Privacy Policy
Last updated: 3 July 2026
0. Who we are
Zavija ("we", "us") is operated by an independent developer based in Santiago, Chile, and is the controller of personal data processed through the Zavija game and the website at zavija.com (the "Services"). Questions — and our full legal identity, available on request: [email protected].
1. The short version
- You can play without giving us your name or email — an anonymous profile is created automatically.
- We collect how you play (puzzles, moves, timings, hints, results) to run the game and to calibrate difficulty and improve our analysis engine.
- We don't sell your data and don't run ads. We use Google Analytics 4 (with your consent) and Sentry (error monitoring) to improve the game — neither receives your name or email; gameplay calibration data stays first-party.
- Payments are handled by our merchant of record — your card details never reach us.
- You can access, correct, delete, or export your data (§9).
2. Information we collect
2a. Gameplay telemetry. When you play we collect the puzzles you attempt, the marks you make and their timing, hints used, resets, and whether and how you complete each puzzle ("solve records").
2b. Account information. For an anonymous profile: a randomly generated account identifier only. If you register or upgrade, we also collect your email address and, optionally, a display name and your chosen language. We support email-link and Google sign-in.
2c. Purchase information. Purchases are processed by our merchant of record, Paddle (§7). From them we receive an order reference, the product purchased, and your country (for tax/price display) — not your payment-card details.
2d. Technical & usage data. Like most online services we process technical data such as IP address, device and browser type, and request logs — used for security, abuse/rate-limiting, debugging, and adapting language/region.
2e. Cookies & local storage. We use cookies/local storage that are strictly necessary to keep you signed in, remember your settings, and run the game (no consent required for these). With your consent, we also use analytics cookies (Google Analytics 4) to understand how the game is used so we can improve it; you can decline, and analytics stay off until you accept (we use Google's Consent Mode). We do not use advertising or cross-site tracking cookies, and we do not sell your data.
3. How we use your information
- To provide the Services — serve puzzles, save progress, generate hints and post-game reviews.
- To measure and calibrate puzzle difficulty and to develop, train, and improve our puzzle-analysis and difficulty-rating systems, including by combining gameplay data across players into aggregated, de-identified research datasets (§5). (This is a core purpose — your gameplay improves the game's difficulty model.)
- To process purchases and grant the entitlements you buy (via the merchant of record).
- To keep the Services secure — prevent fraud, abuse, and cost-flooding, and enforce our Terms.
- To communicate with you about your account, purchases, and material changes.
4. Legal bases (for EEA/UK users)
We rely on: performance of a contract (providing the game and purchases you request); legitimate interests (calibrating difficulty, improving and securing the Services, preventing abuse — balanced against your rights); consent (where required, e.g. certain communications — withdrawable at any time); and legal obligations (e.g. keeping transaction records).
5. De-identified & aggregated data
We may create de-identified and aggregated datasets from gameplay telemetry by irreversibly removing the identifiers that link a record to you and combining your data with that of many other players. Once de-identified or aggregated in this way, the data can no longer reasonably be associated with you; it is no longer personal data subject to this Policy, and we may retain and use it indefinitely and for any purpose, including ongoing research and the calibration of our difficulty and analysis systems. We will not attempt to re-identify it.
6. How we share your information
We do not sell your personal data and do not share it for advertising. We share it only with service providers that help us run the Services, under appropriate safeguards:
- Google Firebase / Google Cloud — authentication, database, hosting, and compute.
- Google Analytics 4 (with your consent) — usage/traffic analytics to improve the game; no name or email.
- Sentry — error and performance monitoring to keep the game stable; payloads are scrubbed of personal data.
- Paddle (merchant of record) — to sell and process your purchases (§7).
- Our transactional-email provider — to send account/purchase emails.
- Authorities, if required by law or to protect rights, safety, and security.
International transfers. We operate on Google Cloud (primarily the southamerica-west1 region) and Firebase, and our providers may process data outside Chile (including in the United States and the EU). Where required, we use appropriate transfer safeguards.
7. Payment data
Purchases are sold and processed by our merchant of record, Paddle, which acts as the seller of record and processes your payment under its own terms and privacy notice. We never receive or store your full payment-card details. We keep only transaction references needed to grant entitlements and to meet our legal record-keeping obligations.
8. Data retention
- Account data is kept while your account exists and for a reasonable period afterward.
- Gameplay telemetry is retained as the source we use to calibrate and improve the game; when you delete your account it is irreversibly de-identified (§5, §9) rather than necessarily destroyed, after which it is no longer personal data.
- Transaction/billing records are retained as long as required by tax and accounting law.
- Strictly-necessary cookies are retained only as needed for your session and settings.
9. Your rights
You may, subject to applicable law: access the personal data we hold about you; correct it; delete it ("right to be forgotten"); export/port it; object to or restrict certain processing; and withdraw consent where processing is based on consent. To exercise any of these, contact [email protected]; you can also delete your account in-app.
Right to deletion — bounded. When you delete your account we delete or de-identify your personal information, including your email and profile details. This right is not absolute. We may retain: (i) transaction and billing records we must keep to meet tax, accounting, and financial-reporting obligations; and (ii) de-identified and aggregated gameplay data as described in §5, which is no longer associated with you.
By jurisdiction:
- Chile — you have rights under Ley N° 19.628 on the protection of private life (and, once in force, the updated data-protection framework of Ley N° 21.719); you may contact us to exercise them.
- EEA/UK (GDPR) — the rights in this section, plus the right to lodge a complaint with your supervisory authority.
- California (CCPA/CPRA) — rights to know, delete, correct, and to opt out of "sale"/"sharing"; we do not sell or share personal information as defined there, and we do not discriminate for exercising rights.
10. Security
We protect your data with measures including encryption in transit and at rest, data minimization (we collect little personal data — §2), server-side access controls, and least-privilege secret handling. No method is 100% secure, but we work to protect your information.
11. Children
The Services are not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact [email protected] and we will delete it.
12. Changes to this Policy
We may update this Policy. We will post the updated version at zavija.com and, for material changes, notify registered users by email. Changes take effect when posted (or as stated in the notice).
13. Contact
Zavija, Santiago, Chile — [email protected]. Our full legal identity is available on request.