Privacy Policy

Mobile Hangar

Privacy Policy — Mobile Hangar TCG Builder

Last Updated: June 9, 2026 Effective Date: June 9, 2026 Operated by: Tinkavu LLC / Extra Turn Games Contact: privacy@extraturngames.com

Mobile Hangar ("the App") is an unofficial, fan-made companion app for the Gundam Card Game (MSG TCG). It is not affiliated with, endorsed by, or officially connected to Bandai Co., Ltd., Sunrise Inc., or any other rights holder.

This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. Jurisdiction-specific sections (GDPR, CCPA, LGPD, etc.) are linked in the table of contents below. By using the App you agree to this policy.

Data We Collect
How We Use Your Data
Third-Party Sharing & Processors
Data Storage & Backups
Security
Data Retention
Your Rights & Choices
EEA / UK / Switzerland (GDPR)
California (CCPA / CPRA)
Brazil (LGPD)
Canada (PIPEDA)
Japan (APPI)
Australia
Children's Privacy
Cookies & Mobile Identifiers
Changes to This Policy
Contact Us

Data We Collect

Data You Provide Directly

Data	When	Purpose
Google Account email	When you sign in via Google Sign-In	Account identification; linking your subscription and cloud backups
Apple ID / relay email	When you sign in via Sign in with Apple	Account identification; Apple may provide a private relay email address instead of your real address
Bug reports / feature requests	When you submit feedback in-app	Includes your email, description text, device model, OS version, and platform
Card collection, decks, wishlists	When you use the App	Stored locally on your device only unless you enable cloud backup

Data Collected Automatically

Data	When	Purpose
Non-personalized ad signals	When ads are displayed (free tier only)	Google AdMob serves non-personalized ads. The Google Advertising ID (GAID on Android) and IDFA (on iOS, only if ATT permission is granted) may be accessed by AdMob for ad-fraud detection and frequency capping. On iOS we do not request App Tracking Transparency (ATT) permission and therefore IDFA is not used for personalized advertising.
Firebase UID	When you are signed in	Passed to RevenueCat to verify active subscription status
Purchase receipts & platform transaction IDs	When you purchase Mobile Hangar Pro	RevenueCat receives Apple App Store receipts or Google Play purchase tokens, plus the platform order and transaction IDs, to validate and manage your subscription

Data We Do NOT Collect

We do not use analytics or crash-reporting SDKs (no Google Analytics, Firebase Analytics, Crashlytics, Mixpanel, Amplitude, or similar).
We do not collect location data.
We do not store or transmit camera images or OCR results — all card scanning happens entirely on your device using ML Kit (see §4 Camera & OCR).
We do not create advertising profiles or use personalized advertising.
We do not collect persistent device identifiers for tracking purposes beyond what is described above for AdMob fraud prevention.

Per-Processor Data Summary

Processor	Data Received	Purpose
Google Firebase Auth	Email address, Firebase UID	Authentication
Google Firestore	Email, bug-report text, device metadata	Bug/feature report storage
Google Drive (appDataFolder)	Backup JSON blob	Hidden app-private cloud backup (see §storage)
Google AdMob	GAID / IDFA (fraud only, non-personalized), general device info	Ad serving and fraud prevention
Apple Inc.	Apple ID or private relay email	Authentication via Sign in with Apple
RevenueCat	Firebase UID, App Store / Play Store receipts, platform order & transaction IDs	Subscription management and validation
ML Kit (on-device)	Camera frames (never transmitted)	Card-text OCR; all processing is local

How We Use Your Data

We use your data only to:

Authenticate your identity and maintain your account.
Sync and restore your collection backup via Google Drive appDataFolder.
Store and act on bug reports and feature requests you submit.
Verify and manage your Mobile Hangar Pro subscription.
Serve non-personalized advertisements on the free tier.
Scan card text on-device to populate your collection (ML Kit OCR).

We do not sell, rent, or trade your personal data to any third party for their independent marketing or advertising purposes.

We share data with the following processors only to the extent needed for the purposes above:

Service	Data Shared	Their Policy
Google Firebase (Auth + Firestore)	Email, Firebase UID, bug-report content	Google Privacy Policy
Google Drive API	Backup JSON (appDataFolder, hidden, app-only)	Google Privacy Policy
Google AdMob	Device ad-ID signals (non-personalized)	Google Advertising Privacy
Apple Inc.	Apple ID / relay email (Sign in with Apple)	Apple Privacy Policy
RevenueCat	Firebase UID, purchase receipts, platform transaction IDs	RevenueCat Privacy Policy
Apple App Store / Google Play	Payment and distribution	Platform-specific privacy policies

Google, Apple, and RevenueCat act as data processors or independent controllers under their own policies. We have no control over data they collect for their own purposes.

Data Storage & Backups

On Your Device (Local)

Your card collection, decks, wishlists, and app preferences are stored in a local SQLite database (via WatermelonDB) on your device. This data never leaves your device unless you explicitly enable cloud backup.

Google Drive — appDataFolder (Optional, User-Initiated)

When you enable cloud backup, your collection data is written to the appDataFolder scope of your Google Drive account. This is a hidden, app-private storage area — it does not appear as a visible "Mobile Hangar" folder anywhere in your Google Drive. Only the Mobile Hangar app can access this data; you cannot browse it in Google Drive's standard interface.

To manage or delete this backup data, you must revoke the app's Google Drive access at myaccount.google.com/permissions. Revoking access immediately prevents further backup writes and causes Google to delete the app's stored data according to Google's own retention schedule. See also Data Deletion.

We do not have access to your broader Google Drive contents — only the app's own appDataFolder scope.

Firebase

Your Google/Apple sign-in credentials are managed by Firebase Authentication. Bug reports and feature requests you submit are stored in Google Firebase Firestore.

Security in Transit and at Rest

All network communications use HTTPS/TLS. Firebase and Firestore data is encrypted at rest by Google. OAuth 2.0 is used for Google authentication and Drive access — we never see or store your Google or Apple password. Firestore security rules restrict document access to the owning Firebase UID.

Security

We apply the following security measures:

TLS/HTTPS for all network communications.
OAuth 2.0 for authentication (Google Sign-In, Apple Sign-In, Drive API).
Firestore security rules scoped to authenticated user UIDs.
Minimal data collection — the best protection is not collecting data we don't need.
On-device OCR — camera frames are never transmitted to any server.
Non-personalized ads — limiting the ad-network data surface.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Breach Notification

In the event of a data breach that poses a material risk to your rights or freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and equivalent laws.
Notify affected users without undue delay by email (to the address associated with your Firebase account) and/or via an in-app notice when the breach is likely to result in a high risk to your personal rights and freedoms.
Where the risk is low and notification would require disproportionate effort, we may publish a public notice instead of individual notification.

If you believe a security issue affects your data, contact us immediately at privacy@extraturngames.com.

Data Retention

Data	Retention
Local collection, decks, preferences	On device until you uninstall or clear app data
Google Drive appDataFolder backup	Until you revoke app access at myaccount.google.com/permissions; then per Google's own schedule
Firebase Authentication account	While active; deleted within 30 days of a verified deletion request
Bug / feature reports (Firestore)	Up to 2 years from submission, or until the issue is resolved, whichever comes first
RevenueCat subscription records	Per RevenueCat's data-retention policy
AdMob signals	Per Google's retention schedule
Apple Sign-In data	Per Apple's privacy policy

Your Rights & Choices

Regardless of where you live, you may:

Access: Request a summary of the personal data we hold about you.
Delete: Request deletion of your personal data held by us. See our Data Deletion page or contact us at privacy@extraturngames.com with subject "Data Deletion Request — Mobile Hangar."
Opt out of ads: Upgrade to Mobile Hangar Pro to remove all advertising and stop ad-ID data being accessed by AdMob.
Withdraw consent: Where processing is based on your consent (e.g., Google Sign-In, cloud backup, ad display), you may withdraw consent at any time by signing out, disabling cloud backup, revoking app permissions, or uninstalling the App. Withdrawal does not affect the lawfulness of processing before withdrawal.

We respond to all verifiable data-rights requests within 30 days. Where we need more time (complex requests, volume), we will notify you within the initial 30-day window and complete the request within 60 days total (or as required by applicable law).

Jurisdiction-specific rights are detailed in the sections below.

This section applies to users in the European Economic Area, United Kingdom, and Switzerland.

Processing Activity	Lawful Basis
Google Sign-In / Apple Sign-In	Consent (Art. 6(1)(a))
Google Drive appDataFolder backup	Consent (Art. 6(1)(a))
Ad display (free tier)	Consent (Art. 6(1)(a))
Subscription management (RevenueCat)	Contract performance (Art. 6(1)(b))
Bug report processing	Legitimate interest (Art. 6(1)(f)) — improving App quality
App functionality / session management	Legitimate interest (Art. 6(1)(f))

Access (Art. 15): Obtain confirmation of whether we process your data and a copy of it.
Rectification (Art. 16): Request correction of inaccurate data.
Erasure (Art. 17): Request deletion of your personal data where the ground for processing no longer exists, you withdraw consent, or you object successfully. We will action erasure requests within 30 days.
Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
Portability (Art. 20): Receive your data in a structured, machine-readable format. Your local collection data can be exported to Google Drive as JSON via the in-app backup feature.
Object (Art. 21): Object to processing based on legitimate interest; we will cease unless we can demonstrate compelling legitimate grounds.
No automated decision-making (Art. 22): We do not make automated decisions (including profiling) that produce legal or similarly significant effects on you.
Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., your EU Member State DPA, the UK ICO, or the Swiss FDPIC).

International Transfers

Data is transferred to the United States (Google, RevenueCat, Apple). These transfers are covered by:

Google: EU–US Data Privacy Framework participation and Standard Contractual Clauses (SCCs).
RevenueCat: Standard Contractual Clauses.
Apple: EU–US Data Privacy Framework participation.

EU/UK Representative (Article 27)

Tinkavu LLC is a small-scale operator that does not process EU/UK personal data on a large scale, does not process special-category data, and does not systematically monitor individuals. On the basis that our EU/UK data processing is not systematic or large-scale within the meaning of Article 27(2), we have not designated a formal EU/UK Article 27 representative at this time. We remain directly reachable at privacy@extraturngames.com and will cooperate fully with EEA and UK supervisory authorities. If our processing scale changes materially we will designate a representative and update this section.

DPO Status

We have not appointed a Data Protection Officer, as we do not meet the thresholds in GDPR Article 37. The contact point for all data-protection matters is privacy@extraturngames.com.

California — CCPA / CPRA

This section supplements the above for California residents.

Categories of Personal Information We Collect (Cal. Civ. Code § 1798.140)

Category	Examples Collected
Identifiers	Email address, Firebase UID, Apple ID / relay email
Commercial information	Subscription status, purchase receipts, platform transaction IDs
Internet or other electronic network activity	Bug-report device metadata (device model, OS version, platform)
Inferences	None — we do not build user profiles
Sensitive personal information	None collected beyond what is listed above

Your CCPA / CPRA Rights

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, and the categories of sources, purposes, and third parties.
Right to Delete: Request deletion of personal information we hold. (See Data Deletion.)
Right to Correct: Request correction of inaccurate personal information.
Right to Limit Use of Sensitive PI: We do not collect sensitive personal information as defined by CPRA beyond what is strictly necessary to provide the App. You may contact us to limit any such use.
Right to Non-Discrimination: We will not deny you services, charge you a different price, or provide a different level of quality because you exercise your CCPA rights.
Authorized Agent: You may designate an authorized agent to make a request on your behalf. We will require verification of both the agent's authorization and your identity before processing.

We do not sell personal information within the meaning of the CCPA. We do not share personal information for cross-context behavioral advertising. AdMob receives device ad signals for non-personalized ad delivery only; we do not direct AdMob to use this data for cross-context behavioral advertising.

To submit a California privacy request, contact us at privacy@extraturngames.com with subject "CCPA Request — Mobile Hangar."

Brazil — LGPD

This section supplements the above for Brazilian users under the Lei Geral de Proteção de Dados (LGPD, Law 13,709/2018).

Legal Bases (LGPD Art. 7)

Processing	LGPD Basis
Sign-in, cloud backup, ads	Consent (Art. 7, I)
Subscription management	Contract performance (Art. 7, V)
Bug reports	Legitimate interest (Art. 7, IX)

Your LGPD Rights

You have the right to: confirmation of processing; access; correction; anonymization, blocking, or deletion of unnecessary data; portability; information about sharing; withdrawal of consent; and review of automated decisions.

Encarregado / DPO

We have not appointed a formal Encarregado (DPO) under LGPD, as our Brazilian data processing is not systematic or large-scale. The point of contact for LGPD rights requests is privacy@extraturngames.com.

ANPD Complaints

If we do not adequately address your LGPD rights request, you may file a complaint with Brazil's national data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

Canada — PIPEDA

This section applies to Canadian users under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

We collect only the personal information necessary for the purposes described in this policy.
We obtain your consent at the time of collection or, where appropriate, before using your information for a new purpose.
Withdrawal of consent: You may withdraw consent at any time by contacting us, subject to legal or contractual restrictions. Withdrawal may limit our ability to provide certain App features.
You have the right to access your personal information held by us and to challenge its accuracy.
You may submit an OPC complaint to the Office of the Privacy Commissioner of Canada at priv.gc.ca if your concerns are not resolved by us.

Japan — APPI

This section applies to Japanese users under the Act on the Protection of Personal Information (APPI), as amended effective April 2022.

Cross-Border Transfers (2022 APPI)

We transfer personal information to recipients in the United States, specifically Google LLC, Apple Inc., and RevenueCat Inc. The United States does not have a personal information protection system deemed equivalent to Japan's APPI protections by the Personal Information Protection Commission (PPC). We rely on contractual measures (including processor agreements and standard data-protection clauses) with these recipients to ensure appropriate handling.

Google LLC — subject to EU–US DPF and operates under Google's global privacy commitments; Google Privacy Policy.
Apple Inc. — subject to EU–US DPF; Apple Privacy Policy.
RevenueCat Inc. — operates under RevenueCat's privacy program; RevenueCat Privacy Policy.

You have the right under APPI to request disclosure, correction, addition, deletion, cessation of use, or cessation of third-party provision of your personal information. Requests should be submitted to privacy@extraturngames.com. You may also direct inquiries to the Personal Information Protection Commission (PPC) at ppc.go.jp.

Australia

This section applies to Australian users under the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs).

Tinkavu LLC is a small business operator. Small businesses with an annual turnover of AUD 3 million or less are generally exempt from the Privacy Act. We believe we currently qualify for this small-business exemption. Nonetheless, we apply the data-minimization and rights practices described in this policy as a matter of good practice.

If you are an Australian resident and wish to exercise rights regarding your personal information, contact us at privacy@extraturngames.com. If your concern is not resolved, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Children's Privacy

The App is intended for users aged 13 or older, or the minimum digital age of consent in your country, whichever is higher (in some jurisdictions: 14, 15, or 16). The App is not directed at children under 13 and we do not knowingly collect personal data from children under 13.

If you believe a child under the applicable age has provided us with personal data, contact us at privacy@extraturngames.com and we will delete it promptly.

This App is not subject to COPPA (Children's Online Privacy Protection Act) because it is not directed to children under 13. If that changes, we will update this policy accordingly.

Cookies & Mobile Identifiers

The App does not use browser cookies. The following mobile identifiers apply:

Google Advertising ID (GAID) — Android

AdMob may access the Google Advertising ID on Android devices to serve non-personalized ads and detect ad fraud. We do not use GAID for personalized advertising or cross-app tracking. You can reset or opt out of ad personalization via Settings → Google → Ads on your Android device.

IDFA (Identifier for Advertisers) — iOS

We do not request App Tracking Transparency (ATT) permission on iOS. Because ATT permission is not requested, the IDFA is not used. AdMob on iOS operates in a limited, non-personalized ad mode without access to the IDFA for personalization or cross-app tracking.

Firebase Instance ID

Firebase Authentication generates an internal Firebase UID to identify your account. This is not a device-tracking identifier and is not shared with advertising partners.

RevenueCat Anonymous ID

RevenueCat generates an anonymous identifier for subscription management. This is linked to your Firebase UID but is not used for advertising.

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes (changes to what data we collect, how we share it, or your rights), we will provide affirmative notice by:

Sending an email to the address associated with your account (where we have one), and/or
Displaying a prominent in-app notice at next launch before changes take effect.

For minor, non-material updates (corrections, clarifications), we will update the "Last Updated" date without separate notification. Continued use of the App after a material change takes effect constitutes acceptance only if you have received or been given an opportunity to review the change notice. We will always post the current policy at the URL provided below.

Contact Us

For questions about this Privacy Policy, to exercise any data rights described above, or to report a security concern:

Tinkavu LLC / Extra Turn Games Email: privacy@extraturngames.com Website: extraturngames.com

Last Updated: June 9, 2026 Effective Date: June 9, 2026

← Back to Mobile Hangar