Privacy Policy

Privacy Policy for Wicked Wonderland: Idle RPG

Operator: ,

("we," "us," or "our") respects your privacy. This Privacy Policy explains what information we collect when you download, install, register an account in, and play the mobile game Wicked Wonderland: Idle RPG (the "Game"), when you use our official website (including the icons recharge page at recharge.html on this domain), and when you contact support, how we use that information, with whom we share it, how long we keep it, and the rights you have under applicable laws — including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the California Online Privacy Protection Act (CalOPPA), the Children's Online Privacy Protection Act (COPPA), and (for users in the EEA, the United Kingdom, and Switzerland) the EU/UK General Data Protection Regulation ("GDPR"). The categories of data we collect in the Game are also disclosed in the Data Safety section of our Google Play store listing, which we keep consistent with this Policy.

By creating an account in, using the Game, submitting a recharge order on our website, or otherwise using our services, you confirm that you have read and understood this Policy.

1. Information We Collect

The categories of personal information we may collect (using the categories defined in Cal. Civ. Code § 1798.140) are:

• Account identifiers (provided by you). Because Wicked Wonderland: Idle RPG uses a self-registered account system, you must provide an email address or mobile phone number and a password (or one-time verification code) to create and access your account. You may also choose to provide a display name.
• Device and technical identifiers (collected automatically). Mobile device model, operating-system version and language, app version, IP address, time-zone setting, crash logs, and Android Advertising ID (AAID). The AAID is a resettable, user-controlled identifier — see Section 4 on how to reset or delete it.
• Commercial information. Records of in-app purchases through Google Play (item, amount, transaction time, Google Play order number such as GPA.xxxx) and, if you use our website recharge service, records of icons top-up orders (game account identifier, package selected, amount, transaction or order reference from our payment processor, and fulfillment status). Payment-card and wallet details for Google Play purchases are handled exclusively by Google; for website recharge they are handled by our third-party payment processor(s). We do not receive or store full card numbers, CVV, or bank-account numbers.
• Website recharge information (when you use recharge.html). Your in-game account or player ID, email address, and/or mobile number as entered on the recharge form, plus technical data needed to process the order (e.g., IP address, browser/device type). This is used solely to verify your account, deliver icons, prevent fraud, and provide support.
• Internet or game-activity information. Chapters and stages completed, hero roster and progression, gacha and idle-reward activity, arena and event participation, session length, settings you choose, in-game progress and save data, and similar gameplay telemetry used to operate, analyze, and improve the Game.
• Coarse location. Country/region inferred from your IP address. We do not collect precise GPS coordinates.
• Customer-support correspondence. Information you send us when you contact support (e.g., your message, screenshots, and the email address from which you wrote).
• Inferences. Aggregated insights derived from the above (e.g., difficulty preference, churn signals) used to balance the Game.

We do not knowingly collect, and you should not provide, the following sensitive personal information: government identification numbers, financial-account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric identifiers, health data, or data concerning sexual orientation.

2. How and Why We Use Information

We use the information described above for the following business purposes (Cal. Civ. Code § 1798.100; GDPR Art. 6 legal bases noted in brackets):

• To create, operate, secure, and maintain your Game account, including authenticating logins and recovering forgotten passwords [contract performance];
• To deliver the Game's core features, save your progress, and synchronize purchases across re-installs [contract performance];
• To process and fulfil in-app purchases through Google Play Billing and website icons recharge orders [contract performance / legal obligation];
• To provide customer support and respond to your inquiries [contract performance];
• To send transactional notices (e.g., purchase receipts, security alerts, account-deletion confirmations) [contract performance];
• To monitor crashes, debug issues, balance heroes and events, and improve gameplay [legitimate interests];
• To detect, prevent, and respond to fraud, abuse, cheating, and security incidents [legitimate interests / legal obligation];
• To comply with applicable U.S. federal, state (including California), and other laws and to enforce our Terms of Service [legal obligation / legitimate interests];
• To send optional promotional communications, only where you have opted in (you may withdraw consent at any time) [consent].

We will not use your personal information for materially different purposes without first providing notice and, where required, obtaining your consent.

3. How We Share Personal Information

We do not sell your personal information for money, and we do not "share" it for cross-context behavioral advertising as defined under the CCPA/CPRA. We disclose information only as follows:

• Service providers (processors). Cloud hosting, account-system infrastructure, customer-support tooling, crash-reporting, analytics, and similar vendors who process data on our behalf under written agreements that prohibit independent use or onward disclosure. See Section 4 for the SDK categories involved.
• Google (Google Play Billing). In-app purchase payment data is handled by Google LLC under its own terms and privacy policy.
• Payment processors (website recharge). When you pay on our recharge page, your payment is processed by third-party payment service provider(s) acting as merchant or processor under their own terms and privacy policies. We receive only the information needed to confirm payment and credit icons to your account.
• Legal compliance. When required to comply with a subpoena, court order, lawful government request, or applicable law, or to defend our legal rights.
• Protection of rights. When we believe in good faith that disclosure is necessary to protect the safety, rights, or property of , our players, or the public.
• Corporate transactions. In a merger, acquisition, financing, reorganization, or sale of all or part of our assets, your information may be transferred. We will provide notice and, where required by law, obtain your consent.
• With your explicit consent in any other case.

4. Third-Party SDKs, Analytics, and Advertising

To operate the Game we may integrate third-party software development kits ("SDKs") that perform one or more of the following functions: crash and performance reporting, gameplay analytics, install attribution, push notifications, in-app advertising, and ad mediation. Each SDK provider acts under its own privacy policy. The categories of data they may collect include device identifiers (such as the Android Advertising ID), IP address, coarse location inferred from IP, app/device characteristics, and event-level usage data.

The current, authoritative list of SDKs in use, the categories of data they collect, and the purposes for which they are used is published in the Data Safety section of our Google Play store listing. We keep that disclosure synchronized with our actual integrations as we add or remove SDKs, and that listing supersedes any out-of-date examples that may appear elsewhere.

Your controls over advertising and identifiers:

• Android 12 or later: open Settings > Privacy > Ads and tap Delete advertising ID. After deletion, your AAID will be replaced by a string of zeros and apps cannot use it for ad personalization.
• Older Android versions: open Settings > Google > Ads and enable Opt out of Ads Personalization.
• Reset your AAID at any time from the same screen.
• Industry opt-out tools: DAA WebChoices and NAI Consumer Opt-Out.

5. Data Retention

We keep personal information only as long as necessary for the purposes described above or as required by law:

• Active account data (login credentials, profile, save data): kept while your account is active, plus up to 180 days after deletion request to allow account-recovery in the event of accidental deletion or compromise, after which it is permanently deleted or anonymized.
• Purchase and tax records: retained for up to 5 years in line with U.S. federal and applicable state tax/financial recordkeeping requirements; payment-card data is never stored by us.
• Crash logs and gameplay analytics: kept in identifiable form for up to 24 months, then aggregated or anonymized.
• Customer-support correspondence: retained for up to 3 years.
• Information subject to a legal hold: retained for the duration of the relevant proceeding, then deleted.

6. Data Security

We use commercially reasonable technical and organizational safeguards designed to protect your information, including:

• Transport encryption (TLS 1.2 or higher) for all data sent between the Game and our servers;
• Encryption at rest for credentials and other sensitive fields, with hashed-and-salted password storage;
• Role-based access controls and least-privilege principles for our personnel;
• Periodic security review and vulnerability remediation.

No system is 100% secure. If a personal-information breach occurs that affects your rights, we will notify affected California residents in accordance with Cal. Civ. Code § 1798.29 / § 1798.82 and other applicable breach-notification laws within the legally required timeframe.

7. International Data Transfers and Storage Location

We are based in the State of Wyoming, United States, with our principal business address at . Personal information we collect is processed and stored on servers located in the United States and may be processed by service providers in other countries on our behalf. If you are located outside the United States, by using the Game or our website you understand that your information will be transferred to and processed in the United States, which may have data-protection laws different from those in your jurisdiction.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) or another lawful transfer mechanism, with supplementary measures where necessary.

8. Children's Privacy (COPPA)

Wicked Wonderland: Idle RPG is not directed to children under the age of 13 in the United States, nor to children under the applicable age of digital consent in their jurisdiction (16 by default in the EEA, lower in some Member States). We do not knowingly collect personal information from such children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at and we will investigate and, where appropriate, delete the information without delay. Parents may also block in-app purchases through Google Play's parental controls and Google Family Link.

9. Account and Data Deletion

You may request deletion of your account and associated personal information at any time. We provide both an in-app option and a web-accessible request channel, in line with Google Play's account-deletion requirements:

• In-app: open Settings → Account → Delete Account in the Game and follow the on-screen confirmation.
• By email: send a request from the email address associated with your account to with the subject line "Account Deletion Request" and include your in-game player ID or registered email/phone for verification.

What we delete: your login credentials, profile, saved game progress, customer-support history tied to your account, and any other personal information we hold about you that is not subject to a legal retention requirement.

What we may retain (in limited form):

• Purchase, refund, and tax records — retained as required by U.S. federal and applicable state tax law (up to 5 years);
• Aggregated or de-identified analytics that can no longer reasonably be linked to you;
• Records necessary to detect or prevent fraud, abuse, or security incidents (e.g., a list of banned device hashes);
• Information we are required to keep under a legal hold or in response to a lawful government request.

Timing: we will acknowledge your request within 2 business days and complete deletion within 30 days of verification, unless a longer period is required by law. After deletion, your account cannot be recovered. We will confirm completion by email.

10. Your Rights as a California Resident (CCPA / CPRA)

If you are a California resident, you have the following rights under Cal. Civ. Code § 1798.100 et seq.:

• Right to Know — what categories and specific pieces of personal information we have collected about you, the sources, purposes, and the categories of third parties with whom we have disclosed it (covering the prior 12 months).
• Right to Delete — request deletion of personal information we hold about you, subject to statutory exceptions (e.g., information necessary to complete a transaction, comply with a legal obligation, or detect fraud).
• Right to Correct — request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing — we do not sell or share personal information for cross-context behavioral advertising. If that ever changes, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" mechanism.
• Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes other than those expressly permitted by the CCPA/CPRA.
• Right to Non-Discrimination — we will not deny service, charge a different price, or provide a lower quality of service because you exercised any of these rights.

How to submit a request: email with your full name, the registered email/phone of your account, the right you want to exercise, and any information needed to verify your identity. We may ask you for additional information to verify the request. We will respond within 45 days and may extend by another 45 days where reasonably necessary, with notice. Authorized agents may submit requests on your behalf with written permission or a valid power of attorney.

11. Your Rights in the EEA, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, the United Kingdom, or Switzerland, the GDPR (or UK GDPR / Swiss FADP, as applicable) gives you the following rights with respect to your personal data:

• Access — obtain confirmation of whether we process your data and a copy of it;
• Rectification — have inaccurate or incomplete data corrected;
• Erasure ("right to be forgotten") — request deletion in the circumstances set out in GDPR Art. 17 (see Section 9 for our deletion process);
• Restriction — request that we restrict processing in the circumstances set out in GDPR Art. 18;
• Data Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller;
• Object — object to processing based on our legitimate interests, including for direct-marketing purposes;
• Withdraw Consent — where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing;
• Lodge a Complaint with your national data-protection authority. A list of EEA authorities is at edpb.europa.eu; UK residents may contact the ICO at ico.org.uk.

For all EEA/UK/Swiss requests, contact . We will respond within one month, extendable by two further months for complex requests, in line with GDPR Art. 12.

12. CalOPPA Compliance and Do-Not-Track

In accordance with the California Online Privacy Protection Act (Cal. Bus. & Prof. Code § 22575): (a) most browsers offer a "Do Not Track" ("DNT") signal, but no common industry standard yet exists for how to respond — we currently do not respond to DNT signals; (b) third-party SDKs integrated into the Game (see Section 4) may collect information about your activity over time and across services; (c) this Policy describes our practices in full and is the authoritative statement of how we handle your information.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The "Last Updated" date at the top of this page will always reflect the most recent revision. For material changes, we will provide at least 30 days' prior notice via in-game notice or email (where we have one). Your continued use of the Game after the updated Policy takes effect constitutes acceptance of the changes.

14. Contact Us

Address:
Email:
Phone:
Response time: Initial acknowledgment within 1–2 business days; CCPA / GDPR requests handled within statutory deadlines (45 days / 1 month respectively).

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of Wyoming, U.S.A., without regard to conflict-of-law principles. Disputes arising out of or relating to this Privacy Policy are subject to the exclusive jurisdiction of the state or federal courts located in Sheridan County, Wyoming, except where mandatory consumer-protection or data-protection law in your country of residence (including the GDPR) entitles you to bring proceedings before the courts or supervisory authority of your habitual residence.