Privacy Policy

Privacy Policy for Bumper Karts

Operator: ,

Bumper Karts (the "Game") is a mobile arcade title on Google Play: arena bumper-kart action against AI-controlled rivals (not other human players in real time). Core modes include Battle Royale, Target Smash, Survival, and Time Attack. The Game is designed to be playable offline for much of its content; account features, purchases, and cloud sync still use the internet when you choose to connect.

("we," "us," or "our") explains here what personal information we collect, why we use it, how long we keep it, and how you can exercise your rights. Laws such as the CCPA/CPRA, CalOPPA, and COPPA (U.S.), and the GDPR (EEA, UK, Switzerland) may apply depending on your location. SDK-level categories and purposes are stated in Google Play Data Safety; we treat that disclosure as the live inventory of third-party components and update this Policy when integrations change.

By creating an account in or otherwise using the Game, you confirm that you have read and understood this Policy.

1. Information We Collect

The categories of personal information we may collect (using the categories defined in Cal. Civ. Code § 1798.140) are:

• Account identifiers (provided by you). Because Bumper Karts uses a self-registered account system, you must provide an email address or mobile phone number and a password (or one-time verification code) to create and access your account. You may also choose to provide a display name.
• Device and technical identifiers (collected automatically). Mobile device model, operating-system version and language, app version, IP address, time-zone setting, crash logs, and Android Advertising ID (AAID). The AAID is a resettable, user-controlled identifier — see Section 4 on how to reset or delete it.
• Commercial information. Records of in-app purchases (item, amount, transaction time, Google Play order number such as GPA.xxxx). All payment-card details are handled exclusively by Google through Google Play Billing; we do not receive or store full card numbers, CVV, or bank-account numbers.
• Internet or game-activity information. Matches played (including mode, e.g., Battle Royale / Target Smash / Survival / Time Attack), scores, arena progression, kart upgrades and cosmetics selected, power-up pickups and usage, session length, control and difficulty settings, and similar telemetry used to run servers, fix bugs, and tune NPC difficulty and economy — not to build a social graph, because the Game has no public player-to-player feed.
• Coarse location. Country/region inferred from your IP address. We do not collect precise GPS coordinates.
• Customer-support correspondence. Information you send us when you contact support (e.g., your message, screenshots, and the email address from which you wrote).
• Inferences. Aggregated or modeled insights from the above (e.g., skill bands, churn risk) used to balance arenas, NPC behavior, and rewards.

We do not knowingly collect, and you should not provide, the following sensitive personal information: government identification numbers, financial-account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric identifiers, health data, or data concerning sexual orientation.

2. How and Why We Use Information

We use the information described above for the following business purposes (Cal. Civ. Code § 1798.100; GDPR Art. 6 legal bases noted in brackets):

• To create, operate, secure, and maintain your Game account, including authenticating logins and recovering forgotten passwords [contract performance];
• To deliver the Game's core features, save your progress, and synchronize purchases across re-installs [contract performance];
• To process and fulfil in-app purchases through Google Play Billing [contract performance / legal obligation];
• To provide customer support and respond to your inquiries [contract performance];
• To send transactional notices (e.g., purchase receipts, security alerts, account-deletion confirmations) [contract performance];
• To monitor crashes, debug issues, balance matches and difficulty, and improve gameplay [legitimate interests];
• To detect, prevent, and respond to fraud, abuse, cheating, and security incidents [legitimate interests / legal obligation];
• To comply with applicable U.S. federal, state (including California), and other laws and to enforce our Terms of Service [legal obligation / legitimate interests];
• We do not send marketing about Bumper Karts to your registered email or phone based on gameplay alone. If we ever offer a separate mailing list or promotion, we will only use your contact for that purpose where you clearly opt in, and you may withdraw consent at any time [consent].

We will not use your personal information for materially different purposes without first providing notice and, where required, obtaining your consent.

3. How We Share Personal Information

We do not sell your personal information for money, and we do not "share" it for cross-context behavioral advertising as defined under the CCPA/CPRA. We disclose information only as follows:

• Service providers (processors). Vendors we hire for hosting, authentication, crash or stability reporting, product analytics, email delivery, and support ticketing. They process data on our behalf under contracts that limit use and onward sharing. The concrete SDK list is in Data Safety (see Section 4).
• Google (Google Play Billing). All payment data is handled by Google LLC under its own terms and privacy policy.
• Legal compliance. When required to comply with a subpoena, court order, lawful government request, or applicable law, or to defend our legal rights.
• Protection of rights. When we believe in good faith that disclosure is necessary to protect the safety, rights, or property of , our players, or the public.
• Corporate transactions. In a merger, acquisition, financing, reorganization, or sale of all or part of our assets, your information may be transferred. We will provide notice and, where required by law, obtain your consent.
• With your explicit consent in any other case.

4. Third-Party SDKs, Analytics, and Advertising

Bumper Karts is built on Android and distributed through Google Play. Besides our own servers, the Game may load third-party SDKs for functions such as billing (Google Play Billing), sign-in or Play Services glue, crash reporting, product analytics, and — only if present in your installed build — advertising or ad mediation. Each provider processes data under its own notice; we do not control Google's systems.

Data Safety on Google Play is the authoritative list of which SDKs are in the binary you download, what categories they collect, and why. If this Policy ever disagrees with Data Safety, trust Data Safety for SDK specifics. We update both when we ship a new integration or remove one.

Advertising ID (AAID): Some analytics or ad modules read the AAID. You can reset or delete it in Android settings (Settings → Privacy → Ads on newer devices, or Settings → Google → Ads on older ones). Limiting the AAID may reduce personalized ads but can affect measurement features some SDKs rely on.

5. Data Retention

We keep personal information only as long as necessary for the purposes described above or as required by law:

• Active account data (login credentials, profile, save data): kept while your account is active, plus up to 180 days after deletion request to allow account-recovery in the event of accidental deletion or compromise, after which it is permanently deleted or anonymized.
• Purchase and tax records: retained for up to 5 years in line with U.S. federal and applicable state tax/financial recordkeeping requirements; payment-card data is never stored by us.
• Crash logs and gameplay analytics: kept in identifiable form for up to 24 months, then aggregated or anonymized.
• Customer-support correspondence: retained for up to 3 years.
• Information subject to a legal hold: retained for the duration of the relevant proceeding, then deleted.

6. Data Security

We use commercially reasonable technical and organizational safeguards designed to protect your information, including:

• Transport encryption (TLS 1.2 or higher) for all data sent between the Game and our servers;
• Encryption at rest for credentials and other sensitive fields, with hashed-and-salted password storage;
• Role-based access controls and least-privilege principles for our personnel;
• Periodic security review and vulnerability remediation.

No system is 100% secure. If a personal-information breach occurs that affects your rights, we will notify affected individuals in accordance with Cal. Civ. Code § 1798.29 / § 1798.82 and other applicable breach-notification laws within the legally required timeframe.

7. International Data Transfers and Storage Location

is headquartered in Houston, Texas, United States. Personal information we collect is processed and stored on servers located in the United States and may be processed by service providers in other countries on our behalf. If you are located outside the United States, by using the Game you understand that your information will be transferred to and processed in the United States, which may have data-protection laws different from those in your jurisdiction.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) or another lawful transfer mechanism, with supplementary measures where necessary.

8. Children's Privacy (COPPA)

Bumper Karts is not directed to children under the age of 13 in the United States, nor to children under the applicable age of digital consent in their jurisdiction (16 by default in the EEA, lower in some Member States). We do not knowingly collect personal information from such children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at and we will investigate and, where appropriate, delete the information without delay. Parents may also block in-app purchases through Google Play's parental controls and Google Family Link.

9. Account and Data Deletion

You may request deletion of your account and associated personal information at any time. We provide both an in-app option and a web-accessible request channel, in line with Google Play's account-deletion requirements:

• In-app: open Settings → Account → Delete Account in the Game and follow the on-screen confirmation.
• By email: send a request from the email address associated with your account to with the subject line "Account Deletion Request" and include your in-game player ID or registered email/phone for verification.

What we delete: your login credentials, profile, saved game progress, customer-support history tied to your account, and any other personal information we hold about you that is not subject to a legal retention requirement.

What we may retain (in limited form):

• Purchase, refund, and tax records — retained as required by U.S. federal and applicable state tax law (up to 5 years);
• Aggregated or de-identified analytics that can no longer reasonably be linked to you;
• Records necessary to detect or prevent fraud, abuse, or security incidents (e.g., a list of banned device hashes);
• Information we are required to keep under a legal hold or in response to a lawful government request.

Timing: we will acknowledge your request within 2 business days and complete deletion within 30 days of verification, unless a longer period is required by law. After deletion, your account cannot be recovered. We will confirm completion by email.

10. Your Rights as a California Resident (CCPA / CPRA)

If you are a California resident, you have the following rights under Cal. Civ. Code § 1798.100 et seq.:

• Right to Know — what categories and specific pieces of personal information we have collected about you, the sources, purposes, and the categories of third parties with whom we have disclosed it (covering the prior 12 months).
• Right to Delete — request deletion of personal information we hold about you, subject to statutory exceptions (e.g., information necessary to complete a transaction, comply with a legal obligation, or detect fraud).
• Right to Correct — request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing — we do not sell or share personal information for cross-context behavioral advertising. If that ever changes, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" mechanism.
• Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes other than those expressly permitted by the CCPA/CPRA.
• Right to Non-Discrimination — we will not deny service, charge a different price, or provide a lower quality of service because you exercised any of these rights.

How to submit a request: email with your full name, the registered email/phone of your account, the right you want to exercise, and any information needed to verify your identity. We may ask you for additional information to verify the request. We will respond within 45 days and may extend by another 45 days where reasonably necessary, with notice. Authorized agents may submit requests on your behalf with written permission or a valid power of attorney.

11. Your Rights in the EEA, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, the United Kingdom, or Switzerland, the GDPR (or UK GDPR / Swiss FADP, as applicable) gives you the following rights with respect to your personal data:

• Access — obtain confirmation of whether we process your data and a copy of it;
• Rectification — have inaccurate or incomplete data corrected;
• Erasure ("right to be forgotten") — request deletion in the circumstances set out in GDPR Art. 17 (see Section 9 for our deletion process);
• Restriction — request that we restrict processing in the circumstances set out in GDPR Art. 18;
• Data Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller;
• Object — object to certain processing based on our legitimate interests, as described in GDPR Art. 21;
• Withdraw Consent — where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing;
• Lodge a Complaint with your national data-protection authority. A list of EEA authorities is at edpb.europa.eu; UK residents may contact the ICO at ico.org.uk.

For all EEA/UK/Swiss requests, contact . We will respond within one month, extendable by two further months for complex requests, in line with GDPR Art. 12.

12. CalOPPA Compliance and Do-Not-Track

In accordance with the California Online Privacy Protection Act (Cal. Bus. & Prof. Code § 22575): (a) browsers may send a "Do Not Track" ("DNT") signal — there is no common industry standard for how mobile apps should respond, and we do not honor DNT in the Game client today; (b) any third-party SDK you install with the Game collects information only as described in Data Safety and that vendor's policy; (c) this Policy is our full statement of how handles personal information for Bumper Karts.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The "Last Updated" date at the top of this page will always reflect the most recent revision. For material changes, we will provide at least 30 days' prior notice via in-game notice or email (where we have one). Your continued use of the Game after the updated Policy takes effect constitutes acceptance of the changes.

14. Contact Us

Address:
Email:
Phone:
Response time: Initial acknowledgment within 1–2 business days; CCPA / GDPR requests handled within statutory deadlines (45 days / 1 month respectively).

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of Texas, U.S.A., without regard to conflict-of-law principles. Disputes arising out of or relating to this Privacy Policy are subject to the exclusive jurisdiction of the state or federal courts located in Harris County, Texas, except where mandatory consumer-protection or data-protection law in your country of residence (including the GDPR) entitles you to bring proceedings before the courts or supervisory authority of your habitual residence.