Who we are. This game, Inkwell, is operated by Innovelop, a sole proprietorship registered in South Africa. We are the “responsible party” under the Protection of Personal Information Act, 2013 (“POPIA”) and the “controller” under the EU/UK General Data Protection Regulation (“GDPR”) for the personal information described below.
Inkwell is built to work offline. By default, everything about your play — your level progress, stars, settings, and any purchase entitlements — is stored only on your device and is not sent to us.
You only share personal information with us if you choose to sign in to sync your progress across devices. Signing in is optional. You can be a premium (subscribed) player without an account; in that case your data stays on your device.
Your progress, stars, preferences, undo/attempt counters, purchase status, and your consent choices are stored locally on your device using your device's storage. This information is not transmitted to us and we cannot see it.
Sign-in uses a one-time code sent to your email address (sometimes called “OTP” or “magic link” sign-in). If you use it, we process:
Premium is subscribed inside the Android app, and subscriptions and top-ups are processed by Google Play. Your payment details (card numbers and similar) are handled by the app store under its own privacy terms — we never receive or store them. To manage your subscription and confirm your premium status, we use RevenueCat, which processes a purchase identifier and your entitlement status (but not your card details). Google Play and RevenueCat may process this information outside South Africa and the EU, including in the United States.
If — and only if — you switch them on, we may process anonymous usage statistics to improve the game, and may use your email address to send occasional product news. Both are off by default, and you can turn them off again at any time in Privacy & Data settings. We do not use your information for advertising, and we do not sell it.
We do not knowingly process special categories of personal information (such as health, biometric, religious or political data), and the game is not designed to collect any.
When you sign in, we use the following operators (“processors”) who act only on our instructions under signed data-processing agreements. Each is certified under the EU–U.S. Data Privacy Framework and offers Standard Contractual Clauses for international transfers:
| Processor | What they do for us | Where they process |
|---|---|---|
| Supabase Pte. Ltd | Database, authentication (sign-in codes), and storage of your consent record and synced progress | Singapore; hosting in the United States (via Amazon Web Services) |
| Plus Five Five, Inc. (Resend) | Sending one-time sign-in codes and service emails to your address | United States |
| RevenueCat, Inc. | Managing subscriptions and top-up purchases and validating your premium entitlements | United States |
| Cloudflare, Inc. | Network delivery, performance, and security (processes IP addresses and connection logs) | United States |
Note: We also use GitHub as a software-development tool. GitHub is not in the path of your in-game personal information and does not receive player data through normal use of the game.
Because the processors above operate in the United States and elsewhere, your personal information may be transferred outside South Africa and the European Economic Area when you sign in. POPIA (section 72) and the GDPR (Chapter V) permit this where appropriate safeguards are in place. Our safeguards are the processors' Data Privacy Framework certifications and the Standard Contractual Clauses included in our agreements with them. If you only play offline, no such transfer takes place.
Under POPIA and, where it applies, the GDPR, you have the right to:
You can exercise the data choices yourself in the game under Privacy & Data (including withdrawing optional consent and deleting all your data). For anything else, contact our Information Officer at privacy@innovelop.org.
South Africa — Information Regulator. You may complain to the Information Regulator (South Africa): inforegulator.org.za; complaints email POPIAComplaints@inforegulator.org.za.
EU/EEA/UK. If you are in the EU, EEA, or UK, you may also complain to your local data protection authority.
Inkwell is a single-player puzzle game suitable for a general audience. If you are under the age of 18 (or the age of digital consent in your country), you should only use the game, and only sign in or make any purchase, with the consent and involvement of a parent or legal guardian. Where the law requires it, we rely on a parent or guardian to provide consent on a child's behalf for any processing of personal information.
No contact with other people. Inkwell has no chat, messaging, comments, multiplayer, friend lists, profiles, user-generated content, or any other feature that lets users communicate with or be contacted by anyone else. There is therefore no pathway through the game for a stranger or predator to reach a child. The only personal information involved is what is described in this policy, and only if a player chooses to sign in.
If you believe a child has signed in or provided personal information without the necessary parental consent, contact our Information Officer at privacy@innovelop.org and we will delete it.
Our processors maintain recognised security measures, including encryption of data in transit and at rest, access controls, and independent audits (such as SOC 2 and ISO 27001). No method of transmission or storage is perfectly secure, but we take reasonable steps to protect your information.
If we materially change how we handle your information, we will update this policy and, where required, ask for your consent again inside the game. The “last updated” date above shows the current version.
View Innovelop PAIA manual at home.innovelop.org