1. Introduction and Who We Are

ohSnap Inc ("ohSnap", "we", "us", or "our"), a US company registered at 2131 E Williams St, Suite 108, Apex, NC 27539, USA, is the data controller for personal information collected through the MCON Controller mobile application (the "App") for iOS and Android. Our Privacy Compliance Officer can be reached at info@ohsnap.com.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the App. Please read it carefully before using the App.

The App is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at info@ohsnap.com and we will delete it promptly.

2. Information We Collect

2.1 Information You Provide Directly

The App does not require an account, and you can use most features without giving us any personal information. The only personal information you provide is through the optional in-app feedback form:

• The message text you write
• An email address, if you choose to enter one (this field is optional — you can submit feedback without it)

Shared store links. You may also share an Apple App Store or Google Play Store link with MCON via your phone's system share sheet. When you do, the App parses the link locally to extract the game identifier and add the game to your in-app library. The link is processed on your device and stored as part of your custom-games list (see Section 2.5). Shared content other than recognised App Store or Play Store URLs is ignored.

2.2 Information Collected Automatically

When you use the App, the following information is collected automatically via Google's Firebase services:

• Pseudonymous identifiers: a Firebase installation ID, a Crashlytics installation ID, and (only if you enable push notifications) a Firebase Cloud Messaging device token. These identifiers are not linked to your real-world identity.
• Device and app information: device model, operating system and version, app version, system language, time zone, and screen size.
• Approximate location: derived from your device's IP address at the country, region, or city level. We do not collect GPS coordinates and the App never requests precise-location permission from your device.
• App-usage events: which screens you open, how long you spend on each tab, search queries you type into the Explore page (truncated to 90 characters), filters and sort modes you apply, buttons you press, controller settings you change, games you launch, add to, or remove from your library, and the outcomes of firmware updates. These are recorded as pseudonymous activity tied to the installation ID.
• Bluetooth controller data: when you connect a MCON controller, the App reads the controller's hardware identifier (Bluetooth MAC address), controller name, battery level, and firmware version. The MAC address is used as a local lookup key to remember your per-controller settings on this device and is not transmitted to ohSnap or any third party. The controller name and firmware version may be included in the App-usage events described above (for example, when reporting which firmware version a successful update reached) so we can correlate behaviour with controller revisions.
• Installed game detection (Android only): on Android devices, the App queries the system to determine whether specific games from our supported catalog are installed on your device. This query runs locally through the Android package manager and is limited to the predefined list of games we support — we have no visibility into apps outside that list. The result (each catalog game's installed / not-installed state) is used to mark games as "installed" in your in-app library and to compute the aggregate library-composition counts described in App-usage events. We do not transmit the list of installed games as a list; only counts and events tied to games you actively interact with are reported.
• Motion sensors: the App reads accelerometer and orientation data from your device to power on-screen visual effects such as tilt-based animations on the home screen. Motion sensor data is processed in real time on the device and is never transmitted or persisted.
• Crash diagnostics: when the App crashes, Firebase Crashlytics collects a stack trace, the state of the App at the time of the crash, and the device specifications listed above.
• Performance diagnostics: app start time, screen rendering performance, network request latency, and durations for specific operations such as audio initialisation and controller connection. We use this information to identify slow paths and ship optimisations. Performance diagnostics are collected via Firebase Performance Monitoring and are governed by the same in-App "Share anonymous analytics" toggle as the App-usage events above — disabling that toggle stops performance collection at the SDK level.

2.3 Information from Third Parties

We may receive limited information from:

• Apple and Google — confirmation that the App was downloaded or updated from the App Store / Play Store (Apple and Google do not share your personal identity with us).
• Analytics and crash-reporting providers (Firebase) — see Section 5.

2.4 Information We Do Not Collect

To be explicit: we do not collect your real name, postal address, phone number, GPS coordinates, microphone audio, camera images, contacts, calendar entries, or payment information. The App does not use artificial intelligence or machine-learning systems to process your data. We do not track you across other apps or websites. We do not use Apple's IDFA or any equivalent cross-app advertising identifier.

2.5 Information Stored Only on Your Device

The following information is stored locally on your device and is never transmitted to ohSnap or any third party:

• Custom games you have added to your library (game name, store identifier, package or bundle identifier, URL scheme, and artwork URL).
• Per-controller settings (button layout, joystick deadzones, trigger thresholds, gyroscope preferences, auto-shutdown timer), keyed by controller.
• Recently played game timestamps used to surface your most-used games.
• A cached copy of our public game catalog so the App functions without network access between catalog refreshes.
• Cached game artwork URLs retrieved from the iTunes Search API.
• App preferences such as your chosen wallpaper, the analytics opt-out state, and dismissed tip dialogs.
• Bluetooth pairing data for connected controllers, managed by your device's operating system.

This information is removed when you uninstall the App. Locally- stored content such as a chosen wallpaper can also be cleared at any time from the App settings drawer.

3. Cloud-Streaming Game Services

When you launch a cloud-streaming game such as Xbox Cloud Gaming or GeForce NOW from the App's Explore page, MCON opens an in-app web view that connects directly to that service's website. Your login session and any cookies set by that service are stored locally on your device by the web view, isolated from the rest of MCON's data.

MCON does not see, store, or transmit your login credentials for those services. To sign out of a cloud-gaming service from MCON, contact that service directly or clear MCON's app data in your device's system settings. Cloud-streaming providers operate under their own privacy policies, which we encourage you to review separately.

4. How We Use Your Information

We use the information we collect to:

• Operate, maintain, and improve the App and the MCON controller experience
• Diagnose crashes and fix bugs
• Understand which features are most useful so we can prioritise development
• Deliver controller firmware updates and notify you when updates are available
• Respond to your feedback or support requests
• Send you optional push notifications (only if you grant notification permission)
• Detect and prevent abuse, fraud, or security incidents
• Comply with applicable law

Legal bases for processing (GDPR). If you are located in the European Economic Area or Switzerland, our legal bases are:

• Performance of a contract — providing the App services you request
• Legitimate interests — improving the App, ensuring security, diagnosing crashes, and understanding product usage in a privacy-respecting way
• Consent — for optional features such as push notifications and analytics (the in-app opt-out toggle)
• Legal obligation — where we are required to retain or disclose information by applicable law
• Vital interests — in rare cases where processing is necessary to protect your vital interests or those of another natural person (for example, in response to an emergency)

5. How We Share Your Information

We do not sell your personal data. We do not share or process your personal data for cross-context behavioural advertising or targeted advertising of any kind. We do not use advertising cookies, advertising SDKs, or third-party advertising identifiers (such as Apple's IDFA) in the App. We share information only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party providers who help us operate the App. Each is contractually required to process your data only on our instructions and in line with applicable data-protection law.

5.2 Platform Providers

Apple and Google receive information necessary to deliver the App through their respective app stores and to operate push-notification infrastructure. Their handling of your data is governed by their own privacy policies.

5.3 Cloud-Streaming Services

See Section 3. Cloud-streaming providers receive information you exchange directly with them through the in-app web view. We do not act as an intermediary for those services.

5.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of ohSnap, our users, or others.

5.5 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same protections described in this Policy.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

• Encryption of data in transit (TLS) and at rest with our service providers
• Access controls and authentication on our backend systems
• Limited employee access on a need-to-know basis

No method of transmission over the internet or electronic storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security.

7. Your Rights

7.1 In-App Controls

• Analytics opt-out. Open the App settings drawer and toggle "Share anonymous analytics" off. This disables event collection at the SDK level — no further data is sent to Firebase Analytics from your device.
• Push notifications. You can disable push notifications inside the App or via your device's system notification settings.
• Wallpaper image. Any wallpaper you choose is stored locally; remove it any time from the App settings drawer.
• Uninstall. Uninstalling the App stops all data collection.

7.2 EU / EEA Residents (GDPR)

If you are located in the European Economic Area or Switzerland, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your personal data ("right to be forgotten") in certain circumstances
• Restrict processing in certain circumstances
• Object to processing based on legitimate interests
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent at any time where processing is based on consent
• Lodge a complaint with your local supervisory authority in your country of residence

7.3 California Residents (CCPA / CPRA)

California residents have the rights described in Section 7.2, plus the right to know what categories of personal information we collect and how we use it, and the right to non-discrimination for exercising privacy rights.

Categories of personal information we collect. Under the CCPA, the categories of personal information we have collected about California residents in the past twelve months, and our business or commercial purposes for collecting each, are:

• Identifiers — pseudonymous Firebase installation and Crashlytics installation IDs, Firebase Cloud Messaging device tokens, IP address, and (locally on your device only) the Bluetooth MAC address of a connected MCON controller. Purposes: operating the App, delivering push notifications, diagnosing crashes, remembering per-controller settings on your device.
• Internet or other electronic network activity — app-usage events such as screens you open, time spent on each tab, search queries you type into the Explore page (truncated to 90 characters), filters and sort modes you apply, controller settings you change, and games you launch, add to, or remove from your library. Purposes: improving the App, understanding feature usage, prioritising development.
• Geolocation data — approximate location at the country, region, or city level, derived from your IP address. We do not collect precise (GPS-level) location and the App never requests precise-location permission. Purposes: regional analytics, complying with regional regulations.
• Sensory data (limited) — accelerometer and orientation readings, processed in real time on your device for visual effects and never transmitted or persisted.
• Inferences — none. We do not derive profiles or inferences about you for any purpose.

We do not collect the following CCPA categories: personal-record identifiers (e.g., real name, postal address, phone number, SSN, driver's licence), commercial information (purchases, payment data), financial information, biometric information, audio or visual information, professional or employment information, or education information through the App. We also do not collect "sensitive personal information" as defined under the CPRA.

Sources. We collect identifiers and electronic network activity directly from your use of the App and from our service providers (Google's Firebase services). We collect geolocation information from your device's IP address. We do not purchase personal information from data brokers or other third parties.

Disclosures. We disclose the categories above to the service providers listed in Section 5 for the business purposes described there. We do not sell or share any category of personal information for cross-context behavioural advertising, so no "Do Not Sell or Share My Personal Information" link is required. No "Limit the Use of My Sensitive Personal Information" link is required because we do not use sensitive personal information for purposes that would trigger a right to limit.

7.4 Other US State Privacy Laws

Residents of California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia, and residents of other US states with comprehensive privacy statutes, have rights similar to those described in Section 7.2 (such as the rights to access, correct, delete, and port their personal information, and to opt out of certain processing). The mechanism for exercising those rights is set out in Section 7.5.

Residents of Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, and Virginia additionally have the right to appeal our decision to deny a privacy request. To appeal, follow the instructions in our response to your original request, or email info@ohsnap.com with the subject line "Privacy Request Appeal". We will inform you of any action taken or not taken in response to the appeal, together with a written explanation of the reasons. If your appeal is denied, you may contact your state's Attorney General or equivalent regulator.

7.5 How to Exercise Your Rights

Email info@ohsnap.com with your request, addressed to the Privacy Compliance Officer. We will respond within 30 days (or within the timeframe required by your local law). We may need to verify your identity before fulfilling a request — at a minimum, this typically involves confirming the email address associated with your request.

Authorised agents. If you would like to designate another person to submit a request on your behalf, that person may send the request from their own email address and include written authorisation from you (for example, a signed letter or a power of attorney). We may still need to verify your identity directly and confirm that the agent is acting with your permission before fulfilling the request.

Non-retaliation. We will not deny, charge different prices for, or provide a different level or quality of service to any user who exercises their rights under this Policy.

7.6 Nevada Residents

Under Nevada Revised Statutes Chapter 603A, Nevada residents may opt out of the sale of certain personal information for monetary consideration. As stated in Section 5 and Section 7.3, we do not sell personal information for monetary consideration to anyone, so no such opt-out is necessary. If our practices change in the future, we will update this Policy and provide a means to opt out as required by law. You may contact us at info@ohsnap.com with the subject line "Nevada Privacy Request" with any related question.

8. Data Retention

We retain personal data only for as long as needed for the purposes described in this Policy:

• Feedback messages are retained for as long as we need them to investigate the issue raised and improve the App, and for a reasonable period thereafter for accountability.
• Analytics events are retained for up to 14 months in Firebase. Aggregated, non-identifying summaries may be kept longer for trend analysis.
• Crash reports are retained according to Firebase Crashlytics' default retention (currently 90 days per issue).
• Push-notification tokens are retained while the App is installed; they expire automatically when the App is uninstalled.

When you request deletion under Section 7, we permanently delete the relevant personal data within 30 days, except where we are required to retain it by law.

9. International Data Transfers

ohSnap is based in the United States. Our service providers (Google, Supabase) may process data outside your country of residence, including in the United States. Where such transfers occur from the EEA or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or the EU–US Data Privacy Framework, as applicable.

10. Cookies and Tracking Technologies

The App is a native mobile application and does not use HTTP cookies in the traditional sense. It does use analytics SDKs (Firebase Analytics) and crash-reporting SDKs (Firebase Crashlytics) that store small amounts of pseudonymous identifier data locally on your device to function. You can disable analytics via the in-app toggle (Section 7.1).

The cloud-streaming web view (Section 3) is a sandboxed browser-like environment that may store cookies set by the cloud-streaming service you visit. Those cookies are scoped to that service and are not accessible to ohSnap.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will provide additional notice — for example, via an in-app banner or push notification. Your continued use of the App after changes are posted constitutes your acceptance of the updated Policy.

12. Contact Us

For any question, complaint, or request related to your personal data, contact our Privacy Compliance Officer:

ohSnap Inc
Re: Privacy Compliance Officer
2131 E Williams St, Suite 108
Apex, NC 27539, USA
Email: info@ohsnap.com