THBT

Privacy Policy

Effective date: 23 April 2026 · Last updated: 23 April 2026

1. Who we are

THBT (the "Service," "we," "us") is a two-team trivia game. The Service is operated by [OWNER LEGAL NAME], based in the United Arab Emirates. If you have any questions about this policy, contact us at mohammadahmedahmed@gmail.com.

2. Information we collect

We only collect what we need to run the game and manage your account:

Account data: your email address and a hashed password (PBKDF2-SHA256, 120,000 iterations; we never store your plaintext password).
Game data: game history (team names you typed, scores, winner, timestamp), categories/subcategories picked, remaining free games.
Subscription data: if you subscribe, we record the tier (weekly / monthly / yearly) and when the subscription started. Billing is handled by Apple; we do not see your payment card.
Technical data: IP address and basic request metadata are present in our web-server logs for security and abuse prevention. Logs are rotated automatically and not cross-referenced with accounts except when investigating abuse.
Language preference: EN or AR, stored locally in your browser so the app remembers your choice.

We do not collect: real name, phone number, address, contacts, microphone, camera, location, health data, or advertising identifiers. We do not use third-party analytics, ad SDKs, or cross-app tracking.

3. How we use it

To authenticate you and let you pick up where you left off (email + password hash).
To run the game and track your free games left / subscription entitlement.
To let you see your own game history (future feature — not currently exposed in-app).
To detect abuse (unusual login patterns, attempted brute-force).
To respond to support requests you send us directly.

We do not sell your data. We do not share it with advertisers. We do not build a profile on you for marketing.

4. Who we share it with

Apple — subscription purchases go through Apple's In-App Purchase system. Apple handles the payment and sends us a receipt we can verify.
Our hosting provider — the server that runs THBT physically stores the database. The provider cannot see decrypted account passwords (we only store salted hashes).
Legal authorities — only if compelled by a valid UAE court order or lawful request from a competent authority.

We never share your data with third parties for marketing, profiling, or profit.

5. Your rights

You can:

Access the data we hold about you — email us and we will provide it within 30 days.
Delete your account — see Data deletion instructions. All account records and game history tied to your email are removed within 30 days. We may retain a minimal record of the deletion itself (email hash + timestamp) for fraud prevention, and any billing records legally required to be kept by UAE tax / accounting law.
Correct inaccurate data — email us.
Export your data — email us, we'll send a JSON dump of your account and game history.
Withdraw consent by deleting your account, at any time.

6. Data retention

Active accounts: data retained while the account exists.
Inactive accounts (no login for 24 months): we may automatically delete or anonymize. We will send an email warning first.
After deletion request: full erasure within 30 days, except billing records where UAE law requires longer retention.
Web server logs: rotated automatically; raw logs retained for up to 30 days.

7. Security

We protect your data through:

HTTPS on every connection (TLS 1.2+, Let's Encrypt certificates).
PBKDF2-SHA256 (120,000 iterations) password hashing — we cannot recover your plaintext password, and neither can anyone else.
Nightly encrypted database backups with retention policy.
No plaintext passwords in logs, errors, or responses.
Restricted server access (SSH key only for admins; password auth disabled).

No system is perfectly secure. If we ever become aware of a breach affecting your account data, we will notify affected users within 72 hours.

8. Children's privacy

THBT is rated for players 12+. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, email us and we will remove it.

9. International transfers

Our servers are physically located outside the UAE. By using the Service, you consent to your data being processed on those servers. We apply the same protections described in this policy regardless of where the data is processed.

10. Changes to this policy

We may update this policy as the Service evolves or as regulations require. Material changes will be announced in-app at least 14 days before taking effect. The current version is always available at thbt.ae/privacy.

11. Contact

Questions, complaints, or requests:
mohammadahmedahmed@gmail.com

Note to owner before App Store submission: replace [OWNER LEGAL NAME] with your legal entity name (individual or company), confirm the retention windows above match UAE accounting regulations for your structure, and consider having a UAE-qualified lawyer review this document. Remove this yellow box before launch.