FluubyMonster Maker & Collector
FluubyMonster Maker & Collector
Fluuby ("we", "our", or "the app") is a monster-collecting mobile game where players generate AI-powered monster characters, build collections, trade on a marketplace, mine for rare monsters, and send gifts to friends. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights regarding it.
By downloading or using Fluuby, you agree to the data practices described in this policy. If you do not agree, please uninstall the app and contact us to delete your account.
Platform: iOS (App Store) and Android (Google Play). Bundle ID: com.khenitech.fluuby.
You sign in exclusively through Google Sign-In or Apple Sign-In. We never store passwords. When you sign in, we receive from the authentication provider:
During first-time setup and via the Edit Profile screen, you may provide:
On your first app launch, we call ipapi.co (a third-party geolocation service) using your device's IP address to detect your country. This is used solely to pre-fill the country field in your profile setup. The result is cached on your device for 24 hours and never sent to or stored on our servers. You can override or clear this at any time by editing your profile.
We store the following content you create or interact with:
We use Firebase Analytics to understand how the app is used. The following events are tracked:
| Event | Parameters |
|---|---|
| login | method (google / apple) |
| logout | โ |
| monster_generated | rarity, coins_spent |
| monster_saved | rarity, monster_id |
| monster_deleted | rarity |
| collection_viewed | monster_count |
| companion_set | monster_id |
| monster_gifted | rarity, is_twin |
| gift_claimed | rarity |
| store_purchase | rarity, price, is_auction |
| store_bid | rarity, amount |
| store_listing_cancelled | rarity |
| coins_purchased | coin_count, package_label |
| coins_used | coin_count |
| tutorial_open / tutorial_complete | โ |
| screen_view | screenName |
No analytics event includes personal text you type (such as monster names or your bio). Analytics data is linked to a Firebase user ID (your UID).
On iOS and Android, Firebase Crashlytics automatically records crash reports when the app crashes or encounters an unhandled error. Each report includes: your UID, the error message, a stack trace, your device model and OS version, and the app version. Crash reporting is not active on web browsers.
On iOS and Android, if you grant notification permission, we retrieve a Firebase Cloud Messaging (FCM) device token and store it in your user settings document in Firestore. This token is used solely to send you push notifications from our server (e.g., game events). Revoking notification permission in your device settings will invalidate the token.
Firebase and RevenueCat may automatically collect:
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide the game โ accounts, monsters, marketplace, gifting, mining | Contract performance | UID, email, display name, game content |
| Show your public profile to other players | Contract performance / Legitimate interest | Username, bio, country, display name, photo |
| Process in-app purchases and credit Monster Coins | Contract performance | UID, purchase confirmation from Apple / Google |
| Tag monsters with a birth country (game lore) | Legitimate interest | Profile country or IP-detected country |
| Diagnose bugs and improve stability | Legitimate interest | Crash reports (UID, error details, device info) |
| Understand feature usage and improve the game | Legitimate interest | Analytics events (linked to UID) |
| Send push notifications (opt-in) | Consent | FCM device token |
| Measure advertising campaign performance (ad attribution) | Legitimate interest / Consent (iOS ATT) | Device Advertising Identifier (IDFA, ATT-gated on iOS), anonymous device ID, app events, purchase data โ shared with Meta |
| Comply with legal obligations | Legal obligation | Varies |
We use the following third-party services. Each has its own privacy policy:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google Firebase | Authentication, Firestore database, Storage, Analytics, Crashlytics, Cloud Messaging | UID, email, display name, photo, all game content, analytics events, crash logs, FCM token | policies.google.com/privacy |
| RevenueCat | In-app purchase management and entitlement tracking | UID, purchase transaction data from Apple App Store / Google Play | revenuecat.com/privacy |
| Base44 | AI monster image generation | Text prompt describing the monster (no personal information included) | base44.com/privacy |
| Google Sign-In | User authentication | OAuth token โ processed by Google; we receive UID, email, display name, photo URL | policies.google.com/privacy |
| Apple Sign-In | User authentication | OAuth identity token โ processed by Apple; we receive UID, email (may be relayed), display name | apple.com/legal/privacy |
| Meta Platforms (Facebook) | App install attribution and advertising measurement via the Meta SDK. Helps us understand which ad campaigns lead to installs and purchases so we can run better ads. | Device Advertising Identifier (IDFA โ only if you grant App Tracking Transparency permission on iOS), anonymous Facebook ID (fbAnonId), app events (installs, purchases, monster saves), iOS SKAdNetwork postbacks (no personal data) | facebook.com/privacy/policy |
| ipapi.co | IP-based country detection (one-time per 24h, on profile setup) | Your device IP address is sent to ipapi.co servers; country result is cached locally only | ipapi.co/privacy |
| Apple App Store | App distribution and payment processing for iOS IAP | Payment and purchase data handled entirely by Apple | apple.com/legal/privacy |
| Google Play | App distribution and payment processing for Android IAP | Payment and purchase data handled entirely by Google | policies.google.com/privacy |
We do not sell your personal data. We do not share data with data brokers or any parties beyond those listed above. We do share limited data with Meta Platforms for advertising attribution purposes as described in the table above โ this sharing is governed by the App Tracking Transparency (ATT) framework on iOS and the Advertising ID controls on Android.
Fluuby offers optional in-app purchases of "Monster Coins" โ a virtual in-game currency. Purchases are processed exclusively by Apple (iOS) or Google (Android). We do not receive, store, or process your payment card details.
Upon successful purchase confirmation from Apple/Google, RevenueCat notifies us and we credit Monster Coins to your account. Purchase data retained by RevenueCat includes your UID and the transaction details received from Apple/Google.
Available packages: 10 Coins, 20 Coins, 50 Coins. Prices displayed in-app. Monster Coins have no real-world monetary value and are non-refundable except as required by applicable law or Apple/Google refund policies.
Push notifications (FCM): If you grant permission, your device receives push notifications via Firebase Cloud Messaging. Your FCM token is stored in your Firestore user document and used to deliver notifications. You can withdraw permission at any time in your iOS or Android notification settings.
Local notifications: When you start a mining job, the app schedules a local notification on your device (entirely on-device, no server involved) to alert you when the mine is complete. No personal data is transmitted. The notification message contains only the mine tier name.
| Data Category | Retained Until |
|---|---|
| Account (Firebase Auth) | You delete your account |
| Profile (userSettings document) | You delete your account |
| Monsters you own | You delete them, gift them away, or delete your account |
| Monsters transferred to other players | Retained in the new owner's collection until they delete them |
| Marketplace listings you created | Until sold, cancelled, or you delete your account |
| Gift records | Until the gift is completed (confirmed/claimed) or cancelled |
| Market trade history (ledger) | Retained indefinitely for marketplace integrity (your UID and display name may appear); contact us to request removal |
| Mining jobs | Until claimed or you delete your account |
| FCM push notification token | Until you revoke notification permission or delete your account |
| Firebase Analytics events | Up to 26 months (Firebase default retention) |
| Firebase Crashlytics reports | 90 days (Firebase default retention) |
| IP-detected country (device cache) | 24 hours (local device only) |
| Monster images (Firebase Storage) | Until the monster is deleted or you delete your account; images of transferred monsters may remain in storage until the new owner deletes them |
You can view and update your display name, username, bio, and country at any time by going to Profile โ Edit (pencil icon) in the app.
You can permanently delete your account by going to Profile โ Delete Account. This action:
Note: monsters you previously transferred to other players remain in their collections. Your display name may remain visible in market trade history records; contact us if you wish to have this removed.
You can disable push notifications at any time in your iOS or Android notification settings. You can disable local (mining) notifications by turning off all notifications for Fluuby in your device settings.
You can limit Firebase Analytics data collection on iOS via Settings โ Privacy & Security โ Tracking and on Android via Settings โ Google โ Ads โ Opt out of Ads Personalization.
On iOS, the app will request your permission to use the Advertising Identifier (IDFA) for ad attribution via Apple's App Tracking Transparency (ATT) prompt. If you tap "Ask App Not to Track", we will not access your IDFA and Meta will only receive anonymised, aggregated attribution data via Apple's SKAdNetwork. You can change this decision at any time in Settings โ Privacy & Security โ Tracking โ Fluuby.
On Android, you can opt out of personalised advertising by going to Settings โ Google โ Ads โ Delete advertising ID or by resetting your advertising ID. The Meta SDK respects this setting and will not use the Advertising ID for targeting if you have opted out.
If you are located in the European Union or European Economic Area, you have the right to: access your personal data, correct inaccurate data, request erasure ("right to be forgotten"), object to processing, request restriction of processing, and data portability. To exercise these rights, contact us at contact@khenitech.com. You also have the right to lodge a complaint with your local data protection authority.
California residents have the right to know what personal information we collect and how it is used, request deletion of personal information, and opt out of the "sale" of personal information (we do not sell personal information). To exercise your rights, contact us at contact@khenitech.com.
You may request a copy of the personal data associated with your account by emailing contact@khenitech.com with the subject line "Data Export Request". We will respond within 30 days.
As required by Google Play policy, you can request deletion of your account and all associated data even without opening the app. To do so, email contact@khenitech.com with the subject line "Account Deletion Request" and include the email address associated with your Fluuby account. We will process the deletion within 30 days and confirm when complete.
Fluuby does not respond to browser "Do Not Track" (DNT) signals because the app does not engage in the cross-site tracking that DNT is designed to prevent. We do not track you across third-party websites.
Fluuby is rated 12+ on the Apple App Store and Teen (13+) on Google Play due to its in-app purchases and simulated trading marketplace. The app is not directed at children under 13. We advise parents and guardians to supervise use by minors and to use device parental controls to restrict in-app purchases.
We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe a child under 13 has created an account in Fluuby, please contact us immediately at contact@khenitech.com with the subject "COPPA โ Child Account". We will promptly delete the account and all associated data.
If you are a parent or guardian and have consented to your child's use of Fluuby, you may contact us to access, correct, or delete your child's information.
We take reasonable technical and organisational measures to protect your data:
No system is 100% secure. If you suspect unauthorised access to your account, please contact us immediately.
Fluuby uses Google Firebase infrastructure. Your data may be processed in the United States or other countries where Google operates data centres. Google maintains Standard Contractual Clauses (SCCs) and other legally recognised data transfer mechanisms to comply with applicable data protection laws, including GDPR. By using Fluuby, you acknowledge and consent to this transfer.
RevenueCat and Base44 may also process data internationally. Please refer to their respective privacy policies linked in Section 5.
As required by Apple, we disclose the following data practices:
| Data Type | Collected | Linked to Identity | Used for Tracking |
|---|---|---|---|
| Contact Info (Email) | Yes | Yes | No |
| Identifiers โ User ID | Yes | Yes | No |
| Identifiers โ Device ID (IDFA, ATT-gated) | Yes (iOS, if ATT granted) | Yes | Yes โ shared with Meta for ad attribution |
| Usage Data (product interaction, app launches) | Yes | Yes | Yes โ shared with Meta for ad attribution |
| Diagnostics (crash data, performance data) | Yes | Yes | No |
| Purchases | Yes | Yes | Yes โ shared with Meta for purchase attribution |
| Advertising Data | Yes (anonymous, via Meta SDK) | Yes (if ATT granted) | Yes โ used for ad campaign measurement |
| Location (coarse, IP-inferred) | Yes (once, temporary) | No | No |
| User Content (monster images, names, bio) | Yes | Yes | No |
Some data (Device ID, product interactions, purchase history) is shared with Meta Platforms for advertising attribution purposes. On iOS, IDFA access requires your explicit consent through Apple's App Tracking Transparency prompt. If you deny tracking, only anonymous SKAdNetwork attribution is used โ no personal data is linked.
As required by Google Play, the following data safety summary applies:
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top of this page and, where appropriate, notify you through an in-app notice or via the email address associated with your account. The updated policy will be posted at fluuby.web.app/privacy.
Continued use of Fluuby after the effective date of any change constitutes your acceptance of the revised policy.
The "Monster Stock" tab within the Monster Store displays candlestick charts, price trends, and trade volumes for monster rarities. Please note:
For questions, data requests, or concerns about this Privacy Policy, please contact:
We will respond to all inquiries within 30 days. For urgent data deletion requests, please include "URGENT DATA REQUEST" in your email subject line.