Privacy Policy
Effective date: April 13, 2026
Privacy at a Glance
- You can play core scored modes without creating an account, but account-based features such as cloud sync, leaderboards, Free Practice access, and push notifications require sign-in.
- In the production database, Acordle stores a SHA-256 hash of your email address rather than the plain-text email. Your plain-text email may still be processed transiently when needed for authentication flows, such as one-time verification emails.
- Acordle stores gameplay, progress, settings, leaderboard data, and, when you are signed in, optional Free Practice session data to provide the app's features.
- Acordle uses Firebase Analytics, Crashlytics, Firebase Cloud Messaging, and Google AdMob. Push notifications are optional and currently used for monthly ranking notifications.
- Acordle also operates the public website at acordle.com. The website processes basic technical request data through hosting, nginx, and Cloudflare infrastructure, and stores a local language preference in your browser when needed.
- Acordle offers a one-time in-app purchase called Full Version. Purchase verification is performed server-side.
- If you delete your account, most private account data is deleted or cleaned, but certain records are retained to preserve ranking integrity, purchase integrity, and service continuity, as explained below.
1. Introduction
Acordle ("we", "our", or "the app") is a mobile application for iOS and Android designed to help users learn and memorize guitar chords. This Privacy Policy explains what data Acordle processes, why it is processed, and how that data is handled.
Acordle also operates the public website at https://acordle.com, including landing, download, FAQ, legal, and account-deletion pages.
Some features are optional or only available when you sign in, such as cloud sync, leaderboards, Free Practice session logging, push notifications, and the Full Version purchase flow.
2. Data Controller
The data controller responsible for your personal data is:
- Developer: Guillermo Señas
- Address: P.O. Box 1021, 39080 Santander, Spain
- Contact: [email protected]
3. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account (optional) | Nickname, locale, login method, login counters, account timestamps, and a SHA-256 hash of your email address in the production database | Create and identify your account, sync progress, and provide leaderboard features |
| Email sign-in (optional) | Your plain-text email address is processed to send one-time verification codes; OTP records also include hashed OTP data, request IP address, expiry, and locale | Authenticate you by email and help prevent abuse of the OTP flow |
| Notifications (optional) | FCM device token and your per-user notification preference | Send monthly ranking notifications only, when you opt in |
| Purchases | Product ID, platform, canonical purchase key, transaction/order ID when available, verification status and timestamps, hashed receipt/token references, and where needed for later revalidation, encrypted store-reference data plus manual-review markers | Verify the one-time Full Version purchase, restore ownership, investigate suspicious cases manually, and prevent purchase abuse |
| Technical Security | IP addresses used during authentication, OTP requests, game submissions, and Free Practice session logging, plus device strings sent by the app for gameplay and jam-session records | Security, rate limiting, debugging, purchase integrity, and abuse prevention |
| Public website | Technical request data processed by hosting, nginx, and Cloudflare infrastructure, such as IP address, user-agent, requested URL, timestamps, HTTP status codes, approximate country, and security-related request metadata | Serve the website, protect it, diagnose issues, prevent abuse, and understand aggregate traffic and reliability |
| Gameplay | Scores, settings, unlocked progress, mastery data, detailed game history, per-chord gameplay data, leaderboard records, and optional Free Practice session data (including last selected key, chord list, and logged chord timeline) | Provide the core game, sync progress, calculate stats, restore Free Practice state, and power leaderboards |
| Analytics | Minimal Firebase Analytics events and automatic Firebase/GA4 app metrics (for example
game_started, free_practice_access,
purchase_flow_result, account_deletion_result,
ad_impression_result, and standard engagement metrics) |
Measure feature usage, monetization outcomes, and app reliability |
| Crash reports | Crash logs, device/runtime state, authenticated user ID when available, and selected gameplay context such as nickname, mode, level, chord, orientation, or session ID | Diagnose crashes and non-fatal errors |
| Local device storage | Session token, notification preference, cached entitlements/trial state, ad pacing state, pending notification deep-link data, purchase-flow recovery data, and one-time entitlement notice state shown by the app | Keep you signed in, preserve app state, control notifications, recover purchase flows, and avoid repeating the same entitlement notice unnecessarily |
| Website local preference | A local language preference stored in your browser when you choose or are redirected to a localized version of the website | Show the correct localized version of the website without using advertising or analytics cookies |
| Advertising | Ad request and delivery data processed by Google AdMob; this may include device and advertising-related identifiers depending on platform, consent status, and Google's SDK behavior | Display ads to non-full users and measure ad delivery |
If you use social sign-in, Acordle validates the provider token and uses the email address returned by that provider to link or create your Acordle account. The production database stores the email hash rather than the plain-text email address, but the plain-text email is still processed transiently when needed to verify identity or send OTP emails.
4. Third-Party Services
We use the following third-party services that may collect data according to their own privacy policies:
| Service | Provider | Purpose | Privacy Policy |
|---|---|---|---|
| Firebase Analytics | Google LLC | Usage analytics | Link |
| Firebase Crashlytics | Google LLC | Crash reporting | Link |
| Firebase Messaging | Google LLC | Push notifications | Link |
| Google AdMob | Google LLC | Advertising | Link |
| Sign in with Apple | Apple Inc. | Authentication | Link |
| Google Sign-In | Google LLC | Authentication | Link |
| Facebook Login | Meta Platforms, Inc. | Authentication | Link |
| App Store | Apple Inc. | Payment verification | Link |
| Google Play Store | Google LLC | Payment verification | Link |
| Cloudflare | Cloudflare, Inc. | Website delivery, security, DNS, CDN, and traffic analytics | Link |
5. Advertising
Acordle displays Google AdMob ads only for users who do not have the Full Version entitlement. Current ad placements are interstitials at some game starts and leaderboard interactions, plus a banner at the end of a scored game.
Consent is handled through Google's User Messaging Platform (UMP). Depending on the outcome of that flow:
- If ads can be requested with consent: standard AdMob ad requests are used.
- If consent is unavailable, denied, or the consent flow fails: Acordle falls back to non-personalized ad requests.
The current app code does not expose a dedicated always-available privacy options screen for reopening the UMP form. Additional ad/privacy controls may also depend on your device or platform settings.
6. Public Website, Cookies, and Local Preferences
The public website is served through hosting, nginx, and Cloudflare infrastructure. Those systems may process technical request data such as IP address, user-agent, requested URL, timestamps, HTTP status codes, approximate country, and security-related metadata to deliver the website, protect it, diagnose issues, prevent abuse, and understand aggregate traffic.
The Acordle website itself does not currently set advertising or analytics cookies. It may store a local language preference in your browser so that the correct localized version can be shown. This local preference is used only for localization and not for advertising or analytics.
If we later add website analytics or advertising technologies that require consent, we will update this policy and, where required, request consent before using them.
7. Children's Privacy
Acordle is not intended for children under 13 (or a higher age where required by local law). We do not knowingly target or collect personal data from children in that age range. If you believe a child has provided personal data to Acordle, please contact us at [email protected].
As a conservative measure, Acordle defaults to non-personalized ads for all users until explicit consent is granted.
8. Data Retention
- Account data: Retained while your account is active. You can request deletion at any time.
- Account deletion: Deletion removes private tables such as synced progress, user stats, OTP records, and registered notification tokens, and clears IP/device data from stored gameplay and Free Practice history. However, some records are intentionally retained for integrity and continuity purposes, including the soft-deleted user record (which currently preserves the user ID, nickname, locale, and creation timestamp), historical ranking/history records, entitlement state, free-trial history, purchase verification records, and related anomaly/review metadata needed to investigate refunds, restore ownership, or confirm manual entitlement decisions. You may also request account deletion or data removal via our account deletion page or by contacting us via email.
- Leaderboard and historical game data: May be retained and displayed with deleted-account indicators to preserve ranking integrity and historical stats.
- Analytics and crash data: Retained according to the applicable Firebase configuration and provider retention policies.
- Website technical data: Retained according to the applicable hosting, nginx, Cloudflare, and security-log configurations. Local website language preferences remain in your browser until you change them or clear browser storage.
- Local data: Stored only on your device and deleted when you uninstall the app or clear app data, except where your operating system or store provider keeps its own independent records.
9. Legal Bases for Processing
Depending on the feature you use, Acordle relies on one or more of the following legal bases under the GDPR:
- Performance of a contract or steps at your request: to create and operate your account, authenticate you, sync progress, provide gameplay features, restore purchases, process account deletion requests, and deliver the core app functionality you ask us to provide.
- Consent: where required, for optional push notifications, certain analytics/advertising choices, and other optional features that depend on your prior agreement.
- Legitimate interests: to secure the service and website, prevent fraud and abuse, enforce rankings and purchase integrity, diagnose crashes, monitor reliability, understand aggregate website traffic, and keep historical records necessary for service continuity and leaderboard integrity.
- Legal obligations: where processing or retention is required to comply with applicable law, accounting, tax, consumer-protection, or law-enforcement obligations.
10. International Data Transfers
Some third-party providers used by Acordle may process personal data outside your country, including outside the EEA, the UK, or Switzerland. In particular, some providers such as Google, Apple, Meta, or related infrastructure providers may process data in the United States or other countries.
Where required, we rely on appropriate safeguards for those transfers, such as adequacy decisions, the provider's applicable contractual safeguards, or other lawful transfer mechanisms recognised under applicable data-protection law.
11. Your Rights (GDPR / EEA Users)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request restriction of processing.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Revoke previously granted consent at any time.
You also have the right to lodge a complaint with the competent data-protection supervisory authority, in particular in the country of your habitual residence, place of work, or the place of the alleged infringement.
To exercise any of these rights, please contact us at [email protected]. We will respond without undue delay and, in any event, within one month, subject to extensions permitted by applicable law.
12. Data Security
We implement appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS/TLS) for all data transfers. However, no method of electronic transmission or storage is 100% secure.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.
14. Contact
If you have any questions or concerns about this Privacy Policy, please contact us:
- Email: [email protected]
- Website: https://acordle.com