Legal
Privacy Policy
Effective 31 May 2026
TurnLoop Games, Inc. (“TurnLoop,” “we,” “us,” “our”) operates the website at turnloop.games and the mobile game Scandal & Fortune (with its related online services, updates, and content). In this policy these are together the “Services.” This policy explains what personal information we handle across the Services and your choices.
Plain English: this policy covers both the website and the game. Where a practice applies to only one, we say so.
1. Who we are
The controller responsible for the Services is:
TurnLoop Games, Inc.251 Little Falls Drive
Wilmington, New Castle County
Delaware 19808
United States
TurnLoop Games, Inc. is incorporated in the State of Delaware, United States (incorporated 2026-03-02; Delaware File Number 10529681; registered agent Corporation Service Company).
Privacy and data-subject requests: privacy@turnloop.games
Support: support@turnloop.games
Legal notices: legal@turnloop.games
2. What this policy covers
This policy covers the website (a corporate information site) and the Scandal & Fortune game (an account-based mobile game with in-app purchases and advertising). The game is rated 13+ and is not directed to children under 13 (Section 13).
3. Information we collect
3.1 Website. The website has no forms, login, analytics, or advertising. When you load a page, our host (Cloudflare) processes standard request metadata (IP, user agent, request path, timestamp, TLS info, approximate location, security-event data) to deliver and protect the site. If you email us, we process your message and its contents.
3.2 The game. When you install and play Scandal & Fortune, we and the providers in Section 4 process:
- Identifiers: an internal player ID and your assigned codename; social-login identifiers and, from your chosen login provider at sign-in, your name and email (we receive these to create and secure your account), or a Guest device identifier. We display your real name to other players only if you opt in (Section 11).
- Device & technical: device model, OS version, language/region, app and SDK versions, IP address, and advertising identifiers (Apple IDFA, Google GAID, IDFV, Android ID — Section 6).
- Gameplay: progress, in-game purchases, currency and items, raids/sabotage and other game events, and basic anti-cheat signals.
- Crash & performance: crash logs, diagnostics, and stability data.
- Purchases: in-app purchase receipt tokens (not your full card details — Section 9).
- Notifications: your push token (Section 8).
- Safety: player-report records — reporter ID, reported-player ID, a reason category, and timestamp (Section 11).
4. Service providers and SDKs we use
The game includes third-party software development kits (SDKs). Under platform rules we treat data they collect through the game as our collection, and we disclose them. Each provider processes data under its own privacy policy.
| Provider / SDK | Purpose | Data |
|---|---|---|
| Google AdMob (+ Google UMP consent) | advertising mediation + consent | ad/device IDs, IP, ad interactions |
| The ad networks AdMob mediates | ad demand | ad/device IDs, IP |
| Firebase Analytics (Google) | product analytics | app-instance ID, events, device info |
| Firebase Crashlytics (Google) | crash reporting | crash logs, device state |
| Firebase Cloud Messaging / Apple APNs | push notifications | push token, device info |
| Facebook Login (Meta) | optional social login | Facebook ID, name, email, auth tokens |
| Sign in with Apple | optional social login | Apple relay ID, name, (private) email |
| Google Sign-In | optional social login | Google ID, name, email |
| Apple StoreKit / Google Play Billing | in-app purchases | receipt/purchase tokens |
| Unity (engine) | runs the game | diagnostics |
| Cloudflare | game backend + hosting | account data, IP, request metadata |
We do not use website-visitor data for advertising or analytics; the game does use the advertising and analytics SDKs above.
5. How we use information
- Provide the Services — run your account, save progress, run matchmaking and raids, deliver content.
- Purchases — process and validate in-app purchases.
- Security & integrity — prevent fraud, cheating, and abuse; protect players and the Services.
- Support — answer your messages and act on player reports.
- Advertising — show ads (Section 6); for players we treat as minors (under 18) we show non-personalised/contextual ads only.
- Legal — comply with law; establish, exercise, or defend legal claims.
6. Advertising and advertising identifiers
The game shows ads via Google AdMob. Ads may use device/advertising identifiers (Apple IDFA, Google GAID).
- EU / EEA / UK: storing or reading non-essential advertising identifiers requires your prior consent, which we request through a consent prompt (Google UMP / Consent Mode) before any non-essential ad processing. This consent is separate from Apple’s ATT permission below.
- iOS: access to the IDFA for cross-app tracking also requires your permission through Apple’s App Tracking Transparency prompt — a distinct, Apple-specific permission, not the same as GDPR/ePrivacy consent. You can change it in iOS Settings → Privacy & Security → Tracking.
- Android: you can reset or delete your advertising ID, or opt out of ad personalisation, in Android Settings.
- Players we treat as under 18: based on the age information available to us (your declared age at the 13+ gate and any age signal the store provides), we configure advertising for non-personalised/contextual delivery and do not use advertising identifiers to behaviourally profile you; where we cannot determine age, we apply the more protective treatment by default.
7. Tracking technologies in the game
In the app we and our SDKs use device and advertising identifiers (IDFA, GAID, IDFV, Android ID) and similar SDK-set identifiers for the purposes above. These are not browser cookies; you control them through the iOS/Android settings in Section 6. The website’s (minimal) cookie position is in the separate Cookie Notice.
8. Push notifications
If you enable notifications, we store a push token to send game-related messages. iOS asks your permission; Android 13+ asks via the notifications permission. You can turn notifications off in your device settings at any time.
9. In-app purchases
Purchases are processed by Apple (StoreKit) or Google (Play Billing) under their terms; we receive receipt/transaction tokens, not your full card details. Refunds go through the platform. Statutory consumer rights are unaffected. See the Game Terms for virtual-currency and refund terms.
10. Randomised items (loot boxes) and odds
Some collectable cards are randomised virtual items obtainable through gameplay milestones reachable with purchasable currency. We will publish the per-card odds on our Probability Disclosures page and show the same odds in the game before any real-money purchase that feeds the randomised mechanic.
11. Player profile, display name, and social features
- Display name. We receive your real name from your login provider when you sign in (Section 3.2), but by default other players see you only under an assigned codename (e.g.
SilverFox#4821). You can optionally choose to display your real name to other players; this is off by default, you can turn it off again at any time, and it is not available to Guest or private-Apple accounts. If you are a minor, you can turn it on only if you meet the digital-consent age where you live (Section 13). Your displayed name and your ranking are visible to other players — a public disclosure. - Social features. Raids, sabotage, “revenge,” and preset-emoji reactions are visible to the players involved. There is no free-text chat.
- Reporting. You can report a player in-app (a structured report, no free text); we keep the report record (Section 3.2) to review safety and may act on it.
- Competitive features. If we add leaderboards or tournaments, they will display your codename (or, if you opted in, your real name) and competitive history to other players.
12. Legal bases (GDPR / UK GDPR)
- Contract (Art. 6(1)(b)) — to provide the game’s core functions: creating and running your account, saving progress, matchmaking and raids, and processing your purchases.
- Legitimate interests (Art. 6(1)(f)) — security, anti-cheat, fraud and abuse prevention, and basic product diagnostics, balanced against your rights.
- Consent (Art. 6(1)(a) + ePrivacy) — for storing or reading non-essential advertising identifiers in the EU/EEA/UK (we do not rely on legitimate interests for these), and for the optional real-name display (Section 11). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — tax, accounting, and other legal requirements.
13. Children’s privacy
The game is rated 13+ and is not directed to children under 13. We do not knowingly collect personal information from children under 13; our age screen is a good-faith gate that does not encourage anyone to misstate their age, and we do not knowingly let advertising or other SDKs collect data from a user before the age gate. If you believe a child under 13 has provided us personal information, contact privacy@turnloop.games and we will delete it.
For players aged 13–17, we apply protections by default: an assigned codename (real-name display is opt-in, off by default, and available only to a minor who meets the digital-consent age where they live — in the EU this varies, e.g. 14 in Spain, 15 in France, 16 in Germany and the Netherlands); non-personalised/contextual advertising with no behavioural profiling or third-party targeted advertising, based on the age information available to us; and data minimisation. We rely on contract, not consent, for core processing (Section 12), so the game’s core functions do not depend on the differing EU child-consent ages. Where local law sets a higher age for certain features or for the country’s store (for example, an 18+ storefront where loot-box mechanics are restricted), that age applies.
14. How we share information
We share personal information with: our service providers and the platforms in Section 4, who process it on our behalf for the purposes shown — this includes hosting and security (Cloudflare), the login providers, crash and analytics tools, and the payment platforms, and they are not permitted to use it for their own purposes; professional advisers (lawyers, accountants, auditors); authorities where legally required or to protect rights and safety; and a successor in a merger, acquisition, or similar transaction. Separately, our advertising SDK (AdMob) shares device and advertising identifiers with ad networks to deliver ads — this may be a “sale,” “sharing,” or “targeted advertising” under some US state laws (see Section 15; the in-app control lets you opt out). We do not otherwise sell your personal information or share it for cross-context behavioural advertising.
15. Your choices and rights
15.1 GDPR / UK GDPR. You may have rights to access, rectify, erase, restrict, port, and object, and to withdraw consent and complain to a supervisory authority. Email privacy@turnloop.games. We respond within one month where GDPR/UK GDPR applies.
15.2 California (CCPA/CPRA). Categories we may process for the game: identifiers (player ID, device/advertising IDs, social-login IDs, name/email from login); commercial information (purchases); internet/network activity (app and ad interactions); approximate geolocation (from IP); and inferences (limited, for game features). We process these for the purposes in Section 5, retain them per Section 21, and do not use sensitive personal information to infer characteristics. California residents may know, access, delete, correct, and opt out of the “sale”/“sharing” of personal information for cross-context behavioural advertising; the game’s advertising may be a “sale”/“sharing.” When the game offers advertising, we will provide an in-app “Do Not Sell or Share My Personal Information” control and honour browser/OS opt-out preference signals where applicable and technically supported. For users under 16 we treat sale/sharing as opt-in only, and for players we treat as minors (under 18) we do not sell or share personal information for cross-context behavioural advertising (see Section 6). You may also email privacy@turnloop.games, use an authorised agent; we do not discriminate against you for exercising rights, verify requests by matching information we hold, and respond within 45 days (extendable by a further 45 days where reasonably necessary).
15.3 Other US states. If you live in a US state with a comprehensive privacy law (for example, Texas (TDPSA), Connecticut (CTDPA), Colorado (CPA), Virginia (VCDPA), Oregon, Delaware, Montana, or Maryland), you may have rights to access, correct, delete, and port your data, to opt out of targeted advertising, the sale of personal data, and certain profiling, and to consent before processing of sensitive data. Use the in-app “Do Not Sell or Share” control or email privacy@turnloop.games; you may appeal a decision. For minors under 18, some states now prohibit targeted advertising and the sale of personal data regardless of consent (for example, Connecticut and Maryland), while others require opt-in consent; because we do not serve personalised advertising to, and do not sell or share the personal information of, players we treat as minors (Sections 6 and 15.2), we apply the more protective rule in every state.
16. Account deletion
You can delete your account and personal data on the web at turnloop.games/account-deletion without reinstalling; once Scandal & Fortune is available you will also be able to delete it in-app (Settings → Delete account). When you request deletion, your account is disabled immediately; you then have 14 days to cancel; if you do not, your data is permanently deleted, completing no later than 30 days after your request. Some records are retained only where the law requires or to keep players safe (e.g. tax/transaction records; fraud-prevention and safety signals), de-identified where feasible. There is no refund for unused virtual currency or items. See the Account Deletion Notice.
17. India
The game is not currently offered in India. India’s Digital Personal Data Protection Act treats everyone under 18 as a child and requires verifiable parental consent and no targeted advertising to children; if we offer the game in India in the future, we will put the required measures in place — such as verifiable parental consent or an adults-only offering — before launching there.
18. Brazil
If you use the game in Brazil, Brazilian law (LGPD and child-protection rules) applies. To comply with Brazilian rules on randomised-item mechanics and minors, the randomised-card mechanic is turned off for installs from the Brazil storefront (it is not a setting players can switch on), and the Brazil storefront age rating applies.
19. EU/UK representative, supervisory authority, and EU contacts
TurnLoop Games, Inc. is established in the United States. We are finalising our EU and UK representation arrangements and will identify our EU/UK representative — or confirm our lead supervisory authority — on this page before the game is offered in the EU or the UK. For data-protection questions, contact privacy@turnloop.games; you may also complain to your local data protection authority (in the UK, the Information Commissioner’s Office).
EU Digital Services Act contact. For EU authorities and users on DSA matters, contact legal@turnloop.games (in English). As a micro/small enterprise, TurnLoop is exempt from most of the DSA’s additional obligations for online platforms.
20. International transfers
We are incorporated in the United States; personal information may be processed in the US, EU, UK, or other locations where our providers operate. Where GDPR/UK GDPR applies and data goes to a country without an adequacy decision, we rely on appropriate safeguards — the EU–US / UK Data Privacy Framework where a provider (such as Google or Cloudflare) is certified, the European Commission’s Standard Contractual Clauses, and the UK International Data Transfer Addendum — and you can request a copy of the relevant safeguard by emailing privacy@turnloop.games.
21. Retention
We keep personal information only as long as needed for the purposes here, unless the law requires longer.
| Data | Retention |
|---|---|
| Account data (profile, progress, codename, revealed name, social/raid connections) | life of the account, then permanently deleted within 30 days of a deletion request |
| Gameplay telemetry | about 24 months |
| Crash / diagnostic logs | about 90 days |
| In-app purchase / transaction records | the tax/accounting period (e.g. Spain 6 years / US 7 years) |
| Push tokens | until invalidated or you disable notifications |
| Player-report records | about 90 days after the report is resolved; a limited de-identified subset may be kept longer to review a report or prevent ban-evasion |
| Fraud / ban-evasion signals | retained as needed for security and fraud prevention, de-identified from your account where feasible |
| Website request metadata | short-term, per Cloudflare’s logging configuration, for security and troubleshooting |
| Email correspondence | for the duration of the matter plus a reasonable business-records period |
22. Security
We use reasonable administrative, technical, and organisational measures appropriate to the Services, including HTTPS/TLS, access controls on our backend and inboxes, and platform-provided protections. No system is perfectly secure. You should not send passwords, government ID numbers, or payment-card numbers to us by email. If a personal-data breach affects you, we will notify you and the relevant supervisory authorities where the law requires.
23. Changes to this Privacy Policy
We may update this policy and will change the effective date. For material changes — especially to consent-based processing — we will give advance or prominent notice and, where the law requires, ask for renewed consent; we do not make material changes by silently editing this page.
24. Contact
For privacy questions or data-subject requests, contact privacy@turnloop.games.
TurnLoop Games, Inc.251 Little Falls Drive
Wilmington, New Castle County
Delaware 19808
United States