Game · Zombie Rush
Privacy Policy
Effective: 2026-05-04 · Last updated: 2026-05-04
The short version. Zombie Rush is a free Android game published by OffCoder. There is no sign-up, no login, no account, no email collection, no chat, and no user-generated content. Your game progress is saved only on your device. The game shows ads through Google AdMob and supports optional in-app purchases through Google Play Billing — both are operated by Google and bring their own data practices. We do not sell your personal information for money. We run no servers and we collect no personal data ourselves.
1. Who we are
"Zombie Rush", "the Game", or "the App" is a free-to-play hyper-casual 3D shooter for Android, distributed on Google Play and published by OffCoder ("OffCoder", "we", "us", "our"). OffCoder operates from India. OffCoder is presently operated as a sole proprietorship pending incorporation; once OffCoder is incorporated as a registered legal entity, this Policy will be updated to reflect the entity name, registered office address, and any applicable tax registrations.
For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDPA"), OffCoder is the Data Fiduciary in respect of the limited personal data described in this Policy. For users in the European Economic Area, the United Kingdom, and Switzerland, OffCoder is the data controller within the meaning of Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. For users in Brazil, OffCoder is the controller within the meaning of the Lei Geral de Proteção de Dados, Lei n° 13.709/2018 ("LGPD"). For users in California, OffCoder is the business within the meaning of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA / CPRA").
2. App identification
- App name: Zombie Rush
- Platforms: Android (Google Play). iOS is planned; this Policy will be updated when the iOS build ships.
- Genre & audience: Hyper-casual 3D shooter. Rated for age 12+ / PEGI 12 / IARC Teen (cartoon violence, no blood realism, no gambling, no in-app communication).
- Not directed at children under 13 for purposes of the Children's Online Privacy Protection Act, "COPPA". This is a mixed-audience app under Google Play's Families Policy and is not opted into the "Designed for Families" programme.
3. Data we collect — short summary
The Game collects no account data. There is no sign-up, no login, no email, no profile, no in-game chat, and no user-generated content. Your game progress (coin balance, permanent upgrade levels) is saved only in the App's private storage area on your device and never leaves it.
The only personal data processed in connection with the Game is:
- data the Google Mobile Ads SDK ("AdMob") collects to serve advertisements;
- Android system-level data collected by Google Play Services on every Play app, including optional crash and performance reporting;
- if you make an in-app purchase, the data Google Play Billing processes to complete the payment and return a receipt.
In-app purchases. We do not collect, store, or have any access to your card number, UPI VPA, billing address, tax identifier, or any other payment-instrument data. Google Play handles the entire transaction. We receive only a Google-issued purchase receipt (a token + product identifier) which is used solely to unlock the purchased item locally on your device.
4. Data we collect — full breakdown
| Category | Specific items | Source | Purpose | Recipient |
|---|---|---|---|---|
| Device identifiers | Android Advertising ID (AAID), App-Set ID | Google Play Services / AdMob SDK | Ad serving, frequency capping, fraud prevention, measurement. Personalized ads only with your consent in EEA / UK / Switzerland. | Google AdMob |
| Device information | Device model, OS version, language, country (from IP), screen size, app version | AdMob SDK | Ad rendering and targeting | Google AdMob |
| Approximate location | Country / region inferred from IP address | AdMob SDK | Regional ad targeting and fraud detection | Google AdMob |
| Ad-interaction events | Ad impressions, clicks, completions of rewarded video | AdMob SDK | Ad measurement and advertiser billing | Google AdMob |
| Diagnostic data | Crash logs, ANRs (app-not-responding), basic performance data | Google Play Services (only when you have opted in via the Play Store) | Diagnose crashes, improve stability | |
| Local game progress | Coin balance, permanent upgrade levels | Stored only in app sandbox (user://player_data.json on device) | Save your in-game progress between sessions | No one — stays on device |
| Purchase receipt | Google Play purchase token, product SKU, purchase time | Google Play Billing | Unlock purchased non-consumables (e.g. "Remove Ads"). Validate consumable purchases (e.g. coin packs) before granting | Google Play (Google receives the actual payment data; we do not) |
| Payment data | Card number, UPI VPA, billing address, tax identifier, etc. | Never seen by us — entered into Google Play's payment UI | Process the transaction | Google Payments only |
We do not collect: name, email, phone number, postal address, photos, contacts, microphone audio, camera footage, precise GPS location, financial or payment-instrument information, biometric or health data, browsing history outside the App, or files outside the App's sandbox.
5. Third-party services
The following third parties are the only recipients that may receive data through the Game. Each operates as an independent data fiduciary / controller under its own privacy practices for the data it collects directly from your device — we are not a processor of that data and have no access to it.
- Google AdMob (Google Ireland Ltd. / Google LLC) — serves the in-game advertisements. Function: ad serving, ad measurement, fraud prevention. Privacy policy: policies.google.com/privacy; partners list: support.google.com/admob/answer/9012903; partner-sites data practices: policies.google.com/technologies/partner-sites. User control: from your Android device Settings → Privacy → Ads → Reset advertising ID / Delete advertising ID.
- Google Play Services (Google LLC) — provides the AdMob SDK runtime, the Google User Messaging Platform ("UMP") consent SDK, the Play Install Referrer, and crash reporting.
- Google Play Billing (Google LLC) — processes in-app purchases. All card data, billing addresses, and tax information are handled by Google; we receive only the receipt token and product identifier. Refunds and disputes for in-app purchases are handled by Google Play customer support, not by us.
- Mediation networks — none integrated as of the effective date above. If we add mediation in a future release we will list each network here and update the effective date; the relevant network's privacy policy will be linked from the AdMob console.
We do not endorse, control, or assume any responsibility for the content of advertisements served by Google AdMob or its partner networks. Complaints about specific advertisements should be addressed to AdMob via the in-ad "Why this ad?" control or to the advertiser identified by that control.
6. Cookies and similar trackers
The Game is a native Android application — there are no browser cookies. The closest analogues are:
- Android Advertising ID (AAID) — described above. Resettable from Android settings.
- App-Set ID — Google's cross-app identifier scoped to the OffCoder developer account. Used inside our apps for analytics and frequency-capping; cannot identify you across other developers' apps.
No third-party analytics SDKs (Firebase Analytics, Adjust, AppsFlyer, GameAnalytics, Singular, Mintegral, etc.) are integrated as of the effective date above.
7. Lawful basis for processing
Under DPDPA we rely on the legitimate-use grounds in §7 of the Act (in particular, §7(a) — personal data voluntarily provided for a specified purpose) and your consent for personalised advertising. Under GDPR / UK GDPR we rely on:
- Personalised advertising — your consent (Article 6(1)(a) GDPR), collected via the Google UMP consent form on first launch in the EEA, the United Kingdom, and Switzerland.
- Non-personalised / contextual advertising — our legitimate interests (Article 6(1)(f) GDPR) in funding a free game through advertising.
- Fraud prevention — our legitimate interests (Article 6(1)(f) GDPR) in protecting the Game and Google's ad systems from invalid traffic.
- Crash reports and diagnostics — our legitimate interests (Article 6(1)(f) GDPR) in diagnosing crashes and improving stability.
- Local save data — does not leave the device, so no GDPR processing by us.
8. Retention
- Local save (player_data.json): retained on your device until you uninstall the App or clear app storage from Android settings.
- Ad-event data on Google's side: retained per Google AdMob's own retention policies (typically 26 months for ad-event logs by default). We do not have direct access to that data and we do not keep our own copy.
- Purchase records on Google's side: retained by Google per Google Play Billing's own policy. We retain only the local Google-issued receipt token to verify ownership of "Remove Ads" or other non-consumable products on the same device.
- Server-side data retained by us: none. We run no servers.
9. International data transfers
Data flowing to Google AdMob and Google Play Billing is processed by Google entities globally (including in the United States, Ireland, Singapore, and other Google data-centre regions) under Google's own Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the EU–US Data Privacy Framework where Google entities are certified, and other recognised transfer mechanisms. We perform no international transfers ourselves because we run no servers.
10. Children's privacy
The App is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13 (or under the higher digital-consent age applicable in your jurisdiction — for example 16 in the European Economic Area and the United Kingdom by default, 18 in India under DPDPA).
The App is not opted into Google Play's "Designed for Families" programme and is not marketed to children. AdMob is configured to request non-personalised ads when the user has indicated they are under the age of consent, or when the request is flagged as child-directed (using AdMob's tag_for_under_age_of_consent / tag_for_child_directed_treatment parameters).
If you are a parent or legal guardian and you believe a child has provided personal data through the Game, please contact us at privacy@offcoder.com with the subject line Zombie Rush — child data; we will work with Google to delete the data promptly and free of charge.
11. Your rights
Depending on where you live, you have the following rights with respect to the limited personal data described in this Policy. Most of the data is processed by Google as an independent fiduciary / controller, so for that data your rights are exercised primarily against Google — we will, however, route your request to Google or assist you on a best-effort basis.
- EEA / UK / Switzerland (GDPR / UK GDPR): right of access, right of rectification, right of erasure, right to restrict processing, right of data portability, right to object, right to withdraw consent, and right to lodge a complaint with a supervisory authority (in the United Kingdom: the Information Commissioner's Office, ico.org.uk; in other EEA Member States: the supervisory authority of your habitual residence).
- California (CCPA / CPRA): right to know, right to access, right to delete, right to correct, right to opt out of "sale" or "sharing" of personal information, right to limit use of "sensitive personal information", and right to non-discrimination. We do not sell your personal information for money. Personalised advertising served via Google AdMob may, however, qualify as "sharing" within the meaning of the CPRA when cross-context behavioural advertising is enabled. Our "Do Not Sell or Share My Personal Information" route is the in-app consent revocation flow described in §12 below; you may also email us with the subject line "CCPA request".
- India (DPDPA 2023): right to access, right to correction, right to erasure, right to grievance redressal. The Grievance Officer for OffCoder is contactable at legal@offcoder.com; the Grievance Officer's individual identity will be published on the OffCoder website once OffCoder is formally registered as a legal entity.
- Brazil (LGPD): right to confirmation of processing, right of access, right to correction, right to anonymisation, blocking or deletion of unnecessary or excessive data, right to portability, right to delete data processed with consent, right to information about with whom data is shared, right to information about the possibility of denying consent, and right to revoke consent.
Exercise any of the above by emailing privacy@offcoder.com from the email address against which you wish your identity to be verified. We respond within 30 days (DPDPA / GDPR / UK GDPR / Brazil LGPD) and 45 days (CCPA / CPRA), each extendable by a further period for complex or numerous requests with notice within the original window. Requests are handled free of charge unless they are manifestly unfounded or excessive within the meaning of Article 12(5) GDPR, in which case we may charge a reasonable fee or refuse, with the burden of justifying the refusal resting with us.
12. Consent management
On first launch in the EEA, the United Kingdom, and Switzerland, the Google UMP consent form is displayed before any ad request is made. You may revoke or change your consent at any time from the in-game "Privacy settings" button (where present in the current build); revoking consent causes only non-personalised advertisements to be served thereafter. If the in-game button is not present in the current build, you may also reset or delete the Android Advertising ID from the device-level setting described in §5.
13. Security
- All ad-related and billing-related network traffic is encrypted in transit by the Google Mobile Ads SDK and the Google Play Billing library — both enforce TLS at the SDK level.
- The local save file is stored in the App's private sandbox directory on Android, which is inaccessible to other apps without root privileges.
- We run no servers, so there is no server-side breach risk on our side. Security incidents that occur on Google's side are handled by Google under Google's own incident-response process.
14. Disclaimers and limitation of liability
The Game is provided "as is" and "as available", without warranty of any kind, whether express or implied, to the maximum extent permitted by applicable law. We expressly disclaim all implied warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, completeness, timeliness, and uninterrupted or error-free operation. We do not warrant that the Game will meet your requirements, that defects will be corrected, that any advertisement served through the Game will be accurate, lawful, or appropriate for you, or that the Game is free of viruses or other harmful components.
To the maximum extent permitted by applicable law, our aggregate liability arising out of or in connection with your use of the Game — regardless of the form of action and whether in contract, tort (including negligence), strict liability, or otherwise — is limited to the greater of (a) the amount you actually paid us through Google Play Billing in the twelve (12) months immediately preceding the event giving rise to liability, or (b) one hundred US Dollars (US$100) or the equivalent in your local currency. Nothing in this Policy excludes or limits any liability that cannot be excluded or limited by applicable law (including, where applicable, liability for fraud, gross negligence, wilful misconduct, or death or personal injury caused by negligence).
The Game depends on third-party services (Google AdMob, Google Play Services, Google Play Billing). Disruption, failure, modification, or discontinuation of any of those services is outside our reasonable control and is not a breach of this Policy by us.
15. Changes to this Policy
We may update this Policy from time to time. The Last updated date at the top of this page reflects the most recent change. Material changes (those that meaningfully expand the categories of data collected, the parties data is shared with, or how it is used) will be flagged at the top of this page, and — for users in the EEA, the United Kingdom, and Switzerland — fresh consent will be requested before any change in legal basis takes effect. Continuing to use the Game after the effective date constitutes your acceptance of the updated Policy. If you do not agree, please uninstall the App.
16. Governing law and jurisdiction
This Policy is governed by, and will be construed in accordance with, the laws of India, without regard to its conflict-of-laws principles. Subject to any non-waivable consumer-protection right you have under your local law, the courts at Bengaluru, Karnataka, India have exclusive jurisdiction over any dispute arising out of or in connection with this Policy. The dispute-resolution process more fully described in the OffCoder Terms of Service §17 (good-faith negotiation followed by arbitration in Bengaluru under the Arbitration and Conciliation Act, 1996, with consumer-redress mechanisms expressly preserved) applies to disputes about this Policy as well.
17. Contact
For privacy questions, rights requests, or grievances relating to Zombie Rush:
- General privacy / rights requests / Grievance Officer (DPDPA): privacy@offcoder.com (subject line Zombie Rush — <your topic> helps us route faster)
- Lawful requests / takedowns: legal@offcoder.com
- Security disclosures: security@offcoder.com
A postal address will be published on the OffCoder website once OffCoder is formally registered as a business entity; until then, the email channels above are the canonical contact routes for this Policy.