PRIVACY POLICY

Effective Date: 2026.01.01

Nebula Technology Inc. (“Nebula”, “we”, “our”, or “us”) operates the website, mobile applications, and services related to Nebula — App & Game Design, Development, Analytics, and Operations (the “Service”). We act as the Data Controller for personal data collected through our Service, unless otherwise specified where we act as a Data Processor on behalf of enterprise partners.

This Privacy Policy describes how we collect, use, store, transfer, and protect personal data, and explains your rights under applicable data protection laws (including GDPR, CCPA where applicable, and other relevant regulations).

1. ROLES AND RESPONSIBILITIES

Depending on the processing activity:

  • Nebula acts as Data Controller for end-user data collected via our applications and websites.

  • Nebula may act as Data Processor when processing data on behalf of enterprise clients (e.g., analytics, advertising attribution, SDK integrations).

We ensure all processing activities are governed by appropriate contractual agreements (Data Processing Agreements where required).

2. SCOPE

This Privacy Policy applies to:

  • Mobile applications and games developed or operated by Nebula

  • Websites and web services

  • Analytics and attribution systems

  • Advertising and marketing services

  • Customer support systems

3. INFORMATION WE COLLECT
3.1 Device and Technical Data

Automatically collected information includes:

  • IP address

  • Device model, OS version

  • Browser type and configuration

  • Language and timezone

  • Advertising identifiers (IDFA, GAID, AAID)

  • Cookies and similar tracking identifiers

  • Network information (ISP, region approximation)

3.2 Usage and Behavioral Data

  • App interactions (clicks, sessions, events)

  • Game progression data

  • Feature usage patterns

  • Crash logs and diagnostics

  • Referral source and attribution data

3.3 User-Provided Data

  • Name, username

  • Email address

  • Country / region

  • Profile information (optional)

  • Payment-related data (processed by third-party payment providers; we do not store full payment card details)

We do not knowingly collect sensitive personal data unless required and legally permitted.

4. PURPOSE OF PROCESSING

We process personal data for:

  • Application and game operation

  • User authentication and account management

  • Analytics and performance optimization

  • Advertising attribution and measurement

  • Fraud detection and prevention

  • Security monitoring and abuse prevention

  • Customer support

  • Legal and regulatory compliance

5. LEGAL BASIS (GDPR)

Where applicable, we process personal data under:

  • Performance of contract

  • Legitimate interests

  • Consent (cookies, marketing)

  • Legal obligations

6. COOKIES AND CONSENT MANAGEMENT

We use cookies and similar technologies for:

  • Essential functionality

  • Analytics

  • Advertising and attribution

  • Performance optimization

Where required, we implement a consent management mechanism (Cookie Banner) allowing users to:

  • Accept all cookies

  • Reject non-essential cookies

  • Customize preferences

Users may withdraw consent at any time.

7. DATA SHARING

We may share data with:

  • Cloud infrastructure providers (e.g., AWS, Google Cloud, Azure)

  • Analytics providers

  • Attribution and advertising partners

  • Crash reporting tools

  • Customer support systems

  • Legal authorities when required by law

All third parties are bound by confidentiality and data protection obligations.

8. SUBPROCESSORS

We use the following categories of subprocessors:

  • Cloud hosting providers (AWS / GCP / Azure)

  • Analytics providers (e.g., mobile analytics platforms)

  • Advertising attribution providers

  • Crash reporting tools

  • Customer support platforms

All subprocessors are subject to Data Processing Agreements (DPA) and security requirements.

9. INTERNATIONAL DATA TRANSFERS

Data may be transferred and processed globally, including:

  • United States

  • European Economic Area (EEA)

  • United Kingdom

  • Canada

  • Asia-Pacific regions

We implement safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.

10. DATA RETENTION

We retain data only as long as necessary:

  • Account data: active duration + up to 90–180 days after deletion request

  • Analytics data: up to 24 months (then aggregated/anonymized)

  • Security logs: up to 12 months

  • Crash logs: up to 90 days

After expiration, data is securely deleted or anonymized.

11. DATA DELETION & RETURN

Upon request or contract termination:

  • Personal data will be deleted or anonymized within 30–90 days

  • Data may be returned in structured format upon request

  • Backup copies will be deleted according to backup retention cycle (max 90 days)

12. DATA SECURITY MEASURES

We implement industry-standard security controls:

  • TLS encryption in transit

  • Encryption at rest (AES-256 or equivalent)

  • Role-based access control (RBAC)

  • Principle of least privilege

  • Multi-factor authentication (MFA)

  • Audit logging and monitoring

  • Intrusion detection systems (IDS/HIDS)

  • Regular vulnerability scanning and patching

  • Annual penetration testing

13. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

We conduct Data Protection Impact Assessments (DPIA) for high-risk processing activities, including:

  • Behavioral tracking

  • Advertising attribution

  • Cross-border data transfers

14. DATA SUBJECT RIGHTS

Users may exercise:

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restrict processing

  • Right to object

  • Right to data portability

  • Right to withdraw consent

Requests: support@nebula.name

Response time: within 30 days (or as required by law)

15. DATA INCIDENT MANAGEMENT

We maintain an incident response program to:

  • Detect and investigate security incidents

  • Contain and remediate breaches

  • Notify affected parties and regulators where required

Notification timeline: without undue delay and within regulatory requirements (typically 72 hours for GDPR where applicable)

16. CHILDREN’S PRIVACY

We do not knowingly collect personal data from children under 13 (or applicable minimum age in relevant jurisdictions). If such data is discovered, it will be deleted promptly.

17. SECURITY GOVERNANCE

We maintain an information security program aligned with industry standards (ISO 27001 / NIST principles), including:

  • Security policies reviewed annually

  • Risk management framework

  • Access control governance

  • Asset inventory management

  • Security KPIs and monitoring

18. THIRD PARTY RISK MANAGEMENT

We evaluate subprocessors and vendors based on:

  • Security posture

  • Compliance certifications

  • Data protection agreements

  • Risk assessments

19. CHANGES TO THIS POLICY

We may update this Privacy Policy periodically. Updates will be published with a revised effective date.

20. CONTACT INFORMATION

Nebula Technology Inc.

Email: support@nebula.name

Data Protection Officer (DPO):

Name: Andy Lee

Email: andy@nebula.name

END OF POLICY

Subscribe to our newsletter

Nebula Technology Inc.

E-mail: Support@nebula.name

Tel: +1 716 906 8722

Address: 1312 17th Street Suite 1160, Denver, CO 80202, US