1. GLOBAL DATA PRACTICES (ARCHITECTURE)

Vectixore LTD operates a diverse portfolio of applications ranging from general utility tools to high-security forensic solutions and digital entertainment (games) under various brands including Panixircus Entertainment. Our approach to data privacy is adaptive to the specific purpose of each application:

• General Utility & Entertainment Products: For our standard applications and games, we strictly adhere to Data Minimization principles, processing only the absolute minimum data required for functionality and user experience.
• High-Assurance & Forensic Products: For applications requiring legal validity, identity verification, or cryptographic sealing (such as PocketNotary), we process sensitive and biometric data under strict forensic protocols.

By using our Services, you acknowledge that the following data practices apply where relevant to the specific functionality of the application being used.

---

1.1. Handwritten Signature Data

Where applicable, we collect the visual representation (image) and vector paths (stroke data) of the signature you draw on the screen.

• Purpose: This data is processed strictly as "Document Content" to be embedded into the PDF.
• Disclaimer: Vectixore LTD does NOT perform graphological analysis or dynamic biometric verification (pressure/speed analysis) on this signature. We only cryptographically seal the image provided.

1.2. Identity Document & NFC Data (High-Assurance Verification)

To achieve "Substantial Assurance" (NIST IAL2 / eIDAS High) levels of identity verification in our secure applications, the App accesses the NFC controller of your device to communicate with the RFID chip embedded in your government-issued Identity Document (Passport or National ID Card).

A. Data Extracted via OCR (Optical Character Recognition):

• MRZ Data: We scan the "Machine Readable Zone" to extract Document Number, Expiry Date, Date of Birth, and Issuing State.
• Purpose: To unlock the encrypted NFC chip (PACE/BAC protocols) and visual verification.

B. Data Extracted via NFC (Chip Read):

• DG1 (Data Group 1): High-fidelity text data (Full Name, Document Type) stored immutably on the chip.
• DG2 (Data Group 2 - Biometric Face): The high-resolution, digitally signed biometric facial image stored by the issuing government.
• SOD (Document Security Object): The digital signature of the issuing government (Country Signing Certificate Authority - CSCA).
• Purpose:
  • Anti-Forgery: We validate the SOD against the ICAO Public Key Directory (PKD) to cryptographically prove the physical ID is authentic and not a clone.
  • Face Matching: We compare the DG2 Chip Image against your "Live Selfie" (Section 1.3) to prove ownership.

1.3. Biometric Data (Liveness & Matching)

• Forensic Face Photo (Liveness): We capture a visual photograph of your face at the moment of signing.
• Process: This image is compared (1:1 Matching) against the trusted image extracted from the NFC Chip (DG2).
• Liveness Detection: We analyze the video stream for micro-movements and depth to ensure the user is a real human and not a photo/screen (Presentation Attack Detection).
• Authentication Signal: We utilize your device's native biometric sensors (Fingerprint/FaceID) as a secondary local authentication layer. We do NOT receive raw fingerprint templates from the OS.

1.4. Permanent Audit Trail (Hash Registry)

We retain the SHA-256 Hash (Digital Fingerprint) and the Server Timestamp of your document indefinitely.

• Purpose: To validate the authenticity and existence of a document at a specific point in time, even after the file itself is deleted.
• Privacy: A Hash is a mathematical summary (one-way function); it cannot be reversed to reveal the content of your document.

1.5. Virtual Goods Data (Stamina & In-Game Assets)

We process your "Stamina" balance, transaction history, and virtual assets across our games and utility apps.

• Legal Nature: Virtual items (e.g., "Stamina") are virtual licenses/data points with no real-world monetary value. They cannot be refunded, exchanged for cash, or transferred between accounts, except through authorized in-app mechanisms provided by Vectixore LTD or Panixircus Entertainment.

1.6. Phone Number & Identity Binding

Your phone number is collected strictly for SMS-based identity verification (OTP) and account security (2FA).

• Identity Binding: We cryptographically link the verified Phone Number to the Verified ID Document (NFC) to create a persistent "Mobile Identity."

1.7. Network & Device Data

• IP Address: Collected during server connections (Time Sync, Cloud Relay, Auth) for security logs and fraud prevention.
• Device Integrity: We collect Device Model, Hardware IDs, and Root/Jailbreak Status to verify that the environment has not been tampered with.
• Advertising ID (AAID/IDFA): Collected solely for analytics, attribution, and fraud prevention (e.g., detecting asset abuse).

1.8. Location & Motion Data

• GPS Coordinates: Processed locally to generate forensic seals where required. Coordinates may be sent to third-party maps platforms (e.g., Google Maps) strictly to generate a static map snapshot for the Service.
• Motion Sensors: We process Gyroscope and Accelerometer data locally to verify "Proof of Human" presence (Anti-Bot).

1.9. Referral & Interaction Data

If you participate in our referral programs, we process Referral Codes and the linkage between accounts strictly to distribute rewards. We do not access your contact list without explicit permission.

1.10. Customer Support & Diagnostics

• Support: If you contact us, we collect your email, device info, and message content to resolve issues.
• Diagnostics: We collect crash logs, battery level, storage status, and thermal state via Firebase Crashlytics to identify bugs and improve stability.

1.11. Cloud Relay (Transient Storage)

When using "Cloud Relay," encrypted files are temporarily stored on our secure infrastructure (Google Cloud/Firebase).

• Transmission: Data is transmitted via TLS 1.2 or higher.
• Storage: Files are stored as AES-256 Encrypted Binary Blobs. Vectixore LTD does not possess the decryption keys.
• Retention: Files are automatically deleted from active servers 7 Days after upload.

1.12. Inactive Account Policy

Vectixore LTD reserves the right to delete accounts (and associated Virtual Goods) that have been inactive for a period of 24 Months. The Hash Registry is exempt from deletion to ensure legal validity.

1.13. Children's Privacy & Age Assurance

Our Service identifies and protects minor users through active technical measures. We utilize the Google Play Age Signals API to detect users under the age of 13 (or 16-18 in certain jurisdictions). We do not knowingly collect personal data from children without parental consent for any purpose other than legal compliance and safety. If we become aware of unauthorized collection, we will remove the information immediately.

1.14. Roles & Responsibilities

• Vectixore LTD is the Data Controller for Account Data (Phone, IP, Logs, Virtual Assets).
• You (The User) are the Data Controller for the Content of your documents/files. Vectixore LTD acts strictly as a Data Processor regarding such content.

1.15. Do Not Track (DNT) Signals

Our systems do not currently recognize or respond to "Do Not Track" signals, as no uniform standard has been adopted across the industry.

1.16. Global Age Compliance (Mandatory Disclosures)

Pursuant to global regulations such as the Brazil Digital ECA and the UK Online Safety Act, we implement the following protocols:

• Age Verification: We receive technical age range signals (e.g., minor or adult) from Google Play. We do NOT receive raw identity or birth date data.
• Loot Box Restriction: We strictly prohibit and technically disable the sale of loot boxes or randomized virtual goods to users identified as minors in regulated jurisdictions (e.g., Brazil).

1.17. Automated Minor Protection (Firebase & Advertising)

When a minor user is detected via the Age Signals API:

• Restricted Data Processing (RDP): We automatically trigger Firebase RDP mode, ensuring Google acts only as a service provider and is prohibited from using minor data for commercial profiling.
• Compliance Tagging: All advertising requests are tagged with TFCD (Child-Directed) or TFUA (Under Age of Consent) flags to disable behavioral tracking and interest-based advertising.

2. GLOBAL RIGHTS & JURISDICTION

2.1. Rights of the Data Subject

Regardless of your location, Vectixore LTD grants you the following rights, subject to the critical exception below:

• Right to Access: Request a copy of your Account Data.
• Right to Rectification: Correct inaccurate Account Data.
• Right to Erasure: Request account deletion.
• Right to Portability: Request data in a machine-readable format.
• Right to Restriction: Limit processing for analytics.

2.2. Governing Law

To the extent permitted by local law, this Privacy Policy shall be governed by the Laws of England and Wales. You agree to submit to the exclusive jurisdiction of the courts located in London, United Kingdom.

2.3. Severability

If any provision is held unenforceable, such provision will be interpreted to accomplish its objectives to the greatest extent possible, and remaining provisions will continue in full force.

2.4. Contact & DPO

To exercise your rights, please contact our Data Protection Officer (DPO):

• Email: info@vectixore.com
• Subject: "Data Subject Request"
• Response Time: 30 Days.

ACCOUNT & DATA DELETION

In accordance with Global Privacy Regulations and Google Play Policies, users have the right to request the permanent removal of their accounts and associated data.

Go to Data Deletion Request Form →

* Caution: Requesting data erasure will result in the immediate and irreversible loss of all Virtual Goods and assets.

3. COOKIES & LOCAL STORAGE PROTOCOLS

Vectixore LTD employs advanced client-side storage technologies, including HTTP Cookies, HTML5 Local Storage, and Session Tokens, to ensure the operational integrity, security, and performance of our Services across all brands (Vectixore, Panixircus Entertainment).

3.1. Technical Definitions

• HTTP Cookies: Small text files used to maintain stateful sessions.
• HTML5 Local Storage: A client-side database used for preference data and UI states.
• Session Tokens (JWT): Used for secure, stateless authentication.

3.2. Categories of Data Storage

A. Strictly Necessary (Kernel)

Essential for the Service to function. These do not store PII for marketing.

• Security Tokens (CSRF/XSRF): To prevent Cross-Site Request Forgery.
• Authentication State: To verify identity across screens.

B. Performance & Telemetry (Analytics)

Used to collect anonymous technical data for system optimization.

• Crash Reporting: (e.g., Firebase Crashlytics) Collects stack traces during failure.
• Latency Metrics: Measures performance of cryptographic operations.

C. Advertising & Attribution (Mobile Only)

Used in ad-supported applications to prevent fraud and attribute installs.

• Advertising ID (AAID/IDFA): Used for frequency capping and anti-fraud.
• Attribution: Used to determine installation source campaigns.

3.3. Management & Control

• Browser/Device Settings: You can block cookies or reset Advertising IDs via your device privacy settings.

4. REGIONAL ANNEXES

ANNEX A: EUROPE (GDPR - EU/UK/Swiss)

Applicable Law: General Data Protection Regulation (GDPR) / UK GDPR.

• Article 15-22 Rights: Including Access, Rectification, Erasure (subject to exceptions), Portability, and Objection.
• Minor Safety: Processing of age-related technical signals is conducted under Art. 6(1)(c) (Legal Obligation).

ANNEX B: USA (CCPA / CPRA / VCDPA)

Applicable Law: California Consumer Privacy Act & State Laws.

• Right to Know & Delete: Vectixore LTD does not sell your personal information.

ANNEX C: BRAZIL (LGPD & Digital ECA)

Applicable Law: Lei Geral de Proteção de Dados (Lei 13.709/2018) and the Digital Child and Adolescent Statute (Digital ECA).

• Enforcement: We confirm the use of Google Play Age Signals to comply with loot box prohibitions and minor profiling bans under the Digital ECA.
• Person in Charge: The DPO at info@vectixore.com.

ANNEX D: TURKEY (KVKK / LPPD)

Applicable Law: Law on Protection of Personal Data No. 6698.

• Legal Basis: Technical signals for age verification are processed pursuant to Article 5/2(ç) (Legal Obligation of the Data Controller).
• Data Controller: Vectixore LTD (United Kingdom). All Article 11 rights are recognized.

ANNEX E: SOUTH AFRICA (POPIA)

Applicable Law: Protection of Personal Information Act.

ANNEX F: CANADA (PIPEDA)

Applicable Law: Personal Information Protection and Electronic Documents Act.