Privacy overview

Learn about privacy and data handling considerations when you implement Unity In-App Purchasing with D2C capabilities (version 5.4+) in your game.
Read time: 5 minutes. Last updated: a day ago

Unity IAP (In-App Purchasing) is an engine-native commerce solution embedded in the Unity Editor with a connected Unity Dashboard. It provides a single abstraction layer on both the frontend and backend that lets developers manage their entire commerce stack and native store purchases without maintaining separate SDKs or rebuilding integrations every time a platform requirement changes.

This section is intended to provide data privacy information about Unity’s products. It is not intended to be used as legal guidance or as a replacement for reading Unity’s Privacy Policy. If you have questions about a term used, please refer to the Glossary below. Data collected with the use of Unity IAP is governed by the Developer Data Framework, which sets out how such data is classified and handled.

If you have further questions about the privacy implications of your product, please email dpo@unity3d.com with your question. For expediency, please list the product about which you are inquiring.

Note
This page applies to Unity IAP 5.4 and later only. Earlier versions of the IAP SDK don't collect any personal data. If you use an earlier version, refer to Privacy overview for IAP versions earlier than 5.4.

Personal Data Collected about App Users/Game Players

Default Personal Data Collected (always collected in order for the product to work):
  • Player ID (Authentication player ID)
  • Unity Installation ID
  • Device Info
  • Session IDs
  • Country
Optional Personal Data Collected (personal data which may be collected at choice/action of the end user/Developer):
  • Analytics ID (analytics_id)
  • User ID (user_id)
  • IDFA (iOS)
  • IDFV (iOS)
  • IAP SDK IDFI
  • End user email
  • Linked third-party analytics identifiers (obtained if you have linked a third-party service)

Developer-defined

While this product allows for the collection of developer-defined data, we require that you not collect personal data through this mechanism. Our systems cannot recognize that it is personal data, so it would not be treated as such in retention processes or data subject requests.

Relationship under Privacy Laws

Depending on the processing activity, Unity handles your data in one of two roles:
  • As an independent controller (European law) or business (California law) - Unity determines how and why the data is processed.
  • As your processor (European law) or service provider (California law) - Unity processes the data on your behalf, with you acting as the controller or business.
To find which role applies to you and to Unity for a given activity, refer to Unity's Data Processing Addendum. Where Unity is a Processor, we do not determine the legal basis for processing. Instead, it is your responsibility as the Controller to determine such a legal basis. In the limited circumstances in which Unity is an Independent Controller, you can find our legal basis for processing data collected through the IAP Service in our Privacy Policy. Please note: As an independent controller, you too should determine your own legal basis. This product does not have a consent service. If the Developer determines they need to obtain consent, or provide an opt-out, they must implement it client-side in a way determined by the developer.

Data Subject Requests

Two of the most common data subject requests based in law are the request for access to personal data and the request for deletion of personal data.

Access & Deletion Requests

How a data subject access or deletion request is handled depends on Unity's role in relation to the data:
  • Where Unity acts as a processor, Unity actions requests only on your instruction. The request must therefore come from you, the developer — Unity will not action these requests if they are received directly from an end user.
  • Where Unity acts as a controller (including as an independent controller), the request must come directly from the end user (the data subject).
At this time, the IAP Service has no native (self-serve) functionality to support these requests. Both processor instructions and controller requests are submitted to unity-iap-contact@unity3d.com, where Unity will manually action the request.
  1. Data for which Unity is a processor

    This applies to:
    • Transaction data (except for CodaPay transaction data, see section below)
    • IAP data

    You are responsible for receiving and validating requests from your end users and then instructing Unity to action them. Submit your instruction to the email address stated above.


  2. Data for which Unity is a controller

    The end user must contact Unity directly by using the email address stated above:
    • Webshop account login data
    • CodaPay transaction data
      • Unity, Developer and CodaPay operate as independent controllers
    • Transaction and billing data used for Unity's own purposes: Unity is an independent controller where it uses this data for its own legitimate business purposes, including internal financial reporting and auditing, complying with legal and regulatory obligations, and security monitoring and fraud prevention. Requests relating to this processing come directly from the end user.
Note
The same transaction records may be both processed on your behalf (Section 1) and used by Unity as an independent controller (Section 2). The two roles are distinct, and requests are routed according to the role engaged.

Dependencies

Unity Product Dependencies

  • Unity Authentication SDK: Enabling this product also enables Authentication. Refer to Unity Authentication SDK for more information.

Payment Dependencies

Platform payment processing: If you distribute through the Apple App Store or Google Play, payments are processed at the platform level under each platform's terms.
  • Apple App Store — Refer to the Apple App Store terms.
  • Google Play — Refer to the Google Play terms.
Payment providers: You can choose to enable a payment provider. When you do, you enter into your own agreement directly with that provider, which governs your use of their service.

Personal Data Retention

Stored orders, configs, and OAuth tokens are retained until the Controller or Data Subject chooses to delete them. Service log data is stored for 90 days.

Child Privacy

If required to do so under applicable laws, you (the developer) must, as outlined in the Unity Terms of Service, obtain verifiable parental consent prior to submitting child-user data through the IAP Service, which includes the Webshop Service.

Privacy Policy Requirements

It is never appropriate to use Unity’s privacy policy for your application. You will need to ensure that the personal data practices are reflected in your Privacy Policy, as required in the Unity Terms of Service.

Data Processing Agreement (DPA)

The Unity DPA applies to the transfer of data for this product.

Glossary & Notable Laws

  • GDPR - The General Data Protection Regulation (GDPR) took effect in the European Economic Area (EEA). References to GDPR also encompass UK GDPR, the UK’s version of GDPR, which applies post-Brexit.
  • CCPA - The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (“CPRA”).
  • PIPL - In November of 2021, the Personal Information Protection Law (PIPL) took effect in China.
  • LGPD - The Brazilian General Data Protection Law
  • VCDPA - The Virginia Consumer Data Protection Act
  • CPA - The Colorado Privacy Act
  • CTDPA - The Connecticut Data Protection Act
  • UCPA - The Utah Consumer Privacy Act
  • PIPEDA - The Canadian Personal Information Protection and Electronic Documents Act
  • COPPA - The Children’s Online Privacy Protection Act (COPPA) imposes restrictions on how data can be collected and used from children under the age of 13.
  • CARU - A self-regulatory organization for the promotion of responsible privacy practices to children under the age of 13
  • DPA - A Data Processing Addendum (or Data Processing Agreement) forms part of a contract and governs the rights and obligations of each party concerning the processing of personal data.
  • ATT - iOS 14 and later requires publishers to obtain permission to track the user's device across applications. This device setting is called App Tracking Transparency, or ATT.