Privacy Policy
Last updated: May 5, 2026
At Zafronix, your privacy is fundamental to everything we build. This Privacy Policy explains how we handle information across all Zafronix mobile applications and our website (zafronix.com).
Our Core Principle
We do not collect, store, transmit, or sell any personal data. Period. Our games are designed to work entirely on your device without any server communication.
Information We Do NOT Collect
- Personal identification information (name, email, phone number)
- Device identifiers (IDFA, IDFV, or any unique device IDs)
- Location data
- Usage analytics or behavioral data
- Crash reports or diagnostic data
- Advertising identifiers
- Contact lists, photos, or any on-device content
Local Data Storage
Our games store your preferences, high scores, and game progress locally on your device using iOS's built-in UserDefaults and on-device storage. This data:
- Never leaves your device
- Is not accessible to Zafronix or any third party
- Is deleted when you uninstall the app
- Can be deleted at any time through your device settings
Third-Party Services (Mobile Games)
Our mobile games do not integrate any third-party SDKs, analytics platforms, advertising networks, or social media frameworks. There are no third parties involved in any Zafronix mobile application.
Our website and API products are different — see the “Website (zafronix.com)”, “Email Subscriptions”, and “API Customer Data” sections below.
Advertising
Zafronix games contain zero advertisements. We do not use any ad networks, display any ads, or participate in any ad-related data sharing.
Internet Connectivity
Our games are designed to work 100% offline. They do not require or request internet access. No network calls are made by any Zafronix application.
Children's Privacy
Because we do not collect any data whatsoever, our apps are safe for users of all ages. We comply with COPPA (Children's Online Privacy Protection Act) and similar regulations worldwide by simply not collecting any information.
Website (zafronix.com)
Our website (zafronix.com) is separate from our games. The website uses a small number of third-party services to run, all listed below:
- Google Analytics — aggregate page view counts. We use this to understand which pages people read; we do not track individuals.
- Meta Pixel — aggregate visit data shared with Meta for ad attribution.
- Cloudflare Turnstile — a CAPTCHA replacement on the contact form and newsletter signup. Verifies you’re human without using personal data.
- Resend — our email delivery provider. Used only to send confirmation and notification emails to people who voluntarily sign up for the Wayfinders launch list or Zafronix newsletter via our website. See “Email Subscriptions” below.
- Stripe — our payment processor for paid API products. Stripe.js loads only on pages where you can purchase a product (currently the World Cup API checkout). Card numbers, CVVs, and billing addresses are entered directly into Stripe-hosted form fields and never reach Zafronix servers. Stripe is PCI DSS Level 1 certified. See stripe.com/privacy for what Stripe does with that data.
If you contact us via the contact form, your message is sent directly to our email and is not stored in any database we operate.
Email Subscriptions (optional)
The Subscribe page and the Premium page (/premium) include an optional signup form for the Wayfinders launch list and Zafronix updates. If you subscribe:
- We store your email address, your IP address, your locale, and which list(s) you opted into in a SQLite database on our server. This is needed to comply with anti-spam law (CAN-SPAM, CASL) and to honor your unsubscribe request.
- We send you a confirmation email via Resend. Until you click the link in that email, we do not send anything else — this is the “double opt-in” required under GDPR for explicit consent.
- Once confirmed, we will send at most: one launch notification (Wayfinders) and occasional release announcements (Zafronix updates).
- Every email includes a one-click unsubscribe link in the body and the standard List-Unsubscribe header (RFC 8058) so Apple Mail and Gmail can unsubscribe you in one tap. Unsubscribing is immediate.
- We never sell, share, or rent subscriber emails.
API Customer Data (Zafronix WC API)
The Zafronix World Cup API (sold via the wc-api product) is a paid commercial service. If you purchase access:
- What we store: your email address, a hashed copy of your API key (the plaintext key only exists in your possession and Stripe’s billing records), your subscription plan, and request logs (timestamp, endpoint, response code, originating IP) for the past 30 days.
- Why we store it: account management, billing, fraud and abuse detection, rate limit enforcement, and debugging support tickets you open with us.
- How long we keep it: active-account data is retained for the life of the account plus 30 days after cancellation (so we can reverse mistaken cancellations and issue final invoices). Request logs roll off after 30 days. After the 30-day post-cancellation window, all account-level records are permanently deleted; aggregate, anonymized usage statistics may be retained indefinitely for capacity planning.
- Payment data: handled entirely by Stripe. We never see, store, or have access to card numbers, CVVs, or full billing addresses. We retain only the Stripe customer ID, the last four digits of the card (for receipts), and the billing email.
- Your rights extend here too. The access, deletion, and portability rights below apply to API customer data exactly the same way they apply to newsletter subscribers. The /delete-my-data flow, when submitted with your billing email, revokes your API key, anonymizes your request logs, and closes your Stripe customer record.
Your Rights (GDPR / CCPA / UK GDPR)
If you’re a resident of the EU, EEA, UK, or California, applicable law gives you these rights over data we hold about you. We honor them globally regardless of where you live:
- Right to access — email support@zafronix.com with your address and we’ll send you a copy of every record we have.
- Right to rectify — ask us to correct inaccurate data via the same email.
- Right to unsubscribe — use the link in any email, or visit /unsubscribe. Effective immediately, no questions asked.
- Right to erasure (“right to be forgotten”) — visit /delete-my-data and submit your email. We’ll send a confirmation email; clicking the link in it triggers permanent deletion within 30 days as required by GDPR Article 17. We require this double-confirmation to make sure the request actually came from the email’s owner — otherwise anyone could trigger deletion of someone else’s data.
- Right to data portability — we’ll export your records as JSON on request.
- Right not to be discriminated against — exercising any of these rights doesn’t affect anything else (we don’t lock you out of anything you have access to).
Note: a few of our processors retain records on their own schedules and we can’t override them. Resend (email delivery) retains logs for ~30 days. Stripe (payments) retains transactional records for 7+ years to comply with financial regulations — that’s the law in every jurisdiction we operate in, not their choice. When you exercise your right to erasure, we delete every record on our side and trigger Stripe’s “close customer” flow, but the underlying transaction history remains in their system for the legally required period.
Changes to This Policy
If we ever change this privacy policy, we will update the "Last updated" date above. Given our commitment to zero data collection, significant changes are unlikely.
Contact
If you have questions about this Privacy Policy, contact us at support@zafronix.com or through our contact form.