Privacy Policy

Cyber Scam Simulator ("we", "our", or "us") is a cybersecurity awareness training application developed and operated by Octopye Digital Designs. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Cyber Scam Simulator mobile application (the "App"), available on the Google Play Store.

This policy applies to all users of the App. By downloading, installing, or using Cyber Scam Simulator, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the App.

This Privacy Policy is governed by and compliant with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we refer to "personal data" or "personal information" in this policy, we mean any information that relates to an identified or identifiable living individual.

Effective date: 1 February 2026.

Information We Collect

Cyber Scam Simulator is designed with a privacy-first approach. We do not require account creation, and we do not collect your name, email address, phone number, or any other personal identifiers unless you voluntarily contact us. The information we collect is limited to the following categories:

Information Collected Automatically:

• Usage Data: Information about how you interact with the App, including scenarios completed, scores achieved, training progress, difficulty levels attempted, and in-app feature usage. This data is stored locally on your device.
• Device Information: Basic device identifiers, device type, operating system version, and app version. This information is collected by third-party services (such as RevenueCat and Expo) to facilitate app functionality, deliver updates, and manage subscriptions.
• Subscription Status: Your subscription status (active, expired, or free tier) is managed and verified through RevenueCat in conjunction with the Google Play Store.

Information You Provide Voluntarily:

• Contact Information: If you choose to contact us via email at [email protected], we will receive your email address and any information you include in your correspondence. This information is used solely to respond to your enquiry.
• Purchase Information: When you subscribe to Cyber Scam Simulator Premium (currently £3.49/month), your transaction is processed entirely by the Google Play Store. We do not receive or store your payment card details, billing address, or financial information. We receive only a confirmation of your subscription status.

Information We Do Not Collect:

• We do not collect your real name, home address, or date of birth.
• We do not require or collect login credentials (no account creation is needed).
• We do not access your device camera, microphone, contacts, or location.
• We do not collect or process biometric data.

How We Use Your Information

We process information only where we have a lawful basis to do so under the UK GDPR. The purposes for which we use your information, along with the corresponding legal basis, are as follows:

• To provide and maintain the App (Contract Performance): Processing your usage data and subscription status is necessary to deliver the core functionality of the App, including tracking your training progress, unlocking achievements, and providing access to premium features.
• To process subscriptions (Contract Performance): Verifying your subscription status through RevenueCat and the Google Play Store is necessary to fulfil our contractual obligations and grant you access to premium content.
• To generate AI-powered training scenarios (Legitimate Interest): For premium users, we use OpenAI's API to generate dynamic cybersecurity training scenarios. No personal data is transmitted to OpenAI; only generic scenario parameters (such as difficulty level and topic) are sent.
• To deliver app updates (Legitimate Interest): We use the Expo platform to deliver over-the-air updates, bug fixes, and improvements to the App. This ensures you always have the most stable and secure version.
• To respond to your enquiries (Consent): If you contact us by email, we process your email address and correspondence to respond to your questions or concerns. You provide this information voluntarily.
• To improve the App (Legitimate Interest): We may analyse aggregated, anonymised usage patterns to understand how users interact with the App, identify areas for improvement, and develop new features. This data cannot be used to identify any individual user.

We will never sell, rent, or trade your personal data to third parties for marketing or advertising purposes.

Third-Party Services

We use a limited number of carefully selected third-party services to operate the App. Each service is used for a specific purpose, and we only share the minimum data necessary for that service to function. Below is a detailed description of each third-party service:

• RevenueCat: We use RevenueCat to manage in-app subscriptions and verify purchase status. RevenueCat receives an anonymous app user identifier and transaction data from the Google Play Store to validate your subscription. RevenueCat does not receive your name, email, or any other personal identifiers from us. View their privacy policy
• OpenAI: We use OpenAI's API to generate AI-powered cybersecurity training scenarios for premium users. No personal data whatsoever is shared with OpenAI. The requests we send contain only generic scenario parameters such as the topic category and difficulty level. OpenAI does not receive any device identifiers, usage history, or personal information. View their privacy policy
• Expo: We use the Expo platform for app development and to deliver over-the-air updates. Expo may collect basic device metadata (such as device type and operating system version) to facilitate update delivery. Expo does not receive personal identifiers from us. View their privacy policy
• Google Play Store: The App is distributed through and subscription payments are processed by the Google Play Store. Google handles all payment processing, billing, and transaction security. We do not receive or have access to your payment details. Google's handling of your data is governed by Google's Privacy Policy.

Data Storage

Cyber Scam Simulator is designed to store your data locally on your device. Your training progress, scenario completion history, scores, achievements, preferences, and character selections are all saved using AsyncStorage, a local on-device storage mechanism built into the App. This data never leaves your device and is not transmitted to our servers or any third party.

We do not operate cloud servers that store your personal data. There is no user account system, and therefore no centralised database of user profiles or personal information. Your data exists solely on the device on which you installed and use the App.

Subscription status is the only piece of information managed externally, through RevenueCat's secure servers in conjunction with the Google Play Store. This is necessary to verify your premium access across app reinstallations.

Please note that if you uninstall the App or clear the App's data through your device settings, all locally stored progress and preferences will be permanently deleted and cannot be recovered.

Data Retention

Because the majority of your data is stored locally on your device, data retention is under your direct control. Your training progress, scores, and preferences are retained on your device for as long as the App remains installed and you do not manually clear the App's data.

If you contact us by email, we will retain your correspondence for up to 12 months after the date of your last communication, after which it will be securely deleted unless we are required by law to retain it for a longer period.

Subscription records managed by RevenueCat and the Google Play Store are retained in accordance with their respective data retention policies and applicable legal requirements.

Data Security

We take the security of your information seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

• Local-first architecture: By storing data locally on your device rather than on remote servers, we significantly reduce the attack surface and risk of data breaches.
• Encrypted communications: All communications between the App and third-party services (RevenueCat, OpenAI, Expo) are transmitted over HTTPS using TLS encryption.
• Minimal data collection: We adhere to the principle of data minimisation, collecting only the information that is strictly necessary for the App to function.
• No sensitive data storage: We do not store passwords, payment details, or other sensitive personal information on our systems.
• Third-party security: Our third-party service providers (RevenueCat, Google Play Store) maintain robust security standards and compliance certifications.

While we strive to protect your information using commercially reasonable measures, no method of electronic transmission or digital storage is completely immune to all risks. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents that may arise.

Children's Privacy

Cyber Scam Simulator is intended for users aged 13 and older. We do not knowingly collect, solicit, or process personal data from children under the age of 13. The App does not require account creation or the submission of any personal information, which further reduces the risk of inadvertent data collection from minors.

If you are a parent or guardian and believe that your child under the age of 13 has provided us with personal information (for example, by contacting us via email), please contact us immediately at [email protected]. We will take prompt steps to investigate and delete any such information from our records.

For users aged 13 to 17, we recommend that parents or guardians review this Privacy Policy and supervise their child's use of the App.

Your Rights Under UK GDPR

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights in relation to your personal data:

• Right of Access: You have the right to request a copy of the personal data we hold about you. Given our local-first approach, most of your data is already accessible to you directly on your device.
• Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to Erasure: You have the right to request the deletion of your personal data. You can delete your locally stored data at any time by uninstalling the App or clearing its data. For any data held by us (such as email correspondence), you can request deletion by contacting us.
• Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.
• Right to Object: You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis, including any profiling based on those interests.
• Right to Withdraw Consent: Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please visit our data deletion page or contact us at [email protected]. We will respond to your request within one calendar month, as required by law.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. You can contact the ICO at ico.org.uk.

International Data Transfers

Cyber Scam Simulator is operated by Octopye Digital Designs from the United Kingdom. However, some of our third-party service providers are based outside the UK:

• OpenAI is headquartered in the United States. While no personal data is shared with OpenAI (only generic scenario parameters), any data transmitted to their servers is processed in the US.
• RevenueCat operates servers in the United States. Subscription validation data (anonymous app user identifiers and purchase tokens) may be processed outside the UK.
• Google (Play Store) processes subscription and payment data globally in accordance with their own data transfer mechanisms.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with the UK GDPR. These safeguards may include adequacy decisions, standard contractual clauses, or the service provider's compliance with recognised data protection frameworks.

Cookies and Tracking Technologies

Cyber Scam Simulator is a native mobile application and does not use cookies, web beacons, pixel tags, or similar browser-based tracking technologies.

The App does not serve advertisements and does not use advertising identifiers (such as Google Advertising ID) for the purpose of ad targeting or behavioural tracking. We do not build user profiles for advertising or marketing purposes.

The only identifiers used are anonymous app user identifiers generated by RevenueCat for the sole purpose of subscription management.

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the App's functionality, legal requirements, or regulatory guidance. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. For significant changes that affect your rights, we will endeavour to provide notice within the App or through other appropriate means.

Your continued use of the App after any changes to this Privacy Policy constitutes your acceptance of the updated terms.