Privacy Policy

Last updated: May 31, 2026 · Effective on first install

Plain summary. Guess The Plate stores the minimum data needed to run the game — your Apple-anonymized user ID, your chosen nickname, your in-game progress, and (if you upload one) a profile photo that has passed automated moderation. We do not sell data. We do not run third-party advertising trackers. Account deletion is one tap in the app, and we keep an auditable record proving the deletion ran.

1. Who we are

"Guess The Plate" (the "Service") is a mobile game published by Hole in the Roof Studios LLC, based in Houston, Texas, USA. References to "we," "us," or "our" mean Hole in the Roof Studios LLC. References to "you" mean the person using the Service.

For privacy questions or rights requests, write us at privacy@guesstheplate.com.

2. The data we collect, and why

2.1 Information you give us

  • Sign in with Apple identifiers. When you sign in, Apple gives us a privacy-relayed user identifier (an opaque string — not your real Apple ID, not your real email). If you choose to share your name or relay email with us, Apple delivers those on your first sign-in only. We use the identifier to recognize your account across launches and the (optional) email only to send you moderation outcomes if your uploaded content is rejected.
  • Nickname. A 3–16-character display name you choose. Public to other players who see your weekly leaderboard ranking. Stored alongside a normalized lowercase form so we can enforce uniqueness without leaking your exact capitalization.
  • Profile photo (optional). If you upload a photo, it is first stripped of all EXIF / GPS metadata on your device, then uploaded to encrypted Cloud Storage and scanned by Google Cloud Vision SafeSearch for explicit content before it is ever shown. Photos that pass moderation are served from the public CDN; photos that fail are placed on a 365-day legal hold (to meet the REPORT Act, 18 USC §2258A, obligation if applicable) and are not visible in the app.
  • Reports you file or are filed against you. When you report another user or photo, we store the report alongside the reason you selected and any optional 500-character free text you wrote. Reports are reviewed by a human moderator.

2.2 Information your device sends automatically

  • Game progress. Coin balance, current streak, completed plates, trophies unlocked, current week's quest plate, settings preferences. Stored so you don't lose progress when you re-install or change phones.
  • Purchase receipts. Apple sends us transaction identifiers when you buy a coin pack, VIP, or no-ads upgrade — we never see your card number. Used to grant your purchase and honor refunds.
  • App Check device attestation. A per-device cryptographic token from Apple's App Attest framework that proves the requests are coming from a genuine, unmodified copy of the app. We don't get a device serial number from it; we only see "pass" or "fail."
  • Crash logs. If the app crashes, an anonymized stack trace and the iOS version may be sent so we can fix the bug. No personal content is included.

2.3 What we don't collect

  • We do not collect your phone's location. The privacy nutrition label declares NO Location data and we enforce this by stripping GPS metadata from any uploaded photo on your device before it leaves.
  • We do not embed any third-party advertising SDKs, and the app shows no ads at all — no banners, no interstitials, no rewarded video. Because there is no advertising, there is no ad-related tracking, no IDFA use, and no App Tracking Transparency prompt.
  • We do not collect your contacts, calendar, microphone (except in real time during voice mode — see §2.4), camera roll content (we only see the single image you pick), or any health data.

2.4 Voice mode is on-device

When you enable voice answers, your spoken words are processed by Apple's on-device speech recognition engine. Your audio is not sent to our servers. We never receive recordings.

3. How long we keep it

  • Account data (Apple ID hash, nickname, progress): for the life of your account, or until you delete it.
  • Profile photos that passed moderation: until you replace or delete them, or until your account is deleted.
  • Profile photos that failed moderation: retained 365 days under a legal hold so we can respond to lawful requests from authorities (REPORT Act §2258A). Not visible in the app. Then permanently deleted.
  • Reports against your account: retained under Article 17(3)(e) GDPR if a moderation action is pending, even after the reported user's account is deleted, so that a bad actor cannot erase the safety record by deleting their account.
  • Cascade audit records: when your account is deleted, we write a pseudonymized record (your user ID is salted and hashed, not stored in clear) of which tables were swept and which retentions relied on which legal basis. The audit record is retained for 7 years; the receipt issued to you is retained for 24 hours.

4. Account deletion

You can delete your account from Settings → Account → Delete my account inside the app at any time.

  1. The deletion request is recorded immediately. You're signed out instantly.
  2. A 30-day grace window starts. Signing back in within 30 days with the same Apple ID fully restores your account.
  3. At the 30-day mark, a server-side cascade runs and: clears your account record, releases your nickname back to the pool, deletes any approved photos, pseudonymizes any reports you filed (so the safety record survives), and writes the audit entry.
  4. Optional: when the cascade completes, we send a one-time confirmation email to the privacy-relayed address Apple gave us (if you shared one).

5. Sharing — who else sees this data

We share data only with the service providers that make the app work. Specifically:

  • Apple Inc. — Sign in with Apple, App Store payments, App Attest, on-device speech recognition. Governed by Apple's privacy policy.
  • Google Cloud Platform (Firebase) — our backend hosting, database (Firestore), Cloud Storage, Cloud Vision content moderation, and Cloud Functions. We do not use Firebase Analytics, Crashlytics, advertising, or any cross-app tracking SDK. Governed by the Google Cloud Data Processing Addendum. Our default region is us-central1 (Iowa, USA).

We do not sell your data to anyone. We do not transfer your data to third parties for behavioral advertising. If we ever change this we will obtain affirmative consent first and clearly state it here.

6. Your rights

6.1 If you are in the European Economic Area, the UK, or Switzerland (GDPR)

You have the right to access, rectify, port, restrict, object to the processing of, and erase your personal data. Most of these you can exercise directly in-app (your profile, your nickname, account deletion). For others, email privacy@guesstheplate.com — we will respond within 30 days. The legal bases we rely on are: performance of a contract (running the game for you), legitimate interest (security, anti-abuse, basic moderation), and legal obligation (REPORT Act / lawful requests). You also have the right to lodge a complaint with your national data-protection authority.

6.2 If you are in California (CCPA / CPRA)

You have the right to know what we collect, request deletion, correct inaccurate information, and not be retaliated against for exercising any of these rights. We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA. Use the in-app deletion flow or email privacy@guesstheplate.com.

6.3 If you are anywhere else

You have the same rights. Email privacy@guesstheplate.com and we will respond.

7. Children

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). The App Store age rating for Guess The Plate is 4+ for content suitability, but Sign in with Apple is restricted by Apple to age-eligible Apple ID holders, which is our front-line eligibility check. We do not knowingly collect data from anyone under 13. If we learn that we have, we will delete the account and the associated data promptly. Parents who believe their child has signed in despite the Apple-side gate can write us at privacy@guesstheplate.com for an expedited deletion.

8. International data transfers

Our backend runs in us-central1 (Iowa, USA). If you use the Service from outside the United States, your data is transferred to and processed in the United States. For transfers from the EEA / UK / Switzerland we rely on the European Commission's Standard Contractual Clauses with Google as our processor.

9. Security

All data in transit is protected by HTTPS / TLS 1.2+. All at-rest storage is encrypted by Google Cloud's default AES-256 with Google-managed keys. Authentication is gated by Sign in with Apple plus Apple's App Attest (device cryptographic proof). Server-side endpoints require both a verified Apple identity token and a valid App Check token; requests with missing or invalid attestation receive HTTP 401. No security control is unbreakable, but we use industry-standard defenses and minimize what we hold so a worst-case leak is minimally harmful.

10. Cookies / tracking on this website

This marketing website (guesstheplate.com) sets no analytics cookies and no advertising cookies. The site is static HTML on Firebase Hosting; the only third-party connection is to Google Fonts to load the typefaces. We do not track which pages you read or how long you stay.

11. Changes to this policy

If we materially change how we collect or use data we will update the "Last updated" date above and surface a notice in the app the next time you launch. Continued use after a change means you accept the updated policy.

12. Contact

Email: privacy@guesstheplate.com
Postal: Hole in the Roof Studios LLC, Houston, Texas, USA (full mailing address on request).


This document is provided for transparency and ease of reading. Where this summary conflicts with applicable law, applicable law controls.