Privacy Policy

Last updated: 2026-06-05

This Privacy Policy explains how we handle personal information when you use the Trivia Racing mobile app, web app, and website (together, the "Service"). It also includes the disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), for California residents.

Trivia Racing is designed to collect as little personal information as possible.

1. Who we are

The business responsible for your personal information is:

• Code3
• Železnička 14, 22320 Inđija, Republic of Serbia
• Tax ID (PIB): 107254196 · Company ID (MB): 62611421
• Email: legal@code3.dev

2. Personal information we collect

We collect only what we need to operate the game. The categories below match the CCPA/CPRA categories in Cal. Civ. Code § 1798.140(v).

2.1 Anonymous account data

• Device identifier (UUID): a random identifier generated by the app on first launch and used to recognise your installation. This becomes your anonymous account.
• Account ID: a server-side UUID that ties your data together.

CCPA category: Identifiers.

2.2 Profile data (provided by you)

• Nickname (alphanumeric, 2–32 characters)
• Chosen character, kart body, and kart wheels

CCPA category: Identifiers (only if your nickname identifies you).

2.3 Gameplay data (generated by play)

• Match results: mode, category, rounds, placement, points
• Skill rating (Glicko-2: rating, deviation, volatility) and a history of rating changes
• Number of games played per mode
• Per-question answer telemetry: which question you answered, whether it was correct, response time, and power-up use — used to calibrate question difficulty and show you post-race statistics
• Cosmetic and content unlocks, and power-up inventory counts
• Approximate latency (ping) — measured during a match for fairness; not stored long-term

CCPA categories: Internet or other electronic network activity information; Inferences (skill rating).

Trivia questions themselves come from our own pool and from public collections (the Open Trivia Database and OpenTriviaQA — see the Terms of Service for licenses). Question content is not personal information; your answers to questions are covered above.

2.4 Linked sign-in data (only if you link Apple or Google)

• The opaque user identifier ("sub") returned by Apple or Google so we can recognise you on a new device. We do not receive your password and do not request your email, name, contacts, or profile picture from those providers.

CCPA category: Identifiers.

2.5 Mailing list (only if you subscribe on the website)

• Email address (lower-cased)
• The source tag of the form you used (e.g. promo_launch)
• A truncated SHA-256 hash of your IP address (the raw IP is not stored)
• Your browser's User-Agent string (truncated to 512 characters)
• Subscribed/unsubscribed timestamps

CCPA categories: Identifiers; Internet or other electronic network activity information.

2.6 Purchase data (only if you buy something)

• Payments are processed entirely by Apple — we never receive your card number, billing address, or other payment instrument details.
• We receive and store purchase events from our purchase-management provider (RevenueCat): the product identifier, the reported price, the event type (e.g. purchase, refund), and a timestamp, tied to your Account ID.
• Purchase records are retained for accounting and legal purposes, including after account deletion (without the rest of your account data).

CCPA category: Commercial information.

2.7 Push notification token (only if you enable notifications)

• If you turn on Notifications in the Profile screen, we store a push token for your device so we can send you notifications. Turning the toggle off deletes the token from our servers; deleting your account deletes it too.

CCPA category: Identifiers.

2.8 Server logs

Our servers keep short-lived technical logs of requests (IP address, User-Agent, timestamp, request path) for security, abuse prevention, and debugging. These logs are rotated on a short schedule.

CCPA categories: Identifiers; Internet or other electronic network activity information.

3. Sensitive personal information

We do not collect "sensitive personal information" as defined by the CPRA (e.g. government ID, financial account, precise geolocation, race or ethnicity, religious beliefs, contents of communications, genetic or biometric data, health, sexual orientation). Because we do not collect it, we have nothing to "limit the use of" under Cal. Civ. Code § 1798.121.

4. What we don't collect

• No real name (unless you choose to use one as your nickname)
• No phone number, postal address, or date of birth
• No payment instrument details — card numbers and billing addresses stay with Apple (we only receive the purchase events described in section 2.6)
• No contact list, photos, or files
• No precise or coarse geolocation
• No advertising identifiers (IDFA / GAID)
• No advertising SDKs, and no third-party analytics SDKs at launch (purchase processing uses RevenueCat — see section 2.6)

5. Sources of personal information

• Directly from you: nickname, character/kart choices, email if you subscribe, choice to link Apple/Google.
• Automatically from your device or browser: device UUID, User-Agent, IP address (used for hashed dedupe and short-lived logs).
• From Apple or Google, only if you initiate a sign-in: the opaque "sub" identifier.
• From RevenueCat / Apple, only if you make a purchase: the purchase events described in section 2.6.
• Generated by the Service: match results, rating, answer telemetry, unlocks.

6. Business and commercial purposes for which we use personal information

• Provide, operate, and maintain the Service (account creation, profile, gameplay, sync across devices)
• Run matchmaking and the skill-rating system
• Protect the Service against cheating, abuse, and fraud (rate-limiting, hashed-IP deduplication, short-lived request logs)
• Communicate with you about the Service if you joined the mailing list, and respond to your requests
• Improve the game using aggregate, non-identifying statistics
• Comply with legal obligations and enforce our Terms

7. How we share personal information

We disclose personal information only to the service providers we strictly need to run the Service, under written contracts that restrict their use of the information to providing services to us:

• Our cloud hosting and database provider
• Apple and Google, only if you link a sign-in (they act independently for the authentication exchange and have their own privacy policies)
• RevenueCat, our purchase-management provider, only if you make an in-app purchase
• Expo's push-notification service, only if you enable notifications (it relays messages to Apple's push infrastructure)
• An email-delivery provider, only if you join the mailing list

We may also disclose information when required by law, to respond to lawful requests from public authorities, or to protect our rights, users, and the Service.

8. We do not "sell" or "share" your personal information

We do not sell personal information for money or other valuable consideration, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined in the CCPA/CPRA. We have not done so in the preceding 12 months.

Because we do not sell or share, we do not need a "Do Not Sell or Share My Personal Information" link. We also do not knowingly sell or share the personal information of consumers under 16 years of age.

9. How long we keep your data

• Account, profile, rating, unlocks, answer telemetry: for as long as your account exists.
• Match history: kept while useful for matchmaking and rating; older entries may be aggregated or deleted.
• Push notification tokens: until you turn notifications off or delete your account.
• Mailing list: until you unsubscribe; we retain a record of the unsubscribe so we don't email you again.
• Server logs: short-lived (typically days, not months).
• Deleted accounts: deleting your account in the app removes your account data immediately and permanently. Purchase records are retained as required for accounting and legal compliance, no longer tied to a live account. If you instead email us a deletion request, we act on it within 30 days of verification.

10. Your California privacy rights (CCPA/CPRA)

If you are a California resident, you have the following rights with respect to your personal information:

• Right to know: request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties to whom we disclose it.
• Right to delete: request deletion of personal information we collected from you, subject to limited exceptions (e.g. completing a transaction you requested, security, or legal compliance).
• Right to correct: request correction of inaccurate personal information we maintain about you.
• Right to opt out of sale or sharing: as noted above, we do not sell or share personal information, so there is nothing to opt out of.
• Right to limit use of sensitive personal information: we do not collect sensitive personal information, so there is nothing to limit.
• Right to non-discrimination: we will not deny you the Service, charge you a different price, or provide a different level of quality because you exercised any of these rights.

10.1 How to exercise your rights

Submit a request by emailing legal@code3.dev with the subject line "California Privacy Request" and a description of what you want to do.

10.2 Verification

To protect your data, we need to verify it's really you before acting on a "know," "delete," or "correct" request. Because most of our accounts are anonymous, we typically verify by asking you to send the request from the email address you used to subscribe, or by asking you to send your in-app Account ID (tap the ID at the bottom of the Profile screen to copy it) from the device that holds the account. We will not use information you provide for verification for any other purpose.

10.3 Authorized agents

You may use an authorized agent to submit a request on your behalf. We will require written proof of the agent's authorization and may still verify your identity directly.

10.4 Response times

We confirm receipt of a request within 10 business days and respond substantively within 45 calendar days. We may extend the response period by an additional 45 days when reasonably necessary, in which case we will let you know.

10.5 "Shine the Light" (Cal. Civ. Code § 1798.83)

California residents may request information about our disclosures of personal information to third parties for those third parties' direct-marketing purposes. We do not disclose personal information to third parties for their direct-marketing purposes.

11. Self-service controls in the app

• Delete your account from Profile → Delete account. This immediately and permanently deletes your server-side account — profile, rating, race history, answer telemetry, unlocks, linked sign-in credentials, and push tokens — and wipes the local profile on your device. Purchase records are retained for accounting (see section 9).
• Turn notifications on or off from the Profile screen — turning them off deletes your push token from our servers.
• Unsubscribe from emails using the link in any email we send.

12. Security

We use industry-standard practices to protect data in transit (TLS) and at rest, restrict access to production systems, hash sensitive identifiers where it is enough for our purposes (e.g. mailing-list IPs), and do not store passwords. No system is perfectly secure; please contact us promptly if you believe an account has been compromised.

13. Children

Trivia Racing is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it. We do not knowingly sell or share the personal information of consumers under 16 years of age.

14. International users

We are based in the Republic of Serbia. If you access the Service from outside Serbia, you understand that your information will be processed in Serbia and the European Union, which may have data-protection laws different from those of your country.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, give appropriate notice in the app or on this page.

16. Contact

Questions, requests, or complaints about your personal information? Email legal@code3.dev or write to:

Code3
Železnička 14
22320 Inđija
Republic of Serbia