This Privacy Policy ("Policy") governs the manner in which Lucky Arrows ("the Application," "we," "us," or "our") collects, processes, retains, and discloses personal data obtained from users of the Application. By downloading, installing, or using Lucky Arrows, you confirm that you have read and understood this Policy and consent to the data practices described herein. This Policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and the Virginia Consumer Data Protection Act (VCDPA).
Article I — Definitions
1.1 "Application" means Lucky Arrows, the mobile software product developed and operated by the Company.
1.2 "Company" means the legal entity that operates Lucky Arrows, referred to in this Policy as "we," "us," or "our."
1.3 "Personal Data" means any information relating to an identified or identifiable natural person ("data subject").
1.4 "Usage Data" means information collected automatically from the Application or its underlying infrastructure in the course of a user's interaction with the Service.
1.5 "Device" means any electronic apparatus — including smartphones, tablets, and personal computers — through which a user accesses the Application.
1.6 "Service Provider" means any natural or legal person who processes Personal Data on behalf of the Company under a binding data processing agreement.
1.7 "Advertising Identifier" means a resettable, non-permanent device identifier used for ad targeting and measurement — specifically the Google Advertising ID (GAID) on Android and the Identifier for Advertisers (IDFA) on iOS.
1.8 "Processing" means any operation performed on Personal Data, including but not limited to collection, storage, use, disclosure, erasure, and destruction.
Article II — Categories of Personal Data Collected
2.1 Automatically Processed Data. The Application automatically collects the following categories of data when a user accesses or interacts with it:
(a) Internet Protocol (IP) address and approximate geolocation at the country or region level;
(b) Device identifiers, including GAID (Google Advertising ID) and ANDROID_ID;
(c) Device specifications: manufacturer, model, operating system version, and screen resolution;
(d) Session metrics: duration, frequency of access, and in-application navigation behavior;
(e) Crash reports, error logs, and Application performance diagnostics;
(f) Network connection details, including connection type (Wi-Fi, cellular) and carrier information.
2.2 Data Provided with User Consent. The following categories of data are collected only upon the user's explicit consent:
(a) Advertising Identifiers (GAID on Android; IDFA on iOS), for the purpose of delivering personalized advertisements and measuring campaign performance;
(b) In-Application engagement data, including interactions with advertisements, reward mechanisms, and interactive content;
(c) PayPal account email address and associated display name, collected exclusively for the processing of user withdrawal requests.
Scope Limitation: Lucky Arrows does not collect names, physical addresses, phone numbers, biometric data, precise GPS location, or any government-issued identification numbers.
Article III — Purposes of Processing
3.1 Personal Data and Usage Data are processed by the Company for the following lawful purposes:
| Purpose | Description | Legal Basis |
| --- | --- | --- |
| Service Delivery | Operating Lucky Arrows and its core features | Contract performance |
| Account Management | Registration, authentication, and user preferences | Contract performance |
| Payment Processing | Executing PayPal withdrawals accurately and securely | Contract performance |
| Communications | Service updates, security notices, and support responses | Legitimate interest |
| Analytics | Aggregated usage analysis to improve the Application | Legitimate interest |
| Advertising | Delivering relevant personalized advertisements | Consent |
| Legal Compliance | Meeting regulatory and legal obligations | Legal obligation |
| Business Transitions | Facilitating mergers, acquisitions, or restructurings | Legitimate interest |
Article IV — Disclosure and Sharing of Personal Data
4.1 The Company does not sell Personal Data to third parties. Personal Data may be disclosed only in the circumstances enumerated below:
(a) Service Providers — vendors engaged to perform hosting, analytics, customer support, and payment processing on behalf of the Company, each bound by a Data Processing Agreement;
(b) Business Transfers — in connection with any merger, acquisition, financing due diligence, or sale of all or a portion of Company assets;
(c) Affiliates — entities under common ownership or control with the Company, subject to privacy protections no less stringent than those in this Policy;
(d) Legal Process — when required to comply with applicable law, court order, subpoena, or binding governmental request;
(e) Safety & Security — to prevent fraud, enforce our terms, or protect the safety of users, the Company, or the general public;
(f) Explicit Consent — for any additional purpose disclosed to the user and affirmatively agreed to by the user.
PayPal Data Protection: A user's PayPal email address and display name are used solely to process that user's withdrawal transaction. Such data is never sold, rented, or shared with advertising partners, data brokers, or any unrelated third party. Disclosure occurs only when required by applicable financial regulations or by explicit user consent.
Article V — Application Permissions
5.1 Lucky Arrows requests the following device permissions on Android. Each permission is disclosed prior to installation and is exercised only for the stated purpose. No permission is used to collect data beyond what is described.
| Permission | Purpose | Data Involved |
| --- | --- | --- |
| INTERNET | Core network access required for gameplay, ads, and updates | Network traffic metadata |
| ACCESS_NETWORK_STATE | Detect network availability before initiating requests | Connection status |
| ACCESS_WIFI_STATE | Read Wi-Fi status to optimize data transmission | Wi-Fi connection details |
| AD_ID | Access advertising identifier for ad personalization | Resettable device ad ID |
| VIBRATE | Haptic feedback during in-game interactions | None |
| ACCESS_ADSERVICES_TOPICS | Privacy-preserving interest-based ad targeting (Topics API) | Ad topic signals |
| ACCESS_ADSERVICES_ATTRIBUTION | Attribution Reporting API for ad effectiveness measurement | Attribution data |
| BIND_GET_INSTALL_REFERRER_SERVICE | Identify how the Application was discovered and installed | Install source and campaign parameters |
| BIND_APPHUB_SERVICE | Connect to app distribution and update services | Update and distribution data |
| ACCESS_ADSERVICES_AD_ID | Compliance with modern ad services API requirements | Ad services identifier |
| FOREGROUND_SERVICE | Maintain essential operations while Application is active | None |
| DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION | Register secure internal broadcast receivers | None |
5.2 All permissions requested by Lucky Arrows are in full compliance with Google Play Developer Program Policies and applicable data protection regulations.
Article VI — Analytics and Service Endpoints
6.1 Lucky Arrows operates the following server infrastructure to deliver and support its service:
| Endpoint | URL | Function |
| --- | --- | --- |
| Primary Application Server | https://zbl.luckaws.com/ | Gameplay logic, session management, account data, real-time synchronization |
| Analytics & Telemetry | https://zbl.luckaws.com/ | Anonymized, aggregated usage data collection for product improvement |
6.2 Endpoint Security Standards. All service endpoints are subject to the following mandatory security controls:
(a) Transport Layer Security (TLS) version 1.2 or higher is enforced on all connections;
(b) Role-based access control (RBAC) is implemented across all server infrastructure;
(c) The principle of data minimization is applied — only data essential to the specific function is transmitted;
(d) Regular penetration testing and vulnerability assessments are conducted;
(e) Data Processing Agreements (DPAs) are maintained with all infrastructure and hosting partners.
Article VII — Data Security
7.1 The Company implements commercially reasonable physical, administrative, and technical safeguards to protect Personal Data from unauthorized access, use, alteration, or disclosure, including:
(a) Encryption of all data in transit via TLS 1.2 or higher, and at rest using industry-standard algorithms;
(b) Role-based access controls limiting data access strictly to authorized personnel with a documented need to know;
(c) Scheduled security audits, penetration tests, and code vulnerability assessments;
(d) Contractual obligations requiring all third-party Service Providers to maintain equivalent security standards.
7.2 Notwithstanding the foregoing, no electronic transmission or storage system is unconditionally secure. The Company cannot guarantee the absolute security of Personal Data but undertakes to protect it to the highest practicable standard.
Article VIII — Data Retention
8.1 Personal Data is retained only for as long as is necessary to fulfil the purposes described in this Policy, after which it is securely deleted or anonymized.
8.2 Where a user's account has remained inactive for a period of ninety (90) consecutive days, the Company shall permanently delete that user's Personal Data from its active systems.
8.3 Usage Data rendered fully anonymous and incapable of identifying any individual may be retained indefinitely for aggregate analytical purposes.
8.4 Specific categories of data may be retained beyond the above periods where required by applicable law, regulation, or valid legal process.
Article IX — International Data Transfers
9.1 Lucky Arrows operates globally. Personal Data may be transferred to, stored on, and processed by servers situated in jurisdictions other than the user's country of residence.
9.2 The Company safeguards all cross-border transfers through the following mechanisms:
(a) Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable to EEA residents;
(b) Mandatory TLS 1.2+ encryption for all data transmitted across national or jurisdictional boundaries;
(c) Contractual requirements obligating overseas processors to meet GDPR-equivalent data protection standards.
9.3 By using Lucky Arrows, the user acknowledges that their Personal Data may be transferred to and processed in countries outside their country of residence, including countries whose data protection laws may differ from local requirements.
Article X — Third-Party Advertising Services
10.1 Advertisements within Lucky Arrows are served through AppLovin and its mediation network, which enables multiple advertising partners to deliver content within the Application.
10.2 The categories of data shared with advertising partners are strictly limited as follows:
(a) Resettable Advertising Identifiers (GAID / IDFA);
(b) Device information (model, OS version, screen dimensions);
(c) Session metrics (usage frequency, duration, time of access);
(d) Ad interaction data (impressions, clicks, video completion rates, rewards claimed);
(e) Country and language preferences.
Data Never Disclosed to Ad Partners: Email addresses, phone numbers, PayPal credentials, account login data, gameplay progression, user-generated content, and precise geolocation are never shared with advertising partners under any circumstances.
10.3 Schedule A — Advertising Partner Directory. Each advertising partner is governed by its own privacy policy. The complete list of partners and their respective policies is provided below:
Article XI — User Privacy Rights
11.1 The applicable rights available to each user depend on the jurisdiction in which the user resides. To exercise any right, submit a written request to xee.district@gmail.com. All verifiable requests will be acknowledged within 48 hours and fulfilled within 30 days (extendable to 60 days where law permits).
CCPA / CPRA — California
- Right to Know — categories and specific pieces of data collected, used, and disclosed
- Right to Delete — request deletion of Personal Data (subject to legal exceptions)
- Right to Correct — rectify inaccurate Personal Data
- Right to Opt-Out — of the sale or sharing of Personal Data
- Right to Non-Discrimination — no adverse treatment for exercising rights
GDPR — EU / EEA / UK
- Right of Access — obtain a copy of your Personal Data
- Right to Rectification — correct inaccurate or incomplete data
- Right to Erasure — "right to be forgotten" in qualifying circumstances
- Right to Restrict Processing — limit specific processing activities
- Right to Object — object to processing based on legitimate interests
- Right to Portability — receive data in machine-readable format
VCDPA — Virginia Residents: You have the right to (a) access and obtain a copy of your Personal Data; (b) correct inaccuracies in your Personal Data; (c) delete Personal Data provided by or obtained about you; (d) receive your data in a portable, machine-readable format; and (e) opt out of targeted advertising, data sales, and profiling for decisions with significant legal effects.
Article XII — Opt-Out Mechanisms
12.1 Personalized Advertising. Users may disable interest-based advertising through the following device-level controls:
Android
Settings → Google → Ads → Opt out of Ads Personalization
Users may also reset their GAID from this same menu at any time, at no cost.
iOS
Settings → Privacy & Security → Tracking (disable "Allow Apps to Request to Track")
Alternatively: Settings → Privacy → Apple Advertising → Personalized Ads (toggle off).
12.2 Opt-Out of Data Sale. To exercise the right to opt out of the sale or sharing of Personal Data, users shall send a written request to xee.district@gmail.com with the subject line "Do Not Sell My Personal Information". The Company shall process such requests within fifteen (15) business days.
12.3 Automated Profiling Opt-Out. Lucky Arrows does not engage in automated decision-making that produces legal or similarly significant effects on users. No opt-out mechanism for such profiling is therefore required; however, users with concerns may contact the Company at xee.district@gmail.com.
Article XIII — Automated Decision-Making
13.1 Lucky Arrows does not employ automated decision-making processes — including profiling — that produce decisions having legal effects or similarly significant effects upon users, as described in Article 22 of the GDPR.
13.2 Algorithmic processes used within the Application (such as content recommendation or ad matching) are used solely to improve the user experience and do not produce binding determinations regarding any individual's rights, access to services, or legal standing.
13.3 Should the Company introduce any automated decision-making with legal or significant effects in the future, users will be notified and provided with appropriate safeguards, including the right to human review, as required by applicable law.
Article XIV — California Shine the Light Disclosure
14.1 Under California Civil Code Section 1798.83 ("Shine the Light" law), California residents who have established a business relationship with Lucky Arrows may request information regarding whether we have disclosed their Personal Data to third parties for direct marketing purposes during the preceding calendar year.
14.2 Lucky Arrows does not disclose Personal Data to third parties for their own direct marketing purposes without the prior explicit consent of the user. Accordingly, no disclosure report is generated under this provision.
14.3 California residents who nonetheless wish to confirm this practice, or who have additional questions about their rights under California law, may submit an inquiry to xee.district@gmail.com with the subject line "California Privacy Inquiry".
Article XV — Children's Privacy
15.1 Lucky Arrows is not directed at, nor intended for use by, children under the age of thirteen (13). The Company does not knowingly collect, process, or retain Personal Data from any individual known to be under 13.
15.2 If a parent or legal guardian believes that a child under 13 has provided Personal Data to the Company without parental consent, they should immediately contact xee.district@gmail.com. Upon receiving such notification and verification, the Company shall promptly and permanently delete all such data from its systems.
15.3 Users between the ages of 13 and 18 are encouraged to review this Policy with a parent or guardian before using Lucky Arrows.
Article XVI — Third-Party Links and Services
16.1 The Application may contain hyperlinks, integrations, or references to websites and services operated by independent third parties. The Company exercises no control over, and assumes no liability for, the content, data practices, or security posture of any such external services.
16.2 Users are advised to review the privacy policies of any third-party service accessed through or in connection with Lucky Arrows. The presence of a link or integration does not constitute an endorsement of that party's privacy practices by the Company.
Article XVII — Legal Disclosure Requirements
17.1 Business Transactions. In the event of a merger, acquisition, financing transaction, or sale of all or a material portion of Company assets, Personal Data held by the Company may be disclosed or transferred to the successor or acquiring entity. The Company shall provide affected users with advance notice of such a transfer and shall ensure that the successor entity is bound by privacy obligations no less protective than those set out in this Policy.
17.2 Law Enforcement Requests. The Company may disclose Personal Data when compelled to do so by a valid court order, subpoena, governmental directive, or other binding legal process, or when such disclosure is otherwise required by applicable law.
17.3 Protection of Rights and Safety. Disclosure may occur where the Company believes in good faith that it is necessary to prevent fraud, enforce the Application's Terms of Service, or protect the rights, property, or safety of the Company, its users, or members of the public.
17.4 In all cases of legally compelled disclosure, the Company shall disclose only the minimum data necessary to satisfy the legal requirement and shall notify affected users to the extent permitted by law.
Article XVIII — Amendments to This Policy
18.1 The Company reserves the right to amend this Policy at any time. Amended versions of the Policy shall be effective immediately upon publication on the Application's designated policy page.
18.2 The "Effective Date" at the head of this document will be updated to reflect the date of the most recent material revision.
18.3 For material amendments that substantially alter the nature of data processing activities or user rights, the Company shall provide not less than seven (7) days' advance notice via a prominent in-application notification or email, where feasible.
18.4 Users are encouraged to review this Policy periodically. Continued use of Lucky Arrows following the publication of any amendment shall constitute the user's acceptance of the revised terms.
Article XIX — Contact Information
19.1 For all questions, concerns, rights requests, or communications relating to this Policy or the Company's data processing activities, users may contact the Company through the following channels:
(b) In-Application: Navigate to Settings → Help & Support within Lucky Arrows
19.2 The Company shall acknowledge all privacy-related inquiries within forty-eight (48) hours of receipt. Formal rights requests under GDPR, CCPA/CPRA, or VCDPA shall be completed within thirty (30) days, subject to applicable extensions.
Response Commitment: We are committed to addressing all privacy inquiries promptly and transparently. If you are not satisfied with our response, you retain the right to lodge a complaint with the relevant supervisory authority in your jurisdiction (e.g., a Data Protection Authority in the EU, or the California Privacy Protection Agency).