DJampa

Privacy Policy

Effective date: 21 May 2026 — Last updated: 21 May 2026

This Privacy Policy describes how Anna Nikitina ("DJampa", "we", "us", or "our") collects, uses, and protects information when you or your child uses DJampa's mobile applications, including Hungry Cat Dao, and the website at djampa.fun (collectively, the "Services").

We have designed our Services with privacy in mind, especially for children. We collect as little data as possible. We never sell data. We never serve third-party advertising inside our games, and we never use children's data for ad targeting or behavioural profiling.

If you are a parent or guardian, please read Section 7 "Children's Privacy" carefully — it explains what we do, what we do not do, and what choices you have.

1. Who we are

Data controller: Anna Nikitina, an individual acting as data controller, resident in Spain. Postal address: Carrer de Vicent Marco Miranda (Polític), 9, 12C, 46026 Valencia, Spain.

Contact for all privacy matters: [email protected]

Because the controller is established within the European Union, we do not appoint a separate EU/EEA representative under Article 27 GDPR.

Supervisory authority for Spain: Agencia Española de Protección de Datos (AEPD), www.aepd.es. You have the right to lodge a complaint with the AEPD or with the supervisory authority of your country of residence.

2. Scope of this policy

This policy applies to:

  • The Hungry Cat Dao mobile application on iOS and Android
  • The website at djampa.fun and its subdomains
  • Any future DJampa products that link to this policy

Hungry Cat Dao is a child-directed service intended for players aged roughly 9 to 12. It is submitted to the Apple App Store under the Kids Category (Ages 9–11) and to Google Play under the Designed for Families programme (target age 9–12), with content rating "Everyone". As a result, the following frameworks apply throughout this policy:

  • EU General Data Protection Regulation (GDPR), including Article 8
  • Spanish Organic Law 3/2018 on Personal Data Protection (age of digital consent: 14)
  • United States Children's Online Privacy Protection Act ("COPPA")
  • United Kingdom Age-Appropriate Design Code

3. Information we collect

We collect the minimum necessary to operate the Services. We never collect more than what is needed for the specific purpose described below.

3.1 Information collected automatically

When you or your child uses Hungry Cat Dao, the following is collected automatically:

  • Anonymous account identifier. The app signs in using Firebase Anonymous Authentication and creates a randomly generated user identifier so the app can save settings and progress. This identifier is not linked to your real name, email, phone number, or any social account. The app does not support sign-in with Google, Apple, Facebook, email, or any other identity provider.
  • Device and technical information. Device model, operating system version, screen size, language setting, and approximate region (country only). Used for performance optimization and crash diagnosis.
  • Crash and stability data. When the app crashes, we collect a technical report (which line of code failed and the device state at the time) through Firebase Crashlytics. These reports do not include identifying information.
  • Gameplay events. Events such as "game started", "song completed", "level passed" with no personal information attached. These are aggregated to understand how to improve the game.
  • Limited network information. For session security and abuse prevention, our servers retain only a short prefix of the device's IP address (the network subnet, not the full IP). Full IP addresses are not written to durable storage.

3.2 Phone-as-controller / TV companion mode

Hungry Cat Dao may offer a mode in which a phone acts as a controller for a paired display (for example, a Chromecast-enabled TV in the same home). In this mode:

  • A short display name chosen by the player is shown only on the paired display and never used outside the household session.
  • Display names are server-side sanitized (HTML stripped, length-limited) before being stored.
  • The room and any associated display names automatically expire shortly after the session ends (typically within a couple of hours).
  • We do not allow open chat, voice chat, or any other communication with strangers. This is intended for family co-play only.

3.3 Camera and microphone

Hungry Cat Dao uses the device camera to detect body movements for the rhythm gameplay. No camera images are recorded, stored, or transmitted off the device. All pose detection runs locally on the device using on-device machine learning. The app does not record or transmit audio.

3.4 Information we do NOT collect

We do not collect:

  • Real name, email address, phone number, postal address, or date of birth
  • Apple's Identifier for Advertisers (IDFA) — the app does not present the App Tracking Transparency prompt
  • Google Advertising ID (AAID / AD_ID) — the corresponding Android permission is explicitly removed from the app manifest
  • Android SSAID and other persistent device-level advertising identifiers
  • Photos, videos, or images of your child
  • Audio recordings
  • Precise geolocation (GPS)
  • Contacts, calendar entries, files, or any data from other apps
  • Biometric data
  • Health or medical information
  • Information about other people the user knows

4. Why we use information (purposes and lawful bases)

Under EU/UK GDPR, we identify a lawful basis for each purpose:

  • Operating the app (saving progress, settings). Data: anonymous identifier, device info. Basis: performance of a contract (Art. 6(1)(b)) and our legitimate interest in providing a working app (Art. 6(1)(f)).
  • Fixing crashes and bugs. Data: crash reports, device info. Basis: legitimate interest in maintaining a stable service (Art. 6(1)(f)).
  • Understanding which gameplay features work. Data: anonymized event data. Basis: legitimate interest in improving the product (Art. 6(1)(f)).
  • Phone-as-controller / TV companion mode. Data: display name, short-lived room data, anonymous identifier. Basis: performance of a contract (Art. 6(1)(b)).
  • Security and abuse prevention. Data: subnet prefix, rate-limit counters. Basis: legitimate interest in protecting users and the service (Art. 6(1)(f)).
  • Privacy-preserving install measurement for parent-facing marketing. Data: aggregated, non-identifying signals only — through Apple SKAdNetwork on iOS and Meta's Limited Data Use on Android. No advertising ID is collected. Basis: legitimate interest (Art. 6(1)(f)). This measurement runs outside the child-directed scope and never identifies a child.

For users under the age of digital consent (14 in Spain, 13 in the United States and certain other countries), we apply additional safeguards described in Section 7 and rely on Article 6(1)(f) only when the balancing test demonstrably favours the child's interests.

5. Who we share information with

We share data only with the following service providers ("processors"), who act under our written instructions:

  • Google Firebase (Google Ireland Limited). Provides Firebase Analytics, Firestore (database), Cloud Functions, Anonymous Authentication, Crashlytics, Remote Config, App Check, and Cloud Messaging. Cloud Functions for Hungry Cat Dao are deployed in europe-west3 (Frankfurt, Germany). Firestore is configured to use a European multi-region for storage. Firebase Analytics is initialized with Google Consent Mode v2, with ad-storage, ad-personalization, and ad-user-data signals set to denied by default. Google Advertising ID collection is disabled.
  • Amplitude Inc. Provides product analytics. We use Amplitude with COPPA controls enabled and the European data residency zone. All identifier-based features are disabled in the SDK configuration: no IP address tracking, no IDFA, no IDFV, no Android advertising ID, and no carrier or city/region collection.
  • Meta Platforms Ireland Limited (Facebook). Used solely for privacy-preserving install measurement for parent-targeted marketing. The Meta SDK is configured with FacebookAdvertiserIDCollectionEnabled set to false on both iOS and Android, and Limited Data Use is enabled. No data collected from children is used by Meta for advertising purposes.
  • Apple Inc. and Google LLC as operators of the mobile platforms (App Store, Google Play, push notifications via APNs and FCM, and Apple's privacy-preserving SKAdNetwork install attribution).

We never sell personal information. We never share information with data brokers, advertising networks for retargeting, or social networks for content distribution.

In limited circumstances, we may disclose information to comply with a lawful legal request (subpoena, court order, or regulatory inquiry). When we receive such a request that we believe is invalid or overbroad, we will challenge it.

6. Where your data is stored and processed

Data is primarily stored and processed in the European Union. Cloud Functions run in Frankfurt, Germany (europe-west3); Firestore is configured to use a European multi-region. Where any service provider must process data outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs).

The only personal data that may transit outside the EU is non-identifying technical data routed through global infrastructure for delivery purposes (for example, push notifications via APNs and FCM). This data does not include analytics events or content from gameplay.

7. Children's Privacy

7.1 Hungry Cat Dao is designed for children

Hungry Cat Dao is a child-directed service. We assume the user is a child. This means COPPA, GDPR Article 8, the Spanish Law 3/2018 (age threshold of 14), and the UK Age-Appropriate Design Code apply by default to all users.

7.2 No collection of identifying information

Hungry Cat Dao does not ask for a child's name, date of birth, email address, or any other identifying information. The app uses an anonymous, randomly generated identifier internally and submits to the Apple "Made for Kids" programme and Google Play "Designed for Families" programme. We rely on the platform's age category and parental controls (Family Sharing, Google Family Link) rather than asking the child for personal data.

Where the platform requires a parental gate before an external link or other adult-only action, we use a simple arithmetic challenge in line with Apple's and Google's published guidance.

7.3 What we do NOT do with children's data

We do not:

  • Show third-party advertising or sponsored content inside the app
  • Offer in-app purchases — the app does not integrate StoreKit purchases on iOS or Google Play Billing on Android
  • Profile children for marketing or behavioural targeting
  • Use children's data to train AI or machine-learning models for advertising
  • Sell, rent, lease, or otherwise transfer children's data to third parties for commercial purposes
  • Enable open chat, voice chat, or social features that connect a child with strangers
  • Collect persistent identifiers tied to a child's identity across services
  • Allow user-generated content that other users can see, except for short-lived display names within a household co-play session, which expire automatically

7.4 COPPA Internal Operations exception

Under COPPA's "Internal Operations" exception (16 C.F.R. § 312.2), an operator may collect persistent identifiers from children without verifiable parental consent if the data is used only for limited internal purposes such as maintaining service functionality, network communications, content personalization, authentication, security, and legal compliance.

We rely on this exception. Our use of anonymous identifiers is strictly limited to internal operations as defined in COPPA. We do not use these identifiers to contact a child, build a profile, or serve targeted advertising.

7.5 Rights of parents

If you are a parent or guardian, you have the following rights:

  • Review. Request to see what data we hold about your child. Because we do not collect identifying information, we can in practice only honour this request if you provide the anonymous identifier stored on the child's device, which can be retrieved from the in-app Settings screen.
  • Delete. Request deletion of all data associated with your child's device. We will honour this request within 30 days and will confirm completion in writing.
  • Refuse further collection. Stop using the Services and uninstall the app. Uninstallation removes locally stored data on the device immediately; server-side data is purged within 90 days, except short-lived companion-mode data which expires within hours.

To exercise any of these rights, email [email protected] with the subject line "Parental Request — [device identifier or app version]". We will respond within 30 days. We do not require government-issued ID to honour a deletion request, because we do not hold identifying information that would let us match an ID to a record.

7.6 Notice to schools, educators, and clubs

If you intend to use Hungry Cat Dao with multiple children in an educational or supervised setting, please contact [email protected] before doing so. We can provide a supplementary data processing agreement for institutional use.

7.7 If we learn we have collected data contrary to this policy

If we discover that we have collected data from a child in violation of this policy (for example, identifying information mistakenly submitted in a companion-mode display name), we will delete the data immediately and notify the parent if we have any means of doing so.

8. Cookies and similar technologies

The Hungry Cat Dao mobile app does not use cookies. The app stores small amounts of data locally on the device using the standard mobile operating system facilities (Android SharedPreferences and iOS UserDefaults). These are used to remember the user's settings, audio calibration preferences, and progress. This local storage never leaves the device.

The djampa.fun website uses a minimal set of strictly necessary cookies for security and basic functionality. No marketing or analytics cookies are set without explicit consent.

9. Data retention

We retain data only for as long as necessary for the purpose for which it was collected:

  • Anonymous gameplay events (Firebase Analytics) — retained according to Firebase's default retention period, then deleted
  • Anonymous product analytics (Amplitude) — retained according to Amplitude's default retention period, then deleted
  • Crash reports (Crashlytics) — retained for Firebase's default 90-day window, then deleted
  • Companion-mode session data (display names, short-lived room state) — until the session expires (typically within a couple of hours), then deleted
  • Anonymous account identifier and local settings — until the user uninstalls the app or requests deletion
  • Aggregated, non-identifying analytics — indefinitely (no personal information)

Where you exercise a deletion right, data is purged from primary systems within 30 days and from backup systems within 90 days.

10. Your rights under GDPR

If you are in the EU, EEA, or United Kingdom, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — have your data deleted
  • Right to restrict processing (Art. 18) — limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests
  • Right not to be subject to automated decisions (Art. 22) — we do not engage in automated decision-making that produces legal or similarly significant effects

To exercise any of these rights, email [email protected]. We will respond within one month (extendable to three months for complex requests). There is no fee for the first request in a calendar year.

If you believe we have not handled your request appropriately, you have the right to complain to the AEPD (Spain) or your local supervisory authority.

11. Your rights under U.S. state privacy laws

If you reside in a U.S. state with a comprehensive privacy law (including California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Jersey, and New Hampshire), you have rights similar to those described above, including the right to know, the right to delete, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under U.S. privacy laws. To exercise any U.S. state-law right, contact [email protected].

12. Security

We use industry-standard security measures, including:

  • Encrypted transport (HTTPS) for all server communication
  • Firebase App Check, with Play Integrity on Android and App Attest on iOS, to prevent abuse
  • Firestore security rules enforcing strict per-document access controls
  • Server-side input sanitization (HTML stripping, length limits) of any text submitted by a player
  • Minimization of network identifiers (only a subnet prefix is retained, not full IP addresses)
  • Limited retention periods (data deleted on a schedule)
  • Periodic security review of code and infrastructure

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours as required by GDPR, and we will notify you directly if there is a high risk to your rights.

13. Short version for parents

For parents reading quickly:

  • We do not show ads to your child
  • We do not collect your child's real name, email, phone, or address
  • We do not allow your child to chat with strangers
  • We do not allow in-app purchases
  • We use only anonymous, internal identifiers
  • Camera input is processed entirely on your child's device — no images leave the phone
  • Servers handling your child's data are in the European Union
  • You can request deletion at any time by emailing [email protected]
  • We comply with COPPA (U.S.), GDPR Article 8 (EU), Spanish Law 3/2018, and the UK Age-Appropriate Design Code

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Display a notice in the app at next launch
  • Where required by law, request renewed consent

We will not make changes that reduce your rights or our protections for children without providing clear notice and, where applicable, obtaining renewed consent.

15. Contact us

For any question or request relating to this policy or your data:

Email: [email protected]

Postal address: Anna Nikitina, Carrer de Vicent Marco Miranda (Polític), 9, 12C, 46026 Valencia, Spain.

For Apple App Store privacy questions you can also use Apple's in-app reporting tools. For Google Play Store privacy questions you can report concerns through the Play Store listing.

If we cannot resolve your concern, you have the right to contact:

  • Agencia Española de Protección de Datos (AEPD) www.aepd.es — for matters in Spain
  • Your national Data Protection Authority if you reside in another EU/EEA country
  • Information Commissioner's Office (ICO) ico.org.uk — for matters in the United Kingdom
  • U.S. Federal Trade Commission (FTC) ftc.gov/complaint — for COPPA-related complaints in the United States
  • California Privacy Protection Agency (CPPA) cppa.ca.gov — for California residents

This policy was last reviewed for compliance with applicable laws on 21 May 2026.