Welcome to aco.media!
aco.media ("aco.media", "we", "us" or "our") is dedicated to protecting your privacy. This Privacy Policy ("Policy") explains how we collect, use, and share your personal data (also known as personal information in certain jurisdictions) when you use our mobile game applications, websites, and other online products and services (collectively, the "Services"), including but not limited to Block Blast!. The Services are provided by aco.media ("the Data Controller"), with headquarters at 60 PAYA LEBAR ROAD, #04-16, PAYA LEBAR SQUARE, SINGAPORE 409051, which is responsible for determining the means and purposes of processing your personal data.
Please review this Policy before using our Services. You can manage your privacy preferences at any time through the in-game settings interface. If you have any questions, please contact us using the details provided in Section 9 Contact Us.
This Policy will help you understand the following content:
1. What Personal Data We Collect
We will collect personal data in a lawful and fair manner: (a) personal data you provide directly to us; (b) personal data collected automatically when you use our Services; and (c) personal data we receive from third parties. We will only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
1.1 Personal Data You Provide to Us
- Account Profile: We collect the nickname and avatar you select from our pre-defined internal library. These profile elements are provided by the game and are not customizable or open-ended.
- Customer Service Data: We collect data that you provide directly to us when you contact customer support, give feedback, participate in surveys or activities, or subscribe to our communications. This may include your nickname, contact email address, the content of your request, screenshots or attachments you choose to provide, and our communication records with you. The specific data collected varies based on the service you are using.
- User Uploaded Images: To provide the requested feature and to fulfill our legal obligation to maintain a safe environment, we may process the images you uploaded. This includes using automated tools and human review to detect prohibited content. Any images you upload within the Service are strictly for your own use and system processing. These images are not shared with or visible to other users of the app. Please do NOT upload images containing personal data, such as real photos of people, identity documents, or private details (e.g., phone numbers, addresses).
- Camera Access: To enable the live camera view during gameplay, we will request access to your device's camera. Your camera data is processed locally in real-time on your device only. We do not collect, record, store, or upload any camera data to our servers or any third-party servers. You may revoke camera permission at any time via your device settings.
1.2 Personal Data We Collect Automatically
When you use our Services, we automatically collect certain data, which includes:
- Identifiers Data: a unique, randomly generated user ID, device ID (e.g. IDFV, Android ID), advertising ID (e.g. IDFA, GAID), third-party unique ID (e.g. Pangle ID, AppsFlyer ID), IP-derived country and region information (raw IP addresses are not retained);
- Device & Technical Data: device model, device time zone, device country, system language, information of CPU, information of storage capacity, information of screen, information of network, information of operating system, and other technical data;
- Gameplay Data: data about your interaction with our Services, for example, game access time, usage logs, progress, achievements, play time and other gameplay information;
- Ad Interactive Data: data about your interaction with advertisements within our Services. For example, information that you have viewed or clicked an ad. We use this information for advertising measurement, optimization, and fraud prevention.
1.3 Personal Data We Receive from Third Parties
We may receive information about you from authorized third parties, specifically in the following scenarios:
- App Marketplaces
Logins: If you choose to log in using your Google or Apple Account, we use their authentication services to verify your identity. We only collect the necessary login tokens to maintain your session. Once verification is completed, the login tokens are promptly deleted.
In-App Purchases: If you make in-app purchases through Google Play or the App Store, we receive transaction details (e.g., Device ID, transaction time, encrypted order details, and status) to fulfill your order. We do not collect or store any payment card details. All financial transactions are processed securely and exclusively by Google Play or the App Store.
Please note that data handled by these platforms is governed by their own privacy policies. We recommend reviewing them here:
- https://policies.google.com/privacy
- https://www.apple.com/legal/privacy/
- Social Media Platforms
By using the in-game sharing feature, you will be redirected to an external social media platform. This is a one-way redirection; we do not access your social media profile or personal data. Please be mindful of your privacy and review your content before posting on external platforms.
1.4 About Sensitive Personal Data
Sensitive personal data refers to personal data that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person. The scope of sensitive personal data may vary pursuant to different applicable data protection laws. Our Services are not designed to collect sensitive personal data. If we become aware that sensitive personal data has been inadvertently collected, we will take steps to delete it promptly.
2. How We Use Your Personal Data
We use your personal data for the following purposes:
| Purpose | Examples of Processing Activities | Personal Data Categories | Legal Basis (where applicable) |
|---|---|---|---|
| Service Provision & Maintenance | To deliver games and ensure they function correctly on users' devices, provide updates, and fix bugs or crashes. |
| Contractual necessity |
| To facilitate users' in-game subscriptions through verification of subscription details. |
| ||
| To enable account login, verification, and to enable the account functions you request. |
| ||
| To fulfill the terms of activities in which users participate (e.g., reward distribution) |
| ||
| Game Performance and User Experience Enhancement | To improve game stability, security, and performance by analyzing how users interact with our games and identifying areas for enhancement. |
| Legitimate interests |
| To understand user trends, preferences, and interactions with our games, informing data-driven decisions to refine and optimize our existing services and the gaming experience. |
| ||
| Service Communications | To deliver essential, non-promotional communications related to the services we provide to you. This includes critical security updates, bug fixes, and important updates to our Terms or Policies. |
| Contractual necessity or Legitimate interests |
| Marketing and Promotional Communications | To send you push notifications about new features, testing invitations, and other promotional content that we believe may be of interest to you. These communications are based on your consent. |
| Consent |
| Customer Support and Inquiry Response | To provide timely and accurate customer support, respond to inquiries, handle complaints, and improve services based on users' feedback. |
| Contractual necessity or Legitimate interests |
| Survey and Activity Administration | To administer voluntary surveys and other activities. |
| Consent |
| Advertising | To deliver personalized/targeted Ads; To measure ad performance, prevent fraud, and limit ad frequency. |
| Consent |
| To deliver non-personalized/contextual Ads; To measure ad performance, prevent fraud, and limit ad frequency. |
| Legitimate interests | |
| Security Assurance | To enhance game safety, detect and prevent fraud, verify identities, and protect user accounts. |
| Legitimate interests |
| Legal Compliance | To comply with our legal obligations, such as retaining transaction records as required by tax and commercial law, or content safety review required by law. |
| Fulfillment of legal obligation |
Where we rely on legitimate interests, we have assessed that our processing is necessary for our legitimate business purposes and does not override your fundamental rights and freedoms. These interests include improving service quality, maintaining security, preventing fraud, understanding how our Services are used, and responding to user inquiries. You may object to such processing where required by applicable law.
3. How We Share Your Personal Data
We do not disclose your personal data to third parties without a valid legal basis. Such processing is justified on the basis of your consent, the necessity for the performance of a contract with you, compliance with a legal obligation, or the necessity for the purposes of our legitimate interests. We may share your personal data with the following categories of third parties:
- Our affiliates. We may share your personal data with companies within our corporate family where necessary for the purposes set out in this Policy and we ensure they are contractually bound. For international data transfers, we ensure an adequate level of data protection by implementing appropriate legal mechanisms, such as the Standard Contractual Clauses.
- Technical service providers. We engage the following third-party service providers (Data Processors) to perform functions on our behalf in delivering our Services. We enter into data processing agreements with these providers that contractually obligate them to protect your data and process it only according to our instructions:
- Cloud storage: We use the cloud storage service provided by Amazon Web Services (privacy policy: https://aws.amazon.com/privacy).
- Crash/Error monitoring:We use the "Bugsnag SDK" provided by SmartBear (Ireland) Limited (privacy policy: https://smartbear.com/privacy).
- Push notifications:We use the "Firebase Cloud Messaging" service provided by Google LLC through "Google Firebase SDK" (privacy policy: https://policies.google.com/privacy).
- Privacy management:We use the "Google UMP SDK" provided by Google LLC for privacy management (privacy policy: https://policies.google.com/privacy).
- Advertising partners.
We work with third-party advertising partners to provide advertisements and measure their effectiveness.
- Our advertising partners may process personal data as independent controllers, or in certain cases as joint controllers with us, depending on the specific processing activity and applicable law. We encourage you to review their privacy policies to understand how they process your data. A comprehensive list of our main partners is available in the Advertising Partners List.
- For the purposes of ad delivery and performance analysis, we may share certain Identifiers Data, Device & Technical Data and Ad Interactive Data. We ensure that such data sharing is conducted in accordance with applicable data protection laws and the following user controls:
Legal Basis and Your Control:
- EEA and UK: This sharing for personalized advertising is based exclusively on your consent, which we obtain and manage through a Consent Management Platform (CMP). Your preferences are transmitted to our advertising partners to ensure your choices are respected. You may withdraw or modify your consent at any time through the in-game privacy settings. If you withdraw consent, you will still see ads, but they will not be tailored to your interests.
- United States: Under the CCPA/CPRA, you have the right to opt-out of the "selling" or "sharing" of your personal data for cross-context behavioral advertising. You can exercise this right at any time by using the "Do Not Sell or Share My Data" in our in-game settings. Residents of certain U.S. states may have similar rights. You may also contact us by [email protected].
In addition, we may disclose your personal data in the following cases:
- In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or part of our business or assets, your personal data may be transferred as part of that transaction. Where required by applicable law, we will provide notice before your personal data becomes subject to a different privacy policy;
- Where required to do so by applicable law, regulation, legal process, or enforceable governmental request, or where we believe disclosure is necessary to protect our rights, investigate fraud, enforce our Terms, or protect the safety of users or others.
4. International Transfer of Personal Data
Due to the global nature of our operations, your personal data may be transferred to, stored in, and processed by our affiliated companies, service providers and advertising partners in countries outside your country of residence.
Our data storage servers are located in the eastern United States.
Where the transfer of your personal data to a recipient located in a foreign country constitutes an international or cross-border transfer under applicable law, we rely on approved legal transfer mechanisms and implement appropriate safeguards to protect your data.
5. Data Security and Data Retention
We are committed to keeping your personal data safe. We take reasonable and appropriate administrative, technical, organizational, and physical security and risk management measures in accordance with applicable laws to ensure that your personal data is adequately protected against accidental or unlawful destruction, damage, loss or alteration, unauthorized or unlawful access, disclosure or misuse, and all other unlawful forms of processing of your personal data in our possession.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes set out in this Policy. We will either delete or anonymize your personal data when it is no longer required to satisfy the purposes set out in this Policy unless otherwise specified by applicable laws.
6. Your Legal Rights
Your legal rights regarding your personal data vary depending on your jurisdiction, and may include the following:
- Right to access your data. You have the right to access personal data we hold about you, how we use it, and who we share it with.
- Right to correct your data. You have the right to correct any personal data held about you that is inaccurate.
- Right to delete your data. You can delete or remove certain personal data that we have stored about you. However, please note that we may need to retain certain personal data where we have valid legal grounds under applicable data protection laws. If that is the case, we will inform you of such valid grounds.
- Right to restrict data processing. You have a right to request us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances (such as where you believe such data to be inaccurate, our processing is unlawful or that we no longer need to process such data for a particular purpose).
- Right to object. You have the right to object to the processing of your personal data where we rely on legitimate interests as our legal basis. Upon receiving your objection, we will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where the processing is necessary for the establishment, exercise, or defense of legal claims.
- Withdrawal of consent. You may withdraw your consent at any time through the in-game privacy settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Please note that even if you withdraw consent for tailored advertising, you may still receive non-personalized advertisements.
- Right to portability (applicable to EEA, UK and Brazil users). You have the right to receive a copy of certain personal data we process about you in a structured, electronic format. Additionally, you have the right to have us transmit such personal data directly to another controller, where technically feasible. However, please note that we may not be able to provide you with personal data if providing it would interfere with another's rights (e.g. where providing the personal data we hold about you would reveal data about another person or our trade secrets or intellectual property) or there are other limitations recognized under data protection laws.
- Right to lodge complaints. You have the right to lodge complaints about the data processing activities carried out by us before the competent data protection authorities, where existing.
You can exercise your rights entitled by the privacy laws in your jurisdiction at any time by contacting [email protected]. We may ask you to verify your identity and your jurisdiction before taking further action on your request. We will respond to your request within the time frames required by applicable law (e.g., typically 30 days under GDPR/UK GDPR and 45 days under CCPA/CPRA). If we decide not to respond to your request for the above rights, we will explain the reasons.
7. Children's Privacy
Our Services are designed and provided to users of various age groups. We do not knowingly collect personal data from, or serve targeted advertisements to, children as defined and required by applicable laws. If you believe that we may have personal data from or about a child, or have served targeted advertising to a child in violation of our policies, please contact us via [email protected].
8. Changes to this Policy
This Policy may be changed from time to time. If we change anything important about this Policy (e.g., the type of personal data we collect), we will provide a prominent link together with the updated policy for your reference on our Services. By continuing to use the Services, you acknowledge that you have read and understood the updated Policy.
9. Contact Us
If you have any questions, complaints, feedback, or other inquiries regarding personal data protection related to the use of our Services, including any requests to exercise your legal rights, please contact us through the following ways:
- Through the in-game settings interface;
- Via email at [email protected].
- By mail at 60 PAYA LEBAR ROAD, #04-16, PAYA LEBAR SQUARE, SINGAPORE 409051.
10. Special Terms for Apple Arcade
This section applies if you are playing our game through Apple Arcade.
We do not collect, access, or store any of your personal data as part of the normal operation of our Apple Arcade game. This version contains no advertisements, no third-party tracking SDKs, and no in-app purchases. As part of the Apple Arcade service, we may periodically receive anonymized, aggregated usage data from Apple. This data cannot be used to identify any individual. We will only collect personal information (such as your email) if you contact our customer support.
For more information on how Apple processes your data, please see https://www.apple.com/legal/privacy/data/en/apple-arcade/.
11. Regional Terms
- Legal Basis
In each case where we process your personal data, we do so lawfully in accordance with one of the legal basis set out under European data protection laws. To learn more about our legal basis under GDPR, see Section 2 How We Use Your Personal Data.
- International Transfer
We transfer your personal data to third countries on the basis of the following safeguards:
- Adequacy Decisions: We transfer data to countries that benefit from an adequacy decision by the European Commission or the UK government (as applicable). This includes transfers to countries that benefit from adequacy decisions, such as Argentina and Israel. It also includes transfers to the United States, but only when the recipient is a commercial organization certified under the EU-U.S. Data Privacy Framework (and listed on the official roster). For transfers to recipients in the United States that are not certified under the DPF, we rely on Standard Contractual Clauses as described below.
- Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision, we rely on the European Commission's and/or UK's approved Standard Contractual Clauses. Prior to such transfers, we conduct a Transfer Impact Assessment (TIA). Where the TIA indicates that the laws of the third country do not provide a level of data protection equivalent to that in the EEA/UK, we implement supplementary technical, contractual, and organizational measures to ensure your data is protected. These SCCs (including copies) can be accessed via https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.
- Local Representative
Our representative in the European Economic Area (EEA) is:
The DPO Centre Europe Limited
Alexandra House, 3 Ballsbridge Park, Dublin, D04C 7H2, Ireland
Email: [email protected] - Supervisory Authority
If you are in the EEA you may lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
- Your Privacy Rights
In addition to the privacy rights described in Section 6 Your Legal Rights, you may have the following rights:
- Exercising the right to know
You have a right to request additional information about the categories of personal information collected, sold, disclosed, or shared; purposes for which this personal information was collected, sold, or shared; categories of sources of personal information; and categories of third parties with whom we disclosed or shared this personal information.
- Exercising the right to Opt-Out of sale or sharing
Under the CCPA/CPRA, "sale" and "sharing" of personal information are defined broadly. While we do not sell your data in the traditional sense for money, our disclosure of certain personal data (such as advertising identifiers) to third-party advertising partners for cross-context behavioral advertising may be considered a "sale" or "sharing" under these laws.
You have the right to direct us to stop such "sales" or "sharing" of your personal information. You can exercise this right at any time by using the "Do Not Sell or Share My Data" in our in-game settings.
- Exercising the right to know
- Authorized Agents
You may designate an authorized agent to make a request on your behalf. For security, we require the authorized agent to provide proof that you have given them permission to act for you, and we may need to verify your identity directly.
- Non-Discrimination
We will not deny, charge different prices for, or provide a different level of quality of services if you choose to exercise these rights, unless allowed under applicable law.
- Appeals
If you wish to appeal any of our decisions regarding a rights request under US privacy laws, you may also contact us by [email protected]. We will respond to your appeal within the time period required by applicable law.
- Legal Basis
If you are a resident of Brazil, we process your personal data in accordance with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados - "LGPD"). We rely on valid legal bases under the LGPD to process your data, including the performance of a contract, compliance with legal obligations, our legitimate interests, or your consent. For details on the specific legal basis we rely on for each processing purpose, see Section 2 How We Use Your Personal Data.
- International Transfer
Where your personal data is transferred outside Brazil, we ensure compliance with the LGPD by relying on adequate protection recognized under applicable law, contractual safeguards, or other legally permitted transfer mechanisms.
- Additional Rights Under the LGPD
In addition to the rights described in Section 6 Your Legal Rights, Brazilian residents may also exercise the following rights:
- the right to confirm whether we process your personal data;
- the right to anonymization or blocking of unnecessary, excessive, or unlawfully processed data;
- the right to obtain information about the public and private entities with which we have shared your data;
- the right to be informed about the possibility of denying consent and the consequences of such denial.
For Privacy Policy specific to Users in South Korea, please see https://aco.media/KR/privacyus.html
- International Transfer
Where we transfer your personal information outside Japan, we comply with the Act on the Protection of Personal Information ("APPI") by relying on adequate protection recognized under applicable law, contractual safeguards with recipients, or your consent where required.
- Additional Rights Under the APPI
In addition to the rights described in Section 6 Your Legal Rights, individuals in Japan may also exercise the following rights:
- the right to request notification of the purpose of use of your retained personal data;
- the right to request suspension of use or cessation of third-party provision of your retained personal data where it has been handled in violation of applicable law.
- Security Management Measures
We take necessary and appropriate measures to prevent leakage, loss, or damage of personal information and otherwise ensure the secure management of personal information, including administrative, technical, and organizational safeguards.