Privacy Policy

Last Updated: February 15, 2026

This Privacy Policy describes how Lemon Crate Studio LLC (“we”, “us”, or “our”) collects, uses, and discloses information about you when you use our website (https://cardandpuzzle.com) and our mobile applications (collectively, the “Services”).

We are the Data Controller for your information.

1. Information We Collect

We collect information to provide a seamless gaming experience across web and mobile. We categorize data collection by the source:

A. Information You Provide to Us

• Contact Information: If you use our contact form or email us, we collect your name, email address, and message content.
• Newsletter Subscription: If you subscribe to our newsletter, we collect your email address. You can unsubscribe at any time using the “unsubscribe” link included in every email.
• Voluntary Feedback: Any game reviews or bug reports you submit.

B. Information Automatically Collected (Web & Mobile)

2. Legal Bases for Processing (EEA/UK)

Where required by law, we rely on the following legal bases to process your personal data:

• Consent — for personalized advertising, analytics cookies, and advertising identifiers. You can withdraw consent at any time via the “Consent Preferences” link on our website or “Manage Consent” in our mobile apps.
• Legitimate Interest — for security (e.g., Cloudflare DDoS protection), crash reporting (e.g., Crashlytics), and basic device diagnostics needed to ensure game compatibility.
• Performance of Contract — to provide core game functionality such as saving your progress locally on your device.

3. Third-Party Services and Data Sharing

We do not sell your personal data. We share data with trusted third-party service providers to operate our business.

A. Website Services (Web Only)

These services operate when you visit cardandpuzzle.com.

• Google Funding Choices: Manages your consent preferences and cookie choices.
• Google AdSense: Displays advertisements on the website. Uses cookies to personalize ads.
• PostHog: Our primary analytics tool. Analyzes user behavior and improves website performance.
• Formspark: Processes our contact form submissions.
• Cloudflare: A Content Delivery Network (CDN) that secures our site and speeds up loading. (Processes IP addresses for security).
• Google Ads (gtag.js): Tracks ad conversions.
• Meta Pixel: Tracks ad conversions and measures the effectiveness of advertising campaigns across Meta platforms (Facebook, Instagram).
• Email Service Provider: If you subscribe to our newsletter, your email address is processed by our email marketing service provider to deliver newsletters and related communications.

B. Mobile & Game Services (App & WebGL)

These services operate when you play the game on mobile or in the browser.

• Google Analytics for Firebase: Analyzes user engagement, retention, and in-game behavior on mobile devices.
• Google AdMob / Unity Ads / ironSource: Mobile ad networks and mediation partners that may access your Advertising ID to show rewarded videos or interstitials. On mobile devices, consent for personalized advertising may be managed through the in-app consent dialog and your device privacy settings.
• Meta Ads / Meta Audience Network: Used for user acquisition campaigns, ad performance measurement, and serving ads within mobile apps. May access device identifiers for attribution and ad optimization.
• GameAnalytics / ByteBrew: Game-specific analytics to track difficulty curves (e.g., “How many players fail Level 5?”).
• Crashlytics (Firebase): Reports app crashes so we can fix bugs.

Some third-party advertising partners (for example, Google AdMob, Unity Ads, ironSource, and Meta) may process certain data (such as device identifiers, usage data, and IP-based general location) for their own purposes, including ad personalization, measurement, fraud prevention, and compliance. In those cases, they may act as independent data controllers. Please review their privacy policies for details.

We may add or remove advertising and analytics partners over time (including through mediation platforms). We will update this policy and related disclosures as required by applicable law.

C. Cookies and Tracking Technologies

We use cookies and similar technologies on our website and in our apps.

You can manage your choices through privacy controls provided in the website and app consent flows, browser settings, and device privacy settings.

D. Third-Party Privacy Policies

For more details about how our third-party partners process data, you can review their privacy policies:

• Google (AdMob, AdSense, Firebase/Crashlytics, Funding Choices, Google Ads): https://policies.google.com/privacy
• Meta (Meta Ads, Meta Audience Network, Meta Pixel): https://www.facebook.com/privacy/policy/
• Unity Ads: https://unity.com/legal/privacy-policy
• ironSource (LevelPlay): https://unity.com/legal/privacy-policy
• GameAnalytics: https://gameanalytics.com/privacy/
• ByteBrew: https://docs.bytebrew.io/BBSettings/privacypolicy
• PostHog: https://posthog.com/privacy
• Cloudflare: https://www.cloudflare.com/privacypolicy/
• Formspark: https://formspark.io/legal/privacy-policy/

These third-party policies may be updated by their providers from time to time.

4. How We Process Your Information

We process data for the following specific purposes:

1. To Provide the Service: Storing your game progress locally so you don’t lose progress.
2. To Improve the Game: Using PostHog, Firebase, and GameAnalytics to see where players get stuck.
3. To Fund the Service: Using AdSense (Web) and mobile ad networks/mediation partners (such as AdMob, Unity Ads, and ironSource) to generate revenue via ads.
4. Security: Using Cloudflare to block bots and DDoS attacks.
5. To Communicate: If you subscribe, sending you newsletters with game updates, tips, and announcements. You can opt out at any time.

5. International Data Transfers

Our servers and third-party service providers (like Google, PostHog, and Cloudflare) are primarily located in the United States. If you are accessing our Services from the EEA or UK, please note that your data is transferred to the US. We rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (where applicable for certified providers like Google) to safeguard these transfers.

6. Your Rights (GDPR, UK, LGPD & Global)

If you are located in the EEA, UK, or Switzerland, you have the following rights:

• Right to Access: Request a copy of your personal data.
• Right to Rectification: Correct inaccurate data.
• Right to Erasure (“Right to be Forgotten”): Request deletion of your data (e.g., reset game stats).
• Right to Withdraw Consent: You can withdraw your consent for ads/analytics at any time via the “Consent Preferences” link (Web) or “Manage Consent” (Mobile).
• Right to Restrict Processing: Ask us to pause processing your data.
• Right to Object: Object to processing based on “legitimate interest” or direct marketing.
• Right to Portability: Request your data in a structured, machine-readable format.
• Right to Complain: Lodge a complaint with your local Data Protection Authority (DPA).

To exercise these rights, email [email protected].

For users in Brazil (LGPD) and Canada (PIPEDA), you may contact us using the details in Section 13 for privacy inquiries, complaints, and data-related requests.

7. U.S. State Privacy Rights (California, Virginia, Colorado, etc.)

Global Privacy Control (GPC)

We honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we will automatically treat it as a request to opt-out of the “sale/sharing” of your personal information (turning off tracking cookies/ads).

Do Not Track Signals

Our Services do not respond to traditional “Do Not Track” browser signals. However, we honor Global Privacy Control (GPC) signals where required by law.

Your CCPA/CPRA Rights regarding “Sale” vs. “Sharing”

We do not sell personal information for monetary value (we don’t sell your email list). However, allowing ad networks (like Google, Meta, or Unity) to place cookies or access your Advertising ID to show personalized ads may be considered “sharing” or a “sale” under California law.

• Right to Opt-Out of Sale/Sharing: You can opt-out of this ad targeting at any time.
  • Web: Click the “Do Not Sell or Share My Personal Information” link in the website footer.
  • Mobile: Go to Settings > “Manage Consent” or “Do Not Sell My Info”.
• Right to Know & Delete: You may request to know what data we hold and ask for it to be deleted.
• Response Timeline: We will respond to verified requests within 45 days.

California Civil Code Section 1798.83 (“Shine the Light”) permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, contact us using the details in Section 13.

8. Automated Decision-Making

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.

9. Data Retention

We keep your information only as long as necessary:

• Game Save Data (Local): Stored locally on your device until you clear your browser/app data, reset the game, or uninstall the app.
• Analytics Data: Retained by our partners (Google, PostHog) for a period of 14 to 26 months before being automatically deleted or anonymized.
• Contact Form Data: Retained for as long as necessary to resolve your support inquiry, then archived or deleted.
• Newsletter Data: Your email address is retained until you unsubscribe or request deletion.

We do not collect precise GPS location. Some third-party advertising or analytics partners may infer general (coarse) location from IP address or device signals.

10. Children’s Privacy (COPPA)

Our Services are not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent and believe we have collected data from a child, contact us immediately at [email protected], and we will delete it.

11. Data Security

We implement reasonable security measures, including HTTPS encryption for web traffic and secure storage for game data. However, no method of transmission over the internet is 100% secure.

If a security incident involving personal data occurs, we will investigate, mitigate, and provide notices to affected users and regulators where required by applicable law.

12. Changes to This Policy

We may update this privacy notice from time to time. The updated version will be indicated by an updated “Revised” date at the top of this policy. If we make material changes, we may notify you via a prominent notice on our Service.

13. Contact Us

If you have questions about this policy, please contact us:

Lemon Crate Studio LLC 2108 N ST STE N, Sacramento, CA 95816, USA Email: [email protected]