Diamond Loot · HustlrStudioz

Privacy Policy

App: Diamond Loot: Get Redeem CodeUpdated: May 17, 2026Effective: May 17, 2026

Introduction & Scope

Welcome to Diamond Loot, developed and operated by HustlrStudioz. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and your rights.

This policy applies to:

The Diamond Loot Android app (dev.hustlrstudioz.diamondloot)
Our website at https://hustlrstudioz.dev
All related support channels (email, in-app support)

By downloading, installing, or using Diamond Loot, you acknowledge you have read and understood this Privacy Policy. If you do not agree, please do not use the app.

Information We Collect

2.1 Account & Identity Information

Data	Source	Why
Firebase User ID (UID)	Firebase Authentication	Unique identifier across all systems
Email address	Google Sign-In	Account identification, support
Display name	Google Sign-In	Personalisation, leaderboard
Profile picture URL	Google Sign-In	Display in app UI (not stored on our servers)
Account creation timestamp	Generated on signup	Fraud prevention, redemption eligibility
Anonymous auth token	Firebase Auth	Allows usage before Google Sign-In

Google Sign-In is only prompted before your first gift card redemption. Your profile picture is never stored on our servers — only the public Google URL is referenced.

2.2 In-App Activity & Progress Data

Data	Purpose
Coin balance	Core functionality
Lifetime coins earned	Analytics, fraud detection, leaderboard
Spin / scratch / slot cooldown timestamps	Enforcing fair daily limits
Daily activity counts	Enforcing daily earning limits
Streak days and last streak date	Daily streak feature
Redemption history	Payout verification, support
Referral code & referred-by UID	Referral reward attribution
Transaction log	Fraud prevention, audit trail, support

2.3 Device & Technical Information

Data	Purpose
Device model and manufacturer	Crash reporting, compatibility
Android OS version	Compatibility, crash diagnosis
App version	Support, bug fixes
IP address	Fraud detection, geographic compliance
Firebase Instance ID / FCM token	Push notification delivery
Play Integrity attestation result	Anti-cheat — verifying device and app are genuine

2.4 Advertising Identifiers

Data	Source	Purpose
Google Advertising ID (GAID)	Android device	Ad personalisation, attribution, frequency capping
App set ID	Android device	Analytics, fraud detection (non-advertising)

You can reset or opt out of personalised ads via: Settings → Privacy → Ads → Reset Advertising ID.

How We Collect Information

Directly from you

When you sign in with Google
When you contact support

Automatically when you use the app

Firebase Analytics (usage patterns, screen views, custom events)
Firebase Crashlytics (crash reports)
Google AdMob (ad impressions, clicks, performance)
Our Cloud Functions (coin grants, redemptions, cooldown timestamps)

From third parties

Google (account info via Sign-In)
Firebase / Google Play Services (device attestation via Play Integrity)
AdMob (ad serving and reporting)
Offerwall partners (task completion postbacks)

How We Use Your Information

Purpose	Legal Basis
Core app functionality (coin balance, redemptions, notifications)	Contract performance
Fraud prevention & fair economy	Legitimate interests
Advertising via AdMob	Consent
Analytics & product improvement	Legitimate interests
Support & communications	Legitimate interests / Consent
Legal & compliance	Legal obligation

Third-Party Services & Data Sharing

Partner	Data Shared	Purpose
Google Firebase	UID, email, usage events, crash logs	Auth, database, analytics, crash reporting
Google AdMob	Advertising ID, IP address, app usage	Ad serving and reporting
Google Play Integrity	Device attestation request	App authenticity verification
GiftPort	Denomination requested, transaction ID	Gift card fulfilment

We do not: sell your personal data, share survey answers, share gift card codes, or share your coin balance or transaction history with ad networks.

Advertising & Ad Networks

Diamond Loot is free and supported by advertising through Google AdMob.

Ad types

Rewarded video ads — entirely voluntary, earn extra spins/cards
Interstitial ads — full-screen at natural break points, minimum 45-second gap enforced

Opt out of personalised ads

Android 12 and below: Settings → Google → Ads → Opt out of Ads Personalisation
Android 13 and above: Settings → Privacy → Ads → Delete Advertising ID

Frequency capping

Minimum 45 seconds between any two interstitial ads
Maximum 6 interstitial ads per session
Never shown on the Rewards/Redeem screen
Never shown during active game animations

Reward & Offerwall Partners

When you enter the offerwall, we pass a hashed, anonymous version of your Firebase UID (SHA-256, one-way, irreversible) to the provider. We do not share your name, email, or any personally identifiable information.

Task completions are verified via server-to-server postback with cryptographic signature verification. Your app never self-reports task completions.

In-App Currency & Reward Economy

Coins (◆) are a virtual in-app currency. They cannot be purchased with real money, cannot be transferred between accounts, and have no cash value except when redeemed for gift cards.

When you redeem coins, the gift card code is stored AES-256 encrypted in our database, associated only with your Firebase UID. The full code is only revealed when you explicitly tap "Reveal Code".

Every coin grant is logged with: source, amount, balance before/after, timestamp, and an idempotency key preventing double-crediting. You can request a copy of your transaction log by contacting us.

Fraud Prevention & Security

Behaviour	Detection	Action
Clock manipulation	Server-side timestamps (device clock never trusted)	Cooldown enforced from server time
SQLite/local DB editing	All coin writes via Cloud Functions only	Edits have no effect; re-synced from server
Emulator farming	Firebase App Check + Play Integrity	Requests from non-genuine devices rejected
Self-referral fraud	Server: inviter UID ≠ invitee UID	Referral voided, no coins granted
Referral farming	Inviter account must be >24 hours old	Reward withheld until age requirement met
Multiple accounts	Device fingerprint cross-reference	Only first account eligible for rewards
Offerwall tampering	HMAC signature verification	Invalid signatures rejected

If you believe your account was incorrectly banned, contact founder@hustlrstudioz.dev with your Firebase UID. We review appeals within 7 business days.

Data Retention

Data type	Retention period
Active account data	Duration of account + 30 days after deletion
Coin transaction logs	12 months from transaction date
Redemption records	24 months from redemption date
Crash logs (Crashlytics)	90 days
Analytics events (Firebase)	14 months (Firebase default)
Support emails	24 months
Fraud-flagged account data	Indefinitely (anonymised after 12 months)
FCM push tokens	Until account deletion or token expiry

Data Security

Technical measures

Firebase Security Rules: coins field can only be modified by Cloud Functions
AES-256 encryption for gift card codes at rest
HTTPS/TLS 1.2+ for all data in transit
Firebase App Check + Play Integrity on every Cloud Function call
Idempotency keys on all coin grant operations
Completely separate development and production Firebase projects
API keys stored in Firebase Functions environment config — never in app code or APK

Organisational measures

Production Firebase console access restricted to studio owner
No third-party developer has access to the production database
Gift card codes are never printed in server logs

In the event of a data breach, we will notify affected users and the appropriate supervisory authority within 72 hours of becoming aware, in accordance with applicable law.

Your Rights & Data Control

Right	How to exercise
Access — copy of all data we hold	Email: founder@hustlrstudioz.dev, subject "Data Access Request". Response within 30 days.
Correction — fix inaccurate data	Edit directly in app settings, or contact us
Deletion — right to be forgotten	In-app: Profile → Settings → Delete Account. Or email us with subject "Account Deletion Request".
Portability — data in JSON format	Email: founder@hustlrstudioz.dev
Restrict processing	Contact founder@hustlrstudioz.dev
Object to processing	Contact us. Note: objecting to fraud prevention may result in account termination.
Opt out of personalised ads	Android device settings (see Section 6)
Disable push notifications	Device Settings → Apps → Diamond Loot → Notifications

Children's Privacy

Diamond Loot is not directed at children under 13. We do not knowingly collect personal information from anyone under 13.

If you are a parent or guardian and believe your child under 13 has created an account, contact us immediately at founder@hustlrstudioz.dev. We will verify the claim, delete the account and all data within 72 hours, and confirm deletion by email.

International Data Transfers

Our backend infrastructure (Firebase) is operated by Google and may process data in the United States, Europe, and Asia. Google complies with standard contractual clauses and equivalent data protection frameworks.

India — Digital Personal Data Protection Act 2023

HustlrStudioz acts as the Data Fiduciary under the DPDPA 2023. Your rights as a data principal include:

Confirmation and access — know what personal data we process
Correction and erasure — have inaccurate or unnecessary data corrected or erased
Grievance redressal — have grievances addressed within a reasonable timeframe
Nomination — nominate an individual to exercise your rights in the event of death or incapacity

To exercise DPDPA rights: Email founder@hustlrstudioz.dev with subject "DPDPA Data Rights Request". We acknowledge within 72 hours and resolve within 30 days.

California Residents — CCPA

California residents have rights under CCPA/CPRA:

Right to know — request disclosure of what we collect, use, share, or sell
Right to delete — request deletion of personal information (see Section 12)
Right to opt-out of sale — we do not sell personal information
Right to non-discrimination — we will not deny services for exercising privacy rights

To exercise CCPA rights: Email founder@hustlrstudioz.dev with subject "CCPA Privacy Request".

European Users — GDPR

Processing activity	Legal basis
Account creation and authentication	Contract performance
Coin earning and redemption	Contract performance
Fraud prevention	Legitimate interests
Analytics (Firebase)	Legitimate interests
Ad personalisation (AdMob)	Consent
Push notifications (transactional)	Contract performance
Push notifications (marketing)	Consent
Legal compliance	Legal obligation

HustlrStudioz acts as the data controller. You also have the right to lodge a complaint with your national data protection authority.

Our fraud detection system uses automated analysis. If your account is restricted as a result, you have the right to request human review by contacting us.

Changes to This Policy

When we make significant changes, we will:

Update the "Last Updated" date at the top of this page
Display an in-app notification on your next app open
For material changes affecting your rights, send a push notification or email

Significant changes include: adding a new third-party partner, changing use of advertising identifiers, changes to your data rights, or changes to retention periods.

Previous versions are available upon request at founder@hustlrstudioz.dev.

Contact Us

General enquiries

Within 7 business days

Data access requests

Within 30 days

Deletion requests

Within 30 days

Account ban appeals

Within 7 business days

Urgent matters (use subject: URGENT)

Within 24 hours

Contact

Email: founder@hustlrstudioz.dev

Website: hustlrstudioz.dev

Grievance Officer (India — DPDPA): Same email, subject: "DPDPA Grievance"

This Privacy Policy was written specifically for Diamond Loot by HustlrStudioz. It covers all SDKs and integrations active as of May 17, 2026.
© 2026 HustlrStudioz · hustlrstudioz.dev