Privacy Policy
Last updated: 13 June 2026
This Privacy Policy explains how Many Many Things Ltd ("we", "us", "our") collects and uses your personal data when you use the Sudo Games mobile application (the "App"), and the rights you have over that data.
Many Many Things Ltd is the data controller for the personal data described in this policy. We are a company registered in England and Wales under company number 17253592, with our registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. You can contact us about privacy at ops@manymanythings.co.uk.
1. Our approach in short
Sudo Games is built to be private by design. A few things are worth knowing up front:
- The App is local-first. If you play as a guest or do not subscribe, your games, settings and progress stay on your device and are not sent to us.
- The AI companions run entirely on your device. Your chat messages and the game information used to generate companion responses are processed locally and are never sent to us or to any third party for AI processing.
- Cloud data is hosted in the EU. When data does sync to the cloud, it is stored on servers located in Ireland (European Union).
- We do not show ads and we do not use advertising identifiers (such as Apple's IDFA or Google's Advertising ID). We do not track you across other companies' apps or websites.
- Analytics is off until you turn it on. We only collect usage analytics if you choose to allow it, and you can change your mind at any time.
The rest of this policy gives the detail.
2. The personal data we collect
The data we collect depends on how you use the App. The categories are:
Account and identity data. When you create the App generates a random identifier on your device to keep your data together. If you sign in with Apple or with an email address, we also process your Apple user identifier or your email address, and a cloud account identifier. We never see or store your Apple password, and we do not store passwords ourselves (sign-in is handled by our authentication provider).
Profile data. Your chosen display name, your avatar configuration (a set of style choices used to draw a cartoon avatar; not a photo), and a unique friend code.
Gameplay data. Records of games you have played, such as the game type, the outcome, when it finished, the number of players, and whether it was offline or online. For online matches we also process the match state, the moves made, and the identifiers of the players involved.
Social data. If you use the friends features, we process your friend connections, friend requests you send or receive, and any players you block.
Safety reports. If you report another player, we process your report: the reason you choose, an optional short note you add, the identifier of the player you reported, the context (their profile, their name, a match, or a specific synced message), and your own identifier as the reporter. We use this to look into the report and to deal with repeat problems.
Companion chat for online matches. In online games, the messages your on-device companion produces are stored so they can be shown to the other players in that match. (Companion responses are still generated on-device; only the resulting text is synced for multiplayer.)
Push notification data. If you turn on notifications, we store a device push token so we can send you alerts (for example, when it is your turn or you receive a friend request), together with your notification preferences.
Consent records. A record of your analytics consent choice, the version of this policy you saw, and when you made the choice. We keep this as proof that we asked for and respected your preference.
Usage analytics (only with your consent). If you allow analytics, we collect information about how you use the App, such as which screens you view, which games you start and finish, and which settings you change, along with standard technical information that our analytics provider collects automatically (such as your device type, operating system, app version, language and approximate location derived from your IP address). We do not use this to identify you to advertisers.
Diagnostics and crash data (only with your consent). As part of analytics, we collect information about errors and crashes so we can fix problems.
Support, feedback and bug reports. If you contact us, send feedback, or (in internal test builds only) submit a bug report, we process what you send us. Bug reports from internal test builds may include screenshots you choose to attach and technical details such as app version, device model, operating system, the screen you were on, your locale, and an analytics identifier, so we can investigate. These reports are sent to our issue tracker (GitHub). Feedback may include an email address if you choose to provide one.
We do not collect your real name, postal address, phone number, photos from your camera or photo library (except a screenshot you deliberately attach to a bug report in an internal build), precise location, contacts, or any special-category data such as health or biometric information.
3. How and when we collect it
We collect personal data:
- Directly from you, when you set up your profile, choose a display name and avatar, sign in, send a friend request, submit feedback, or play.
- Automatically from your device, when you use the App. The on-device identifier is generated on first launch. Gameplay records are created as you play. If you have allowed analytics, usage and technical data is collected as you interact with the App.
- From third parties, when you sign in with Apple (we receive an identity token), and from the app stores in relation to your Sudo Pro subscription status.
4. Why we use your data, and our legal basis
Under UK and EU data protection law we must have a lawful basis for using your personal data. The table below sets out what we do, why, and our legal basis.
| What we do | Why | Lawful basis |
|---|---|---|
| Run the App, store your games, settings and progress | To provide the App you asked for | Performance of a contract / our legitimate interest in providing a working app to guests |
| Maintain your profile, display name and avatar | To personalise your experience and identify you to friends and opponents | Performance of a contract; legitimate interests |
| Sign you in and keep your account secure | To let you back up, sync and play online securely | Performance of a contract |
| Sync your data across devices (Sudo Pro) | To deliver a feature of your subscription | Performance of a contract |
| Enable online play, friends, invites and blocking | To provide multiplayer and social features | Performance of a contract; legitimate interests |
| Handle reports about other players and screen display names | To review reports, act on rule-breaking, and keep players safe | Legitimate interests; legal obligation (online safety) |
| Send push notifications you have enabled | To alert you about turns, invites and friend activity | Consent (device permission); performance of a contract |
| Manage your Sudo Pro subscription | To provide and bill for paid features | Performance of a contract; legal obligation (record-keeping) |
| Provide bot protection on sign-in | To keep the service secure and prevent abuse | Legitimate interests |
| Usage analytics and crash diagnostics | To understand how the App is used and to fix and improve it | Consent |
| Handle your support messages, feedback and bug reports | To respond to you and resolve issues | Legitimate interests; consent |
| Keep records of your privacy choices | To demonstrate we respected your preferences | Legal obligation; legitimate interests |
| Keep limited records to prevent abuse and rate-limit requests | To protect the service and other users | Legitimate interests |
Where we rely on consent (for example, analytics or push notifications), you can withdraw it at any time, and withdrawing it does not affect anything we did before you withdrew it. Where we rely on legitimate interests, we have considered your rights and interests and balanced them against ours; you can object to this (see section 11).
5. On-device AI
The companion personalities and chat in the App are generated by AI language models that run on your device, using Apple Foundation Models on iOS or Gemini Nano (via Android AICore) on supported Android devices. The prompts and chat messages used for this are processed locally on your device and are not transmitted to us, to Apple, to Google or to anyone else for AI processing. Your device's built-in AI is provided by Apple or Google and is governed by their own terms and privacy notices. For online matches, only the resulting companion message text is synced so it can be shown to the other players.
6. Who we share your data with
We do not sell your personal data. We share it only as set out below.
With other players. When you play online, your display name, avatar and moves, and your companion's chat messages for that match, are visible to the other players in that match. Your friend code is shared by you when you choose to give it to someone.
With our service providers (processors and partners). We use a small number of trusted providers to run the App. They only process your data on our instructions, or as independent controllers where noted:
| Provider | Purpose | Data involved | Where | More information |
|---|---|---|---|---|
| Supabase | Cloud database, authentication, real-time multiplayer, storage | Account, profile, gameplay, social, safety reports, push tokens, consent records | EU (Ireland) | supabase.com/privacy |
| RevenueCat | Subscription management | Account identifier and subscription status (no card details) | United States | revenuecat.com/privacy |
| Apple | Sign in with Apple; Apple Push Notification service; App Store billing | Apple identity token; push token; purchase data | United States / global | apple.com/legal/privacy |
| Google Play billing; Android push (where applicable) | Purchase data; push token | United States / global | policies.google.com/privacy | |
| Cloudflare | Bot protection on sign-in | IP address and device signals during the sign-in check | Global | cloudflare.com/privacypolicy |
| PostHog (analytics) | Usage analytics and crash diagnostics, only with your consent | Usage events, device and technical data, analytics identifier | EU | posthog.com/privacy |
| GitHub | Receiving support feedback and bug reports (internal builds) | The contents of your report, including any attached screenshots and technical details | United States | github.com/site/privacy |
For legal reasons. We may disclose personal data if required by law, court order or a valid request from an authority, or to establish, exercise or defend legal claims, or to protect the rights, safety and property of our players, the public or us.
In a business transfer. If our business or its assets are sold or reorganised, personal data may be transferred to the new owner, who will continue to be bound by this policy or a policy at least as protective.
7. Storing and transferring data internationally
Cloud data is stored in the European Union (Ireland), and our analytics provider stores data in the EU. Because we are based in the UK, data may also be handled in the UK. Transfers between the UK and the EU are covered by the UK's adequacy regulations and the EU's adequacy decision for the UK.
Some of our providers (for example, RevenueCat, Apple, Google, Cloudflare and GitHub) are based in or operate from outside the UK and EEA, including the United States. Where personal data is transferred to a country that does not have UK or EU "adequacy" status, we put an appropriate transfer mechanism in place for that provider before relying on it. Depending on the provider, this is the UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses, or the provider's certification under the UK and EU extensions to the Data Privacy Framework. You can ask us which mechanism applies to a particular provider using the contact details in section 14.
8. How long we keep data
- Data on your device stays there until you delete it, remove the App's local data, or uninstall the App.
- Account, profile, gameplay and social data in the cloud is kept while your account exists. If you delete your account, this data is deleted from our systems. Game-history records are kept as a log while your account exists and are removed when your account is deleted.
- Push tokens are kept while they are valid and are removed when you sign out, delete your account, or the token becomes invalid.
- Consent records are kept for as long as needed to show we handled your preferences correctly.
- Analytics data is retained by our analytics provider according to its retention settings and then deleted or aggregated.
- Support, feedback and bug reports are kept for as long as needed to deal with the matter and a reasonable period afterwards. Screenshots attached to internal-build bug reports are stored with access limited by time-limited links of up to 90 days.
- Safety reports are kept for up to 12 months from when they are made and then deleted, so we can spot and act on repeat problems. Where a report leads to action on an account, a limited record of that action may be kept while the account exists.
- Abuse-prevention and rate-limit records are kept only briefly and then automatically removed.
Where we are required to keep certain records for longer (for example, to meet legal or tax obligations), we will do so and then delete them.
9. Security
We take reasonable technical and organisational measures to protect your personal data. Data in transit is encrypted using industry-standard transport security, access to cloud data is restricted by row-level security rules so that you can generally only reach your own data, and access to our systems is limited to people who need it. Sign-in passwords are handled by our authentication provider and stored in hashed form; we do not see them.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If a personal data breach is likely to result in a risk to your rights, we will notify the relevant regulator, and you, as required by law.
10. Cookies, local storage and tracking
The App is a mobile app and does not use website cookies for advertising. It stores data locally on your device (using on-device storage) so the App can work offline and remember your settings and progress. This on-device storage is essential to the App's operation.
We do not use advertising identifiers (Apple's IDFA or Google's Advertising ID), and the App does not present an App Tracking Transparency prompt because it does not track you across other companies' apps or websites. Our analytics provider uses an identifier to recognise your device for analytics purposes only, and only if you have given consent.
11. Your rights
Under UK and EU data protection law you have the right to:
- be informed about how we use your data (this policy);
- access the personal data we hold about you;
- rectify data that is inaccurate or incomplete;
- erase your data ("right to be forgotten") in certain circumstances;
- restrict our processing of your data in certain circumstances;
- data portability - to receive certain data in a portable format;
- object to processing based on our legitimate interests; and
- withdraw consent at any time where we rely on it (for example, analytics or notifications).
You can exercise several of these rights directly in the App: you can change your display name and avatar, toggle analytics consent and notification preferences in Settings, remove your device's data, and delete your account and the cloud data we hold about you. For anything else, contact us at ops@manymanythings.co.uk and we will respond within one month. There is normally no charge, and we may need to verify your identity before acting on a request.
If you have a concern we have not resolved, you have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO), at ico.org.uk or on 0303 123 1113, or to the data protection authority in the EU country where you live. We would, however, appreciate the chance to address your concerns first.
12. Children
The App is intended for people aged 13 and over and is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at ops@manymanythings.co.uk and we will delete it. If you are between 13 and 18, please make sure a parent or guardian is happy for you to use the App and has agreed to our Terms of Service.
Age assurance
When you first open the App, we ask about your age before collecting a display name, avatar, or any analytics. We have built this to follow the ICO's Age Appropriate Design Code (the Children's Code) and to keep the amount of data we hold to a minimum:
- We do not ask for, or store, your date of birth. On iPhones that support it (iOS 26 and later), we use Apple's Declared Age Range feature, which only tells us a broad age range that you or your parent already shared with the device, and routes younger users through Apple's parental-approval flow. Elsewhere we ask only for your year of birth and immediately discard it, keeping a single coarse "age band" on your device.
- The age band stays on your device. We do not send it to our servers and we never attach it to analytics.
- If you are below the age of digital consent for your country (13 in most places, up to 16 in some EU states), the App runs in a fully offline mode: you can play locally, but there is no account, no online multiplayer, no cloud sync, and no analytics. Nothing leaves your device.
- High-privacy defaults and no profiling. Analytics is off by default for everyone, we do not profile children, and the age step is shown neutrally without nudging you toward any answer.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy in the App and on our website and update the "Last updated" date above. Where changes are significant, we will bring them to your attention in the App. Please review this policy occasionally so you stay informed.
14. Contact us
For any question or request about this policy or your personal data:
Many Many Things Ltd Company number 17253592 71-75 Shelton Street Covent Garden London, WC2H 9JQ United Kingdom Email: ops@manymanythings.co.uk