This draft is intended for launch preparation.
1. Scope
This Privacy Policy applies to the processing of personal information by Vastarch and its affiliates (collectively, “we”, “us”, or “our”) in connection with Vastarch websites, games, applications, account systems, customer support, community features, and related products or services (collectively, the “Services”).
If a specific service publishes a separate privacy notice, minor protection notice, SDK directory, or platform-specific privacy rule, that document will prevail for that specific matter. For everything else, this Policy applies.
2. Information We May Collect
2.1 Information you provide
- Phone numbers, email addresses, nicknames, avatars, passwords, verification codes, and third-party account identifiers when you register, sign in, bind, or switch accounts.
- Information generated or provided when you use one-tap mobile sign-in, third-party sign-in, or guest mode for identity recognition, device binding, account upgrade, or account recovery.
- Name, government ID information, real-name verification results, and in certain cases facial verification results or other legally required verification data for identity checks, minor protection, or sensitive operations.
- Order records, payment status, transaction identifiers, reconciliation data, and necessary payment verification materials when you purchase, redeem, subscribe, request invoices, or seek refunds.
- Text, images, videos, recordings, screenshots, evidence, or explanations you submit in support requests, complaints, appeals, reports, campaigns, surveys, community interactions, or infringement notices.
2.2 Information collected automatically
- Device and network data such as device model, OS, device identifiers, language and region settings, browser type, app version, IP address, network type, crash logs, and performance data.
- Service logs and behavioral data such as sign-in times, pages visited, clicks, launch records, interaction history, game progress, payment history, error reports, safety logs, anti-cheat logs, and fraud-prevention logs.
- Location data. Certain features may request precise or approximate location with your permission; if you decline, those features may not work.
- Cookies, local storage, and similar technologies used to keep you signed in, remember preferences, protect security, analyze traffic, and improve the experience.
2.3 Information from third parties
Where permitted by law and subject to required authorization, we may receive information about your use of the Services from third-party sign-in providers, app stores, payment services, identity verification services, SMS providers, security vendors, cloud vendors, or ad measurement partners, such as sign-in identifiers, payment results, verification results, risk labels, attribution data, or device risk information.
3. How We Use Personal Information
We may use relevant information to:
- provide registration, sign-in, identity verification, account management, customer support, security verification, and communications;
- operate websites, games, communities, payments, virtual items, order fulfillment, after-sales handling, and other core functions;
- protect platform, account, and transaction security by detecting unusual sign-ins, cheats, automation, payment fraud, abusive traffic, system attacks, and other prohibited activity;
- maintain, debug, monitor, optimize, and improve the Services, including crash analysis, performance analysis, compatibility analysis, A/B testing, and user research;
- send service notices, campaign messages, safety alerts, version updates, outage notices, or other communications related to contract performance;
- perform analytics, campaign measurement, ad monitoring, push delivery, or operational analysis where authorized or otherwise permitted by law;
- comply with legal obligations, handle complaints and reports, resolve disputes, respond to lawful requests, and protect the lawful rights and interests of us and other users.
If we plan to use personal information for a purpose not described in this Policy, or to use information collected for one purpose in another way, we will provide further notice and obtain consent where required.
4. Legal Bases for Processing
Where applicable law allows, our legal bases may include:
- necessity for entering into and performing a contract with you;
- necessity for compliance with legal obligations;
- necessity for responding to public health emergencies or protecting life, health, or property in emergencies;
- reasonable processing of information you have made public or that has otherwise been lawfully disclosed;
- necessity for maintaining secure and stable operations, combating cheats and fraud, resolving disputes, or protecting lawful rights and interests;
- your consent or separate consent;
- other grounds recognized by law.
5. Sharing, Transfers, and Public Disclosure
5.1 Sharing
We do not sell your personal information. We share it only when necessary:
- with your authorization or consent;
- with payment, identity, SMS, one-tap sign-in, third-party sign-in, cloud, CDN, customer support, security, crash reporting, analytics, ad measurement, or push providers where necessary to operate the Services;
- with regulators, courts, law enforcement, or other competent authorities where required by law;
- where necessary for account security, platform security, anti-cheat, anti-fraud, dispute handling, infringement handling, or overseas operations support.
5.2 Transfers
We do not generally transfer your personal information to another company, organization, or individual. If a merger, split, restructuring, asset transfer, change of control, or similar transaction requires a transfer, we will comply with applicable legal notice obligations and require the recipient to continue protecting the information to a standard no lower than this Policy.
5.3 Public disclosure
We disclose personal information publicly only when:
- you give separate consent;
- disclosure is required by law or by a binding legal process; or
- we need to publish the minimum necessary information for safety notices, prize lists, or enforcement outcomes.
6. Cross-border Transfers and Overseas Operations
The Services may involve overseas publishing, cross-border deployment, overseas nodes, offshore support, or offshore cloud vendors. If we need to provide your personal information outside mainland China, we will follow applicable legal procedures and use contracts, assessments, certifications, encryption, access controls, or other reasonable measures to ensure a level of protection no lower than required by this Policy.
7. Storage and Security
We retain personal information only for as long as necessary to achieve the purposes described in this Policy, unless law, regulators, dispute handling, security review, or anti-cheat evidence preservation requires longer retention. After that, we will delete or anonymize the information as required by law.
We use reasonable and practical security measures, including access controls, privilege separation, encrypted transmission, audit logging, backups, monitoring, environment hardening, and staff permission management.
No internet environment is absolutely secure. If a personal information security incident occurs, we will take remedial action and provide notice where required by law.
8. Protection of Minors
We take minors’ personal information seriously. If you are under 18, you should use the Services with the consent and guidance of your guardian. Depending on legal requirements and business needs, we may apply real-name verification, time limits, spending limits, content restrictions, guardian verification, or high-risk activity review.
For minor protection questions or concerns, please contact Protected email .
9. Your Rights and Response Time
Subject to applicable law, you generally have the right to:
- access and copy your personal information;
- correct or supplement inaccurate or incomplete information;
- request deletion where deletion conditions are met;
- change or withdraw consent;
- request account cancellation;
- ask for an explanation of our processing rules;
- request restriction, portability, or a copy where applicable law provides those rights.
To protect account and data security, we may verify your identity before acting. In general:
- we will respond within 15 business days after receiving a valid request and completing identity verification;
- account cancellation requests will generally be completed within 15 business days after verification, except where retention is required by law;
- eligible deletion requests will generally be completed through deletion or anonymization within 15 business days after confirmation;
- consent withdrawal requests will generally be implemented within 15 business days after verification, without affecting processing already carried out before withdrawal.
You may submit privacy rights requests through Protected email , and general support requests through Protected email .
10. Third-party Services, External Links, and Notices
The Services may include third-party sites, SDKs, payment channels, sign-in interfaces, social sharing tools, or other external links. Those third parties operate independently and apply their own terms and privacy policies.
We may also communicate with you by SMS, email, in-product messages, popups, push notifications, or system messages regarding account safety, order fulfillment, service changes, privacy updates, or legal compliance.
11. Updates to This Policy
We may update this Policy in response to legal changes, regulatory requirements, business development, product changes, security governance needs, or overseas operation arrangements. Updated versions will be communicated through website notices, page prompts, popups, in-product messages, or other reasonable means and will take effect on the stated date.
If an update materially affects your rights or obligations, we will use a more prominent notice and seek renewed consent where required by law.
12. Contact Us
If you have questions, comments, privacy requests, complaints, minor protection concerns, account cancellation requests, or infringement notices, you may contact us at:
- Customer support: Protected email
- Legal: Protected email
- Privacy: Protected email
- Complaints: Protected email
- Infringement notices: Protected email
- Minor protection: Protected email
Appendix A: Third-party SDK Directory
| SDK / Service | Provider | Purpose | Potential data involved | Retention note |
|---|---|---|---|---|
| Analytics SDK (placeholder) | [Provider to be filled] | Measure visits, feature usage, retention, and conversion. | Device identifiers, page visits, event telemetry, network environment details. | Retained for the period required by service delivery; default rule to be filled. |
| Crash Reporting / Performance SDK (placeholder) | [Provider to be filled] | Troubleshooting, stability monitoring, performance analysis, and compatibility optimization. | Crash logs, device model, OS version, app version, network status. | Retained for troubleshooting and security review; default rule to be filled. |
| Anti-cheat / Security Risk SDK (placeholder) | [Provider to be filled] | Detect cheats, automation, device anomalies, payment fraud, or other risk signals. | Device environment details, login logs, risk labels, abnormal behavior records. | Retained for fraud prevention and dispute handling; default rule to be filled. |
Appendix B: Device Permission Notice
| Permission / capability | Purpose | When requested / impact |
|---|---|---|
| Phone number / one-tap sign-in capability | Fast sign-in, account recovery, risk verification, and service notifications. | Requested only when relevant; refusing it may disable one-tap sign-in or SMS verification. |
| Camera / facial verification capability (if applicable) | Enhanced real-name verification, minor protection, or high-risk operation review. | Requested only in specific identity verification flows and not used by default. |
| Photo library / storage access | Upload avatars, screenshots, appeal materials, community content, or support attachments. | Used only when you actively upload content; refusing it does not block basic browsing. |
| Push notification permission | Service notices, campaign reminders, safety alerts, and version updates. | Can be disabled in system settings at any time; disabling it stops push delivery. |
Appendix C: Third-party Sharing Directory
| Recipient type | Sharing scenario | Shared data scope | Control measures |
|---|---|---|---|
| Cloud / CDN / overseas node provider (placeholder) | Site delivery, asset acceleration, overseas access optimization, log hosting, or disaster recovery. | IP address, request logs, device and browser information, cache identifiers. | Restricted by contract and access controls, with corresponding security requirements. |
| Payment, identity, SMS, or third-party sign-in provider (placeholder) | Orders, risk verification, real-name checks, one-tap sign-in, SMS delivery, or federated login. | Phone number, order data, verification results, third-party account identifiers, OTP status. | Shared only when the relevant feature is triggered and managed under law and contract. |