make yourself, contact us at info@allthingsmahjong.in.

Targeted advertising: You can limit interest-based advertising by adjusting your device's advertising settings (e.g., resetting your advertising ID or enabling "Limit Ad Tracking"). You can also opt out through the in-app Privacy Preference menu.

Cookies and tracking technologies: You can manage cookie preferences through your browser or device settings. Note that some features may not function correctly if tracking is disabled.

6. Your Privacy Rights

Depending on the laws of your jurisdiction, you may have the following rights in relation to your personal data:

Right to access — obtain a copy of the personal data we hold about you.
Right to rectification — request correction of inaccurate or incomplete data.
Right to erasure — request deletion of your personal data, subject to legal retention obligations.
Right to restriction — request that we limit processing in certain circumstances.
Right to data portability — receive your data in a structured, machine-readable format.
Right to object — object to processing based on legitimate interests or for direct marketing.
Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
Right to nominate — under the DPDPA (India), you may nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.

To exercise your rights, please contact our Grievance Officer (Section 15) or email us at info@allthingsmahjong.in with the subject line "Privacy Rights Request."

7. Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect your personal data from unauthorised access, disclosure, alteration, and destruction. These measures are reviewed and updated periodically.

However, no system is completely secure. We cannot guarantee the absolute security of data transmitted over the internet or stored on our systems. You are also responsible for maintaining the confidentiality of your account credentials. If you suspect unauthorised access to your account, please notify us immediately at info@allthingsmahjong.in.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authorities and, where required, you, in accordance with applicable law.

8. International Transfers of Personal Data

We are based in India and primarily store and process data in India. However, some of our service providers and partners are located outside India, and your data may be transferred to and processed in other countries.

When we transfer personal data outside India, we rely on appropriate transfer safeguards as required by applicable law, which may include:

Standard Contractual Clauses (SCCs) or equivalent contractual protections approved by the relevant regulatory body;
Adequacy decisions where the destination country is recognised as providing an equivalent level of data protection; or
Your explicit consent, where required.

For users in the EEA, UK, or Switzerland, please see Section 12 for GDPR-specific transfer safeguards.

9. Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this Privacy Policy, or as required by applicable law. Retention periods are determined by factors including:

Whether you have an active account with us;
Legal, regulatory, or contractual requirements (e.g., tax or accounting obligations);
The nature of the data and the potential risk of harm from unauthorised use; and
Whether the data is needed to resolve disputes or enforce our agreements.

When personal data is no longer required, we securely delete or anonymise it.

10. Children

Our Services are not directed at children under the age of 18 (or such higher age as required by the laws of your jurisdiction). We do not knowingly collect personal data from children without verifiable parental consent.

If you are a parent or guardian and believe we have inadvertently collected data from a child under 18, please contact us immediately at info@allthingsmahjong.in and we will take prompt steps to delete such data.

11. Additional Notice — Indian Users (DPDPA)

This section applies specifically to users located in India and supplements the rest of this Privacy Policy. It is provided in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").

11.1 Our Role

We act as a "Data Fiduciary" as defined under the DPDPA with respect to the personal data of Indian users.

11.2 Lawful Bases for Processing

Under the DPDPA, we process your personal data on the following lawful bases:

Consent: For processing not strictly necessary for the performance of a contract or a legal obligation, we will seek your free, specific, informed, and unambiguous consent. You may withdraw consent at any time; withdrawal will not affect prior processing.
Legitimate uses: Where permitted under the DPDPA and its rules without requiring consent (e.g., performance of a contract, compliance with a legal obligation, medical emergency, employment-related processing, or processing for public interest purposes recognised by law).

11.3 Sensitive Personal Data (SPDI Rules)

To the extent we collect Sensitive Personal Data or Information ("SPDI") as defined under the SPDI Rules (e.g., financial information, health data), we do so only with your explicit consent and process it with heightened security and access controls.

11.4 Your Rights Under the DPDPA

Right to information about processing.
Right to correction and erasure of personal data.
Right to grievance redressal — you may raise a complaint with our Grievance Officer (see Section 15).
Right to nominate another person to exercise your rights in the event of death or incapacity.
Right to complain to the Data Protection Board of India, once established and operational.

11.5 Data Localisation

To the extent required by Indian law, we retain certain categories of personal data on servers located in India. Where data is transferred outside India, we comply with any cross-border transfer conditions prescribed by the Central Government under the DPDPA.

11.6 Consumer Redressal

Indian users who are "consumers" under the Consumer Protection Act, 2019 may also seek redressal through the appropriate Consumer Disputes Redressal Commission for any deficiency in service or unfair trade practices.

12. Additional Notice — EEA, UK, and Switzerland (GDPR)

This section applies to individuals located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland at the time of data collection.

12.1 Our Role

We are the data controller with respect to personal data collected from users in the Designated Countries. Third-party service providers acting on our behalf are data processors.

12.2 Legal Bases for Processing (GDPR)

Legal Basis	Processing Purposes
Legal obligation (Art. 6(1)(c) GDPR)	Maintain legal & regulatory compliance; Ensure security of Services; Respond to law enforcement requests
Performance of contract (Art. 6(1)(b) GDPR)	Operate & administer Services; Provide customer support; Service-related communications; Share within corporate group and with service providers
Legitimate interests (Art. 6(1)(f) GDPR)	Personalise experience; Research & develop Services; Corporate transactions; Enforce Terms; Share with professional advisors
Consent (Art. 6(1)(a) GDPR)	Promotional communications; Interest-based advertising; Analytics & advertising partner sharing; Any other purpose for which you give express consent

12.3 Your Rights Under GDPR

Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure / "right to be forgotten" (Art. 17)
Right to restriction of processing (Art. 18)
Right to data portability (Art. 20)
Right to object to processing (Art. 21)
Rights related to automated decision-making and profiling (Art. 22) — we do not make decisions based solely on automated processing that produce significant legal or similar effects.
Right to lodge a complaint with your national supervisory authority. EEA authorities are listed at edpb.europa.eu. The UK authority is the ICO. The Swiss authority is the FDPIC.

12.4 Transfer Mechanisms

When we transfer personal data from the Designated Countries to India or other third countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, an adequacy decision where applicable, or your explicit consent where no other mechanism is available.

12.5 Marketing Communications (EEA/UK/Switzerland)

We will only send you marketing communications by electronic means (including email or push notification) if you have given prior consent, or where permitted by applicable law. You may withdraw consent or object to direct marketing at any time, free of charge.

13. Additional Notice — Users in Other Jurisdictions

We serve users globally and aim to respect privacy rights in all jurisdictions. Where local law provides privacy rights not expressly set out in this Policy, we will endeavour to honour those rights to the extent required.

For users who do not fall within the Indian or GDPR-specific sections above, the general provisions of this Privacy Policy apply, and you retain any non-waivable statutory rights afforded by the laws of your jurisdiction.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

We will update the "Last Updated" date at the top of this document.
For material changes, we will provide prominent notice within the App, via email (if we have your address), or through another appropriate channel.
Where required by the DPDPA or other applicable law, we will seek fresh consent if the changes affect the basis on which we process your data.

Your continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy.

15. Grievance Officer

In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to address privacy-related complaints and requests:

Name: Vineeta Gadia

Designation: Grievance Officer / Data Protection Contact

Company: All Things Mahjong LLP

Address: WeWork, Vaswani Chambers, 264/65 Dr Annie Besant Rd, Worli Colony, Worli Police Station, Mumbai 400030, India

Email: grievance@allthingsmahjong.in

Response time: We will acknowledge your complaint within 24 hours and endeavour to resolve it within 15 days of receipt.

If you are dissatisfied with our response, you may escalate your complaint to the Data Protection Board of India (once operational) or the relevant supervisory authority in your jurisdiction.

16. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

All Things Mahjong LLP

WeWork, Vaswani Chambers, 264/65 Dr Annie Besant Rd, Worli Colony, Worli Police Station, Mumbai 400030, India

Email: info@allthingsmahjong.in

Website: www.allthingsmahjong.in

For urgent privacy concerns, please also copy the Grievance Officer at grievance@allthingsmahjong.in.

Appendix A: Summary of Personal Data Collected, Used, and Disclosed

Category of Personal Data	Purposes of Processing	Categories of Recipients
Identifiers (username, email, IP address, device IDs, account numbers)	Operate Services; Customer support; Communications; Personalise; Research; Promote; Security; Legal compliance; Enforce Terms	Company group; Service providers; Business partners; Analytics partners; Legal authorities
Contact & account data (name, address, email, phone, login credentials)	Operate Services; Customer support; Communications; Personalise; Research; Promote; Security; Legal compliance	Company group; Service providers; Business partners; Legal authorities
Demographic information (age group, gender)	Operate Services; Personalise; Research; Legal compliance	Company group; Service providers; Legal authorities
Transaction & commercial data (purchase records, subscription history)	Operate Services; Customer support; Personalise; Research; Promote; Security; Legal compliance	Company group; Service providers; Analytics partners; Legal authorities
Usage & internet activity data (browsing/click-stream, session data, crash logs)	Operate Services; Customer support; Personalise; Research; Promote; Security; Legal compliance	Company group; Service providers; Analytics partners; Legal authorities
Geolocation data (inferred from IP / device settings)	Operate Services; Personalise; Promote; With your consent	Company group; Service providers; Legal authorities
Inferences & game behavioural data (preferences, in-game behaviour patterns)	Personalise; Research; Promote; With your consent	Company group; Service providers; Analytics partners