Privacy overview
Learn about privacy and data handling considerations when you implement Unity In-App Purchasing with D2C capabilities (version 5.4+) in your game.
읽는 시간 5분최근 업데이트: 하루 전
Unity IAP (In-App Purchasing) is an engine-native commerce solution embedded in the Unity Editor with a connected Unity Dashboard. It provides a single abstraction layer on both the frontend and backend that lets developers manage their entire commerce stack and native store purchases without maintaining separate SDKs, or rebuilding integrations every time a platform requirement changes. This section is intended to provide data privacy information about Unity’s products. It is not intended to be used as legal guidance or as a replacement to reading Unity’s Privacy Policy. If you have questions about a term used, please refer to the Glossary below. Data collected with the use of Unity IAP is governed by the Developer Data Framework which sets out how such data is classified and handled. If you have further questions about the privacy implications of your product, please email dpo@unity3d.com with your question. For expediency, please list the product about which you are inquiring.
Personal Data Collected about App Users/Game Players
Default Personal Data Collected (always collected in order for the product to work):- Player ID (Authentication player ID)
- Unity Installation ID
- Device Info
- Session IDs
- Country
- Analytics ID ()
analytics_id - User ID ()
user_id - IDFA ()
iOS - IDFV ()
iOS - IAP SDK IDFI
- End user email
- Linked third-party analytics identifiers (obtained if you have linked a third-party service)
Developer-defined
While this product allows for the collection of developer defined data, we require that you not collect personal data through this mechanism. Our systems will not understand that it is personal data and so such would not be treated as such in retention processes or data subject requests.Relationship under Privacy Laws
Depending on the processing activity, Unity handles your data in one of two roles:- As an independent controller (European law) or business (California law) - Unity determines how and why the data is processed.
- As your processor (European law) or service provider (California law) - Unity processes the data on your behalf, with you acting as the controller or business.
Legal Basis for Processing
Where Unity is a Processor, we do not determine the legal basis for processing. Instead, it is your responsibility as the Controller to determine such a legal basis. In the limited circumstances in which Unity is an Independent Controller, you can find our legal basis for processing data collected through the IAP Service in our Privacy Policy. Please note: As an independent controller, you too should determine your own legal basis.Consent (Opt in) vs Opt out
This product does not have a consent service. If the Developer determines they need to obtain consent, or provide an opt-out, they must implement it client-side in a way determined by the developer.Data Subject Requests
Two of the most common data subject requests based in law are the request for access to personal data and the request for deletion of personal data.Access & Deletion Requests
How a data subject access or deletion request is handled depends on Unity's role in relation to the data:- Where Unity acts as a processor, Unity actions requests only on your instruction. The request must therefore come from you, the developer — Unity will not action these requests if they are received directly from an end user.
- Where Unity acts as a controller (including as an independent controller), the request must come directly from the end user (the data subject).
-
Data for which Unity is a processor
This applies to:- Transaction data (except for CodaPay transaction data, see section below)
- IAP data
You are responsible for receiving and validating requests from your end users and then instructing Unity to action them. Submit your instruction to the email address stated above.
-
Data for which Unity is a controller
The end user must contact Unity directly by using the email address stated above:- Webshop account login data
- CodaPay transaction data
- Unity, Developer and CodaPay operate as independent controllers
- Transaction and billing data used for Unity's own purposes — Unity is an independent controller where it uses this data for its own legitimate business purposes, including internal financial reporting and auditing, complying with legal and regulatory obligations; and security monitoring and fraud prevention. Requests relating to this processing come directly from the end user.
Dependencies
Unity Product Dependencies
- Unity Authentication SDK: Enabling this product also enables Authentication. Refer to Unity Authentication SDK for more information.
Payment Dependencies
Platform payment processing: If you distribute through the Apple App Store or Google Play, payments are processed at the platform level under each platform's terms.- Apple App Store — Refer to the Apple App Store terms.
- Google Play — Refer to the Google Play terms.
Personal Data Retention
Orders, configs, and OAuth tokens stored are retained until the Controller or Data Subject chooses to delete them. Service logs data is stored for 90 days.Child Privacy
If required to do so under applicable laws, you (the developer) must obtain verifiable parental consent prior to submitting child-user data as outlined in the Unity Terms of Service through the IAP Service which includes the Webshop Service.Privacy Policy Requirements
It is never appropriate to use Unity’s privacy policy for your application. You will need to ensure that the personal data practices are reflected in your Privacy Policy, as required in the Unity Terms of Service.Data Processing Agreement (DPA)
The Unity DPA applies to the transfer of data for this product.Glossary & Notable Laws
- GDPR - The General Data Protection Regulation (GDPR) took effect in the European Economic Area (EEA). References to GDPR also encompass UK GDPR which is the UK’s version of GDPR which applies post-Brexit.
- CCPA - The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (“CPRA”).
- PIPL - In November of 2021, Personal Information Protection Law (PIPL) took effect in China.
- LGPD - The Brazilian General Data Protection Law
- VCDPA - The Virginia Consumer Data Protection Act
- CPA - The Colorado Privacy Act
- CTDPA - The Connecticut Data Protection Act
- UCPA - The Utah Consumer Privacy Act
- PIPEDA - The Canadian Personal Information Protection and Electronic Documents Act
- COPPA - The Children’s Online Privacy Protection Act (COPPA) imposes restrictions on how data can be collected and used from children under the age of 13.
- CARU - A self-regulatory organization for the promotion of responsible privacy practices to children under the age of 13
- DPA - A Data Processing Addendum (or Data Processing Agreement) forms part of a contract and governs the rights and obligations of each party concerning the processing of personal data.
- ATT - iOS 14 and later requires publishers to obtain permission to track the user's device across applications. This device setting is called App Tracking Transparency, or ATT.