Introduction
This Privacy Policy explains how SpellClock ("we", "our", or "the app"), developed by Galaxicore, collects, uses, stores, and protects your personal information when you use the SpellClock application and related services.
For questions regarding this policy, please contact spellclock@galaxicore.com .
1. Who This Policy Applies To
This policy applies to all users of the SpellClock Android application, including:
- Free users (post-trial)
- Free trial users
- Subscribers (monthly and yearly plans)
- Creators participating in the SpellClock Creator Program
- Administrators and Secretaries (staff accounts)
2. What SpellClock Does
SpellClock is a manual overlay app for tracking enemy battle spell cooldowns in MOBA games — specifically Mobile Legends: Bang Bang, Honor of Kings, and Arena of Valor.
SpellClock does not read, modify, access, or interact with any game data in any way. All timers are started manually by you. The app functions as a visual overlay only.
3. Data We Collect
3.1 Account Data (collected at registration)
| Data | Purpose |
|---|---|
| Email address | Account creation, login credential, OTP verification, transactional emails |
| Password (stored as bcrypt hash) | Authentication — the raw password is never stored |
| Country | Determines agreement version and applicable policies |
| Nickname | Auto-generated display name (e.g., SpellClock1) — not a login credential, not unique |
Your email address is used to greet you in all transactional emails. Your nickname is display-only and may be changed at any time from the Account tab.
3.2 Device Data
| Data | Purpose |
|---|---|
| Device identifier hash (SSAID) | Trial eligibility — anonymized SHA-256 hash only; raw SSAID is never stored |
| Device model name (e.g., Samsung Galaxy S24) | Displayed alongside your FCM token for device identification in your account |
3.3 Subscription and Transaction Data
| Data | Purpose |
|---|---|
| Google Play subscription state | Access control (active, grace, on hold, expired, etc.) |
| Google Play purchase token and order ID | Purchase verification and idempotency |
| Plan type (monthly/yearly) | Access tier determination |
| Subscription price in Philippine Peso (PHP) | Commission calculation for Creator Program participants |
| Payment count | Determines first-payment vs. renewal commission rates; used for upsell messaging |
3.4 Referral and Promotional Data
| Data | Purpose |
|---|---|
| Referral code applied at registration | Links subscriber to a Creator; determines pricing tier |
| Promo code applied at registration | Marketing attribution; determines pricing tier |
| Date referral code was applied | Distinguishes registration-time vs. post-registration referral application |
3.5 App Usage Data
| Data | Purpose |
|---|---|
| Overlay settings (icon size, opacity, button positions, spell presets, timer values) | Sync settings across devices for paid users and free trial users |
| Game profile selection (MLBB, HoK, AoV) | App functionality |
| Completed overlay session count | App review prompt eligibility; canary rollout eligibility |
| Ad credit balance | Tracks earned ad credit for free-tier users |
| Ad consent status | Stored locally in SharedPreferences only |
Overlay settings are stored on our servers for paid subscribers, Creators, Admins, and free trial users. Free post-trial users' settings are stored locally on-device only and are not synced to our servers.
3.6 Push Notification Data
| Data | Purpose |
|---|---|
| Firebase Cloud Messaging (FCM) token | Sending you push notifications (payout alerts, system updates, expiry warnings) |
FCM tokens are deleted immediately upon logout and upon account deletion.
3.7 Crash and Error Data
We use Firebase Crashlytics to collect crash reports from the app. Crashlytics may collect device type, OS version, app version, and a stack trace at the time of a crash. This data is used solely to identify and fix bugs. Please refer to [Google's Privacy Policy](https://policies.google.com/privacy) for Crashlytics data handling.
3.8 Advertising Data
Free post-trial users may watch rewarded ads (user-initiated only). Ads are served via Google AdMob and, where applicable, Meta Audience Network via AdMob mediation. These networks may collect device identifiers and advertising IDs (GAID) in accordance with their own privacy policies and your ad consent choices made at first launch.
- [Google AdMob Privacy Policy](https://policies.google.com/privacy)
- [Meta Privacy Policy](https://www.facebook.com/privacy/policy/)
You are shown a consent screen on first launch covering ad data collection. Ads are never shown while the overlay is active. Ads are never shown to subscribers, Creators, Admins, gifted access users, or free trial users.
3.9 Security and Rate Limiting Data
| Data | Purpose |
|---|---|
| IP address | Rate limiting, abuse prevention, registration velocity checks |
| IP subnet (/24) | Subnet-level rate limiting to detect coordinated bot registrations |
| Login attempt counts | Lockout enforcement |
This data is stored temporarily and purged automatically after 30 days of inactivity.
3.10 Creator Program Data (Creators only)
If you participate in the SpellClock Creator Program, we collect additional data:
In-app:
- Your self-chosen referral code (permanent; cannot be changed after setting)
- Referral statistics (monthly referral counts, renewal counts)
- Commission amounts (stored in Philippine Peso centavos)
- Payout status per month (Pending / Paid / Failed)
- Creator performance tier (Bronze / Silver / Gold / Diamond)
- Creator agreement version and acceptance date
Outside the app (via a separate, secure Google Form):
- Bank account details (bank name, account number, account holder name)
Bank details are collected solely for monthly payout processing. They are stored in our private payout records and are never stored in the SpellClock app database. They are never shared with third parties.
4. How We Use Your Data
- To create and maintain your account
- To verify your identity via one-time password (OTP)
- To activate and manage your subscription through Google Play
- To send you transactional emails (subscription confirmations, expiry warnings, payout notices, etc.)
- To send you push notifications (payout events, system alerts, agreement expiry warnings)
- To sync your overlay settings across your devices (paid tiers and free trial only)
- To calculate and track Creator Program commissions
- To process monthly Creator payouts via direct bank transfer
- To detect and prevent abuse, fraud, and unauthorized access
- To monitor app health and fix bugs via Firebase Crashlytics
- To serve rewarded ads to free post-trial users (user-initiated only, via AdMob)
- To comply with applicable laws and legal obligations
5. Legal Bases for Processing (Republic Act No. 10173 — Data Privacy Act of 2012)
We process your personal data on the following bases:
- **Contract performance:** Processing your subscription, verifying purchases, and providing the service you signed up for
- **Legitimate interests:** Security monitoring, abuse prevention, rate limiting, crash reporting, and app health monitoring
- **Consent:** Ad data collection (governed by your in-app ad consent choice)
- **Legal obligation:** Retaining financial records (commission history, subscription records) as required by applicable Philippine law
6. Data Retention
| Data | Retention Period |
|---|---|
| Account data (email, nickname, settings) | Retained while your account is active; anonymized or deleted after account deletion |
| Subscription and financial records | Minimum 5 years as required by applicable law |
| Commission history (Creator Program) | Minimum 5 years as required by applicable law |
| SSAID hash (device identifier) | 2 years after account deletion, on a legitimate interest basis for trial abuse prevention |
| Session and refresh tokens | Deleted on logout or expiry (7 days for staff; 1 year for regular users) |
| Rate limiting data | Purged after 30 days of inactivity |
| Expired OTPs | Purged within 1 hour |
| Admin action logs | 3 years (general actions); 5 years (financial and restore actions) |
| Crash and error reports (Crashlytics) | Subject to Google's retention policies |
7. Account Deletion
You may delete your account from the Account tab in the SpellClock app (available to Subscriber and Free users). Upon requesting deletion:
- You are automatically logged out immediately
- A **24-hour recovery window** begins, during which your account can be restored by contacting spellclock@galaxicore.com
- After 24 hours, your account is permanently finalized: your email, password hash, nickname, settings, and session data are deleted or anonymized
- Financial records (subscription history, referral records) are retained in anonymized form as required by law
- Your FCM token is deleted immediately upon the deletion request
Accounts that have been deleted 4 or more times are finalized immediately with no recovery window. This is to prevent abuse of the trial system via deletion cycles. This policy is disclosed at the time of deletion.
Creator accounts cannot be self-deleted through the app. Creators must contact spellclock@galaxicore.com to request account closure, pending payout settlement.
8. Data Sharing
We do not sell your personal data to any third party.
We share data with the following parties only as necessary to provide the service:
| Party | Purpose | Data Shared |
|---|---|---|
| Google Play (Alphabet Inc.) | Subscription billing and purchase verification | Purchase tokens, order IDs |
| Google AdMob | Ad serving (free tier users only, with consent) | Device advertising ID (GAID), as applicable |
| Meta Audience Network | Ad mediation (free tier users only, with consent) | Device advertising ID, as applicable |
| Firebase (Google) | Crash reporting, push notifications, App Check | Crash data, FCM tokens, device attestation signals |
| Amazon Web Services (SES) | Transactional email delivery | Email address, email content |
| Cloudflare | Backend infrastructure, CDN, database, workers | All app data passes through Cloudflare infrastructure |
All infrastructure is operated by Cloudflare (Cloudflare Workers, D1, KV, R2, Pages) and hosted on servers globally, with your data stored and processed in accordance with Cloudflare's data processing agreements.
9. Security
We take the following measures to protect your data:
- Passwords stored as bcrypt hashes — never in plain text
- SSAID stored as SHA-256 hash — raw device identifiers are never retained
- All API communication encrypted in transit via HTTPS (TLS)
- Sensitive admin actions require SpellClock PIN verification (bcrypt-hashed)
- Admin portal protected by two-factor authentication (email OTP + password) and bot protection (Cloudflare Turnstile)
- Rate limiting on all authentication endpoints to prevent brute-force attacks
- Device integrity verified via Firebase App Check (Play Integrity) at registration
- All Worker secrets managed via Cloudflare secrets management — never committed to source code
- Database backups encrypted and stored in Cloudflare R2 with tiered retention
Despite these measures, no system is completely secure. If you suspect unauthorized access to your account, contact us immediately at spellclock@galaxicore.com.
10. Children's Privacy
SpellClock is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal information, please contact us at spellclock@galaxicore.com and we will promptly delete it.
11. Your Rights (Republic Act No. 10173)
Under the Philippine Data Privacy Act of 2012, you have the right to:
- **Access** — Request a copy of the personal data we hold about you
- **Correction** — Request correction of inaccurate personal data (e.g., email address)
- **Erasure** — Request deletion of your personal data, subject to legal retention requirements
- **Object** — Object to processing of your personal data in certain circumstances
- **Data portability** — Request your data in a structured, commonly used format
To exercise any of these rights, contact us at: spellclock@galaxicore.com
We will respond to requests within a reasonable time and in accordance with applicable law.
12. Push Notifications
We send push notifications to your device using Firebase Cloud Messaging (FCM). These may include:
- Payout confirmations and alerts (Creator Program participants)
- Gifted access expiry warnings
- Creator agreement expiry reminders
- System status alerts (staff accounts only)
You may disable push notifications at any time through your Android device's notification settings. This does not affect transactional emails.
13. Transactional Emails
We send transactional emails from the following addresses:
- **noreply@spellclock.galaxicore.com** — All subscription, account, and Creator Program emails (38 template types)
- **admin@galaxicore.com** — Admin portal login OTP only (staff accounts)
These emails are transactional in nature and are sent in direct response to your account activity. They are not marketing emails and are not subject to unsubscribe requirements under applicable law; however, you may contact spellclock@galaxicore.com if you have concerns about a specific communication.
14. Cookies and Local Storage
SpellClock is an Android application. We do not use browser cookies. We use Android SharedPreferences to store the following data locally on your device:
- Login state (email pre-fill if "Remember Me" is enabled)
- Ad consent status
- Overlay settings (local copy, synced to server for eligible tiers)
- Completed overlay session count
- Game profile selection
The admin portal (admin.galaxicore.com) uses a secure, HTTP-only session cookie for authentication. This cookie is not used for tracking or advertising purposes.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Sending a transactional email to your registered address
- Updating the "Last Updated" date at the top of this page
The current version is always available at: https://spellclock.galaxicore.com/privacy
Continued use of SpellClock after the effective date of any changes constitutes your acceptance of the updated policy.
16. Contact
For privacy-related questions, data requests, or concerns:
Email: spellclock@galaxicore.com
Website: https://spellclock.galaxicore.com
SpellClock by Galaxicore
Philippines
SpellClock by Galaxicore — spellclock.galaxicore.com
Governed by the laws of the Republic of the Philippines (Republic Act No. 10173 — Data Privacy Act of 2012)