Privacy Policy

1. Scope of This Privacy Policy

TimeLoop is a mobile idle progression game in which players progress through four eras and forty portal stages, hire Timekeepers to automate gameplay, use Chronos-powered boosts and time warps, and may protect progress through optional account-linking and cloud-save functionality.

This Privacy Policy applies to information processed by ScryptFyre in connection with those functions. It does not govern the independent privacy practices of Apple, Google, Firebase, AdMob, OneSignal, or other third parties operating under their own privacy notices, except to the extent information is transmitted to or from those providers as part of operating the services.

2. Categories of Information We Collect or Process

Depending on how you use the services, TimeLoop may collect or process several categories of information. Some of this information is stored only on your device, some may be transmitted to our backend or service providers, and some may exist in both places for operational continuity.

• Gameplay and progression data, including portal states, upgrade levels, unlocks, era progression, lifetime earnings, prestige state, timers, statistics, achievements, daily reward state, ad-boost state, Chronos balances, premium-entitlement expiry data, onboarding state, and offline-progress snapshots.
• Account and authentication data, including whether you are using a guest account or a linked provider account, your account identifier, provider type, provider subject identifier, device-linked access tokens, refresh tokens, token-expiry timestamps, and guest-account status.
• Device and application metadata, including a generated device identifier and, when online features are used, device name, platform, app version, build number, and may include operating-system version, device model, locale, and time-zone offset.
• Cloud-save data and metadata, including compressed save data, save summaries, playtime values, milestone descriptions, Chronos balances, entitlement summaries, sync versions, save-schema versions, save timestamps, and originating device identifiers.
• Commerce and purchase-verification data, including store, product identifier, transaction identifier, verification status, purchase timestamps, verification timestamps, sandbox indicators, entitlement history, and Chronos grant or spend history, and, where applicable, Apple receipt data or Google purchase tokens processed for verification and anti-duplication purposes.
• Advertising, consent, and diagnostics data, including rewarded-ad usage state, consent status, tracking-authorization status where requested by platform rules, analytics events, crash information, remote-configuration values, and notification-permission or push-subscription state if notifications are enabled.
• Communications and support data, including information you provide when contacting us for support, privacy, export, deletion, or legal matters.

3. How Information Is Collected

We collect information from several sources depending on the features you use.

• Directly from your device and in-app activity, such as progression state, settings, ad interactions, and support actions.
• From Apple or Google sign-in flows when you choose to link an account. The reviewed TimeLoop backend model stores provider type and provider subject identifier for authentication purposes. The mobile application requests identity tokens from those providers, and provider platforms may disclose additional account attributes subject to their own rules, but the reviewed core backend model is not built around storing a broad profile record such as a postal address or payment-card details.
• From purchase-verification flows with the Apple App Store and Google Play when you buy Chronos packs or time-limited premium entitlements.
• Automatically from app, device, and backend operations, including request metadata, sync metadata, crash reporting, analytics events, and service diagnostics.

4. Data Stored Locally on Your Device

TimeLoop is designed to function as a mobile game with substantial local-state storage. As a result, much of the active gameplay record resides on the device where you play.

• Local data may include your save state, portal and era progression, Timekeeper automation state, Chronos balance, prestige state, daily rewards, achievement state, ad-boost timers, entitlement-expiry cache values, local onboarding state, and time-played metrics.
• Local device storage may also include a generated device identifier, authentication-session values, cached purchase data, pending purchase-verification items, pending currency-spend items, and other temporary or recovery-oriented records needed to resume service after interruption.
• Removing the app or clearing app storage may delete local data from that device, but doing so does not necessarily delete server-side account or transaction records governed by the retention practices described below.

5. Data Processed for Accounts, Cloud Save, and Synchronization

If cloud-sync features are available and used, we process information necessary to authenticate the session, associate the account with a device, synchronize authoritative save data, and handle save conflicts between devices.

• Guest users may receive a guest account and guest session so the services can operate online. Guest saves may be processed by the backend, but guest progress is not designed to be recoverable across devices unless the account is later upgraded or linked through Apple or Google sign-in.
• Linked users may authenticate with Apple or Google. The backend issues short-lived access tokens and rotating refresh tokens linked to the user and device.
• Account and sync operations may process device-registration data, save summaries, full save payloads, sync versions, save-schema versions, save timestamps, conflict metadata, and operational request information such as idempotency keys and hashes.
• Backend systems may update device last-seen timestamps and maintain related account, device, save, entitlement, and currency-ledger records so the service can provide cloud continuity and protect against corruption, duplication, or abuse.

6. Purchases, Rewarded Advertising, and Premium Entitlements

Apple App Store and Google Play process billing. We do not collect or store full payment-card numbers within the reviewed TimeLoop application or core backend code.

• To verify purchases and prevent duplicate grants, our systems may process product identifiers, transaction identifiers, store identifiers, purchase timestamps, verification timestamps, sandbox indicators, and, where applicable, Apple receipt data or Google purchase tokens.
• Our backend also maintains related entitlement history and Chronos grant or spend history where needed to deliver purchased content, apply premium time-limited benefits, and preserve transactional integrity.
• The reviewed code supports one-time Chronos purchases and manual 30-day ad-free or VIP entitlements. Those offerings are not implemented in the reviewed codebase as auto-renewing subscriptions.
• If you use rewarded ads, we and our advertising or consent providers may process information required to determine ad eligibility, honor consent settings, request ads, detect reward completion, enforce usage limits, and measure ad-delivery performance.

7. Analytics, Crash Diagnostics, Remote Configuration, and Notifications

• Firebase Analytics may receive product and gameplay events, including events relating to progression, prestige, shop interactions, ad boosts, daily rewards, and other gameplay milestones, so we can understand feature use and tune the game.
• Firebase Crashlytics may receive crash and fatal-error information generated by the app or platform runtime so we can diagnose and correct defects.
• Firebase Remote Config may be used to control or adjust certain ad, balancing, and operational configuration values without requiring a new app release.
• If you enable notifications, OneSignal and applicable platform push-notification services may process your push-subscription and permission state so reminders or service-related notifications can be delivered.

8. How We Use Information

• Provide, operate, maintain, and improve TimeLoop and related account-management features.
• Store, restore, synchronize, and protect player progress across supported sessions and linked devices.
• Verify purchases, grant purchased content, administer premium entitlements, and prevent duplicate or fraudulent grants.
• Load rewarded ads, respect consent or tracking settings where applicable, and measure service performance.
• Balance gameplay systems, investigate service health, diagnose bugs or crashes, and improve player experience.
• Enforce our Terms & Conditions, prevent abuse, support account integrity, and respond to support, export, deletion, or legal requests.

9. How We Disclose Information

We do not sell personal information as part of the TimeLoop services described in this policy. We may disclose information to service providers, platform operators, and other recipients where reasonably necessary to operate the services, complete transactions, prevent abuse, or comply with law.

• Our backend and cloud-data infrastructure, including Supabase-backed systems used for account, save, purchase, entitlement, and currency-ledger operations.
• Apple and Google for provider sign-in, purchase verification, billing administration, and store-platform compliance.
• Google AdMob and related consent technologies used for rewarded advertising and advertising-compliance workflows.
• Firebase services used for analytics, crash reporting, and remote configuration.
• OneSignal and platform push providers if you enable notifications.
• Advisers, law enforcement, regulators, courts, or other parties where disclosure is required by law, legal process, or reasonably necessary to protect rights, safety, or the integrity of the services.

10. Data Retention

We retain information for as long as reasonably necessary to provide the services, protect account integrity, complete transactions, resolve disputes, comply with legal obligations, and enforce our agreements. Retention periods may vary by record type and operational need.

Based on the current backend configuration reviewed for this policy, inactive guest accounts are targeted for cleanup after approximately 90 days of inactivity, stale device registrations after approximately 60 days without updates, entitlement history after approximately 1 year, and purchase history after approximately 3 years. Local device data remains on your device until you remove the app, clear app storage, or overwrite that local data.

Although internal documentation contemplates historical save-snapshot retention, the reviewed primary database schema stores a single save row per user in the main saves table. For that reason, this policy describes save retention conservatively as retention of current cloud-save records and associated sync metadata rather than promising a particular historical archive.

11. Account Export, Deletion, and Player Choices

• You may play locally without linking a provider account, but guest progress is not designed to be recoverable across devices unless you later link Apple or Google sign-in.
• You may manage certain notification, tracking, or advertising-preference settings through your device, operating system, or applicable platform interfaces where available.
• Non-guest linked accounts may request export of eligible server-side account data through the TimeLoop request-data process.
• Non-guest linked accounts may request deletion of eligible server-side account data through the TimeLoop deletion process.
• Guest accounts do not currently use the same export or deletion eligibility path in the reviewed backend. Players who want export or deletion support should first protect the save by linking the account through Apple or Google.
• The reviewed backend export path includes account, device, save, purchase, entitlement, and Chronos-ledger records for eligible linked accounts. The reviewed deletion path removes user, device, save, purchase, entitlement, currency, refresh-token, and related idempotency records associated with the linked TimeLoop account.

12. Security and Service Integrity

We use technical and operational measures reflected in the reviewed codebase to help protect service integrity, including device-linked authentication, time-limited access tokens, rotating refresh tokens, idempotency protections for sensitive request flows, request tracing, rate limiting, and validation checks for purchases and currency-spend events. No security measure is perfect or impenetrable, and we cannot guarantee absolute security.

13. Children's Privacy

TimeLoop is not directed to children under 13, and we do not knowingly collect personal information from children under 13 through the services. If you believe a child under 13 has provided personal information to us, please contact us so we can review and address the situation.

14. Changes to This Privacy Policy

We may modify this Privacy Policy from time to time to reflect changes in the services, legal requirements, operational practices, or service providers. When we do, we will update the effective date posted on this page. Your continued use of the services after the updated policy becomes effective constitutes acknowledgment of the revised policy.

15. Contact Us

For player-support matters, privacy questions, export requests, deletion requests, or other legal requests relating to TimeLoop, you may contact support@scryptfyre.com.