Terms of Service
Version: 2026 Global Full-Compliance Deep Enhanced Edition
Part II: Service Agreement (Terms of Service)
1. Account Ownership and License Scope
- License only, no ownership transfer: after downloading/installing through App Store/Google Play, users receive a limited, non-transferable, non-rentable software usage license. Users do not obtain legal ownership of account systems or virtual assets (including coins, gems, skins, levels, props, and similar digital items).
- Account attribution: account system ownership belongs to the company; users hold usage rights. Users must keep credentials secure. Loss caused by user-side leakage or unsafe authorization is the user's responsibility.
- Account recycling: accounts inactive for [180] consecutive days with no payment records may be deactivated. We provide a 30-day prior notice via in-app push and/or registered email where available. After deactivation, account virtual assets and personal data are permanently deleted except where law requires retention.
- Usage restrictions: account transfer, rental, lending, resale, commercial exploitation, or illegal use is prohibited. We may suspend/ban accounts, remove virtual assets, and pursue liability for violations.
2. IAA Advertising and Reward Policy (Detailed Fraud Penalty Rules)
- Reward eligibility: users must fully watch rewarded video ads, complete required interaction if any, and avoid abnormal operations (app-switching, lock screen, plugin bypass, etc.) during playback to receive rewards.
- Delivery timing: rewards are credited immediately after eligible completion. If delayed due to network/platform issues, users may report in-app and we verify within 3 working days.
- Ad quality controls: we screen third-party ads to reduce violent, pornographic, vulgar, false, or illegal ad creatives. Ad content is third-party delivered; users can file ad complaints with evidence. We verify within 24 hours and remove violating ads where confirmed.
IAA Fraud Definition (Detailed)
Any behavior that improperly gains rewards, bypasses ad playback, or manipulates ad measurement is considered ad fraud, including but not limited to:
- Using plugins/scripts/cracking tools to skip, accelerate, or simulate ad watching.
- Using multi-account or multi-device batch viewing to harvest rewards for resale/monetization.
- Manipulating device parameters (device ID/IP), VPN/proxy region switching for batch ad consumption.
- Frequent app-switching, lock-screen, reboot behavior designed to bypass full-watch requirements.
- Exploiting ad platform vulnerabilities to trigger fake impressions/clicks and steal ad revenue.
- Any other behavior interfering with normal ad playback/measurement.
IAA Penalty Matrix
- First violation: warning, clear unused ad rewards, restrict ad-view permissions for 7 days.
- Second violation: suspend ad-view permissions for 30 days, clear all ad rewards, record device-level violation markers.
- Third and subsequent violations: permanent ad-view ban for account and related devices, blacklist inclusion, legal claims reserved.
- Severe cases (batch fraud, malicious ecosystem attacks): permanent account/device ban, platform reporting to App Store/Google Play, civil claims and judicial referral where applicable.
3. IAP Payment, Refund, and Dispute Handling (Detailed Fraud Penalty Rules)
- Final pricing: displayed prices may include item value, platform commission (Apple/Google), VAT/duties/taxes where applicable. Final payable amount is governed by the app store checkout page. Price adjustments are announced at least 7 days in advance.
- Payment channel: all payments are handled by official App Store/Google Play channels. We do not directly process user payment credentials. Order records are available in-app.
Refund Rules
- Due to their immediate and consumable nature, used virtual goods/services are generally non-refundable.
- Special refundable scenarios with proof:
  - Successful payment but non-delivery caused by our verified technical fault.
  - Minor unauthorized purchases without guardian consent, with valid identity and payment evidence.
  - Major application failure that prevents use of purchased value-added services and cannot be fixed within 7 working days.
- Refund process: request through App Store/Google Play channels or in-app support with required proof. We verify within 3 working days and coordinate processing. Arrival timing follows store rules.
IAP Fraud Definition (Detailed)
Any behavior intended to gain digital goods/services without legitimate payment, evade payment obligations, or abuse refund policy is considered IAP fraud, including but not limited to:
- Malicious refund abuse after consuming purchased value.
- Payment flow cracking by plugins/scripts/modded clients bypassing official billing.
- Forged order records or payment receipts.
- Purchases using stolen cards/accounts or illegally obtained redemption codes.
- VPN/proxy region switching to exploit lower regional pricing.
- Batch account registration abusing newcomer discounts for resale monetization.
- Any other payment-evasion or fraudulent refund tactics.
IAP Penalty Matrix
- First violation: warning, reclaim fraudulently obtained virtual goods, restrict IAP access for 15 days.
- Second violation: restrict IAP for 90 days, clear all virtual goods, record device violations, add to blacklist.
- Third and subsequent violations: permanent account/device ban, service termination, platform escalation for additional action.
- Severe cases: permanent bans, civil compensation pursuit, judicial referral when unlawful conduct is suspected.
Unauthorized Transactions
For unauthorized transactions caused by minor misoperation or account theft, users/guardians should promptly contact Apple/Google support and notify us with supporting evidence. We assist verification and refund coordination where conditions are met.
4. Anti-Cheat and Security Protocol (Detailed)
To protect operational order and legal rights, the following conduct is strictly prohibited:
- Using VPN/proxy or equivalent means to bypass region restrictions or pricing rules for cross-region purchases/ad viewing.
- Using scripts, emulators, cheats, modded apps, plugins, or automation tools to tamper with app behavior/data or gain unfair benefits.
- Packet sniffing/modification, protocol forgery, or tampering with ad/payment/statistical functions.
- Mass account creation, ranking manipulation, review/score farming, ecosystem disruption.
- Account theft, virtual property theft, or leakage of others' account or personal data.
- Device parameter spoofing (device ID/IMEI/MAC etc.) to evade penalties or repeatedly farm rewards.
- Distribution of cracking methods/tools or incitement of cheating.
- Any other conduct harming normal operations or lawful rights of users/platform.
Penalties include warning, feature limitation, account ban, device ban, blacklist, data deletion, service termination, civil claim, and judicial referral as appropriate.
5. Content Moderation (DSA Compliance, Enhanced)
If the app includes UGC, we maintain a DSA-aligned moderation framework:
- Review mechanism: dual-layer AI automated detection plus human moderation for complaint and suspicious content review.
- Notice-and-action mechanism: when violating content is identified, user notification is issued and content is removed within 24 hours where required.
- Appeal channel: users may appeal moderation actions; we verify and provide response within 3 working days.
- Prohibited content categories:
  - Political-security illegal content and social stability threats.
  - Racial, gender, religious, or equivalent discrimination.
  - Violent, pornographic, vulgar, gory, or terror-related content.
  - Disinformation, rumors, fraud, deceptive claims.
  - Infringement of IP, reputation, portrait, privacy, and other legal rights.
  - Any content violating law, public order, or morality.
- User responsibility: users must ensure legality, authenticity, and non-infringement of UGC. Violations may result in deletion, posting restrictions, account bans, and liability pursuit.
- DSA additional obligations: publication of moderation standards, complaint workflow, enforcement details, periodic moderation reporting, user appeal safeguards, and designated responsible officers for large-scale UGC operations.
6. Age Eligibility and Guardian Responsibility
- Users must meet minimum legal age requirements in their jurisdiction to independently use paid features and contractual services.
- Where local law requires guardian consent for minors, guardian authorization is mandatory before paid transactions or data processing that requires consent.
- If a guardian discovers unauthorized minor activity, they may contact support for verification and remedial handling according to law and store policy.
Part III: 2026 Technical Compliance Execution Guide (Mandatory)
This guide integrates 2026 Apple App Store and Google Play policy updates with regional legal obligations, including Android 15 and iOS 18 adaptation requirements.
1. Apple App Store (iOS) Requirements
- Privacy Labels: accurately declare data labels in App Store Connect, including data linked to users where IDFA/purchase records are associated. Collection scope, purposes, and third-party sharing must match this policy. False declarations may lead to rejection/removal.
- ATT enforcement (2026 enhanced):
  - Before reading IDFA, call requestTrackingAuthorization and present transparent purpose text.
  - If user denies authorization, pass allow_tracking = false to third-party SDKs and do not bypass ATT constraints.
  - Under iOS 18 adaptation, ATT prompt should not be repeatedly spammed; denied users may only be guided to device settings.
  - No non-ATT identity workaround (e.g., using substitute identifiers to bypass policy intent).
- Additional iOS compliance: no hidden features or review bypass code; sensitive permission requests require clear contextual purpose; IAP items must clearly display price/subscription cycle; AI-generated content should be clearly disclosed in app listing where applicable.
2. Google Play (Android) Requirements
- Data safety form: accurate declarations in Play Console, transport encryption (HTTPS), and storage encryption practices (e.g., AES-256 where applicable). False declarations may cause rejection/removal.
- SDK transparency (2026 enhanced):
- Developers are responsible for third-party SDK behavior and must maintain up-to-date, policy-compatible SDKs (including Android privacy sandbox compatibility where required).
- Maintain public disclosure of integrated SDK lists, use purposes, and data scope in policy documentation.
- Android 15 adaptation: no irrelevant permission requests, no unauthorized personal data collection, and no harmful background interference.
- If private space support is relevant, adjust logic according to app type and policy guidance.
- Additional Android compliance: support 64-bit architecture; no malicious ad plugins or forced deceptive ad interactions; clear in-app subscription management entry for cancellation.
3. 2026 Data Residency Compliance
- For high-user-volume jurisdictions (such as China, India, Saudi Arabia, Brazil, EU regions, Canada), local storage and lawful transfer controls apply according to local law.
- Cross-border transfers require lawful mechanisms (such as adequacy decisions, standard contractual safeguards, security assessments, or authority approvals where required).
- US-facing operations should consider lawful authority request workflows and trade-compliance implications of cross-border data governance.
- Regularly review storage locations and legal updates (including newly localized jurisdictions), then adjust strategy in time.
- Maintain a data residency compliance ledger documenting storage location, transfer routes, and audit results.
4. Interaction Design Compliance Recommendations
- Dual confirmation:
  - For large-value IAP (recommended threshold >= USD/EUR 50), add in-app secondary confirmation with amount, item, and payment method before store checkout redirect.
  - For auto-renewing subscriptions, add a second confirmation clearly showing cycle, price, and renewal rule.
- Privacy policy accessibility (mandatory): privacy policy link must appear in all three places:
  - App store listing page (prominent location).
  - App launch/splash or login page with agreement interaction.
  - In-app Settings/About menu with direct access.
- Permission prompts: clearly explain purpose for camera, album, location, and similar requests. No forced consent.
- Ad interaction: rewarded videos should clearly state reward condition; provide skip where policy allows (e.g., skippable after defined period for non-reward ad formats).
- Complaint channels: include privacy/ad/UGC complaint channels with processing target not exceeding 7 working days and response feedback.
- Transparency displays: visibly provide simplified ad logic, recommendation logic, and data handling process summaries.
- Screen sharing warning: where platform supports, show clear indicators during casting/recording/screen sharing and provide fast stop control.
Part IV: Compliance Risk Control and Periodic Review
1. Risk Control Measures
- Build pre-release compliance review covering code, policy documents, terms, and interaction design.
- Assign owners to monitor ongoing legal and app-store policy updates and execute timely policy/feature adjustments.
- Continuously audit third-party ad/SDK/payment partners and terminate non-compliant vendors promptly.
- Maintain user rights request workflows for access/correction/deletion/complaint handling with full record retention.
- Strengthen security controls with encryption, access control, data loss prevention, and regular security testing.
- Run routine staff training for engineering, operations, and support teams on privacy policy and anti-fraud obligations.
2. Periodic Review Requirement
Due to evolving global legal frameworks (especially US state privacy laws and EU DSA implementation details) and continuous store policy updates, this agreement and implementation status should be reviewed at least every 6 months.
- Clause review: update legal text for new regional obligations and fraud control requirements.
- App compliance review: check codebase, SDK versions, ATT and Android/iOS adaptation status.
- Data processing review: verify collection/storage/transfer/sharing and residency compliance.
- Fraud control review: update ad and purchase anti-fraud rules for new abuse patterns.
- User request audit: inspect timeliness and quality of rights request processing and optimize procedures.
Contact for Questions, Feedback, Complaints, and Reports
- Business Support: support@ngocambient.com
- Customer Contact: contact@ngocambient.com
- Address: Hoa Lac High-Tech Park, Hanoi, Vietnam