Car Paint - Privacy Policy

Last updated: 11.03.2026

This Privacy Policy explains how THE CODE IS LAVA SRL ("we", "us", "our") collects, uses, shares, and protects information when you use the Car Paint game and related services (the "Service").

1. Who We Are

• Controller: THE CODE IS LAVA SRL
• Email: [email protected]

2. Information We Collect

Account and profile information

• Username and password for accounts created directly with us. Passwords are stored as a secure hash.
• Account identifiers and timestamps, such as user ID, created/updated dates, and linked sign-in method.
• Optional email address if you provide one during registration.
• Email address and basic profile data that may be provided by Google Sign-In or Sign in with Apple, subject to those providers' settings and policies.

Gameplay and community data

• Game progress and achievements, including level progress, missions, mystery progress, free play summaries, total cars painted, challenge activity, and claimed objectives.
• Coins, owned colors, owned vehicles, upgrades, purchases, and reward status.
• Leaderboard, challenge, and public profile data, including username, scores, selected vehicle, and other profile elements made visible to other players.

Purchases and rewards

• Product identifiers, purchase status, and transaction-related information received from Apple App Store or Google Play to deliver purchased coins and in-game rewards.
• Ad reward session data and reward claim status used to validate rewarded ads.
• We do not receive or store your payment card details.

Analytics and app activity

• We use Mixpanel to collect analytics about app usage and in-app interactions, such as app opens, screen views, gameplay events, purchases, rewards, challenge activity, and settings changes.
• Mixpanel may process identifiers linked to your account, such as your user ID and username, together with event and device-related metadata.

Notifications and device registration

• We use Firebase Cloud Messaging to support push notifications.
• This may include push token or device registration token, notification permission status, locale, timezone, platform, and notification interaction data.

Ad-related data

• We use Appodeal to serve interstitial and rewarded ads. Appodeal and its downstream ad partners may collect data such as device identifiers, advertising identifiers, IP address, app interaction data, ad performance data, diagnostics, and approximate location derived from IP address.
• Ad partners may use this information for ad delivery, fraud prevention, frequency capping, measurement, and related ad operations, subject to their own policies and user choices where applicable.

Technical data

• Server and service logs may include IP address, device type, operating system version, app version, timestamps, request metadata, and diagnostics used for security, fraud prevention, support, and debugging.

Local device storage

• We store auth token, refresh token, and locale preference on your device using secure storage to keep you logged in and remember language settings.

3. How We Use Information

• Provide, maintain, and operate the Service and keep your account active.
• Authenticate users through password login, Google Sign-In, and Sign in with Apple.
• Save progress, process gameplay actions, manage leaderboards and challenges, and deliver rewards.
• Process purchases and validate rewarded ad grants.
• Send and manage push notifications and register your device for notification delivery.
• Measure usage, improve the Service, and understand engagement through analytics.
• Serve ads and measure ad performance.
• Maintain security, prevent fraud and abuse, troubleshoot issues, and comply with legal obligations.

4. Legal Bases (EEA/UK)

• Contract: to provide the Service you request.
• Legitimate interests: to secure, analyze, support, and improve the Service.
• Consent: where required for personalized ads, tracking, or notifications.
• Legal obligations: to comply with applicable law.

5. Sharing and Disclosure

• Service providers that host our backend, infrastructure, and support systems.
• Analytics provider Mixpanel.
• Push notification provider Firebase Cloud Messaging.
• Authentication providers Google Sign-In and Sign in with Apple.
• Appodeal and its advertising partners for ad delivery, measurement, and fraud prevention.
• Apple App Store, Google Play, and payment-related platform providers to complete purchases and validate transactions.
• Authorities or other parties when required by law or necessary to protect rights, safety, or the integrity of the Service.

We do not sell your personal information for money. We may share limited data with advertising partners as part of ad delivery and measurement, as described above and subject to applicable law.

6. International Transfers

We and our service providers may process data in countries other than where you live. When required, we use appropriate safeguards to protect data transferred internationally.

7. Data Retention

We keep data for as long as needed to provide the Service, maintain your account, comply with legal obligations, resolve disputes, and enforce our agreements. You can request account deletion in the app settings. Some logs, analytics records, and fraud-prevention records may be retained for a limited period where reasonably necessary.

8. Your Rights

• Access, correct, or delete your personal data.
• Object to or restrict certain processing.
• Request data portability where applicable.
• Withdraw consent for notifications or personalized advertising where consent is the legal basis.

US (CCPA/CPRA) and Canada (PIPEDA) rights may include the right to know, access, delete, correct, and opt out of certain sharing. To exercise your rights, contact us using the email above.

9. Children and Families

The Service is intended for a general audience. If a child under 13 (or under 16 in the EEA/UK) uses the Service, a parent or guardian must review and consent where required by law. If you believe a child provided personal data without required consent, contact us to request deletion.

10. Security

• We use reasonable administrative, technical, and organizational safeguards to protect data, including password hashing and encryption in transit where supported.
• No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

11. Changes

We may update this Policy from time to time. We will update the "Last updated" date and provide additional notice if required by law.