PRIVACY POLICY FOR PAPUTU LIMITED

---

1. INTRODUCTION

Welcome to PAPUTU LIMITED ("we," "us," "our," or the "Company"). We are a mobile game development and publishing studio, incorporated as a private company limited by shares under the Companies Act 2006, and registered in England and Wales (Company Registration Number: 17117491).

We are fully committed to protecting your privacy, adhering to the principles of data minimization, and ensuring rigorous transparency regarding how your information is handled. This Privacy Policy comprehensively explains how we collect, use, process, disclose, retain, and safeguard your information when you download, install, access, or play any of our mobile games, applications, websites, and related digital services (collectively, the "Services").

As a forward-thinking game development studio, we are building a robust portfolio of multiple titles. This master policy governs our general data practices across all of our Services, while providing specific, highly transparent technical details for individual games where software architectures and data flows vary (see Section 4).

By downloading, installing, accessing, or playing any of our games, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with these practices, please do not use our Services.

Accessibility: This Privacy Policy is permanently hosted at https://paputugames.com/legal/privacy/ and is available in a machine-readable format. A simplified summary is available at https://paputugames.com/privacy.

---

2. DATA CONTROLLER

For the purposes of the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA), and the EU General Data Protection Regulation (EU GDPR), the primary Data Controller responsible for determining the purposes and means of processing your personal information is:

PAPUTU LIMITED Company Registration Number: 17117491 Suite 10641, 5 Brayford Square London, United Kingdom E1 0SG

Data Protection Contact: privacy@paputugames.com

Where we engage third-party advertising partners (see Section 6), those partners act as independent Data Controllers for the tracking and advertising data their SDKs collect. Their processing activities are governed by their own privacy policies, linked in Section 6.

---

3. GENERAL INFORMATION WE COLLECT (ACROSS ALL GAMES)

Across our entire portfolio of games, our foundational philosophy is data minimization. We generally do not require you to:

• Create a personalized user account
• Provide an email address, real name, phone number, or physical address
• Submit any form of direct personal identification

to access and play our games. The data processed through our applications typically falls into the following technical categories:

A. Automatically Collected Technical & Advertising Data

To keep our games free-to-play for a global audience and to ensure ongoing software development and stability, our applications rely on thoroughly vetted third-party Software Development Kits (SDKs) to serve advertisements, monitor application stability, and analyze general usage patterns. When your device is connected to the internet, these third-party services may automatically collect:

IMPORTANT: We do not collect, access, or process: your contacts, photos, files, messages, call logs, browsing history, precise GPS location, biometric data (fingerprints, face scans), microphone input, camera input, health data, financial information, or any data from other apps on your device.

B. Device Permissions

Our games may request specific device-level permissions to execute core interactive functions. These permissions operate strictly locally on your device hardware:

These functions do not access your personal files, biometric data, microphone recordings, voice data, camera inputs, or any sensitive device sensors beyond what is explicitly listed.

C. Information We Do NOT Collect

For absolute clarity, PAPUTU LIMITED does not directly collect, store, or process:

• Names, email addresses, or physical addresses
• Payment or financial information (all purchases, if any exist, are processed entirely by Apple or Google)
• Precise geolocation (GPS coordinates)
• Contacts, calendar entries, or messages
• Photos, videos, or media files from your device
• Voice recordings, biometric identifiers, or health data
• Social media account information
• Data from other applications on your device

---

4. GAME-SPECIFIC DATA PRACTICES

Because we utilize distinct mechanics, codebases, features, and third-party integrations for different titles, we provide specific transparency regarding the unique data architecture of each individual game below.

4.1 PAPUTU 8192

Genre: Spatial Puzzle / Number Merge Game Platforms: Android, iOS Engine: React Native (Expo SDK) Package Identifier: com.paputu.Paputu8192

PAPUTU 8192 is architected as a highly responsive, offline-capable application. Its direct data collection profile is strictly limited and highly privacy-preserving.

A. Local Storage Architecture (No Remote Game Servers)

To provide a seamless gaming experience and securely save your deep strategic progression, PAPUTU 8192 utilizes isolated device-level local storage via the @react-native-async-storage/async-storage protocol.

The following data schemas (prefixed internally with 8x8Merge...) are written strictly to your device's local solid-state memory and are never transmitted to, collected by, or stored on remote cloud servers owned or operated by PAPUTU LIMITED:

CAUTION: Because this personal gameplay data resides exclusively on your local device utilizing a debounced persistence architecture, the following actions will permanently and irreversibly delete your gameplay progress and virtual currency:

• Clearing the app's cache or storage data via your Android device's OS settings
• Unistalling the app from your iOS device
• Using the in-game "Delete Account Data" function within the Settings menu

We do not possess cloud backups of this local data and cannot recover it for you under any circumstances.

B. Device Permissions in PAPUTU 8192

C. Advertising Mechanics in PAPUTU 8192

PAPUTU 8192 utilizes an internal AdService.js integration to serve:

• Banner Ads: Dynamically spaced, non-intrusive banner advertisements displayed during gameplay.
• Rewarded Video Ads (Opt-In Only): Voluntary advertisements that grant in-game benefits, including:
  • "Revive For Free" — Limited to 3 uses per game session
  • "Watch Ad to Unlock Reserve Slot" — Grants temporary access to premium inventory slots

These advertisements are delivered via Google AdMob (see Section 6A), which collects the Technical & Advertising Data outlined in Section 3A to ensure ad relevance and combat click fraud.

D. Firebase Integration in PAPUTU 8192

PAPUTU 8192 integrates Firebase Crashlytics and Firebase Analytics (Google LLC) to monitor application stability and diagnose crashes. Firebase processes:

• Crash stack traces and exception reports
• Device model, OS version, and orientation at time of crash
• App state and session metadata
• Anonymized performance metrics

Firebase operates strictly as a Data Processor on our behalf. We rely on aggregate, non-personal data flows for these analytics to improve software stability. See Section 6B for full details.

Future Titles: Additional mobile games released by PAPUTU LIMITED will be sequentially added to this Section 4 with thorough explanations of their specific data architectures and mechanical data flows.

---

5. HOW WE USE YOUR INFORMATION

Across all our Services, the information processed directly by our applications and our authorized third-party partners is utilized strictly for the following operational purposes:

We do not use your information to:

• Build behavioral profiles for purposes beyond advertising
• Train artificial intelligence or machine learning models

---

6. OUR PARTNERS: THIRD-PARTY SERVICES & ADVERTISING

We partner with carefully selected third-party services to fund continued game development, ensure application stability, and deliver a premium user experience. Each partner's legal classification, data practices, and opt-out mechanisms are detailed below.

A. Google AdMob

Role: Joint Controller (for data collection and transmission) / Independent Data Controller (for downstream profiling and processing) Data Collected: Device identifiers, Advertising IDs (IDFA/AAID), IP address, ad interaction data Purpose: Serving banner and rewarded video advertisements within our games

Google acts as an Independent Data Controller for the profiling data they process and use across their broader advertising ecosystem. However, under EU structural frameworks (such as the Fashion ID ruling), we act as Joint Controllers strictly for the initial collection and transmission of this data via their SDK embedded in our games.

Google's Advertising Privacy Policy: https://policies.google.com/technologies/ads Google's General Privacy Policy: https://policies.google.com/privacy

B. Firebase (Google LLC)

Role: Data Processor Data Collected: Crash reports, device diagnostics, session metadata, anonymized usage events Purpose: Application stability monitoring, crash resolution, performance optimization

We have configured Firebase to operate strictly as a Data Processor. We do not voluntarily share Analytics telemetry back into Google's downstream ecosystem.

Firebase Privacy Information: https://firebase.google.com/support/privacy

C. Expo (Infrastructure Provider)

Role: Data Processor Data Collected: IP address, operating system specifications, performance metrics, crash reports Purpose: Application build infrastructure, over-the-air update delivery, development toolchain services

D. Future Partners

As our portfolio grows, we may integrate additional third-party services such as:

• Unity Ads for supplementary advertising networks
• Amplitude for advanced product analytics (operating as a Data Processor)
• RevenueCat for subscription/purchase management

Any new third-party integrations will be transparently disclosed in this section with their full legal classifications prior to deployment.

---

7. YOUR OPT-OUT CONTROLS FOR TARGETED ADVERTISING

You have full control over whether advertising networks can track your device for personalized advertising:

iOS (Apple)

In compliance with the App Tracking Transparency (ATT) framework, you will be prompted upon first launch to grant or deny permission for tracking. You can modify this at any time:

Settings > Privacy & Security > Tracking > Toggle off the specific game

Android (Google)

You can manage your ad tracking preferences:

Settings > Security & Privacy > Privacy > Ads > Tap "Delete advertising ID" or toggle "Opt out of Ads Personalization"

NOTE: Opting out of targeted advertising does not remove ads from our games. You will still see contextual advertisements based on the app's genre rather than your personal interests.

---

8. OVERARCHING LEGAL BASES FOR PROCESSING (UK & EEA USERS)

As a UK-registered entity, if you are a resident of the United Kingdom or the European Economic Area (EEA), we structure our data processing under the following legal bases, compliant with the UK GDPR, EU GDPR, and the Data (Use and Access) Act 2025 (DUAA):

• Consent: Used exclusively for accessing device identifiers (IDFA/AAID) to serve personalized advertisements, in strict compliance with the ePrivacy Directive and UK PECR.
• Performance of a Contract: Used for processing strictly necessary to execute the basic functions of our games.
• Legitimate Interest: Used for structural analytics, app crash reporting, fraud prevention, and serving non-personalized contextual ads.
• Legal Obligation: Complying with applicable laws and lawful governmental requests.

---

9. DATA SECURITY, RETENTION, & INTERNATIONAL TRANSFERS

Data Security

We implement robust administrative and technical security measures appropriate to the nature and sensitivity of the data being processed. For offline-first games like PAPUTU 8192, we avoid centralized cloud databases entirely. Because gameplay data is stored locally on your device, this specific data is protected from centralized cloud breaches on our end.

For data processed by our third-party partners, we require that they maintain industry-standard security certifications and practices, including encryption in transit (TLS 1.2+) and at rest.

Data Retention

International Data Transfers

While PAPUTU LIMITED is incorporated in the United Kingdom, our development teams and trusted third-party partners operate globally. Data may be processed on servers located outside the UK and EEA, including the United States.

We ensure that all international data transfers comply strictly with the UK GDPR and EU GDPR through appropriate legal safeguards, including:

• Adequacy Decisions issued by the UK Secretary of State or the European Commission
• Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) or Addendum approved by the UK Parliament.
• Supplementary measures as recommended by the European Data Protection Board (EDPB) where necessary

---

10. YOUR DATA PROTECTION RIGHTS & DATA DELETION

Depending on your global jurisdiction, you possess specific legal rights regarding your personal data. We are committed to facilitating the exercise of these rights promptly and free of charge.

United States Regional Privacy Rights (CCPA / CPRA / VCDPA / CPA)

By 2026, multiple US states grant specific data protection rights. We grant these rights universally to all US residents:

• Right to Know: Request the categories and pieces of personal information collected.
• Right to Delete: Request deletion of personal information collected.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: You can opt-out of ad tracking using native device controls.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

12-Month Lookback Disclosure: In the preceding 12 months, PAPUTU LIMITED has not sold personal information for monetary value. However, we have "shared" mobile device identifiers with third-party advertising networks for the purpose of cross-context behavioral advertising.

UK & EEA Residents (UK GDPR / EU GDPR)

You hold rights to Access, Rectification, Erasure ("Right to be Forgotten"), Restriction of Processing, Data Portability, right to Object, right to withdraw Consent for ad-tracking, and the right to lodge a complaint with your local supervisory authority (such as the UK ICO).

Exercising Your Rights (Deleting Data)

Because our current games are architected as offline, local-storage experiences without remote account systems, we do not store your gameplay data on our servers.

To immediately and permanently delete your local game data:

• On iOS: Navigate to your device Settings > General > iPhone Storage > PAPUTU 8192 > Delete App. (iOS does not support deleting local game data without deleting the application).
• On Android: Navigate to your device Settings > Apps > PAPUTU 8192 > Storage > Clear Data & Clear Cache. Alternatively, uninstall the application.
• In-App: Open Settings > Delete Account Data within the game.

For formal Data Subject Access Requests (DSARs) regarding advertising profiles or analytics telemetry stored on remote servers, please note that PAPUTU LIMITED does not possess or control this data. Because partners like Google AdMob operate as Independent Data Controllers, you must submit deletion requests for advertising profiles directly to them via their respective privacy portals (e.g., Google My Activity).

For game-specific privacy inquiries directed at PAPUTU LIMITED, contact: privacy@paputugames.com

Under the DUAA 2025, we will respond to reasonable and proportionate requests within standard statutory timeframes (typically within 30 calendar days).

Dedicated Data Deletion Portal: For step-by-step instructions, visit https://paputugames.com/data-deletion

---

11. CHILDREN'S PRIVACY

Our applications, including the mathematical spatial puzzles in PAPUTU 8192, are intended for a general audience. In strict alignment with the UK ICO's Age Appropriate Design Code (Children's Code), the US Children's Online Privacy Protection Act (COPPA), and equivalent international regulations:

• We do not knowingly collect, solicit, or store personal information from children under the age of 13 (or under 16 in certain European jurisdictions).
• We do not knowingly direct personalized advertising toward children under the applicable age threshold.

Enforcement: We enforce child privacy protections systematically. Depending on the specific application version, we enforce this via a neutral Age Gate at launch, and/or by configuring the Google AdMob SDK globally utilizing the tagForChildDirectedTreatment (TFCD) or tagForUnderAgeOfConsent (TFUA) programmatic flags to ensure that strictly non-personalized, COPPA-compliant advertisements are served to minors.

If you are a parent or guardian and believe your child has provided personal information to our third-party ad networks or analytics services without your consent, please contact us immediately at privacy@paputugames.com. We will:

1. Take immediate steps to ensure ad tracking is disabled for that device
2. Request that our advertising and analytics partners programmatically purge telemetry data associated with that device identifier

---

12. DO NOT TRACK & GLOBAL PRIVACY CONTROL SIGNALS

We respect Do Not Track (DNT) browser signals and Global Privacy Control (GPC) signals where technically feasible.

Please note that GPC is currently a web browser HTTP header extension and applies primarily to our central website (paputugames.com). Native mobile operating systems (iOS/Android) do not natively broadcast GPC signals to downloaded applications. For our mobile games, device-level OS settings (like Apple ATT and Android Ads personalization toggles) act as the primary, enforceable opt-out mechanism for tracking.

---

13. CHANGES TO THIS PRIVACY POLICY

We may comprehensively update this Privacy Policy periodically to reflect:

• New game releases and their unique data architectures
• Updates to our technical SDK integrations or third-party partnerships
• Changes in applicable laws, regulations, or regulatory guidance
• Improvements to our data protection practices

We will notify you of any material changes by updating the "Last Updated" date at the top of this document, and where legally required, obtaining renewed consent before implementing changes that affect the legal basis for processing.

---

14. DISPUTE RESOLUTION

If you have a privacy concern that we have not adequately addressed, you may contact:

• UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/
• EU Data Protection Authorities: Contact your local supervisory authority
• Federal Trade Commission (US): For COPPA inquiries.

We are committed to resolving complaints about your privacy and our collection or use of your personal information. We endeavor to respond to all inquiries within 30 calendar days.

---

15. CONTACT US

If you have any questions, concerns, regulatory inquiries, or formal legal requests regarding this Privacy Policy or how your data is handled across any of our Services, please contact the Data Protection Team directly:

PAPUTU LIMITED Company Registration Number: 17117491 Suite 10641, 5 Brayford Square London, United Kingdom E1 0SG

Privacy & Data Protection: privacy@paputugames.com General Legal Inquiries: support@paputugames.com

Privacy Policy: https://paputugames.com/legal/privacy/ Data Deletion Portal: https://paputugames.com/data-deletion Terms of Service: https://paputugames.com/legal/terms/

---

APPENDIX A: DATA DELETION LANDING PAGE SPECIFICATION

The following content specification is intended for deployment at https://paputugames.com/data-deletion to satisfy Google Play's Account Deletion mandate and Apple App Store Review Guidelines.

---

How to Manage and Delete Your Data at PAPUTU LIMITED

At PAPUTU LIMITED, we respect your privacy and believe in total transparency. In compliance with global privacy regulations (including the UK GDPR, EU GDPR, California Delete Act, and CCPA/CPRA) and Google Play / Apple App Store guidelines, this page explains exactly how you can manage, extract, or delete your data from our mobile games.

For Offline-First Games (e.g., PAPUTU 8192)

PAPUTU 8192 does not use a centralized backend server, and it does not require you to create an account to play. All of your gameplay progress, high scores, grid layouts, and virtual currencies are saved locally on your physical device memory.

Because we do not hold this progression data on our corporate servers, we cannot remotely delete it for you. To permanently delete all of your gameplay data, you must do it on your device:

Option 1 — In-App Deletion: Open the game > Settings > Delete Account Data > Confirm

Option 2 — iOS Specific Removal: Navigate to Settings > General > iPhone Storage > PAPUTU 8192 > Delete App. (Note: iOS does not allow you to clear local game data without deleting the application).

Option 3 — Android Specific Removal: Go to your device Settings > Apps > PAPUTU 8192 > Storage > Tap "Clear Data" and "Clear Cache". Alternatively, you can fully uninstall the app.

WARNING: Executing any of these actions will permanently and irreversibly erase your progress. It cannot be recovered.

How to Opt-Out of Advertising Tracking Data

Our games use authorized third-party partners (including Google AdMob) to serve advertisements. These partners may collect unique, anonymous device identifiers to show you relevant ads. You can delete or reset this identifier directly through your device's operating system at any time without uninstalling the app:

• Android: Go to Settings > Security & Privacy > Privacy > Ads and tap "Delete advertising ID"
• iOS: Go to Settings > Privacy & Security > Tracking and turn off the toggle for the specific game

Formal Privacy Requests

Please note that PAPUTU LIMITED does not store or control your advertising profile data. Third-party partners like Google AdMob act as Independent Data Controllers. If you wish to submit a formal Data Subject Access Request (DSAR) to view or delete the advertising profiles built around your device ID, you must contact those providers directly or use their privacy dashboards (e.g., Google My Activity).

If you have legal questions strictly regarding PAPUTU LIMITED's local data practices, please email us directly at:

privacy@paputugames.com

We will process your inquiries promptly in accordance with the UK GDPR and DUAA 2025, typically within 30 calendar days.

---

Copyright 2026 PAPUTU LIMITED. All rights reserved.