PRIVACY AND DATA POLICY

ISSUED BY GLITCHERS LIMITED.

1. INTRODUCTION

This Privacy and Data Policy (the "Policy") applies to the Sea Hero Quest mobile and web application (the "Game"), operated by Glitchers Limited ("Glitchers", "we", "us").

Glitchers Limited is registered in England and Wales, company number 08683349. Our registered office is:

Our trading address is:

This Policy should be read alongside our Terms of Service, which set out the contractual terms governing your use of the Game, including the commercial use of data contributed during play.

1.1 Two routes of access

Sea Hero Quest is made available in two distinct ways, and data handling differs between them. This Policy describes both.

• Public access: anyone may download the Game from the Apple App Store or Google Play Store and play it directly. Sections 2 to 9 of this Policy describe how data is handled for public access.
• Research-project access: the Game is also provided to participants in third-party research studies operated by external research institutions. Those institutions hold their own ethical approval and obtain their own consent from participants. Section 10 describes how the Game is used in this context and how data flows between Glitchers and the operating research institution.

1.2 Our role under UK GDPR

For public access (Sections 2 to 9), Glitchers is the controller of the data described in this Policy. For research-project access (Section 10), the operating research institution is the controller and Glitchers acts as a processor providing the Game and the underlying data pipeline.

You have rights under UK GDPR over personal data we process about you. Section 8 explains those rights and how to exercise them.

2. DATA COLLECTED DURING PUBLIC ACCESS

This Section describes the data Glitchers collects when you download and play the Game from a public app store. Section 10 describes the equivalent flows for research-project participants.

2.1 Game-issued identifier

When you first launch the Game, our servers (operated under the Celest platform) issue a Universal Unique Identifier ("UUID") for your installation. The UUID is the only handle by which Glitchers identifies your gameplay data on our servers.

The UUID is generated by our servers without reference to your device identifier, advertising identifier, IP address, name, email address, or any other field that resolves to you as a person. Unless you choose to link your account (see Section 4), no party, including Glitchers, holds any record that connects the UUID to your real-world identity. If you uninstall the Game, replace your device, or clear local storage without linking your account, the data associated with that UUID is no longer accessible to you, and cannot be recovered by Glitchers because we hold no information by which we could identify you.

2.2 Gameplay and navigation data

During play, the Game records gameplay progress (level completion, scores, achievements) and navigation data describing your path through the Game's virtual environments. This data is tagged with the UUID described in Section 2.1 and is transmitted to Glitchers' servers.

Navigation data describes movement within a synthetic game world. It does not correspond to any real-world location, and we hold no auxiliary information by which a session's navigation could be linked to an identifiable individual.

2.3 Demographic questionnaire

After you have agreed to participate in the research aspect of the Game, the Game asks you to complete a short demographic questionnaire. The fields collected are:

• Country of residence
• Year of birth (not date of birth)
• Sex
• Gender

These fields are essential to the scientific value of the dataset. Spatial cognition varies systematically with age, with sex, and across cultural and geographic context, and a research benchmark without these covariates would be of limited utility for the brain-health research the Game supports.

Sex and gender are collected as separate fields. This is a deliberate choice intended to ensure that data from communities historically underrepresented in brain-health research, including but not limited to gender-diverse populations, can be identified within the dataset and included in future scientific studies. If we did not collect this information, those communities would be invisible in our data, and future research would be unable to study or serve them. Collecting these fields separately is, in our view, the more inclusive choice.

We apply data minimisation to these fields. Year of birth is collected in place of date of birth, and country in place of city or region, to reduce identifiability while preserving the resolution required for cognitive science.

We acknowledge that for rare combinations of country, year of birth, sex, and gender, particularly in smaller populations, the demographic profile may correspond to a small group of individuals. Glitchers does not hold any direct identifier (such as a name, email address, or contact detail) by which a player could be identified, and we do not publish or share demographic data in combination with session-level navigation data in a way that increases identifiability risk.

2.4 Support correspondence

If you contact Glitchers for support, for example to report a bug, we will receive whatever information you choose to include in your correspondence, which typically includes your name and email address, and may include details of the issue you are reporting.

For public-access users who have not linked their account (Section 4), we cannot use this correspondence to look up or modify data associated with your UUID, because we hold no record connecting your contact details to a UUID. We can use the information you provide to respond to your support request and to investigate and fix the issue you have reported.

3. HOW WE USE THE DATA

3.1 Operating the Game

Gameplay, navigation, and demographic data are used to operate the Game and to maintain the research dataset that the Game contributes to.

3.2 Scientific research

Aggregated and de-identified data from Sea Hero Quest is used in scientific research on spatial cognition and brain health. This includes research published by Glitchers and by external academic partners. Where external partners receive data, it is provided in forms appropriate to the research and under written agreements specific to each project.

3.3 Commercial use

The data contributed to Sea Hero Quest forms part of a commercial dataset that Glitchers maintains, develops, and uses to produce products and reports. Specifically, we may use the aggregated dataset to:

• Develop normative benchmarks describing population-level patterns in spatial cognition.
• Produce reports and analyses for partner organisations in sectors such as, but not limited to, pharmaceutical, medical technology, and healthcare.
• Develop new products, features, and research applications based on insights from the dataset.
• License access to derived norms, reports, and analyses to commercial and academic partners.

We do not sell raw individual-level data to third parties, and we do not permit third parties to onward-sell data they receive from us. Decisions about how the dataset is used commercially are made by Glitchers.

The contractual basis on which contributed data may be used commercially is set out in our Terms of Service.

3.4 Responding to support requests

Support correspondence is used to respond to your enquiry and to investigate any technical issue you have reported.

3.5 Lawful basis

Where data we process is personal data under UK GDPR, we rely on the following lawful bases:

• Your consent, where you have explicitly agreed to participate in the research aspect of the Game (Article 6(1)(a)).
• Our legitimate interests in operating the Game, maintaining the research dataset, and responding to support requests (Article 6(1)(f)).
• Performance of a contract, for users who subscribe to paid features such as Sea Hero Quest Plus (Article 6(1)(b)).

4. OPTIONAL ACCOUNT LINKING

By default, the data associated with your UUID is accessible only on the device on which you generated it. If you wish to transfer your data between devices, or if you subscribe to Sea Hero Quest Plus or another paid feature requiring an account, you may optionally link your account using a third-party authentication service (currently Unity Authentication) via the OAuth2 protocol.

4.1 What we receive

When you link your account, we request the minimum OAuth scope necessary to obtain a stable, opaque user identifier from the authentication provider. We do not request, receive, or store your email address, name, profile picture, or any other profile information held by the authentication provider.

The identifier we receive is a pseudonymous token. It is treated by UK GDPR as personal data because the authentication provider could, in principle, resolve it to your identity, even though Glitchers cannot. For this reason, the data of linked users is processed as pseudonymous personal data, and the full rights described in Section 8 apply.

4.2 Unlinking

You may remove the link to your authentication provider at any time from within the Game's Settings. When you unlink, Glitchers deletes the association between your UUID and the authentication provider's identifier. The gameplay data previously associated with your UUID remains in the research dataset under the original UUID.

4.3 Sea Hero Quest Plus and paid features

Where account linking is required for a paid feature, payment processing is handled by the relevant app store (Apple App Store or Google Play Store) under their own terms and privacy policies. Glitchers does not receive your payment card details or billing address.

If you have a question about a payment, subscription renewal, refund, or billing for Sea Hero Quest Plus, please contact the relevant app store's support team directly. We are unable to action payment or subscription-billing queries because we do not hold the underlying payment information. For all other queries relating to Plus, you can contact us at support@glitchers.com.

5. DATA SHARING

We share data only as described in this Policy.

6. DATA RETENTION

Research and commercial dataset records (gameplay, navigation, and demographic data) are retained in line with research data retention norms, typically a minimum of ten years from collection, consistent with university research data retention policies.

Support correspondence is retained for no longer than is necessary to respond to your request and to maintain a record of the technical issue raised, and in any case no longer than is reasonably required for our legitimate interests.

If you unlink your account (Section 4.2), the association between your UUID and the authentication provider's identifier is deleted promptly. The underlying gameplay data remains in the dataset under the original UUID, subject to the retention norms above.

7. OWNERSHIP OF THE DATASET

The Sea Hero Quest dataset, in aggregate, is a commercial asset owned by Glitchers. This includes the structured collection of contributed data, the schema and organisation of the dataset, and any norms, benchmarks, analyses, or derivative works produced from it.

The terms on which you contribute data when you play the Game, including the licence you grant to Glitchers to use that data, are set out in our Terms of Service. Nothing in this Policy displaces your rights under UK GDPR over personal data we process about you. Where data we hold about you is personal data under UK GDPR, the rights described in Section 8 continue to apply regardless of any commercial use of the aggregated dataset.

8. YOUR RIGHTS

Where the data we process about you is personal data under UK GDPR, in particular if you have linked your account (Section 4) or have corresponded with us for support (Section 2.4), you have the following rights:

• Access: you may request a copy of the personal data we hold about you.
• Rectification: you may ask us to correct inaccurate data.
• Erasure: you may ask us to delete your personal data, subject to limited exceptions.
• Restriction: you may ask us to restrict processing in certain circumstances.
• Portability: where applicable, you may obtain your personal data in a machine-readable format (CSV or JSON).
• Objection: you may object to processing based on legitimate interests.

To exercise any of these rights, please contact support@glitchers.com. We aim to respond within one month.

If you are unhappy with how we have handled your personal data, you may complain to the Information Commissioner's Office at ico.org.uk, or to your local data protection authority if you are outside the United Kingdom.

9. MINIMUM AGE FOR RESEARCH AND COMMERCIAL USE

Sea Hero Quest is freely playable. The Game does not prevent anyone from downloading and playing it, regardless of age, and players under the relevant minimum age can use the Game in full.

However, data contributed by players below the following thresholds is excluded from our research dataset and from any commercial use:

• In the United Kingdom: data from players who indicate they are under the age of 16 is excluded.
• In all other countries: data from players who indicate they are under the age of 18 is excluded.

Data contributed by these players is stored solely to enable reliable identification and exclusion. It is not used for scientific research, for the development of norms or benchmarks, for reports to commercial partners, or for any other purpose beyond the operation of the Game.

9.1 Why year of birth and country

The combination of country and year of birth (collected in the demographic questionnaire described in Section 2.3) is used to determine whether a player falls below the applicable threshold. Year of birth, rather than date of birth, is collected as a data-minimisation measure: it provides sufficient resolution to apply the age threshold without collecting a more identifying personal field.

9.2 Parental requests

If you are a parent or guardian and have questions about how data from a young user has been handled, or wish to request deletion, please contact support@glitchers.com. Please note the limitation in Section 8 regarding unlinked users.

10. RESEARCH-PROJECT ACCESS

This Section applies if you have received the Game as a participant in a research study operated by a university, hospital, or other research institution. In this case, you will typically have been given a Participation Code by the operating institution.

10.1 Roles and responsibilities

Where the Game is used in a research project of this kind, the operating research institution is the data controller. That institution holds its own ethical approval for the study, obtains your consent under its own consent process, and is responsible for explaining the study to you and for addressing your questions about it.

Glitchers acts as a data processor for those projects. We provide the Game and the underlying data pipeline; we process data on the instructions of the operating institution under a written data-processing agreement specific to each project.

10.2 The Participation Code

The Participation Code links your gameplay data to your participation in the operating institution's study. The linkage between the Participation Code and your real-world identity is held by the operating research institution, not by Glitchers. Glitchers receives gameplay data tagged with the Participation Code and does not hold the means to identify you from it.

10.3 Commercial use does not extend to research-project data

The commercial-use rights described in Section 3.3 apply to data contributed through public access. Data contributed through a research-project access route is governed by the agreement between Glitchers and the operating research institution, and is not used commercially except as specifically permitted by that agreement.

10.4 Support correspondence involving research projects

Where a researcher or participant contacts Glitchers for support about a research-project issue, the correspondence may include the Participation Code or a Project ID. We retain this correspondence for the purpose of resolving the issue raised, in line with Section 6, and we do not use such identifiers to look up or analyse participant data outside that purpose.

10.5 Withdrawal from a research project

If you wish to withdraw from a research project, please contact the operating research institution that recruited you. They are responsible for managing your participation in the study, and will instruct Glitchers as appropriate.

11. SECURITY

Once we receive your data, we apply technical and organisational measures intended to protect it against unauthorised access, loss, or alteration. No system can be made absolutely secure, and we cannot guarantee the security of data transmitted to us over the internet.

12. INTERNATIONAL DATA TRANSFERS

Data we collect may be transferred to and stored at destinations outside the United Kingdom and the European Economic Area, including by our cloud hosting and authentication providers. Where data is transferred to a country that is not the subject of a UK adequacy decision, we put appropriate safeguards in place, including standard contractual clauses or equivalent measures.

If you would like more information about international transfers, please contact support@glitchers.com.

13. CHANGES TO THIS POLICY

We may update this Policy from time to time. The current version is always available at https://seaheroquest.com/privacy-policy. Where changes are material we will, where appropriate, notify you in the Game or by email.

14. CONTACT

Questions, comments, or enquiries about this Policy may be directed to support@glitchers.com. We aim to respond within five business days.

For queries about subscription payments, renewals, or billing, please contact the support team for the app store from which you purchased the subscription, as we do not hold the underlying payment information.

© 2026 Glitchers Limited. Sea Hero Quest and Glitchers are registered trademarks of Glitchers Ltd.