Senior Assassin
Senior Assassin

Privacy Policy

Last Updated: April 21, 2026

1. Overview

This Privacy Policy explains how Zinance Inc. ("we," "us," or "our") collects, uses, and discloses information in relation to our mobile application Senior Assassin (the "App"), website (hxh.app), and the related online services operated by Zinance Inc. that link to this Privacy Policy (collectively, the "Services").

This Privacy Policy describes how your personal information is handled when you use the Services. Where your consent is required for specific processing activities (such as the collection of precise geolocation data), we obtain that consent separately as described in the relevant section below. If you have any questions, please contact us at admin@hxh.app. Zinance Inc. is the controller of personal information collected through the Services; our Privacy Officer's contact details are in Section 11.

2. Data We Collect

We collect information to provide and improve our Services. The types of data we collect include:

a. Account Information

When you create an account on Senior Assassin, we may collect:

  • Email address
  • A name you choose to associate with the account (does not need to be your legal name)
  • Avatar or profile picture (if you choose to upload one)
  • A short-lived, one-time verification code sent to your email for sign-in; the code is not retained after verification

b. Gameplay Data

While you use Senior Assassin, we collect data related to your gameplay, such as:

  • Game memberships and roles
  • Target assignments and eliminations/completions
  • Chat messages within games (please be mindful of the information you share)
  • Game scores, progress, and related statistics

c. Location Data

Senior Assassin collects precise geolocation data (GPS coordinates) from your device. Because location data is sensitive personal information, we require your express, informed consent before collecting it. Location data is collected solely for the gameplay purposes described below and is never used for advertising, profiling, or any purpose unrelated to the Services.

Why We Collect Location Data

We collect your location data for the following specific, limited purposes:

  • Live Map & Proximity Alerts: To display your position on the in-game map and to trigger proximity-based alerts during active gameplay.
  • Safe Zone Enforcement: To determine whether you or another player are within a designated safe zone where gameplay actions are restricted.
  • Game Integrity: To verify elimination claims and resolve disputes where location is relevant.

Collection, Consent, and Control

Location data is collected while the App is running and you have granted location permission. Background collection requires a separate, explicit OS-level permission that can be granted or revoked at any time through your device settings.

Location collection requires your affirmative opt-in, which is separate from your general agreement to use the Services and is not bundled with access to non-location features. You may grant foreground-only or foreground-and-background access, and you may withdraw consent at any time through your device settings or the App. Without location consent, live map, proximity alerts, and safe zone enforcement will be unavailable, but your account, chat, and other non-location features remain functional.

Retention of Location Data

Your most recent location point is stored on a volatile in-memory server to power the live map and proximity features. See the retention table in Section 6 for the applicable expiration period. We do not maintain a location history, trail, or session log. If a specific location point is relevant to an open dispute or investigation, it may be preserved solely for that purpose and deleted on resolution.

What Other Players See

  • During Active Gameplay: Other participants in your game can see your current in-game location on the map. In-App Home Privacy controls let you hide your position while within a zone you designate.
  • Outside Active Gameplay: Your location is not displayed to other players when you are not in an active game session.
  • No Location Data Export. The App does not provide other players with a function to download or export your location data.
  • Prohibited Misuse by Other Players. Use of location data obtained through the App for any purpose other than in-game play is prohibited under our Terms of Service and may constitute criminal harassment under applicable law. Report misuse to admin@hxh.app. If you feel unsafe, call 911 or contact your local police service first.

Safeguards for Minors (Users Under 18)

  • A parent or legal guardian may contact us at admin@hxh.app to request that we cease collecting location data from their child under 18. Additional rights available to parents and legal guardians are described in Section 8.
  • Location data is not used for behavioural analysis or any purpose beyond the gameplay functions above for users of any age.

Anti-Misuse Measures

Location data is accessible only to authorized Zinance Inc. personnel on a need-to-know basis and is not disclosed to advertisers or data brokers. Report suspected misuse to admin@hxh.app; reported conduct will be investigated and may result in account suspension and, where warranted, referral to law enforcement.

d. Media Uploads

If game rules require or allow it, you may upload media such as:

  • Elimination/completion videos or photos as proof.
  • Profile pictures.

No biometric processing. Elimination videos and photos may depict faces. Zinance Inc. does not extract, generate, store, or process biometric identifiers — including face templates or face geometry — from uploaded media, and does not run facial recognition or face-matching. Uploaded photos and videos are stored as ordinary media files subject to the retention schedule in Section 6 (or Section 8(d) for users under 18), and may be visible to other participants in the same game as described in Section 5. If we ever introduce a feature that would involve biometric processing, we will obtain separate, specific, informed, written opt-in consent before such processing begins, and — for users under 18 — verifiable parental or guardian consent.

e. Technical & Usage Data

We automatically collect certain technical information when you use our Services, such as:

  • Device type, operating system, and version
  • IP address
  • App version and usage statistics (e.g., features used, crash reports)
  • Limited analytics signals from our website; the mobile App does not set cookies

f. Sensitive Personal Information

Of the categories above, precise geolocation (§2(c)) is "sensitive personal information" under Cal. Civ. Code §1798.140(ae)(1)(G) and equivalent U.S. state laws. We do not collect racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric identifiers, health information, or information concerning sex life or sexual orientation, immigration status, or the contents of personal mail, email, or text messages (other than in-game chat you submit, which is visible to other players in the same game as described in Sections 2(b) and 5). We process precise geolocation solely to provide the gameplay services you request and for service-integrity purposes permitted by 11 CCR §7027(l); see Section 7.3.

3. How We Use the Data

Zinance Inc. does not engage in "sales," "shares," or "targeted advertising" as those terms are defined under applicable U.S. state privacy laws. We do not currently train our own machine-learning or generative-AI models on your personal data, and we do not permit our service providers to use personal data we share with them to train their models for their own purposes. If our practices change, we will update this Privacy Policy and, where required by law, obtain your opt-in consent before the new use begins.

We use the collected data for the following purposes:

  • To provide and maintain core features: account creation, target assignment, live map display, in-game chat, elimination verification, subscription entitlement checks, and other functions you request.
  • For safety, security, and game integrity: drive-detection warnings, safe-zone enforcement, detection of location spoofing or gameplay manipulation, investigation of player reports, and enforcement of our Terms.
  • For content moderation: filtering profanity in in-game chat and reviewing user-submitted reports of misconduct.
  • For analytics and service improvement: understanding aggregate usage patterns, identifying bugs, and improving features. Where feasible, this data is aggregated or pseudonymised; identifiable technical and usage data is retained only for the period stated in Section 6 before being aggregated.
  • To communicate with you: transactional and account-related messages; commercial messages only with the opt-in consent described in Section 4.
  • For legal and regulatory compliance: responding to lawful requests, meeting record-keeping obligations (including the post-deletion retention described in Section 6), defending legal claims, and other purposes reasonably necessary to or compatible with the purposes above, or for which we obtain your consent.

Automated processing. Some core gameplay outcomes are produced automatically: drive-detection warnings displayed on your own device based on GPS speed (warning only — no account consequence); safe-zone entry/exit indicators; and, where a game organizer has configured contactless or auto-approved elimination modes, elimination outcomes within that game. These automated outcomes affect only your participation in an individual game session and do not produce legal or similarly significant effects concerning you within the meaning of Article 22 of the GDPR. If we suspend or terminate your account for violations of our Terms, the decision is reviewed by a Zinance Inc. staff member before it takes effect and you will receive notice and an opportunity to appeal as described in Section 7.5.

4. Electronic Communications

Zinance Inc. sends electronic messages in accordance with applicable law, including Canada's Anti-Spam Legislation (S.C. 2010, c. 23) ("CASL"), the CAN-SPAM Act (15 U.S.C. §§7701 et seq.), the Telephone Consumer Protection Act (47 U.S.C. §227) where applicable, and applicable state commercial-message laws.

Transactional messages. Messages that facilitate, complete, or confirm a transaction or gameplay action you have previously engaged in — including account verification and sign-in codes, security alerts, notifications relating to active gameplay you have joined (such as target assignments, elimination submissions and outcomes, team and game join-request workflows, team-captain promotions, round transitions, and admin-initiated account actions), direct-message alerts, and notices of material changes to this Privacy Policy or our Terms — are sent by default while your account is active. You may disable push delivery through your device's operating-system settings; doing so will prevent our push notifications from reaching your device without closing your account.

Commercial electronic messages. We do not send marketing or promotional electronic messages without your prior express opt-in consent. If we introduce them, consent will be obtained through a clear affirmative action (no pre-checked boxes, never bundled with access to the Services), recorded, and withdrawable. Withdrawing consent to receive commercial messages will not affect your receipt of transactional messages. Any such commercial message will identify Zinance Inc. as sender, provide our contact information (including a valid physical mailing address and a current email address, web URL, or telephone number), and include a working unsubscribe mechanism that is processed as required by applicable law.

Push notifications. Push notifications relating to active gameplay are transactional. Push notifications that announce seasonal events, new features, referral incentives, or other promotional content are treated as commercial electronic messages and require your prior express opt-in. We do not currently send SMS or text messages; if we introduce SMS-based communications in the future, we will obtain any additional consent required under applicable law, including the TCPA for U.S. recipients and applicable state mini-TCPA statutes.

5. Data Sharing and Disclosure

Zinance Inc. does not sell personal information, and does not "share" personal information for cross-context behavioural advertising, as those terms are defined in the California Privacy Rights Act.

We may share your information in the following limited circumstances:

  • With Service Providers (Processors): We use third-party vendors to operate the Services. Categories include, but are not limited to: (i) cloud hosting, database, and content-delivery infrastructure (including object storage and content-delivery services used to store and serve uploaded media); (ii) identity and authentication providers, including providers supporting email-based passwordless sign-in and third-party sign-in (such as Sign in with Apple); (iii) mobile push-notification delivery services and the underlying operating-system push services (including Apple Push Notification service and Google Firebase Cloud Messaging); (iv) app-store payment and subscription-entitlement processors that validate and reconcile in-app purchases; (v) error- and crash-reporting tools; and (vi) customer-support tools. Each processor is bound by a written contract that restricts its use of personal information to the services we specify, as required by Cal. Civ. Code §1798.140(ag)(1) and analogous state laws. Some of these processors are located outside your country of residence; international transfers are described in Section 9.
  • With Other Players (In-Game): Depending on game settings and your privacy selections, other participants in a game you have joined may see information necessary for gameplay, including (for example) your username, avatar, team and game membership, target/hunter role, gameplay status indicators (such as alive/eliminated state, approximate in-game location if you have granted location consent, movement indicators, device-battery indicators, and at-home/activity indicators), subscription-tier badge, elimination history and any elimination media you submit, leaderboard entries, and in-game chat messages you send. The exact fields displayed depend on the game's settings and your selections. Players outside your active games do not see this information.
  • Compelled Legal Process: We may disclose personal information in response to a subpoena, warrant, court order, or other legal process that we reasonably believe compels disclosure.
  • Protection of Rights and Safety: We may disclose personal information where we have a good-faith belief that disclosure is necessary to investigate or prevent fraud, violations of our Terms of Service, or imminent risk of death or serious physical injury to any person, consistent with 18 U.S.C. §2702(b)(5) and (c)(4) and analogous laws.
  • Mandatory Reporting of Child Sexual Abuse Material: If we obtain actual knowledge of apparent child sexual abuse material (as defined in 18 U.S.C. §2256), we will report it to the CyberTipline of the National Center for Missing & Exploited Children as required by 18 U.S.C. §2258A. Consistent with Section 2(d), we do not conduct proactive scanning of uploaded media and do not perform facial recognition, age estimation, or other biometric processing.
  • In Case of Business Transfer: If Zinance Inc. is involved in a merger, acquisition, or sale of all or substantially all of its assets, personal information may be transferred as part of that transaction. We will notify affected users of any material change in the privacy-policy terms applicable to their personal information resulting from the transaction, and where reasonably practicable we will provide this notice in advance of the transfer.

6. Data Storage & Security

Zinance Inc. maintains commercially reasonable administrative, technical, and physical safeguards designed to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These safeguards include encryption of web traffic using HTTPS, reliance on the encryption-at-rest protections offered by our cloud infrastructure providers for stored data, and restricting access to personal data to authorized personnel.

Data Retention: Zinance Inc. retains personal data only for as long as is reasonably necessary to provide the Services, resolve disputes, enforce our agreements, and comply with our legal obligations. To determine the appropriate retention period, we consider the nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the information and whether those purposes can be achieved through other means, and applicable legal and regulatory requirements. When personal data is no longer reasonably necessary for these purposes, it is deleted or de-identified, except where retention is required by law or to preserve records relevant to an active legal proceeding, dispute, or investigation. Shortened retention practices applicable to users under 18 are described in Section 8(d).

The table below provides general guidance on how key categories of personal data are retained. Actual retention may be shorter or longer in a particular case based on the factors described above.

| Data Category | General Retention Approach | |---|---| | Location data (GPS coordinates) | Your most recent location point is held transiently in an in-memory cache to power live map and proximity features and expires automatically; we do not maintain a location history. | | Gameplay data (target assignments, eliminations, scores, game memberships) | Retained for as long as reasonably necessary to support gameplay, leaderboards, season history, dispute resolution, and our legal obligations. | | Chat messages (in-game messages) | Retained for as long as reasonably necessary for gameplay, moderation, dispute resolution, and our legal obligations. | | Media uploads (elimination videos, photos) | Retained for as long as reasonably necessary for game integrity, dispute resolution, moderation, and our legal obligations. | | Account data (name, email, avatar, hashed password) | Retained while your account is active and for a reasonable period thereafter to the extent necessary to comply with legal obligations, enforce our agreements, or resolve disputes. | | Technical & usage data (device info, IP address, crash reports, analytics) | Retained by us and our infrastructure providers for operational, security-monitoring, and debugging purposes consistent with their standard log-retention practices. |

If you have questions about the retention of your data or wish to request deletion, please contact us at admin@hxh.app.

No method of transmission over the Internet or method of electronic storage is completely secure. While we use commercially reasonable measures to protect your personal data, we cannot guarantee its absolute security.

Breach of Security Safeguards

In the event of a breach of security safeguards involving personal information, Zinance Inc. will respond in accordance with PIPEDA, U.S. state breach-notification laws, the EU and UK General Data Protection Regulation, and other applicable regulations. Where notification is required by applicable law, we will provide it within the timeframes and in the manner that the applicable law requires, and will maintain records of security breaches to the extent required by law.

If you believe your personal information held by Zinance Inc. has been compromised, contact us immediately at admin@hxh.app.

7. User Choices & Rights

This section describes the choices and rights you have in relation to your personal information. Rights vary by jurisdiction; we honour the strongest applicable right when laws overlap.

7.1 Choices Available to All Users

  • Access and Update. You can update your display name and avatar from within the App. To update other account information, contact us at admin@hxh.app.
  • Account Deletion. You may delete your account from within the App, or request deletion by contacting us at admin@hxh.app. Deletion is subject to the limited post-deletion retention described in Section 6 and to the response timelines described in §7.5.
  • Location Controls. You can grant, limit, or revoke location permissions at any time through your device's operating-system settings, as described in Section 2(c).
  • Electronic Communication Preferences. You can manage marketing messages as described in Section 4. Transactional messages tied to active gameplay and account security cannot be disabled while your account is active.
  • Push Notifications. You can disable any push notification category from your device's operating-system settings.

7.2 Rights Under Canadian Law (PIPEDA and Provincial Law)

If you are in Canada, you have the following rights under PIPEDA and, where applicable, Quebec's Law 25, Alberta's PIPA, or British Columbia's PIPA:

  • Right of access to the personal information we hold about you.
  • Right to correction of inaccurate or incomplete personal information.
  • Right to withdraw consent, subject to legal or contractual restrictions, with reasonable notice.
  • Right to data portability (Quebec residents): you may request that your computerized personal information be communicated to you or transmitted to another organization in a structured, commonly used technological format.
  • Right to de-indexing and cessation of dissemination (Quebec residents under s. 28.1 of Law 25) where applicable.
  • Right to complain to the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec, as described in Section 11.

7.3 Rights Under U.S. State Privacy Laws

Depending on the U.S. state in which you reside, you may have certain rights regarding your personal information under applicable state privacy law (including California). These rights apply as and to the extent provided by your state's law, and each right is subject to its own statutory definitions and exemptions:

  • Right to know / access. Confirm whether we process your personal information and obtain access to that information, including the categories, sources, business purposes, and categories of recipients.
  • Right to delete personal information we collected from or about you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to data portability. Obtain a copy of your personal information in a structured, commonly used, and machine-readable format, to the extent technically feasible.
  • Right to opt out of sale, sharing, and targeted advertising. Zinance Inc. does not sell, share (as defined in the California Privacy Rights Act), or process personal information for targeted advertising. Accordingly, we do not currently process Global Privacy Control signals as opt-out preference signals. If our practices change, we will update this policy and provide the required opt-out mechanisms.
  • Right to limit the use and disclosure of Sensitive Personal Information. We collect precise geolocation data, which California law treats as sensitive personal information under Cal. Civ. Code §1798.140(ae)(1)(G). We process this data solely to provide the gameplay services you request and for security, debugging, and service-integrity purposes permitted by the CCPA and its implementing regulations (11 CCR §7027(l)). We do not use or disclose sensitive personal information for the purpose of inferring characteristics about you or for any purpose other than those permitted by the CCPA, and therefore no separate "Limit the Use of My Sensitive Personal Information" link is required. If our practices change, we will update this policy accordingly.
  • Right to non-discrimination. We will not deny Services, charge different prices, or provide a different level or quality of Services because you exercised a privacy right.
  • Right to opt out of profiling that produces legal or similarly significant effects. We do not conduct such profiling.
  • Right to appeal. If we deny your rights request, you may appeal by replying to our written denial with the subject line "Privacy Rights Appeal." We will respond with a written decision within sixty (60) days, explaining our reasoning and, if applicable, informing you of your right to contact your state Attorney General.
  • Nevada residents (NRS 603A.340). We do not sell covered information. Nevada residents may still submit a verified opt-out request to admin@hxh.app; we will record the request and honour it if our practices change.
  • Shine the Light (Cal. Civ. Code §1798.83). We do not share personal information with third parties for their own direct marketing purposes, so we have no disclosure obligations under §1798.83.

7.4 Rights Under the EU GDPR and UK GDPR

If you are in the European Union, the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under Articles 15–22 of the GDPR (or the equivalent UK GDPR provisions):

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability in a structured, commonly used, and machine-readable format, to the extent technically feasible (Art. 20)
  • Right to object to processing based on our legitimate interests, including profiling (Art. 21). If we engage in direct marketing, you will have an absolute right to object to it.
  • Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22). We do not currently engage in such automated decision-making.
  • Right to withdraw consent at any time where processing is based on consent (Art. 7(3)); withdrawal does not affect the lawfulness of prior processing.
  • Right to lodge a complaint with your supervisory authority (Art. 77) — see Section 11.

7.5 How to Submit a Request

Submit any rights request by emailing admin@hxh.app with the subject line "Privacy Rights Request" and a description of the right you wish to exercise. We will respond within the timeline required by your applicable law — 30 days under PIPEDA, 45 days under CCPA/CPRA and U.S. state privacy laws (extendable once by 45 days with notice), and 1 month under GDPR/UK GDPR (extendable by 2 months for complex requests with notice).

Identity verification. We will verify your identity before disclosing, correcting, or deleting personal information. If you have a password-protected account, we may ask you to re-authenticate; otherwise, we may ask you to confirm data points we hold. The level of verification will be proportional to the sensitivity of the request, and information collected for verification is used only for that purpose. There is no charge for submitting a rights request. Where a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or decline to act, as permitted by applicable law.

Authorized agents. You may designate an authorized agent to submit a request on your behalf by providing (i) a written authorization signed by you, or (ii) a valid power of attorney. We may contact you directly to verify your identity and to confirm that you authorized the agent to act. Parents and legal guardians submitting requests on behalf of minors under 18 should follow Section 8(c).

Appeals. If we deny your request in whole or in part, you may appeal by replying with the subject line "Privacy Rights Appeal." We will respond within sixty (60) days with a written decision. If you are not satisfied, you may contact your state Attorney General or the regulator in Section 11.

8. Children's Privacy

The Services are a general-audience product directed to users aged 13 and older and are not directed to children under 13. Where applicable law requires additional protections for users under 18, Zinance Inc. applies the safeguards described in this Section in addition to the other protections in this Privacy Policy.

a. Age Thresholds

Senior Assassin applies the following age-based requirements for use of the Services:

  • Under 13. The Services are not directed to and are not intended for children under the age of 13. By creating or using an account, each user represents that they are at least 13 years of age. If Zinance Inc. obtains actual knowledge that a registered user is under the age of 13, Zinance Inc. will take steps to terminate the account and delete or de-identify the associated personal information consistent with 16 C.F.R. Part 312.
  • Ages 13 to 17. Users between the ages of 13 and 17 may use the Services subject to the consent of a parent or legal guardian where required by applicable law. A parent or legal guardian may contact Zinance Inc. at admin@hxh.app to exercise the rights described in Section 8(c).
  • EU, EEA, and United Kingdom. Where the EU General Data Protection Regulation or equivalent United Kingdom data protection law applies, the minimum age at which a user may consent to the processing of personal data without parental consent is 16 by default under GDPR Article 8, or the lower age set by applicable national law (including 13 in the United Kingdom and as permitted by certain EU member states). Users below that age in those jurisdictions may use the Services only with the consent of a parent or legal guardian.

b. Parental Consent

Where the consent of a parent or legal guardian is required by applicable law for a user under the age of 18 to use the Services, that consent is provided, as described in Section 2 (Eligibility) of our Terms of Service, when the parent or legal guardian permits the minor to create or use an account. If a legal requirement applicable to Zinance Inc. requires a specific method of verifiable parental consent (for example, the methods described in 16 C.F.R. §312.5(b)) for a particular collection or use, Zinance Inc. will obtain consent through a method that satisfies that requirement before engaging in the collection or use to which it applies.

A parent or legal guardian may withdraw consent at any time by contacting Zinance Inc. at admin@hxh.app, as further described in Section 8(c).

c. Parental Rights

A parent or legal guardian of any user under the age of 18 may, at any time, exercise the following rights by contacting Zinance Inc. at admin@hxh.app:

  • Request deletion. Request deletion of their child's personal information, subject to the exceptions permitted by applicable law (including the limited post-deletion retention described in Section 6) and the identity-verification steps described below.
  • Withdraw consent. Withdraw consent previously provided for the collection or use of their child's personal information, including location data. Where consent is withdrawn, features that depend on the withdrawn consent will no longer be available for the minor's account.
  • California under-18 removal right (Cal. Bus. & Prof. Code §22581). If the minor is a California resident and a registered user, the minor or their parent or legal guardian may request removal of content the minor posted by emailing admin@hxh.app, subject to the exceptions set forth in Cal. Bus. & Prof. Code §22581(b).

To exercise any of the above rights, the parent or legal guardian must contact Zinance Inc. at admin@hxh.app and provide sufficient information to verify their identity and their relationship to the minor user. Zinance Inc. may request reasonable documentation to confirm the requester's identity and authority before processing the request.

Senior Assassin does not currently offer parents or guardians a real-time visibility feature for a minor's in-game location or account activity. Where applicable law requires a specific parental-visibility feature for a covered service, Zinance Inc. will provide it in a manner consistent with that law and with the safety of the minor user. Other participants in a minor's active game may see the minor's in-game position as described in Section 2(c).

d. Enhanced Protections for Users Under 18

All users under the age of 18 are subject to the following enhanced data protections, which apply in addition to the safeguards described elsewhere in this Privacy Policy (including the location-specific safeguards in Section 2(c)):

No behavioural or targeted advertising. Personal information from users under 18 is not used for behavioural or targeted advertising or advertising personalization, consistent with Section 3.

No profiling. Personal data from users under 18 is not used for profiling, automated decision-making, or predictive analysis, except for safety features that are integral to the Services (such as drive detection, which detects whether a user may be operating a motor vehicle during gameplay and triggers appropriate safety warnings).

Data retention. Personal information from users under 18 is retained only as long as necessary for the gameplay purposes described in Sections 2 and 6 and is subject to the retention schedule in Section 6. Zinance Inc. periodically reviews its retention practices to keep them proportionate to those purposes.

Restricted sharing. Personal information from users under 18 is shared only with service providers engaged to support the functionality of the Services, as described in Section 5, and is not disclosed to third-party advertisers, data brokers, or marketing platforms for advertising or marketing purposes.

No sale or sharing of minors' data. Zinance Inc. does not "sell" or "share" (as those terms are defined under the California Consumer Privacy Act) the personal information of users under 18, consistent with Section 5.

Defaults. Consistent with how the Services operate for all users, background location collection requires the user's operating-system permission (Section 2(c)), and profiles are visible only to other participants in the same active game.

e. School-Organized Games

Where a game is organized through or in connection with a school, the school or game organizer may facilitate communication regarding parental consent and the collection of personal data. However, Zinance Inc. remains the controller of personal data collected through the Services and remains accountable for its data practices under the Personal Information Protection and Electronic Documents Act (PIPEDA) and all other applicable privacy legislation, regardless of the role of any school or organizer.

Consent obtained by a school or organizer on behalf of a parent or guardian may be relied upon by Zinance Inc. only where it satisfies the applicable legal standard (for example, the school authorization described in 16 C.F.R. §312.5(c)(6) or the equivalent provision of other applicable law).

Game Organizers who organize games involving minors should review their obligations under Section 5.3 of the Terms of Service, including the requirement to ensure that participation by minors complies with applicable law.

f. Applicable Law

Zinance Inc.'s practices regarding minors' personal data are governed by the following legislation, as applicable:

  • PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5): Under PIPEDA, the consent of a minor who lacks the capacity to provide meaningful consent must be obtained from a parent or legal guardian.
  • COPPA (Children's Online Privacy Protection Act, 15 U.S.C. §§6501–6506, and the COPPA Rule, 16 C.F.R. Part 312, as amended at 89 Fed. Reg. 2034): Zinance Inc. does not knowingly collect personal information from children under 13. If Zinance Inc. obtains actual knowledge that a registered user is a child under 13, Zinance Inc. will act in accordance with Section 8(a). Where the amended Rule's expanded definitions of personal information apply by operation of law, Zinance Inc. will comply with the Rule as applicable.
  • Provincial, U.S. state, and international privacy laws: Where provincial privacy legislation (such as Quebec's Act respecting the protection of personal information in the private sector, CQLR c P-39.1, or Alberta's PIPA, SA 2003, c P-6.5), the GDPR or UK GDPR, or U.S. state minor-protection laws and age-appropriate design codes impose requirements stricter than those above, Zinance Inc. will comply with the stricter requirement.

Where there is a conflict between the requirements of different applicable laws, Zinance Inc. will apply the stricter requirement.

9. International Data Transfers

Zinance Inc. is a Canadian corporation with its principal office in the Province of Ontario, Canada. We use service providers and infrastructure located in Canada, the United States, and other countries to operate the Services, which means personal information you provide may be transferred to, processed in, and stored in countries outside your own, including countries whose data-protection laws may differ from the laws of your jurisdiction. Where applicable law requires a specific safeguard for a particular cross-border transfer — including, for example, the safeguards required by Quebec's Law 25, the EU General Data Protection Regulation, and the UK General Data Protection Regulation — we implement an appropriate safeguard available under that law.

10. Updates to This Policy

Zinance Inc. may revise this Privacy Policy from time to time. When we do, we will post the revised Privacy Policy on this page and update the "Last Updated" date at the top. Please review this page periodically.

Where applicable law requires additional steps before a change takes effect with respect to personal information already collected — including renewed verifiable parental consent under the Children's Online Privacy Protection Rule (16 C.F.R. Part 312) for users under 13, or refreshed consent under Canadian privacy law for a new purpose — we will take those steps before applying the revised policy to that personal information. A separate consent previously obtained from you (including the location-data consent described in Section 2(c) and any parental or guardian consent described in Section 8(b)) remains governed by its own terms until superseded by a new consent obtained in accordance with applicable law.

11. Privacy Officer and Complaints

11.1 Accountability

Zinance Inc. is accountable for personal information under its control and has designated an individual responsible for compliance with applicable privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), applicable U.S. state privacy laws, and (where applicable) the EU General Data Protection Regulation and UK GDPR. Where applicable law requires us to designate a data protection officer or a local representative for your jurisdiction, we will provide those contact details in this Privacy Policy.

11.2 How to Contact Us

If you have any questions, concerns, or requests about this Privacy Policy, our data practices, or how your personal information is handled, contact our Privacy Team:

Zinance Inc.

Email: admin@hxh.app

A plain email is sufficient. Please include enough detail for us to understand and look into your question (for example, the email address associated with your account and a description of your concern).

We will respond within the time required by applicable law. Where your message also constitutes a rights request under Section 7, the timelines in Section 7.5 apply to the substantive determination.

11.3 Complaints

If you believe that Zinance Inc. has not handled your personal information in accordance with this Privacy Policy or applicable law, email us at admin@hxh.app with the subject line "Privacy Complaint." If you are not satisfied with our response, or if you do not receive a response within the time required by applicable law, you may lodge a complaint with a competent regulator, including:

  • Office of the Privacy Commissioner of Canada (OPC) — current contact information is available at www.priv.gc.ca.
  • Commission d'accès à l'information du Québec (CAI), for Quebec residents — www.cai.gouv.qc.ca.
  • Your state Attorney General or state privacy regulator, where applicable under U.S. state privacy law (for example, the California Privacy Protection Agency or California Attorney General for California residents).
  • The supervisory authority in your jurisdiction under GDPR Article 77 or UK GDPR (for example, the UK Information Commissioner's Office, or your EU member-state data protection authority; a list is maintained at edpb.europa.eu).

Parents and guardians. If your child is under 18, you may file a privacy complaint on their behalf using the same process above. Please identify yourself as the parent or guardian and include enough information to locate your child's account.