Privacy Policy

§ 01

Definitions and Interpretive Framework

"Personal Data" — any information relating to an identified or identifiable natural person ("Data Subject"), including identifiers, online identifiers, location data, and factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

"Processing" — any operation or set of operations performed on Personal Data, whether or not by automated means, including: collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Controller" — Arora Labs, the natural or legal person that determines the purposes and means of Processing of Personal Data.

"Data Processor" — any natural or legal person that Processes Personal Data on behalf of the Data Controller, including Google LLC (Firebase), Anthropic PBC, and associated infrastructure providers.

"Application" — the Thinko mobile software application, including all versions, updates, features, and ancillary services.

"User" — any individual who installs, accesses, or uses the Application, including registered users, guest users, and unauthenticated visitors.

§ 02

Data Controller Identity and Contact Information

Arora Labs ("we", "us", "our") is the Data Controller responsible for your Personal Data collected and Processed through the Application.

We endeavour to respond to all substantive privacy enquiries within 30 calendar days of receipt. Where a request is complex or involves a high volume of data, we may extend this period by a further 60 days, subject to providing notification within the initial 30-day period.

§ 03

Categories of Personal Data Collected

3.1 — Identity and Authentication Data

When a User authenticates via Google Sign-In, we receive:

• Full legal name or display name as registered with Google
• Primary email address
• Profile photograph URL
• Unique Google account identifier

This data is transmitted pursuant to OAuth 2.0 authorisation flows and is subject to Google's own privacy documentation.

3.2 — Cognitive Performance and Gameplay Data

The Application records detailed cognitive performance data, including:

• Individual game scores and completion times
• Personal best scores per cognitive task
• Session-level composite brain scores (calculated via proprietary algorithm)
• Daily challenge participation and outcomes
• Quiz performance metrics (accuracy, language selection, difficulty tier, response latency per item)
• Longitudinal streak data and daily session history

3.3 — Behavioural and Interaction Analytics

Subject to applicable law and your consent where required, we collect anonymised or pseudonymised behavioural telemetry via Firebase Analytics, including:

• Screen view events and navigation flow data
• Feature engagement patterns and session duration metrics
• In-app event data (game starts, completions, subscription interactions)
• Device characteristics (OS version, hardware model, screen resolution tier)
• Application version identifiers

3.4 — Notification Infrastructure Data

Where you grant notification permissions, Firebase Cloud Messaging generates and stores a device-specific registration token ("FCM Token"). This token facilitates push notification delivery; it does not contain Personal Data but may be correlatable with your account if authenticated.

3.5 — Guest User Data

Guest Users are not required to provide any Personal Data. Gameplay statistics and settings are persisted exclusively within local device storage and are not transmitted to our servers. Anonymous analytics events may still be collected per Section 3.3.

§ 04

Legal Bases for Processing

4.1 — Performance of Contract (Art. 6(1)(b) GDPR)

Processing is necessary to perform the service agreement constituted by your acceptance of our Terms of Service, including providing account functionality, synchronising game data across devices, and delivering core Application features.

4.2 — Legitimate Interests (Art. 6(1)(f) GDPR)

We Process certain data on the basis of our legitimate interests in operating, maintaining, securing, and improving the Application — provided such interests are not overridden by your fundamental rights and freedoms. This includes fraud prevention, security monitoring, analytics for product improvement, and system stability.

4.3 — Consent (Art. 6(1)(a) GDPR)

Where Processing is not justified under the above bases, we rely on your freely given, specific, informed, and unambiguous consent. This applies to:

• Push notification delivery
• Certain advanced analytics features
• Marketing communications where applicable

You retain the right to withdraw consent at any time without detriment.

4.4 — Legal Obligation (Art. 6(1)(c) GDPR)

We may Process Personal Data to comply with applicable legal obligations, including in response to lawful demands from governmental or regulatory authorities with competent jurisdiction.

§ 05

Third-Party Data Processors and Sub-Processors

§ 06

International Data Transfers

Given the geographic distribution of our sub-processors, Personal Data may be transferred to, stored in, and Processed in jurisdictions outside your country of residence, including the United States of America, where data protection laws may differ from those in your jurisdiction.

Where transfers occur to countries not recognised as providing an adequate level of protection, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission (for EEA-originating transfers)
• Google's participation in applicable cross-border data transfer frameworks for Firebase services

By using the Application, you acknowledge the international nature of our operations and the associated data transfers described herein.

§ 07

Data Retention and Deletion

7.1 — Authenticated User Data

Personal Data associated with authenticated accounts is retained for the duration of the active account relationship and for 90 days following account deletion, to facilitate account recovery and satisfy residual legal obligations.

7.2 — Analytics Data

Behavioural analytics data is retained in aggregated or pseudonymised form for a maximum of 26 months from the date of collection, consistent with Firebase Analytics default retention parameters.

7.3 — Guest User Data

Data stored locally on-device for Guest Users is not subject to server-side retention. Such data persists until the Application is uninstalled or local storage is cleared by the User.

7.4 — Account Deletion

To request deletion of your account and all associated Personal Data:

• Use the account deletion function in the Application's Profile section, or
• Contact us at contact@aroralabs.org

Upon verification, we will initiate deletion procedures within 30 days, subject to legal retention obligations.

§ 08

Security Architecture and Technical Safeguards

8.1 — Data in Transit

All communications between the Application and backend infrastructure are encrypted via Transport Layer Security (TLS) version 1.2 or higher.

8.2 — Data at Rest

Personal Data stored in Firebase Cloud Firestore is encrypted at rest using AES-256 encryption, consistent with Google's infrastructure security standards. On-device data is stored using platform-native encrypted shared preferences.

8.3 — Access Controls

Firestore Security Rules enforce strict per-user data isolation — authenticated users can only access their own Personal Data. Administrative access is restricted on a least-privilege basis and requires multi-factor authentication.

8.4 — Incident Response

In the event of a Personal Data breach presenting risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours of becoming aware of the breach, where technically feasible and legally required.

§ 09

Your Rights as a Data Subject

To exercise any right, submit a written request to contact@aroralabs.org. We will respond within the statutory timeframe applicable in your jurisdiction.

§ 10

GDPR — Specific Provisions for EEA and UK Residents

10.1 — Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority in your member state (e.g., the UK ICO, the Irish DPC, or your national equivalent) if you consider that our Processing infringes applicable data protection law.

10.2 — Data Protection Officer

Given the scale and nature of our Processing activities, we are not currently required to designate a Data Protection Officer (DPO). Privacy enquiries should be directed to contact@aroralabs.org.

10.3 — Legal Basis Transparency

In accordance with Article 13 GDPR, all lawful bases for Processing are set forth in Section 4 of this Policy. Supplementary information is available upon written request.

§ 11

CCPA — Specific Provisions for California Residents

11.1 — Right to Know

You have the right to request disclosure of:

1. The categories and specific pieces of Personal Information collected
2. The categories of sources from which Personal Information is collected
3. The business or commercial purpose for collecting Personal Information
4. The categories of third parties with whom Personal Information is disclosed

11.2 — Right to Delete

You have the right to request deletion of Personal Information collected from you, subject to certain exceptions under Cal. Civ. Code § 1798.105.

11.3 — Right to Correct

You have the right to request correction of inaccurate Personal Information maintained about you.

11.4 — Non-Discrimination

We shall not discriminate against you for exercising any CCPA rights, including by denying services, charging different prices, or providing a different quality of service.

To submit a verifiable consumer request, contact contact@aroralabs.org with the subject line "CCPA Request".

§ 12

Children's Privacy and COPPA Compliance

The Application is not directed to children under:

• 13 years in the United States (COPPA)
• 16 years in the European Economic Area (Article 8 GDPR)

We do not knowingly solicit, collect, or Process Personal Data from children within the above age thresholds. The Google Sign-In pathway requires users to affirm compliance with Google's minimum age requirements as a prerequisite to account creation.

If you are a parent or legal guardian and believe your minor child has provided Personal Data to us without appropriate parental consent, contact us immediately at contact@aroralabs.org. We will take all commercially reasonable steps to promptly delete the relevant Personal Data.

§ 13

Cookies, Tracking Technologies, and Analytics Opt-Out

The native mobile Application does not employ cookies in the traditional browser-based sense. However, certain functionally analogous tracking mechanisms are utilised:

Advertising Identifier (IDFA / GAID)

Firebase Analytics may utilise platform advertising identifiers for analytics attribution. To disable:

• Android: Device Settings → Google → Ads → Reset advertising ID / Delete advertising ID
• iOS 14+: Device Settings → Privacy & Security → Tracking → disable "Allow Apps to Request to Track"

Firebase Analytics Opt-Out

Disable Firebase Analytics data collection by navigating to Application Settings → Accessibility → Reduce Motion (which also disables non-essential telemetry), or by contacting contact@aroralabs.org to request programmatic opt-out.

Instance ID

Firebase assigns an Instance ID to each Application installation for service-delivery purposes (messaging, crash reporting). This identifier is reset upon reinstallation and does not constitute persistent cross-application tracking.

§ 14

Third-Party Links and Embedded Content

The Application may contain hyperlinks to third-party websites, external support portals, or social media platforms. This Privacy Policy does not govern the data practices of any third-party resource to which we link. We expressly disclaim any responsibility for the privacy practices, security measures, or content of such third-party resources.

We strongly encourage you to review the applicable privacy policy of any third-party service prior to providing Personal Data thereto.

§ 15

Modifications to This Privacy Policy

We reserve the right to amend, update, or revise this Privacy Policy at any time in our sole discretion, including in response to changes in applicable law, technological developments, or modifications to our data Processing activities.

Material changes — defined as modifications that substantively alter the categories of data collected, the purposes of Processing, or your rights — will be communicated via:

• In-application notification
• Email to authenticated users, where technically feasible

The "Last Updated" date at the head of this Policy reflects the most recent revision. Continued use of the Application following the effective date of any modification constitutes acceptance of the revised Policy.

§ 16

Governing Law and Dispute Resolution

This Privacy Policy shall be governed by applicable international data protection law, including:

• EU General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA / CPRA)
• Australian Privacy Act 1988
• All other applicable regional data protection statutes

Nothing herein limits your right to pursue remedies before the competent data protection supervisory authority in your jurisdiction of residence.

Prior to initiating formal dispute resolution proceedings, we encourage you to contact us at contact@aroralabs.org to seek an amicable resolution.

§ 17

Contact Information and Data Subject Requests

All privacy-related enquiries, data subject access requests, complaints, and correspondence should be directed to:

Please include in your correspondence:

• Your full name (for account verification)
• The nature of your request or enquiry
• Your preferred contact method for our response
• Where relevant, the specific Personal Data or Processing activity to which your request pertains