Privacy Policy

This Privacy Policy explains how Loophole ("we", "us", "our") collects, uses, shares, and protects your personal information when you use our game and website. By using Loophole, you agree to the practices described in this policy.

1. Information We Collect

Account Information

When you create an account, we collect your email address and password through Firebase Authentication. You may optionally provide additional profile information such as your first name, last name, nickname, and profile picture.

Gameplay Data

We collect data generated through your use of the game, including the messages you send to the AI during gameplay, AI responses, your scores, the number of messages used per level, and your win/loss status. The first level can be played anonymously without an account — anonymous gameplay data is stored without a user identifier and may be linked to your account if you later sign up.

Device and Technical Data

When you interact with our services, we automatically collect your IP address, browser or app user agent string, the API endpoints you access, and timestamps of your requests. If you enable push notifications, we store your device push notification tokens.

Purchase Data

If you subscribe to Loophole Pro, your purchase is processed through the App Store or Google Play. We receive subscription status information (active, expired, or cancelled) through RevenueCat, our subscription management provider. We do not receive or store your payment card details.

Audit Logs

For security purposes, we log authentication events such as account creation, logins, failed login attempts, and logouts. These logs include your user ID, IP address, and timestamp.

2. How We Use Your Information

We use the information we collect to:

• Operate the game and process your gameplay sessions
• Maintain leaderboards and display your scores
• Authenticate your identity and secure your account
• Process and manage your subscription
• Send you transactional emails such as password reset links and welcome messages
• Send push notifications if you have opted in
• Detect and prevent abuse, fraud, and security incidents
• Analyze usage patterns to improve the game experience

We do not sell your personal data to third parties.

3. Third-Party Services

We share data with the following third-party services to operate Loophole:

AI Providers (OpenAI / Azure OpenAI)

Your in-game messages and conversation history are sent to OpenAI or Azure OpenAI Service to generate AI responses during gameplay. These providers process message content on our behalf. Please review their respective privacy policies for details on how they handle data.

Firebase (Google)

We use Firebase Authentication to manage user accounts and Firebase Cloud Messaging to deliver push notifications. Google processes your email address, authentication credentials, and device tokens as part of these services.

RevenueCat

We use RevenueCat to manage in-app subscriptions. RevenueCat receives your anonymized user identifier and subscription status from the App Store or Google Play.

Brevo

We use Brevo to send transactional emails such as password resets and welcome messages. Brevo receives your email address and first name for this purpose.

PostHog

Our website uses PostHog for privacy-friendly product analytics. PostHog is configured with in-memory persistence (no cookies) and no auto-capture, collecting only explicitly tracked events such as button clicks.

4. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on secure infrastructure. All data is transmitted over HTTPS. We implement access controls, audit logging, and other reasonable security measures to protect your information. While no system is completely secure, we take the protection of your data seriously.

5. Data Retention

We retain your account data and gameplay history for as long as your account is active. Audit logs and request logs are retained for security and abuse-prevention purposes. If you delete your account, your personal profile data will be removed, though anonymized gameplay data may be retained for leaderboard integrity.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and personal data
• Object to or restrict certain processing of your data
• Receive your data in a portable format

To exercise any of these rights, please contact us at the address below. We will respond within 30 days.

7. Children's Privacy

Loophole is not directed at children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

8. International Data Transfers

Your data may be processed in countries other than your own, including the United States, where our third-party providers operate. We ensure appropriate safeguards are in place for international data transfers in accordance with applicable law.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the date at the top of this page. Your continued use of Loophole after any changes constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy or want to exercise your data rights, please contact us at privacy@loopholegame.com.