Privacy Policy
PowerZ Privacy Policy
Last updated: 28 April 2026
Effective date: 28 April 2026
1. Introduction
PowerZ SAS ("PowerZ", "we", "us", or "our") operates the PowerZ educational mobile game (the "Game" or "Service"), a children's educational RPG distributed on iOS and Android. We are headquartered at 95 avenue du Président Wilson, 93100 Montreuil, France.
We take the protection of personal data seriously, particularly because most of our users are children. This Privacy Policy explains what data we collect, how we use it, who we share it with, how long we keep it, and what rights you have.
Four commitments we want to be upfront about:
- No third-party advertising. PowerZ does not display third-party advertisements in the Game, does not participate in any advertising network, and does not share player data with advertisers or data brokers. We do not use cross-app advertising identifiers (such as IDFA on iOS or AAID on Android) for advertising purposes. The only marketing communications we send relate to our own subscription offers and in-app purchases.
- Minimum necessary data. We collect only the data we genuinely need to operate the Game, ensure security, comply with legal obligations, and improve the experience.
- EU-based data hosting and in-house analytics. Player data is hosted in the European Union (France). Our product analytics infrastructure is operated in-house, so player behavioural data does not flow to third-party analytics platforms.
- Children-first design. The Game is intended for children aged 4 to 12 and is published with kids- and family-oriented classifications on the Apple App Store and Google Play. Our practices are designed with their protection as a primary consideration, in line with GDPR, the GDPR-K provisions on children, the U.S. Children's Online Privacy Protection Act (COPPA), and the applicable platform requirements for apps designed for children.
This Policy applies globally to all users of the Game, regardless of location. We apply European Union data protection standards (GDPR) as a baseline worldwide, and supplement this with country-specific protections where required (in particular for U.S. and Canadian users).
2. Definitions
- "Account" means the user account created to access the Game.
- "Child" means a user under the age of 13 (United States) or under the applicable digital age of consent in their country of residence (15 in France, 13–16 across other EU Member States, 13 in the United Kingdom).
- "Parent" means a parent or legal guardian of a Child.
- "Personal Data" means any information relating to an identified or identifiable individual.
- "Service Provider" or "Subprocessor" means a third party that processes Personal Data on our behalf.
3. Information We Collect
3.1 Information You Provide
When creating an Account and using the Game, we collect:
- Account information: email address (player and/or parent), username, declared age (collected at sign-up), password (stored hashed).
- Parental gate information: at the time of an in-app purchase, the user is asked to declare a date of birth as part of our parental gate (see Section 11.2). This information is verified at the moment of the purchase to confirm that the person initiating the purchase is an adult; the declared date of birth is not stored on PowerZ servers.
- Purchase information: purchase history, subscription status, transaction identifiers. Payment card details are processed directly by Apple (App Store) or Google (Google Play) and are not collected, stored, or accessible by PowerZ.
- Customer support correspondence: content of any communications you send us.
3.2 Information Collected Automatically
When you use the Game, we automatically collect:
- Game activity data: progress, achievements, levels reached, time spent in Game, session timestamps, in-Game events.
- Performance data: anonymous performance metrics used by our adaptive difficulty system (see Section 7).
- In-Game communications: content of in-Game messages, processed for moderation purposes (see Section 8).
- Technical and device information: IP address, device identifier (IDFV on iOS, Android Advertising ID where collected for attribution), device model, operating system version, language and region settings, app version, network connection type, crash logs and diagnostic data.
- Cookies and similar technologies: see Section 14.
3.3 Information We Do Not Collect
We do not collect:
- Precise geolocation (GPS).
- Contacts, photos, microphone, or camera data.
- Behavioural advertising identifiers used for cross-app tracking.
- Biometric data.
- Government identifiers (passport, social security, ID numbers).
4. How We Use the Information
We use Personal Data for the following purposes:
| Purpose | Categories of data used |
|---|---|
| Creating and maintaining your Account | Account information |
| Determining the applicable legal regime (notably the digital age of consent in your country) | IP address, declared age |
| Providing and operating the Game | Account information, Game activity data, technical data |
| Adapting the difficulty of the Game in real time using Artificial Intelligence | Anonymous performance data |
| Moderating in-Game communications | In-Game messages |
| Processing in-app purchases and managing subscriptions | Purchase information, Account information |
| Communicating with you about your Account (transactional emails, security notices) | Email address |
| Sending you marketing communications about our own subscription offers and in-app purchases (with your consent or your parent's consent) | Email address, Account information |
| Detecting and preventing fraud, abuse, and security incidents | Technical data, Account information, Game activity data |
| Measuring and improving the Game (statistics, analytics, debugging) | Technical data, Game activity data |
| Complying with our legal and regulatory obligations | All categories as required |
5. Legal Bases for Processing (GDPR)
For users located in the European Union, the United Kingdom, or any other jurisdiction with a similar legal framework, we rely on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)): for creating and maintaining your Account, providing the Game, processing purchases, adapting difficulty, and operating core features.
- Compliance with a legal obligation (Art. 6(1)(c)): for tax, accounting, fraud prevention, and responses to lawful requests from authorities.
- Consent (Art. 6(1)(a)): for marketing communications, optional cookies, and any processing requiring consent under applicable law. You may withdraw your consent at any time (see Section 12).
- Legitimate interests (Art. 6(1)(f)): for security, fraud prevention, anti-abuse measures, debugging, and aggregate analytics. We have assessed that these interests are not overridden by your rights and freedoms.
For Children, we additionally comply with Article 8 GDPR and obtain parental authorisation where required by the digital age of consent applicable in the country of residence (see Section 11).
6. Marketing Communications
PowerZ sends marketing communications only to promote its own Game, subscription offers, and in-app purchases. We never share email addresses or other Personal Data with third-party advertisers.
You (or, for a Child's Account, the parent) can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email; or
- Updating the notification preferences in your Account; or
- Contacting us at dpo@powerz.tech.
Opting out of marketing communications does not affect transactional and service messages that are necessary to operate your Account (e.g., security alerts, password resets, subscription status, terms updates).
7. Automated Decision-Making and AI
PowerZ uses an Artificial Intelligence system to adapt in-Game difficulty in real time to the player's level. This system processes anonymous performance data (e.g., success rate on a puzzle, response time) and adjusts the difficulty of upcoming content accordingly.
Transparency disclosures (Article 13(2)(f) GDPR):
- Existence: an automated system contributes to determining the difficulty of the content you receive in the Game.
- Inputs: anonymous in-Game performance data only. The system does not use your identity, age, location, or any sensitive personal information.
- Logic: the system identifies a player's recent performance patterns and selects content variants of appropriate difficulty from a pre-existing catalog.
- Significance and consequences: this processing affects only the difficulty of educational content presented to the player. It does not produce any legal effect or similarly significant effect on the player within the meaning of Article 22 GDPR. The system does not block access, suspend Accounts, restrict features, or trigger any penalty.
This automated processing is necessary for the performance of the Game (Article 6(1)(b) GDPR) and is therefore an integral part of the Service.
8. In-Game Communications and Moderation
8.1 Communication Features
The Game offers two types of in-Game communication features:
- Preset messages and emojis, drawn from a curated set of safe expressions; and
- Free-form text chat, where players can type their own messages.
Communications may take place in groups or, equivalently, in one-to-one configurations (technically a group of two players). PowerZ does not allow the sharing of media (photos, video, voice, audio, files) in any communication. All in-Game communications are limited to text.
8.2 Moderation
To protect children, all in-Game communications, including free-form text chat, are subject to automated AI-based moderation prior to being shown to other players. Moderation may include filtering, masking, or blocking of inappropriate content (e.g., personal information, harmful or unsafe content, attempts to contact children outside the Game).
Our AI moderation is performed by OpenAI, using a GPT model (currently gpt-5.4-nano). The data shared with OpenAI for moderation purposes is limited to:
- the content of the message to be moderated; and
- a generic "Player" identifier, with no name, age, email, device identifier, or other personally identifying information of the sender.
We rely on OpenAI's contractual data protection commitments and, where applicable, on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses for the transfer of moderation data outside the European Economic Area.
Under OpenAI's standard data processing terms, OpenAI may retain API inputs and outputs for up to 30 days for the purpose of abuse and misuse monitoring, after which the data is deleted. The pseudonymisation described above (player identifiers replaced by a generic "Player" placeholder) limits the exposure of identifiable information during this retention period.
In addition to automated moderation, PowerZ staff review escalations and reports from the automated system. If we become aware of content that suggests illegal activity, child endangerment, or imminent risk of harm, we may escalate to and cooperate with the competent authorities in accordance with applicable law (in particular U.S. and French reporting obligations).
8.3 Outcomes of Moderation
When a message does not pass automated moderation, it is blocked and is not delivered to the recipient. When patterns of conversation appear inappropriate even if no individual message has been blocked, the recipient receives an in-Game warning advising them to consider blocking the sender (see parental controls and block list below).
PowerZ does not automatically mute or ban senders based on moderation outcomes. Where appropriate, situations are escalated to PowerZ staff for review as described in Section 8.2.
8.4 Parental Controls and Player Protections
Parents can manage their child's communication experience through the following controls:
- Disable incoming messages: prevent the child from receiving messages from other players.
- Disable outgoing messages: prevent the child from sending messages to other players.
- Block list: block specific players, preventing further communication from them.
Players are reminded not to share personal information (such as real name, address, school, or contact details) in in-Game communications. Our pre-moderation system attempts to detect and mask such content automatically, but we cannot guarantee detection of all sensitive content.
9. Information Sharing and Service Providers
We share Personal Data only in the limited circumstances described below.
9.1 Service Providers
We rely on a limited number of trusted Service Providers to operate the Game. Each is bound by a written data processing agreement requiring appropriate confidentiality, security, and data protection commitments.
| Category | Provider | Purpose | Data location |
|---|---|---|---|
| Cloud hosting (data) | OVH SAS | Hosting of the Game backend, databases, and player data storage | EU (Gravelines, France) |
| Game compute servers | Hetzner Online GmbH | Real-time game session compute. No personal data is stored on these servers. | US (Ashburn, VA and Hillsboro, OR) |
| Mobile attribution | Adjust GmbH | Measuring marketing campaign performance and install attribution, configured in COPPA-compliant mode (no use of advertising identifiers, no sharing with advertising networks) | EU (Germany) |
| Crash and error monitoring | Sentry, Inc. | Detecting and diagnosing technical errors and crashes | US (with EU-U.S. Data Privacy Framework certification and Standard Contractual Clauses) |
| In-app purchase processing | Apple Inc. (App Store) and Google LLC (Google Play) | Processing payments for subscriptions and one-time purchases | US |
| AI moderation of in-Game communications | OpenAI, L.L.C. | Automated moderation of in-Game messages. Only the message content and a generic "Player" identifier are transmitted; no name, age, email, device identifier, or other identifying information is shared. | US |
| Email communications | Mailjet (Sinch France) | Sending transactional and marketing emails | EU (France) |
| Customer support | In-house (handled by PowerZ staff via dpo@powerz.tech) | Managing support and privacy requests | EU (France) |
| Product analytics | In-house (self-hosted ClickHouse) | Aggregate product analytics | EU (France, on OVH infrastructure) |
PowerZ does not integrate Firebase, Crashlytics, RevenueCat, or any other third-party SDK beyond Adjust and Sentry. All other backend functionality (product analytics via self-hosted ClickHouse, web analytics via self-hosted Snowplow, game logic, account management, customer support tooling) is operated on PowerZ's own infrastructure, hosted in France. The majority of services are self-hosted, which limits the number of third parties that can access player data.
We will update this Policy whenever we add or change a Service Provider that processes Personal Data.
9.2 Other Disclosures
We may also disclose Personal Data:
- With your express consent (or, for a Child, with parental consent).
- To comply with the law, including in response to subpoenas, court orders, or other valid legal process, and to cooperate with law enforcement and regulatory authorities.
- To protect our rights, users, or property, including to enforce our Terms of Service, prevent fraud, or address security risks.
- In the context of a corporate transaction such as a merger, acquisition, financing, reorganisation, or sale of assets. In such case, we will require the recipient to honour this Policy and we will notify users in advance where required by law.
We never sell Personal Data, and we never share Personal Data with third-party advertisers.
10. International Data Transfers
Some of our Service Providers are located outside the European Economic Area (EEA) or the United Kingdom, in particular in the United States. When we transfer Personal Data to such recipients, we rely on appropriate safeguards under GDPR Chapter V, in particular:
- EU-U.S. Data Privacy Framework certification, where applicable;
- Standard Contractual Clauses adopted by the European Commission;
- UK International Data Transfer Agreement or UK Addendum, where applicable.
You can request a copy of the safeguards in place for a specific transfer by contacting us at dpo@powerz.tech.
11. Children's Privacy
The Game is intended for children aged 4 to 12. We treat children's data with particular care and apply additional protections.
11.1 Age Verification at Signup
When creating an Account, the user (or the user's parent) declares the age. We do not currently verify this declared age through documentary evidence at the point of Account creation. We rely on the declaration made by the user or parent. If we become aware that an Account belongs to a child below the applicable age threshold without proper authorisation, we will take appropriate measures, which may include applying additional protections, requesting parental authorisation, or deleting the Account.
11.2 Parental Authorisation
Before a purchase can be initiated within the Game, the user is asked to declare a date of birth. This step is intended as a parental gate to deter children from initiating purchases on their own. We acknowledge that this is a self-declaration and not a verification of age supported by documentary evidence. The declared date of birth is verified at the moment of the purchase only and is not retained by PowerZ after verification.
The actual processing of any in-app purchase is performed by the operating system platform (Apple App Store on iOS, Google Play on Android), which requires authentication by the device account holder. Where parents have configured platform-level parental controls (such as Apple Family Sharing's "Ask to Buy" or Google Play's parental controls), all purchases initiated from a child's device are subject to parental approval at the platform level.
PowerZ does not currently implement a documented Verifiable Parental Consent ("VPC") mechanism at the point of Account creation. Our reliance on platform-level controls and an in-Game age gate is intended as a layered approach, and we are working to strengthen our parental authorisation framework. Parents who wish to review or restrict their child's use of the Game can contact us at dpo@powerz.tech at any time.
11.3 Data Collected from Children
For a Child's Account, we collect only the data described in Section 3, with the following additional limitations:
- No third-party advertising or behavioural targeting.
- No sharing of Personal Data with third parties for their own marketing purposes.
- In-Game communications are subject to AI moderation (Section 8).
- Marketing communications regarding our own offers are addressed to the parent's email, not to the child.
11.4 Parental Rights
A parent or legal guardian may, at any time:
- Review the Personal Data collected about their child;
- Request correction or deletion of their child's data;
- Refuse further collection or use of their child's data;
- Withdraw consent previously granted.
To exercise these rights, please contact us at dpo@powerz.tech. We will respond within 30 days. We may need to verify the identity of the requester before acting on the request, in order to protect the child's data.
11.5 U.S. Children — COPPA
If you are a parent or legal guardian of a child located in the United States, you have specific rights under COPPA, including the rights described in Section 11.4. We do not condition a child's participation in the Game on the disclosure of more Personal Data than is reasonably necessary.
11.6 Application Store Classifications
PowerZ is published with kids- and family-oriented classifications on the Apple App Store and Google Play. These classifications subject the Game to additional review and compliance requirements imposed by the platforms in respect of apps designed for children, in addition to the applicable legal requirements described in this Policy. We design the Game with the constraints of these programs in mind, including limitations on the use of third-party software development kits, advertising identifiers, and data collection practices for child users. Where third-party software development kits are integrated in the Game, they are configured in the most privacy-preserving mode available, in particular without the use of advertising identifiers and without sharing data with advertising networks.
12. Your Rights
Subject to the conditions and exceptions provided by applicable law, you have the following rights:
- Right of access — to obtain confirmation of whether we process Personal Data about you, and to receive a copy of that data.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — to have your Personal Data deleted in certain circumstances.
- Right to restriction of processing — to ask us to limit processing in certain circumstances.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
- Right to object — to object to processing based on our legitimate interests, including profiling.
- Right to withdraw consent — at any time, where processing is based on consent.
- Right not to be subject to a solely automated decision that produces legal effects or similarly significantly affects you (Article 22 GDPR). As explained in Section 7, our adaptive difficulty system does not fall within the scope of Article 22.
- Right to lodge a complaint with a supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL — www.cnil.fr). You can find the contact details for other EU supervisory authorities at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
To exercise any of these rights, contact us at dpo@powerz.tech. We will respond within 30 days (extendable by two further months for complex requests, in which case we will inform you).
You can also access and update much of your information directly under "My Account" in the Game.
13. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what categories of Personal Information we have collected, the sources, the purposes, and the categories of recipients.
- Right to delete your Personal Information.
- Right to correct inaccurate Personal Information.
- Right to opt out of "sale" or "sharing" of Personal Information. PowerZ does not sell or share Personal Information for cross-context behavioural advertising.
- Right to limit the use of Sensitive Personal Information. We do not use Sensitive Personal Information beyond what is necessary to provide the Service.
- Right to non-discrimination for exercising your rights.
For users under 16, we do not sell or share Personal Information without affirmative opt-in consent.
To exercise these rights, contact dpo@powerz.tech. We will verify your identity before responding.
14. Cookies and Similar Technologies
We use cookies and similar technologies (such as device identifiers and SDKs) to:
- operate the Game and remember your preferences;
- measure how the Game is used (web analytics, via our self-hosted Snowplow infrastructure on the Game's web view; product analytics, via our self-hosted ClickHouse infrastructure);
- measure the effectiveness of our own marketing campaigns (attribution, via Adjust as described in Section 9).
Because our analytics infrastructure is self-hosted on PowerZ's own servers in France, the data collected through cookies and similar technologies for analytics purposes is not shared with any third-party analytics provider.
Where required by law, we obtain your consent before using non-essential cookies and similar technologies. You can manage your preferences at any time through the in-Game settings or your device settings.
15. Data Retention
We retain Personal Data only for as long as necessary for the purposes described in this Policy, taking into account legal, accounting, and reporting obligations.
| Category of data | Retention period |
|---|---|
| Account data (active Account) | For the duration of the Account. We do not delete Accounts based on inactivity; an Account is retained until the user (or the parent for a child's Account) requests its deletion. |
| Account data after a deletion request | The Account and associated player profile(s) are deleted. We may retain certain data we are legally required to keep (in particular billing records, see below). |
| Game events and game saves after Account deletion | After Account deletion, events and saves generated by the Account are retained in fully anonymised form. The mapping linking the profile UUID to the deleted Account is destroyed at the time of deletion, so the remaining UUID cannot be re-associated with the deleted user. Once anonymised in this manner, this data falls outside the scope of GDPR and is retained for product improvement and aggregated analytics purposes. |
| Game activity data (during Account life) | For the duration of the Account |
| Technical logs (server logs, IP addresses) | 14 days |
| Crash and error reports | Retained according to Sentry's default retention configuration (typically up to 90 days). |
| In-Game communication and moderation logs | The content of moderated messages is not retained beyond the duration of moderation processing. The moderation decision (accepted / refused) is retained in association with the player's profile UUID for safety and abuse-prevention purposes. After Account deletion, the link between the UUID and the user's identity is destroyed (see anonymisation row above), and the moderation decision data becomes anonymous. |
| Customer support correspondence | Retained in association with the Account for the duration of the Account. Deleted upon Account deletion, subject to the backup retention described below. |
| Purchase and billing records | 10 years (French accounting and tax obligations under the Code de commerce) |
| Marketing consent records | Duration of consent + 3 years after withdrawal (proof of consent) |
| Backups | We maintain backups for disaster recovery purposes according to a rotation schedule: one daily backup for each of the last 7 days, one weekly backup for each of the last 4 weeks, one monthly backup for each of the last 12 months, and one yearly backup for each of the last 5 years. Personal Data deleted from active systems (including following a deletion request) may persist in backups until the corresponding rotation cycles complete. Backups are used solely for disaster recovery and are not used to reconstruct deleted Accounts. |
Where we retain data beyond active use for legal or evidentiary purposes, we restrict access to that data and use it only for those purposes.
16. Security
We implement appropriate technical and organisational measures to protect Personal Data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit using TLS for all communications between the Game and our servers.
- Application-layer encryption of sensitive fields (such as authentication credentials) before they are written to our self-hosted databases. This means sensitive data is encrypted by our application code before storage and remains encrypted even at the database level, providing defence-in-depth beyond infrastructure-level encryption alone.
- Passwordless authentication for player accounts via magic links sent to the Account's email address. PowerZ does not store passwords for player accounts, eliminating the risk of password leaks.
- Multi-factor authentication required for administrative access to PowerZ infrastructure.
- Hosting in the European Union for player data, on infrastructure located in France (OVH, Gravelines).
- Self-hosted core services (databases, analytics, customer support tooling), which limits the number of third parties with access to Personal Data.
- Access controls and authentication for our staff, with the principle of least privilege.
- Staff training on data protection.
- A documented incident response process, including notification of personal data breaches to the competent supervisory authority within 72 hours where required by Article 33 GDPR.
No system is completely secure, and we cannot guarantee absolute security. If you become aware of a security issue, please contact us immediately at dpo@powerz.tech.
17. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, our Service, or applicable law. The "Last updated" date at the top of the Policy indicates when it was last revised.
For material changes, we will notify you in advance through the Game, by email, or through any other appropriate channel. Where required by law, we will obtain renewed consent (in particular, parental consent for material changes affecting children).
18. Contact Us
For any question regarding this Policy or your Personal Data, you can contact our Data Protection Officer at:
Email: dpo@powerz.tech
Postal address:
PowerZ SAS
Attn: Data Protection Officer
95 avenue du Président Wilson
93100 Montreuil
France
For questions related to GDPR compliance and the rights of EU residents, you can also contact the supervisory authority in your country of residence. In France: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, 75007 Paris (www.cnil.fr).
PowerZ SAS, registered with the Bobigny Trade and Companies Register under SIREN 885 261 602, with its registered office at 95 avenue du Président Wilson, 93100 Montreuil, France.