Apps

Privacy Policy

As of: June 2026

1. Controller

SynthScript Inh. Christoph Kretschmer
Hornisgrindestraße 9, 77855 Achern, Germany
Email: info@synthscript.de · Privacy: privacy@synthscript.de

2. General

We process your data exclusively in accordance with the GDPR. This policy informs you about the nature, scope and purpose of data processing when using the "Wombatistan" app (idle/city-building game, iOS and Android; package ID de.synthscript.wombatistan).

3. Playing Without an Account

Wombatistan can be played without actively creating an account. No name, email address or phone number is collected as a requirement. On first launch, an anonymous sign-in takes place, assigning a random, pseudonymous user ID (UID).
Legal basis: Art. 6(1)(b) GDPR

4. Authentication (Firebase Authentication)

We use Firebase Authentication (Google Ireland Limited, Dublin, Ireland) for sign-in. By default this is an anonymous sign-in with a pseudonymous UID. Firebase processes technical metadata server-side, in particular the IP address, device/installation identifier and the timestamp of the login.
Legal basis: Art. 6(1)(b) GDPR

5. Optional Account Linking & Sign-In

Only on your explicit action ("Secure account" / "Sign in") can the anonymous UID be linked to a platform or provider account in order to secure and recover your progress across devices:

  • Google Play Games (Android) → Play Games player identity
  • Game Center (iOS) → Game Center player identity
  • Google Sign-In → a pseudonymous Google identifier and – if you consent – your email address
  • Sign in with Apple → a pseudonymous Apple identifier and – depending on your choice – your email address, optionally via an anonymised Apple relay address

Without such an action, no linking takes place.
Legal basis: Art. 6(1)(a), (b) GDPR

6. Cloud Save (Cloud Firestore)

Your game progress is stored in Cloud Firestore (Google) under saves/{UID}. This includes: placed buildings, resources (e.g. clover/honey), unlocked regions, decrees, timestamps of production cycles as well as a save version and a server timestamp. No personal content beyond the game is stored. For admin accounts, users/{UID}.isAdmin is additionally set.
Storage location: EU – europe-west3 (Frankfurt).
Legal basis: Art. 6(1)(b) GDPR

7. Local Storage on the Device

The game save is additionally stored as a file (wombatistan_save.json) in your device's app documents directory. This file remains local and is only transmitted as a cloud save (see section 6).

8. Advertising (AppLovin MAX)

The app may be partly financed through advertising. For this we use AppLovin MAX (AppLovin Corporation, Palo Alto, CA, USA) as a mediation platform. This may involve processing of advertising identifiers (the IDFA on iOS, the Google Advertising ID/GAID on Android), IP address as well as device and usage data in order to deliver and – with your consent – personalise and measure advertising.

On iOS devices we obtain your permission to access the IDFA via the App Tracking Transparency (ATT) prompt. Within the EU/EEA we ask via a consent dialog whether personalised advertising is permitted. Without consent, only non-personalised, contextual advertising is delivered where technically possible. You can withdraw a granted consent at any time via the app settings.
Legal basis: Art. 6(1)(a) GDPR (consent); for non-personalised advertising Art. 6(1)(f) GDPR.
More information: applovin.com/privacy

9. In-App Purchases (RevenueCat)

In-app purchases are processed through the respective app store (Apple App Store or Google Play) and managed with RevenueCat (RevenueCat, Inc., San Francisco, CA, USA). To provide, validate and restore purchases, RevenueCat processes pseudonymous identifiers (app user ID, anonymised device/purchase identifiers) as well as purchase and transaction status. We receive no payment data (e.g. credit card details) – these are processed exclusively by Apple or Google.
Legal basis: Art. 6(1)(b) GDPR
More information: revenuecat.com/privacy

10. Push Notifications (Firebase Cloud Messaging)

With your consent, we send push notifications (e.g. reminders about production ready to collect or new content). For this we use Firebase Cloud Messaging (FCM, Google) and process a device token. On iOS and newer Android versions you are asked for the notifications permission beforehand. You can disable notifications at any time in your device settings.
Legal basis: Art. 6(1)(a) GDPR

11. Recipients / Processors

  • Google (Firebase Authentication, Cloud Firestore, Firebase Cloud Messaging; on Android additionally Google Play Games Services and the Google Advertising ID) — Google Ireland Limited / Google LLC. The Firebase/Google Cloud Data Processing Terms apply.
  • Apple (Game Center, Sign in with Apple, App Store billing) — iOS only and only upon use initiated by you.
  • AppLovin (advertising/mediation via AppLovin MAX) — AppLovin Corporation, USA.
  • RevenueCat (management of in-app purchases) — RevenueCat, Inc., USA.

12. Identifiers Processed

  • Firebase UID (pseudonymous)
  • Firebase installation/device ID
  • IP address (by Google during authentication/Firestore and by advertising partners)
  • Advertising identifiers: IDFA (iOS, only with ATT consent) or Google Advertising ID/GAID (Android)
  • Push device token (only with consent)
  • RevenueCat app user ID / purchase identifiers (for in-app purchases)
  • optionally Play Games player ID / Game Center player ID / Google or Apple identifier and, where applicable, email address (only upon linking/sign-in)

13. Purposes

Provision of the game, saving and synchronising progress (cross-device with a linked account), account recovery, display and measurement of advertising, processing of in-app purchases, sending push notifications and internal admin diagnostics.

14. Transfers to Third Countries

Firestore data is stored in the EU (Frankfurt). Firebase Authentication and Firebase Cloud Messaging are global Google services; processing may also occur outside the EU (e.g. IP logs). AppLovin and RevenueCat process data, among others, in the USA. Any transfers to third countries are based on the EU Standard Contractual Clauses (Art. 46 GDPR) and the respective providers' further transfer mechanisms.
More information: firebase.google.com/support/privacy

15. Retention & Deletion

The cloud save remains until you delete it. The app includes "Sign out" and "Delete account". The deletion function removes the cloud save, the local save and the Firebase account. You may also send deletion requests to: privacy@synthscript.de

16. Permissions

Android: INTERNET (via Firebase), access to the Google Advertising ID (AD_ID) for advertising and – when notifications are enabled – the POST_NOTIFICATIONS permission. No sensitive runtime permissions such as location, camera or contacts.
iOS: Game Center capability (only upon account linking), push notifications (only with consent) and the App Tracking Transparency prompt (for advertising-related identifiers). No location or photo access.

17. Not Included

Wombatistan explicitly contains no analytics (no Firebase/Google Analytics) and no crash reporting (no Crashlytics/Sentry).

18. Your Rights (GDPR)

  • Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17)
  • Restriction (Art. 18), Portability (Art. 20), Objection (Art. 21)
  • Withdrawal of granted consent with effect for the future (Art. 7(3))

Contact: privacy@synthscript.de

19. Right to Lodge a Complaint

Supervisory authority: LfDI Baden-Württemberg

20. Data Security

We implement technical and organisational measures to protect your data.

21. Changes

Changes will be announced in the app.

22. Contact

privacy@synthscript.de