Privacy Policy

Effective date: June 22, 2026 Last updated: June 22, 2026 App: Paw Merge Idle (the "App") Operator: Appazzola LLC, 231 E Canal St, Hershey, PA 17033 ("Appazzola", "we", "us", "our") General contact: contact@appazzola.com Privacy and legal contact: legal@appazzola.com

1. Scope

This Privacy Policy explains how we and our service providers collect, use, disclose, retain, and protect information when you use Paw Merge Idle. It covers gameplay, local saves, Firebase authentication, cloud save, public leaderboards, display-name moderation, player mail, events, local reminders and notifications, advertising, analytics, crash reporting, in-app purchases, subscriptions, and support interactions.

This policy does not apply to third-party websites, app stores, payment processors, ad networks, or identity providers except where we describe how they help us operate the App.

2. Summary

Paw Merge Idle is a casual idle/merge game. You can play with local progress, and the App may also create an anonymous Firebase account so progress can be saved to the cloud when Firebase is available. You may optionally link Google Sign-In or Sign in with Apple.

The App uses:

Firebase Authentication for anonymous, Google, and Apple sign-in.
Cloud Firestore for cloud-save storage.
Firebase Cloud Functions for leaderboard score validation, display-name moderation, reports, account deletion, legal-acceptance recording, RevenueCat webhook handling, Apple Sign in account-lifecycle notifications, scheduled cleanup, and moderation/support notifications.
Firebase App Check to verify that backend requests come from authentic builds of the App, using Google Play Integrity on Android and Apple App Attest (with DeviceCheck fallback) on iOS.
Firebase Analytics in production builds for gameplay and product analytics.
Firebase Crashlytics in production builds for crash diagnostics.
Google Mobile Ads / AdMob for rewarded and interstitial advertising.
Google User Messaging Platform (UMP) for consent collection where required.
Apple App Tracking Transparency (ATT) on iOS where tracking permission is required.
Local notifications for optional offline earnings, daily streak, event, and quest reminders.
RevenueCat to manage in-app purchase and subscription entitlements.
Google Fonts for app typography, unless fonts are bundled or cached on your device.
Apple App Store and Google Play for purchases, subscriptions, refunds, billing, and store account management.

The App does not require precise location, contacts, photos, camera, microphone, phone number, or postal address to play. Notifications are optional and can be managed through the App and your device settings.

3. Information We Process

Depending on your device, platform, region, settings, consent choices, and how you use the App, we and our service providers may process the following categories of information.

3.1 Gameplay and Save Data

The App stores gameplay and progression data locally on your device and, when Firebase is available, in Cloud Firestore under your Firebase user ID. This may include:

Catnip, gems, stars, free spawns, boosts, timers, cooldowns, offline earnings, streaks, quest progress, achievements, prestige progress, and merge-board state.
Unlocked cats, rooms, room items, item levels, cosmetics, themes, skins, paw skins, themed decor, and decor positions.
Event progress, remote-event state, player-mail read status, player-mail reward-claim status, and IDs of mail or event rewards you have claimed.
Purchase and entitlement flags such as remove-ads status, starter pack status, and Cat Club subscription status.
Settings such as sound, music, and vibration preferences.
Save timestamps and cloud-save update timestamps.
Leaderboard-related progress values used to validate and submit scores, such as lifetime catnip earned, prestige count, and golden paws claimed.

3.2 Leaderboards, Display Names, Reports, and Moderation

When Firebase leaderboards are enabled, the App may process:

A guest display name, such as Guest######, automatically assigned to your Firebase user ID.
Any leaderboard display name you choose, plus a normalized lowercase version used to reserve names and prevent duplicates.
Leaderboard rows that include your Firebase user ID, display name, score, board ID, rank position derived from scores, and update timestamp.
Display-name reports submitted by other players, including reporter Firebase user ID, reported Firebase user ID, board ID, reported display name, optional report reason, report status, and timestamps.
Moderation state such as report counts, forced-rename flags, leaderboard bans, risk flags related to refunds, and manual moderation actions.

Leaderboard rows are readable by signed-in players and may show your display name, score, and rank. Firebase user IDs are used internally to key rows and identify your own row; they are not intended as user-facing names, but they are part of the leaderboard record.

3.3 Player Mail, Events, and Server-Authored Content

The App may fetch server-authored player mail, announcements, patch notes, compensation messages, gifts, and event definitions from Cloud Firestore. These records may include message IDs, titles, body text, visibility windows, reward amounts, event names, event windows, and event configuration payloads.

The player-mail and event records themselves are generally broadcast records, not personal messages authored by individual users. Your personal save may store which mail IDs you have read or claimed, which event rewards you have claimed, and related gameplay progress so rewards are not granted twice and can sync across devices when cloud save is available.

3.4 Account and Sign-In Data

The App may process:

Anonymous Firebase user identifiers created by Firebase Authentication.
If you choose Google Sign-In, Google account identifiers and profile data made available through the sign-in flow, such as email address, display name, and profile information depending on your Google settings.
If you choose Sign in with Apple, Apple account identifiers and information Apple provides, such as email address, private relay email address, full name, and identity token information depending on your Apple settings and prior choices.
Authentication state, linked providers, sign-in timestamps, and related account metadata maintained by Firebase.
If you use Sign in with Apple, server-to-server notifications Apple sends us about your Apple account lifecycle, such as consent revocation, account deletion, and email-forwarding preference changes, including notification identifiers and event metadata. When Apple notifies us that you revoked consent or deleted your Apple account, we delete the linked Firebase account and its associated data.

3.5 Purchase and Subscription Data

For in-app purchases and subscriptions, we and our service providers may process:

Product IDs, purchase status, subscription status, entitlement status, renewal status, expiration status, restoration status, refunds, chargebacks, and related transaction metadata.
RevenueCat app user identifiers. The current app configuration uses a Firebase-based app user ID prefix (firebase:) when Firebase Authentication is available.
Store country, currency, price, offering, package, and product metadata made available by Apple, Google, or RevenueCat.

We do not receive or store your full payment card number. Apple and Google handle payment processing under their own terms and privacy practices.

3.6 Advertising and Ad Measurement Data

The App uses AdMob to request, load, display, measure, and protect rewarded and interstitial ads. AdMob and its partners may process information such as:

Advertising identifiers, device identifiers, IP address, approximate location inferred from network information, device type, operating system, app version, language, region, ad unit, ad placement, ad interactions, ad completion, ad performance, and fraud-prevention signals.
Consent choices collected through UMP and device-level settings such as iOS ATT status or Android advertising settings.

Depending on your consent choices, region, and platform settings, ads may be personalized, non-personalized, or limited. Ad availability is not guaranteed.

3.7 Analytics Data

In production builds, the App uses Firebase Analytics to understand app performance, gameplay balance, monetization, and feature usage. Analytics events may include:

Session start and whether Firebase or ads initialized.
Progression events, merges, cat unlocks, prestige, quests, achievements, streaks, offline rewards, currency earn and spend events, room item purchases, skin purchases, theme/decor purchases, mail reward claims, event participation, and rewarded or interstitial ad events.
In-app purchase and entitlement grant events.
Device and app information such as app version, platform, general region, language, device model, and operating system information.

Analytics data is not intended to include names, email addresses, postal addresses, phone numbers, or payment card data.

3.8 Crash and Diagnostics Data

In production builds, the App uses Firebase Crashlytics to help identify and fix crashes and fatal errors. Crashlytics may process:

Crash stack traces, error messages, app state at the time of a crash, device and operating system information, app version, Firebase installation identifiers, and related diagnostics.

Crashlytics collection is disabled in debug builds in the current codebase.

3.9 Device, App, and Local Storage Data

The App may process:

Device type, operating system, app version, language, general region, app configuration, SDK status, and technical logs.
Local storage through Flutter shared_preferences or equivalent platform storage for save data and settings.
Consent and privacy choices stored by SDKs such as Google UMP and Apple ATT.
Notification permission status, scheduled local-notification identifiers, reminder timing, and device timezone information used locally to schedule reminders for offline earnings, daily streaks, events, and quests.
Font-request or cache-related technical data processed by Google Fonts if runtime font fetching occurs, such as IP address, user agent, and requested font files under Google's policies.

3.10 Legal Acceptance Records

When you accept the Terms of Service and this Privacy Policy in the App, we record your acceptance both locally on your device and, when Firebase is available, in our backend as an audit record. The backend record includes your Firebase user ID, the accepted document versions, a server-side timestamp, and your sign-in provider type (such as anonymous, Google, or Apple). These records are retained as evidence of consent and contract acceptance.

3.11 App Integrity and Anti-Abuse Data

The App uses Firebase App Check to help verify that requests to our backend come from authentic, unmodified builds of the App. App Check uses Google Play Integrity on Android and Apple App Attest (with DeviceCheck fallback) on iOS. These platform attestation services may process device and app integrity signals under Google's and Apple's own policies. We receive attestation tokens rather than raw device details.

3.12 Support and Direct Communications

If you contact us, we may process your email address, message contents, attachments, account identifiers you provide, device or app details you provide, and any information needed to respond to your request.

If you use the in-app support email shortcut or a system share sheet, your device may open a third-party mail, messaging, or sharing app. Those apps process your communication under their own terms and privacy practices.

3.13 Local Notifications and Reminders

If you enable notifications, the App may schedule local reminders on your device, such as offline earnings, daily streak, event start, and daily quest reminders. These reminders are generated by the App and delivered through your device operating system. The current App does not use a remote push-notification provider to send personalized push messages from our servers.

The App cancels pending local reminders when you return to the foreground and may reschedule future reminders when the App goes to the background. You can disable notifications through the in-app Settings screen where available or through your device settings.

4. Information We Do Not Intentionally Collect

The App does not intentionally require or request:

Precise GPS location.
Contacts, photos, camera, microphone, calendar, health, or fitness data.
Postal address or phone number.
Payment card numbers.
Public chat messages or open-ended user-generated public content. Leaderboard display names, scores, ranks, and display-name reports are processed as described above.
Remote personalized push notifications. Current reminders are local notifications scheduled on your device.

If future versions add these features or permissions, this policy and the store disclosures must be updated before release.

5. How We Use Information

We use information to:

Operate the App and provide gameplay.
Save, restore, sync, and protect progress.
Enable guest, anonymous, Google, and Apple sign-in.
Create, validate, display, and moderate leaderboard names and scores.
Fetch and display player mail, announcements, gifts, compensation messages, and time-limited event content.
Track mail and event reward claims so rewards are granted correctly and not duplicated.
Schedule and manage optional local reminders when notifications are enabled.
Process, validate, restore, and honor purchases and subscriptions.
Provide remove-ads, Cat Club, item packs, virtual currency, boosts, cosmetics, and other entitlements.
Load and show ads, grant rewarded-ad benefits, measure ad performance, enforce frequency limits, and prevent ad fraud.
Analyze gameplay, balance the economy, improve retention, identify bugs, and understand feature usage.
Diagnose crashes, improve stability, and maintain security.
Prevent cheating, fraud, abuse, unauthorized automation, chargeback abuse, and security incidents.
Communicate with you about support, account, privacy, and legal requests.
Comply with laws, enforce our Terms, and protect our rights, users, and services.

We do not sell personal information for money. Some advertising or analytics uses may be considered "sharing", "targeted advertising", or "cross-context behavioral advertising" under certain privacy laws. See the "Your Choices and Rights" section for available controls.

6. Legal Bases for EEA, UK, and Similar Regions

Where GDPR, UK GDPR, or similar laws apply, our legal bases may include:

Contract: operating the App, saving progress, enabling sign-in, cloud save, purchases, subscriptions, and entitlements.
Legitimate interests: security, fraud prevention, crash diagnostics, service improvement, support, analytics that do not require consent, and enforcement of our Terms, balanced against your rights and freedoms.
Consent: personalized advertising, access to device identifiers for tracking where required, cookies or local storage where legally required, and other processing that requires consent.
Legal obligations: tax, accounting, consumer protection, app-store, regulatory, and dispute-resolution obligations.

You may withdraw consent where consent is the legal basis, but withdrawal does not affect processing that occurred before withdrawal.

7. Local Saves, Firebase Accounts, and Cloud Save

The App stores progress locally on your device. Local data may be deleted or become unavailable if you delete the App, clear app data, reset your device, switch devices, sign out to a new guest account, or overwrite progress through gameplay.

When Firebase is available, the App creates or uses a Firebase account. On first launch, the App currently attempts anonymous Firebase sign-in. Cloud Firestore stores your save payload under your Firebase user ID so progress can be restored or synchronized.

If you later use Google Sign-In or Sign in with Apple, the App may link your anonymous Firebase account to that provider or switch to the existing provider-linked account. Signing out and restoring anonymous play may create a new anonymous Firebase account and may make prior cloud progress unavailable unless you sign back into the previous account or restore purchases through the store systems.

Cloud save is provided on a best-effort basis and may be unavailable, delayed, conflicted, or interrupted.

Deleting your Firebase account through the in-app delete flow deletes cloud save data, leaderboard rows, display-name reservation, the Firebase Authentication user, and backend account records we control for that Firebase user ID, including legal-acceptance audit records stored under that user account in the current backend. It does not delete local data until the App can clear data on your device, and it does not delete records controlled by Apple, Google, RevenueCat, AdMob, identity providers, or other third parties.

8. Advertising, Consent, and Tracking Choices

The App uses AdMob rewarded and interstitial ads. Rewarded ads are optional and provide in-game benefits only after the App receives confirmation that the ad qualifies for a reward. Interstitial ads may appear at natural gameplay breaks and do not provide a reward.

For users in the EEA, UK, and Switzerland, Google requires publishers using AdMob to use a Google-certified consent management platform that integrates with the IAB Transparency and Consent Framework when serving ads. The App uses Google UMP for this purpose. Where Google UMP indicates a privacy options entry point is required, the App exposes an Ad Privacy Choices control in Settings → Legal that re-presents the UMP privacy options form.

On iOS, the App may request permission through Apple's App Tracking Transparency framework before SDKs access the Identifier for Advertisers (IDFA) for tracking. You can manage this permission in iOS Settings.

On Android, you can manage advertising choices through Android and Google settings where available, including resetting or deleting your advertising ID and limiting ad personalization.

Ad choices may affect whether personalized, non-personalized, or limited ads are available. If consent is not available or cannot be confirmed in a regulated region, ads may be suppressed or limited.

9. In-App Purchases and Subscriptions

The App may offer:

Cat Club monthly subscription.
Remove-ads or ad-related entitlements.
Starter packs.
Catnip packs.
Gem packs.
Other virtual items, boosts, cosmetics, passes, or unlocks.

Apple App Store and Google Play process purchases and subscriptions. RevenueCat helps us retrieve offerings, validate purchases, sync entitlements, restore access, and apply subscription or purchase benefits in the App.

Purchase and subscription information may be shared between the App, Apple, Google, RevenueCat, and Firebase identifiers as needed to provide and protect entitlements. We do not receive your full payment card details.

Manage subscriptions, cancellation, refunds, family sharing, purchase history, and payment methods through Apple App Store or Google Play account settings.

10. Service Providers and Third Parties

We use service providers to operate the App. Their own terms and privacy policies govern their processing.

Category	Provider or Platform	Purpose
Authentication	Firebase Authentication, Google Sign-In, Sign in with Apple	Anonymous sign-in, optional provider sign-in, account linking
Cloud save	Cloud Firestore	Store and retrieve save payloads
Player mail and events	Cloud Firestore	Fetch announcements, gifts, compensation messages, event definitions, and related broadcast content
Backend operations	Firebase Cloud Functions	Leaderboard validation, display-name moderation, reports, account deletion, legal-acceptance recording, RevenueCat webhook handling, Apple Sign in account-lifecycle notifications, scheduled cleanup, moderation/support notifications
App integrity	Firebase App Check, Google Play Integrity, Apple App Attest / DeviceCheck	Verify backend requests come from authentic App builds, prevent abuse
Analytics	Firebase Analytics	App, gameplay, retention, monetization, and feature analytics
Crash diagnostics	Firebase Crashlytics	Crash reporting and stability diagnostics
Ads and ad consent	Google Mobile Ads / AdMob, Google UMP, AdMob ad partners	Ads, consent, ad delivery, ad measurement, fraud prevention
Purchases	Apple App Store, Google Play, RevenueCat	Purchases, subscriptions, entitlements, restoration
Local notifications	Apple, Google, Android, iOS, macOS, and the `flutter_local_notifications` SDK	Device-level notification permission, local reminder scheduling, and delivery
Fonts	Google Fonts	App typography and font delivery where runtime font fetching or caching occurs
Platform privacy controls	Apple ATT, Android and Google settings	Tracking and advertising choices
Support and sharing	Email, system mail apps, system share sheets, and any support tools we later adopt	Respond to user requests; let you send support messages or share App content if you choose

We may disclose information to service providers, app stores, regulators, law enforcement, professional advisors, or counterparties in a business transaction where permitted by law and as needed for the purposes described in this policy.

11. Retention

We retain information only as long as reasonably needed for the purposes described in this policy, unless a longer retention period is required or permitted by law.

Local gameplay data: remains on your device until you delete it, clear app storage, uninstall the App, reset through in-app controls if available, or overwrite it through normal gameplay.
Cloud save data: retained while the associated Firebase account remains active and as needed for restoration, security, fraud prevention, disputes, legal compliance, and operations. Anonymous guest cloud saves with no purchase history may be deleted after 365 days of inactivity.
Leaderboard, display-name, and moderation data: retained while the associated Firebase account remains active, while leaderboard rows are needed to operate the feature, and as needed for moderation, security, fraud prevention, disputes, legal compliance, and operations.
Player mail and event data: broadcast mail and event definitions are retained as long as needed to operate the feature. Per-player read, claimed, and event-progress state is retained as part of local and cloud save data.
Account data: retained by Firebase Authentication and linked identity providers according to their settings and policies, and as needed to provide the App.
Analytics data: retained according to Firebase Analytics project retention settings.
Crashlytics data: retained according to Firebase Crashlytics settings and Google Firebase policies.
Advertising data: retained by Google AdMob and its partners under their own policies. We do not separately store raw ad-request logs outside analytics and app state.
Purchase and entitlement records: retained by Apple, Google, RevenueCat, and us as needed to honor purchases, restore entitlements, prevent fraud, resolve disputes, and comply with tax, accounting, and consumer-protection obligations.
Local notification data: retained on your device as long as reminders are scheduled or notification settings are stored by the App or operating system. Pending reminders can be cancelled by opening the App, disabling notifications, clearing App data, or uninstalling the App, subject to platform behavior.
Legal acceptance records: retained as evidence of consent and contract acceptance for as long as reasonably needed for legal-compliance, dispute-resolution, and record-keeping purposes. In the current backend, the in-app account deletion flow deletes legal-acceptance audit records stored under the deleted Firebase user account, unless we have separately retained records where legally permitted or required.
Support messages: retained as long as needed to handle your request, maintain records, resolve disputes, and comply with law.

If you request deletion, we will delete or de-identify personal data we control unless retention is needed for legal, security, fraud-prevention, accounting, dispute-resolution, or operational reasons.

12. Your Choices and Rights

Depending on your platform, region, and settings, you may be able to:

Play as a guest or anonymous Firebase user instead of linking Google or Apple sign-in.
Edit your leaderboard display name, where the feature is available and subject to moderation and name availability.
Sign out and restore anonymous play, understanding that this may create a new account and make prior progress unavailable.
Delete local data by uninstalling the App, clearing app storage, or using any in-app reset/delete controls if provided.
Use the Delete account & data control in Settings to permanently delete your Firebase account, cloud save, leaderboard rows, and associated backend data we control.
Manage or disable optional notifications through the App or your device settings.
Understand that deleting an account may not remove aggregate analytics, purchase records needed for refunds/accounting/fraud prevention, records separately retained where legally permitted or required, or records controlled by Apple, Google, RevenueCat, AdMob, identity providers, or other third parties.
Contact us to request access, correction, deletion, export, restriction, or objection for personal data we control.
Manage Google Sign-In through your Google account.
Manage Sign in with Apple and Hide My Email through your Apple account.
Manage ad tracking on iOS through App Tracking Transparency settings.
Manage advertising choices on Android and through Google settings where available.
Use the Ad Privacy Choices entry in Settings → Legal to re-present the Google UMP privacy options form, where required and available.
Manage purchases, refunds, cancellations, and subscriptions through Apple App Store or Google Play.

To exercise privacy rights, contact legal@appazzola.com. We may need to verify your request and may ask for information such as your Firebase user ID, purchase identifiers, or support details so we can locate relevant records.

Deleting the App or local save data does not automatically delete data held by Apple, Google, Firebase, AdMob, RevenueCat, or identity providers. You may need to use those providers' privacy and account tools for data they control.

13. California and Other U.S. State Privacy Rights

Residents of California and other U.S. states may have rights under applicable privacy laws, including rights to know, access, correct, delete, obtain a copy of, or opt out of certain uses of personal information.

Categories of personal information we may collect include:

Identifiers, such as Firebase user IDs, provider account identifiers, email address if provided by a sign-in provider or support request, advertising identifiers, and device identifiers.
Internet or electronic network activity, such as app usage, ad interactions, analytics events, diagnostics, and crash data.
Commercial information, such as purchase, subscription, entitlement, refund, and chargeback status.
Gameplay and account state, such as cloud-save progress, leaderboard rows, display names, mail read/claimed state, event participation, and moderation records.
Approximate location inferred by service providers from IP address or device/network information for ads, analytics, fraud prevention, and compliance.
Inferences drawn from gameplay, purchase, and usage activity for analytics, app improvement, advertising, and personalization where permitted.

We do not sell personal information for money. We may disclose information to service providers and may "share" information for cross-context behavioral advertising or targeted advertising if personalized ads are enabled and permitted by your consent choices and applicable law.

To exercise rights or opt out where legally required and technically available, contact legal@appazzola.com and use platform-level or in-app ad/privacy controls.

We will not discriminate against you for exercising privacy rights.

14. Children

The App is not directed to children under 13 and is not intended for use by children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, contact legal@appazzola.com and we will take appropriate steps to delete it.

Parents or guardians may contact us to review, correct, or delete information associated with their child where required by law.

If the App is later distributed in the Apple Kids Category, Google Play Families program, or any child-directed category or channel, this policy, the App's SDK configuration, ads, analytics, data collection, and consent flows must be updated before release.

15. International Transfers

We and our service providers may process information in the United States and other countries where we or they operate. These countries may have privacy laws that differ from the laws where you live. Where required, we rely on appropriate safeguards for international transfers, such as contractual protections used by our service providers.

16. Security

We use reasonable administrative, technical, and organizational measures designed to protect information. Firestore rules in the current codebase restrict each user's save document to the authenticated Firebase user ID, and backend functions require Firebase App Check attestation in addition to authentication. No transmission or storage system is completely secure.

You are responsible for keeping your device, platform accounts, and sign-in credentials secure.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version at https://appazzola.com/privacy/paw-merge-idle and update the effective date or last-updated date. If changes are material, we may provide additional notice in the App, through the app stores, or by other appropriate means.

18. Contact

Questions, privacy requests, or legal requests: legal@appazzola.com General contact and support: contact@appazzola.com

Reference Sources

Apple App Review Guidelines, including privacy-policy requirements: https://developer.apple.com/app-store/review/guidelines/
Apple Standard EULA and App Store licensing references: https://www.apple.com/legal/internet-services/itunes/dev/stdeula/
Google Play User Data policy and privacy-policy expectations: https://support.google.com/googleplay/android-developer/answer/10144311
Google Play Data safety guidance: https://support.google.com/googleplay/android-developer/answer/10787469
Google AdMob EU user consent policy and CMP requirements: https://support.google.com/admob/answer/7666519 and https://support.google.com/admob/answer/13554116
Android notification runtime permission reference: https://developer.android.com/develop/ui/views/notifications/notification-permission
Apple UserNotifications permission reference: https://developer.apple.com/documentation/usernotifications/asking-permission-to-use-notifications
Google Fonts privacy information: https://developers.google.com/fonts/faq/privacy
Firebase privacy and security information, including Crashlytics retention reference: https://firebase.google.com/support/privacy/
Firebase Data Processing and Security Terms: https://firebase.google.com/terms/data-processing-terms/
RevenueCat privacy and security references: https://www.revenuecat.com/privacy/ and https://www.revenuecat.com/security-and-compliance/

This policy is provided for Paw Merge Idle users and is not legal advice to any other party.