Privacy Policy — DuelIQ
This Privacy Policy explains what data is collected when you use the DuelIQ ("App") mobile game, how it is used, and what rights you have. By creating an account and playing the App, you agree to this policy.
DuelIQ is a real-time 1v1 trivia duel game. Some features (account, matchmaking, leaderboards, friends, in-app purchases) require us to process personal data, as described below.
1. Data We Collect
1.1 Data You Provide
- Account credentials: Email address and password (the password is stored only as a one-way hash; we never see or store your raw password).
- Profile information: Username (3-16 characters), avatar selection, optional display name.
- Authentication tokens: When you sign in, we issue access and refresh tokens stored on your device.
- Friend interactions: Friend requests, accepted friendships, and challenge messages you send to other players.
- In-app communication: Optional emoji or quick reactions sent to your opponent during or after a match (no free-text chat).
1.2 Automatically Collected Data
- Match data: Selected category, bet amount (in virtual coins), per-question answer, response time, ELO change, win/loss outcome, opponent's anonymous ID, and match duration.
- Game economy data: Coin balance, XP, level, daily login streak, completed quests, badges earned, and avatar inventory.
- Connection data: IP address (used for rate limiting, anti-cheat, and approximate region detection), device type, operating system version, app version, language and timezone.
- Push notification token: A device-specific token (issued by Expo Push / FCM) used to send match invites, challenge alerts, and promotional notifications you've opted into.
- Purchase data: Through RevenueCat and Google Play Billing, we record which coin packages or premium subscriptions you bought, the transaction ID, and the purchase status (active / expired / refunded). We do not see or store your credit card or payment method.
- Diagnostic data: Crash reports, performance traces, and breadcrumbs (last screens visited, last actions taken) collected by Sentry to help us fix bugs.
- Analytics events: Anonymized usage events (match started, match completed, category selected, purchase made, etc.) collected by PostHog to help us improve the game.
- Advertising data: Through Google AdMob, we may process the device Advertising ID, IP address, device type, operating system version, language settings, and ad-interaction metrics.
1.3 Data Stored Locally on Your Device
The following information is stored on-device (in encrypted MMKV storage) and never leaves your device unless you explicitly trigger a sync or upload:
- UI preferences (theme, sound, haptics, language)
- Pending match state (if you lose connection mid-game so we can restore the round)
- Local cache of leaderboard, friends list, and match history (refetched from server)
- Onboarding completion flags
If you uninstall the App, this local data is removed with it. The server-side copy of your account remains until you delete the account (see §6).
2. How We Use the Data
We use the data we collect only for the following purposes:
- Account and authentication: To create your account, verify your email, sign you in, and maintain your session.
- Matchmaking: To find suitable opponents based on your ELO and bet selection, and to assign a bot opponent if no human is found within 30 seconds.
- Gameplay integrity: To run real-time matches, validate answers, calculate scores, prevent cheating, and update your ELO and coin balance.
- Leaderboards and social features: To display your username, avatar, and ELO on global / weekly / friend leaderboards, and to deliver friend requests and challenges.
- In-app purchases: To process coin pack and premium subscription purchases, restore previous purchases, and enforce premium entitlements.
- Notifications: To send you match invites, challenge alerts, daily reward reminders, and other notifications you've consented to.
- Customer support: To investigate and respond to your support requests.
- Crash diagnostics and performance: To identify, reproduce, and fix bugs.
- Analytics: To understand which features are used, where players drop off, and how to improve the game.
- Advertising: To serve ads (banner, interstitial, rewarded) and measure ad performance via Google AdMob.
- Legal compliance: To meet our obligations under tax, anti-fraud, and consumer protection laws.
We do not sell your data and do not share it with third parties for their own marketing.
3. Third-Party Services
The App relies on the following services. Each provider has its own privacy policy that applies in addition to this one:
| Service | Purpose | Policy |
|---|---|---|
| DuelIQ Backend (Yoatech) | Account, matchmaking, leaderboards, game economy | This document |
| Expo / EAS | Push notification delivery and OTA updates | https://expo.dev/privacy |
| Firebase Cloud Messaging (FCM) | Android push notification transport | https://firebase.google.com/support/privacy |
| RevenueCat | In-app purchase management and subscription validation | https://www.revenuecat.com/privacy/ |
| Google Play Billing | Payment processing for in-app purchases (Android) | https://policies.google.com/privacy |
| Google AdMob | Ad serving, ad personalization, and ad measurement | https://policies.google.com/technologies/ads |
| Sentry (functional-software.com) | Crash diagnostics and performance monitoring | https://sentry.io/privacy/ |
| PostHog | Product analytics (anonymized event tracking) | https://posthog.com/privacy |
These services process data under their own standards and legal obligations. Sentry and our backend are hosted in the European Union (Germany) for data residency.
4. Personalized Advertising
Google AdMob may show personalized ads based on your interests. Inside the App we display a Google-certified consent screen (UMP / Funding Choices) that asks for your permission before any personalized advertising data is collected. You can change your choice anytime:
- Android: Settings → Google → Ads → "Opt out of Ads Personalization"
- Reset advertising ID: Available from the same menu
- Inside DuelIQ: Settings → Privacy → "Reset ad consent" (will re-show the consent dialog on next launch)
If you are located in the European Union, the United Kingdom, or any other region with GDPR-equivalent rules, the consent screen is required by law and your preferences are stored both on your device and on AdMob's servers.
5. Virtual Coins, Bets, and Simulated Gambling
DuelIQ uses an in-game currency called coins. Coins can be earned for free (registration bonus, daily login, winning matches, completing quests, watching rewarded ads) or purchased with real money through Google Play Billing. Players may bet coins on a match; the winner takes the pool.
This is simulated gambling only:
- Coins have no real-world cash value and cannot be withdrawn, traded, or sold for real money.
- Coin purchases are non-refundable except where required by Google Play's refund policy or applicable consumer law.
- The App is rated for ages 13+ because of this simulated gambling mechanic.
DuelIQ does not offer real-money gambling and is not a licensed gambling product.
6. Children's Privacy
The App is not directed at children under 13. During registration we ask you to confirm that you are at least 13 years old. If you are between 13 and 18, you should obtain parental or guardian consent before creating an account, in accordance with KVKK Art. 5 / GDPR Art. 8.
We do not knowingly collect personal information from children under 13. If you believe your child has provided us with data, please contact us at bubiziyorar@gmail.com and we will delete the account and associated data as soon as possible.
7. Data Retention
- Active accounts: Account, profile, match history, and leaderboard data are stored for as long as your account is active.
- Account deletion request: When you request account deletion (in-app: Settings → Account → "Delete account", or by emailing us), your account is soft-deleted within 24 hours and permanently erased within 30 days, except for records we are legally required to retain.
- Inactive accounts: Accounts that have not been signed into for 24 consecutive months may be marked inactive; we may anonymize or delete inactive accounts after notifying you at the email on file.
- Match logs: Detailed per-question logs are retained for 90 days for anti-cheat investigations, then aggregated.
- Crash reports (Sentry): Retained for 90 days, then auto-deleted.
- Analytics events (PostHog): Retained for 12 months, then aggregated to anonymous cohorts.
- Purchase records: Retained for at least 10 years to comply with Turkish tax law (Law No. 213) and similar obligations elsewhere. Purchase records are linked to your anonymous user ID, not your name.
- Advertising data: Subject to Google AdMob's retention policies.
8. Your Rights
Depending on your jurisdiction (GDPR, CCPA, KVKK, etc.), you have the right to:
- Access — Know what data we process about you.
- Rectification — Request correction of inaccurate data.
- Erasure ("right to be forgotten") — Request deletion of your data.
- Restriction — Limit how we process your data.
- Portability — Receive your data in a machine-readable format.
- Objection — Object to processing for direct marketing or analytics.
- Withdraw consent — Withdraw any previously given consent (e.g., for personalized ads).
- Lodge a complaint — File a complaint with the competent data protection authority (KVK Kurulu in Turkey, or your local DPA in the EU/UK).
To exercise these rights, contact: bubiziyorar@gmail.com. We respond within 30 days.
You can also delete your account directly from the App: Settings → Account → Delete account.
9. Data Security
- All communication between the App and our servers uses TLS 1.3 encryption.
- Passwords are hashed with bcrypt (cost factor 12) before storage; we never see your raw password.
- Server-side access is restricted by role-based access control and audited.
- The Android build pins the SSL certificate of api.dueliq.com so the App will refuse to connect to a server impersonating us.
- Match results are validated server-side; the client cannot self-report a win.
- Rate limiting and anomaly detection are in place to prevent brute-force, scraping, and abuse.
- Database backups are encrypted at rest (AES-256).
No system is 100% secure; in the unlikely event of a data breach affecting your personal data, we will notify you and the competent authorities within 72 hours of becoming aware, in accordance with KVKK Art. 12 / GDPR Art. 33.
10. International Data Transfers
DuelIQ's primary servers are hosted in the European Union. Some sub-processors (Google AdMob, Google Play Billing, PostHog) may process data in the United States. Such transfers rely on the European Commission's Standard Contractual Clauses (SCCs) or applicable adequacy decisions.
11. Changes to This Policy
We may update this policy from time to time. When we make material changes (e.g., adding a new sub-processor, changing data retention) we will:
- Update the effective date at the top of this document.
- Display a notice inside the App on next launch, and require re-consent where the law requires it.
- Email registered users for substantive changes.
The current version is always available at https://dueliq.com/privacy.
12. Contact
For questions, requests, or complaints about this policy:
Data Controller: Yoatech
Email: bubiziyorar@gmail.com
Postal address: (provided upon request via email)
This Privacy Policy is published in English. A Turkish translation is available at https://dueliq.com/privacy/tr. In case of inconsistency between translations, the English text prevails.