King (Rifki) — Privacy Policy
King (Rifki) is a Turkish trick-taking card game with 7 contract types. It supports solo mode (3 AI opponents), LAN multiplayer (Bonjour/mDNS auto-discovery), and online multiplayer through public rooms hosted on our self-operated server at king.albooren.com.
Last updated: May 9, 2026 · Effective: May 9, 2026Summary
https://king.albooren.com), Bonjour / mDNS for LAN peer discovery, and a self-hosted Dart WebSocket server at king.albooren.com for public online rooms. No account sign-up, no email or phone collection. Player nicknames are user-entered and pseudonymous.Data We Process
| Data type | Purpose | Legal basis | Retention |
|---|---|---|---|
| Advertising identifier (IDFA / GAID) | AdMob delivery, frequency capping, fraud prevention | Consent (ATT/UMP) where personalised; legitimate interests where non-personalised | Per Google AdMob retention |
| Firebase Analytics pseudonymous ID (App Instance ID) | Anonymous usage analytics (screen views, contract popularity, session length, multiplayer events such as mp_room_created, mp_room_joined, mp_disconnect, mp_reconnect) | GDPR 6(1)(a) consent (via UMP) or (f) legitimate interests | Currently configured as 2 months for both event data and user-level data (minimum supported by Firebase Analytics; maximum supported is 14 months). User-level deletion available on request |
| Auto-collected analytics events (first_open, app_update, session_start, screen_view) with device model, OS version, app version, country-level location | Product improvement, diagnostics | Legitimate interests | 2 months (current configuration). Aggregated standard reports retained by Google Analytics independently and are not user-identifiable |
| Crash reports (stack trace, OS version, device model, app version, locale, time of crash) — release builds only, disabled in debug | Diagnose and fix bugs that cause the app to crash | GDPR 6(1)(f) legitimate interests | Per Firebase Crashlytics retention (Google retains for up to 90 days) |
| Local game statistics (hands, scores, contract selections), settings, save state, ad-free purchase flag | App functionality + in-app stats screen | Not transmitted to us | Device-local until cleared |
Purchase verification token (StoreKit/Play receipt, product id, platform) sent to king.albooren.com | Server-side verification of the "Remove Ads" IAP, restore purchases | GDPR 6(1)(b) contract performance | Used at receipt-validation time; not persisted to a database. Apple/Google retain the underlying transaction record per their policies |
| LAN nickname and room state (local network only, never transmitted off-device) | LAN multiplayer | GDPR 6(1)(b) contract performance | Session duration |
| Online player nickname (user-entered) — visible to other players in the same online room | Display in online multiplayer rooms | GDPR 6(1)(b) contract performance | Server memory: lifetime of the room. Local device: until cleared |
| Online room code, rejoin token, and game state (hands, scores, cards played) | Online multiplayer functionality and reconnection | GDPR 6(1)(b) contract performance | Server memory: lifetime of the room (no persistent database) |
| IP address (connection metadata) | WebSocket transport, rate limiting, abuse prevention | GDPR 6(1)(f) legitimate interests (security) | Server stdout logs only (no disk persistence). Logs survive only as long as the host's container/log driver retains them |
We do not collect real name, email, phone, precise location, contacts, photos, microphone, or camera data.
Third-Party Services
Google AdMob (with mediation)
Banner, interstitial, and rewarded-video ads are shown. The app declares 55 SKAdNetwork identifiers in its iOS bundle to support AdMob mediation with multiple ad networks. The full list of Google-certified mediation partners is available at support.google.com/admob/answer/9012903. You may opt out of personalised ads via App Tracking Transparency on iOS or Google UMP on Android. Google advertising policy.
Firebase Analytics
We use Firebase Analytics to understand which screens are used, which contracts are most popular, and session duration to inform product decisions. Firebase assigns a pseudonymous App Instance ID; we do not send real names, emails, or identifiers you have provided to us. Firebase automatically collects some standard events (e.g., first_open, app_update, session_start, screen_view) together with device model, OS version, app version, and approximate (country-level) location. Event data and user-level data are currently retained for 2 months, the minimum supported by Firebase Analytics (the maximum supported is 14 months). This conservative retention setting is applied in line with the data-minimisation principle of GDPR Art. 5(1)(e). Aggregated standard reports (e.g., daily-active-user counts) are retained independently by Google and are not user-identifiable. Users may opt out via UMP consent prompt (Android) or by declining ATT and resetting the advertising identifier. Firebase privacy and security.
Firebase Crashlytics
Crashlytics is enabled in release builds only and disabled in debug builds. When the app crashes or hits an uncaught exception, Crashlytics sends a stack trace together with device model, OS version, app version, locale, the Firebase Installation ID, and the time of the crash. We use this strictly to find and fix bugs. Player nicknames, IAP receipts, statistics, and game state are not sent to Crashlytics. Google retains Crashlytics data for up to 90 days. Firebase Performance Monitoring is not used.
In-App Purchases (IAP)
Payments are processed by Apple App Store or Google Play. We never see your card number or payment details. The app receives only a verification token that unlocks purchased content (e.g., the king_remove_ads ad-free unlock). The verification token is forwarded once to https://king.albooren.com/api/receipts/verify for server-side validation; it is not persisted in a database after validation completes.
LAN Multiplayer (Bonjour / mDNS)
Used only to discover devices on the same Wi-Fi network. No data leaves the local network during LAN play. iOS requires the Local Network permission for this; Android uses NSD.
Self-Hosted Online Game Server (king.albooren.com)
Public room creation and online multiplayer connect to a Dart WebSocket server we operate. Endpoints used:
POST https://king.albooren.com/api/rooms— create a new online room and receive a room codeGET https://king.albooren.com/api/rooms/{code}— query whether a room is still livePOST https://king.albooren.com/api/receipts/verify— server-side IAP receipt validationwss://king.albooren.com/ws/{code}— real-time game traffic (player nicknames, hands, scores, cards played, contract selections, rejoin tokens)
The server keeps room codes, player nicknames, game state, and rejoin tokens in memory only; no persistent database is used. When a room ends or expires, the data is discarded. All traffic uses TLS (HTTPS / WSS).
International Transfers
AdMob, Firebase Analytics, and Crashlytics data may reach Google data centres globally, including the United States, under the EU–US Data Privacy Framework and Standard Contractual Clauses (GDPR Art. 46). Online multiplayer traffic (player nicknames, game state, rejoin tokens, IP address) and IAP receipt validation are transmitted to our self-operated server in Turkey. See the common policy — International Data Transfers section.
Analytics Deletion Request
To delete the Firebase Analytics data associated with your App Instance ID, email privacy@albooren.com with the subject "Firebase Analytics Deletion - King" and include (if you know it) the App Instance ID from Settings → About screen. Requests are submitted via the Firebase User Deletion API and processed within 30 days.
Children's Privacy
King is a card game suitable for teens and adults, not directed to children under 13 (COPPA) or 16 (GDPR Art. 8). We do not knowingly collect data from users below these thresholds. Contact privacy@albooren.com to report inadvertent child data collection.
Your Rights & Deletion
Online game data is deleted when the room ends. Uninstalling removes device-local statistics, settings, save state, and the stored player nickname. To reset the advertising identifier on iOS: Settings → Privacy & Security → Tracking. On Android: Settings → Google → Ads. For full GDPR / KVKK rights, including access, rectification, portability, and complaint to a supervisory authority, see the common policy.
Direct requests: privacy@albooren.com