Terms of Service

Overview & Acceptance

These Terms of Service ("Terms") govern your access to and use of the mobile applications published by ECHODATAGRIDAPEX ("we," "us," or "our") on the Apple App Store and Google Play Store (collectively, the "Apps"), as well as our website at echodatagridapex.com (the "Site") and any related services (collectively, the "Services").

By downloading, installing, or using any of our Apps or Services, you agree to be bound by these Terms. If you do not agree, you must not install or use the Apps or Services. We may modify these Terms at any time as described in the "Modifications" section below.

Applicable Rules & Regulations: These Terms incorporate by reference the latest Apple App Store Review Guidelines (2026), Google Play Developer Program Policies (2026), EU Digital Services Act (DSA), EU AI Act, GDPR, UK-GDPR, CCPA/CPRA, all 50 US state privacy laws, Brazil LGPD, India DPDP, China PIPL, Saudi Arabia PDPL, Japan APPI, South Korea PIPA, Canada PIPEDA/Quebec Law 25, and other applicable regional regulations.

Part 1: Account Ownership & Licensing

1.1 Non-Ownership Statement

After downloading and installing applications through the App Store, Google Play, or other authorised channels, the user obtains only a limited, non-transferable, non-rentable, non-lendable license to use the software granted by the Company. The user does not obtain legal ownership of the account or any in-app virtual property (including but not limited to coins, gems, skins, levels, items, premium features, etc.).

1.2 Account Attribution

Accounts are registered and used by the user. Accurate, complete information must be provided during registration (where applicable). Account ownership belongs to the Company; the user is granted only a usage right. The user is responsible for safeguarding account credentials and login information. Loss caused by the user's own improper operations (e.g., leaking passwords, authorising untrusted third parties) resulting in account theft or virtual property loss is the user's sole responsibility.

1.3 Account Recovery

Accounts that have remained inactive for 180 consecutive days with no purchase records may be deactivated by us to free server resources. Before deactivation, users will be notified at least 30 days in advance via in-app push, registered email (if any), or other channels. Upon deactivation, all virtual property and personal data within the account will be permanently deleted (except where retention is required by law), and cannot be recovered.

1.4 Account Use Restrictions

Users must not transfer, rent, lend, or sell accounts to third parties. Accounts must not be used for commercial profit or illegal activities. If we discover a user engaging in prohibited account use, we reserve the right to suspend or ban the account, delete the account's virtual property, and pursue appropriate legal remedies.

Part 2: IAA Advertising & Reward Policy (Detailed Fraud Penalties)

2.1 Reward Acquisition Rules

Users must completely watch the rewarded video advertisement and complete any required interaction (if any), and no abnormal operation may occur during playback (such as switching applications, locking the screen, using plugins to skip, etc.), before the corresponding reward can be obtained. Rewards will be credited immediately after the advertisement playback is complete. If the reward is not credited due to network delay, advertising platform failure, or other reasons, the user may report through in-app customer service channels. We will verify and process within 3 business days.

2.2 Advertising Quality Guarantee

We strictly review the advertising content provided by third-party advertising platforms and strive to filter violent, pornographic, vulgar, false-propaganda, illegal, or otherwise inappropriate advertising. However, advertising content is placed by third parties. If a user discovers non-compliant advertising, they may submit evidence through the in-app "Advertising Complaint" channel. We will verify within 24 hours, block or delete the non-compliant advertisement, and pursue the third-party advertising platform's responsibility.

2.3 Advertising Fraud — Definition & Penalty Rules (Detailed)

Scope of Definition:

Any of the following means of obtaining advertising rewards, evading advertising playback, or interfering with advertising statistics is considered advertising fraud:

• Using plugins, scripts, cracking tools, etc. to skip advertisements, accelerate advertisement playback, or simulate advertisement watching behaviour
• Batch watching advertisements through multiple accounts or multiple devices, obtaining rewards and then reselling or monetising them
• Modifying device parameters (such as device ID, IP address) or using VPN/proxy tools to switch regions for batch advertisement watching
• Frequent switching of applications, locking the screen, or restarting the device during advertisement playback to evade the requirement of complete viewing
• Exploiting advertising platform vulnerabilities to falsely trigger advertisement displays or clicks to defraud advertising revenue
• Other fraudulent behaviours that interfere with normal advertisement playback and statistics

Penalty Rules:

• First Violation: Warn the user, clear the current unused advertising rewards of the account, restrict advertisement watching rights for 7 days
• Second Violation: Ban the account's advertising watching rights for 30 days, clear all advertising rewards in the account, record device violation information
• Third or Subsequent Violations: Permanently ban the account's advertising watching rights, ban the related device's right to use the application, list on the platform blacklist, while reserving the right to pursue the user's legal liability and recover advertising losses
• Serious Circumstances (such as batch fraud, malicious interference with the advertising ecosystem): Permanently ban the account and related devices, report to the App Store/Google Play and other application stores, assist the platform to take further punitive measures, while pursuing the user's civil compensation liability. If a crime is involved, the case is transferred to judicial authorities.

Part 3: IAP Payment, Refunds & Disputes (Detailed Fraud Penalties)

3.1 Final Price Statement

For virtual goods and value-added services purchased by the user in-app, the displayed price includes the price of the goods themselves, application store platform commissions (officially charged by Apple/Google), and any applicable VAT, tariffs, or other related taxes. The final payment price is subject to the application store payment page display. Price adjustments will be notified to the user at least 7 days in advance via in-app announcements, push notifications, etc.

3.2 Payment Rules

Payment operations are completed through the App Store/Google Play official payment channels. We do not directly collect any payment from the user, and do not store any user payment information. After successful payment, virtual goods or value-added services will be credited to the account instantly, and the user may view order details in the in-app "My Orders" section.

3.3 Refund Restrictions

Due to the instant and non-refundable nature of virtual goods and value-added services, once the user has purchased and used them (such as consumed coins, unlocked features), refunds are generally not supported in principle.

Special Circumstances Eligible for Refund (Supporting Documentation Required):

• Payment is successful but the virtual goods or value-added services are not credited, and the issue is verified to be caused by our technical fault
• Minors mistakenly purchase without guardian consent — guardians may provide relevant proof (such as minor's identification documents, payment records) and apply for a refund via the application store or to us
• The application has a major fault causing the user unable to use the purchased value-added services, and the fault cannot be fixed within 7 business days

Refund Process:

Users must submit refund applications through the App Store/Google Play official refund channels or in-app customer service channels, providing relevant proof. We will verify within 3 business days, cooperate with the application store to complete the refund processing, and the refund arrival time is subject to the application store's official regulations.

3.4 IAP Fraud — Definition & Penalty Rules (Detailed)

Scope of Definition:

Any of the following means of obtaining in-app virtual goods or value-added services, evading payment, or defrauding refunds is considered IAP fraud:

• Malicious Refund: Exploiting application store refund policy loopholes to purchase virtual goods, use them, and then apply for refund without returning the used virtual goods
• Cracking Payment Process: Bypassing official payment channels through plugins, scripts, cracked application versions, etc., to obtain virtual goods or value-added services
• Falsifying Payment Records: Forging orders or payment receipts to defraud virtual goods or value-added services
• Using Stolen Payment Methods: Using stolen bank cards or payment accounts to make purchases, or redeeming virtual goods through illegally obtained redemption codes
• Region Arbitrage: Using VPN/proxy tools to switch to low-price regions to purchase virtual goods and evade normal pricing
• Batch Registration Abuse: Batch registration of accounts to exploit application store new user promotions or discount activities for malicious purchase and resale/monetisation of virtual goods
• Other fraudulent behaviours evading payment or defrauding virtual goods or refunds

Penalty Rules:

• First Violation: Warn the user, recover virtual goods obtained through fraud in the account, restrict in-app purchase rights for 15 days
• Second Violation: Ban the account's in-app purchase rights for 90 days, clear all virtual goods in the account, record device violation information, list on the platform blacklist
• Third or Subsequent Violations: Permanently ban the account and related devices, prohibit use of the application and related services, report to the application store and assist the platform to take further punitive measures (such as banning accounts, restricting device download)
• Serious Circumstances (such as batch fraud, malicious stolen-card fraud, causing major economic loss): Permanently ban the account and related devices, pursue the user's civil compensation liability. If a crime is involved, the case is transferred to judicial authorities. We also reserve the right to report to application stores and payment institutions and assist relevant institutions in pursuing the user's liability.

3.5 Unauthorised Transaction Handling

In the event of unauthorised transactions caused by minor misuse or account theft, the user (or guardian) must promptly contact Apple/Google official support, while also notifying us and providing relevant proof (such as minor's identification documents, account theft proof, payment records). We will cooperate with the application store to verify and process, and assist the user in applying for a refund (subject to refund conditions).

Part 4: Anti-Cheat & Security Agreement (Detailed)

To safeguard the normal operation of our applications, protect the legitimate rights and interests of users and us, the following cheating and violation behaviours are strictly prohibited. If violations are discovered, we will take corresponding penalty measures according to the severity of the situation. In serious cases, we will pursue legal liability.

• Using VPN, proxy tools, or other means to bypass regional restrictions or price differences for cross-regional purchases or advertisement watching
• Using any automated script, simulator, plug-in, cracked application, plugin, or other tools to interfere with normal operation, tamper with application data, or obtain improper benefits
• Capturing or modifying packets of application communication protocols, forging data, or interfering with statistics, payment, advertising, or other core functions
• Batch registering accounts, maliciously inflating volume or scores, interfering with application rankings or rating systems, or disrupting the application ecosystem
• Stealing others' accounts or virtual property, or leaking others' account information or personal data
• Modifying device parameters (such as device ID, IMEI, MAC address) to evade violation penalties or repeatedly obtain rewards
• Spreading application cracking methods or cheating tools, inciting others to engage in cheating
• Other violations or cheating behaviours that interfere with normal application operation or infringe the legitimate rights and interests of users or us

4.1 Penalty Measures

Based on the severity of violations, we may take measures including but not limited to: warning, restriction of functions, account ban, device ban, blacklisting, etc. For serious violations, we will pursue civil compensation liability. If a crime is involved, the case is transferred to judicial authorities. We also reserve the right to delete relevant data of violating users and terminate service provision without bearing any compensation liability.

Part 5: Content Moderation (DSA Compliance — Detailed)

Where applications involve user-generated content (UGC), we strictly follow the compliance requirements of the EU Digital Services Act (DSA), establish a complete content moderation mechanism, regulate user content publishing behaviour, and safeguard content compliance:

5.1 Moderation Mechanism

We implement a dual "AI-automated monitoring + human review" mechanism. AI tools monitor user-published content in real-time, identify non-compliant content and initially intercept it. The human review team conducts secondary review of suspected non-compliant content and user-reported content, ensuring both review efficiency and accuracy.

5.2 "Notice and Action" Mechanism

If we discover user-published non-compliant content, we will immediately notify the user, explain the reason for the violation, and delete the non-compliant content within 24 hours. The user may appeal the deletion decision. We will verify and respond with a result within 3 business days.

5.3 Prohibited Content

Users are strictly prohibited from publishing any of the following types of content, including but not limited to:

• Politically sensitive content, content endangering national security, or disrupting social stability
• Racially, gender-, or religiously discriminatory content
• Violent, pornographic, vulgar, bloody, or terror-related inappropriate content
• False information, rumour-mongering, or fraudulent and misleading content
• Content infringing others' intellectual property rights, reputation rights, portrait rights, or privacy rights
• Other content that violates the laws and regulations of countries/regions worldwide or public order and good morals

5.4 User Responsibility

When publishing UGC content, users must guarantee the legality, authenticity, and originality of the content, and must not infringe the legitimate rights and interests of others. If a user publishes non-compliant content, we reserve the right to delete the content, restrict the user's publishing rights, and ban the account. The user must bear all resulting legal liabilities, and if any loss is caused to us, we reserve the right to seek compensation.

5.5 DSA Additional Requirements

We publicly disclose content moderation standards, complaint handling procedures, and non-compliant content handling rules. We regularly publish UGC content moderation reports, accept supervision by users and regulatory authorities. We establish a user appeal mechanism to safeguard users' legitimate rights and interests. Where large-scale UGC content is involved, a dedicated content moderation responsible person is appointed to cooperate with EU regulatory authority inspections.

Technical Compliance Guide — Apple App Store (iOS)

This section combines the latest 2026 Apple App Store policies, iOS 18 system requirements, and global regional compliance requirements to clarify technical execution standards, ensuring applications remain compliant throughout R&D, release, and operation.

iOS-1. Privacy Labels

Privacy label information must be accurately completed in the App Store backend. The "Data Linked to User" option must be strictly checked because data such as IDFA and purchase records will be associated with user profiles. Data collection scope, purpose, and third-party sharing must be accurately filled in and consistent with this Privacy Policy. Providing false information will result in application review rejection or removal.

iOS-2. ATT Mandatory Enforcement (2026 Upgrade Requirements)

• Before obtaining device_id (IDFA), the requestTrackingAuthorization API must first be called to display the user authorisation pop-up. The authorisation text must clearly state the purpose of authorisation (e.g., personalised advertising delivery) and must not mislead users.
• If the user denies authorisation, allow_tracking = false must be passed to all third-party SDKs. IDFA must not be obtained or used without permission, and ATT framework restrictions must not be circumvented by other means.
• Adapt to iOS 18 latest requirements: the ATT authorisation pop-up may only be displayed once and may not harass users with multiple pop-ups. If the user denies authorisation, subsequent requests are not permitted. The user may only be guided to enable authorisation via device system settings.
• User device identifiers must not be obtained through non-ATT channels, and other device parameters (such as MAC address) must not be used as IDFA substitutes to circumvent privacy policy requirements.

iOS-3. Other Technical Compliance Requirements

• Applications must not contain hidden functions or non-compliant code, and must not circumvent App Store review rules (e.g., hidden payment entrances, false feature descriptions)
• Adapt to iOS 18 latest privacy requirements. Access to sensitive data (such as photos, contacts) requires per-instance user authorisation. Default authorisation or forced authorisation is not permitted
• In-app purchase items must clearly label prices and subscription periods. Inducement purchase traps must not be set, and users must not be misled into paying
• If the application contains AI-generated content, it must be clearly labeled on the App Store details page, complying with Apple's AI compliance requirements

Technical Compliance Guide — Google Play (Android)

A-1. Data Safety Form

The Data Safety Form must be accurately completed in the Google Play backend. Encryption for data in transit must be explicitly declared (HTTPS protocol encryption is mandatory). AES-256 encryption must be used for stored data. Data collection scope, purpose, and third-party sharing must be accurately declared. Concealment of data processing activities is not permitted. Providing false information will result in application review rejection or removal.

A-2. SDK Transparency (2026 Upgrade Requirements)

• Google requires developers to take full responsibility for the behaviour of integrated third-party SDKs. All integrated SDK versions must support the latest Android 14+ Privacy Sandbox. Outdated SDKs (which may contain privacy security vulnerabilities) must not be used
• A list of all integrated third-party SDKs must be publicly disclosed in the Google Play backend, with clear SDK name, purpose, and data collection scope, ensuring SDK data processing behaviour is compliant. If an SDK engages in improper data collection, the SDK must be removed immediately and remediated
• Adapt to Android 15 latest requirements. Integrated SDKs must not request permissions unrelated to application functions, must not improperly collect user personal information, and must not interfere with normal device operation
• If the application supports Android 15 Private Space functionality, the logic must be adjusted according to application type. Medical applications must clearly inform users not to install in Private Space to avoid affecting core function operation. Launcher applications must declare relevant permissions and adapt to Private Space application display requirements

A-3. Other Technical Compliance Requirements

• Adapt to Android 15 latest privacy protection measures. Support dynamic OTP (one-time password) hiding — hide sensitive content during screen sharing. Users may manually mark application sensitive fields to safeguard user privacy and security
• Applications must not contain malicious code or advertising plug-ins, must not force push advertisements or induce users to click advertisements, and advertisement display must comply with Google Play advertising policies
• Applications must support 64-bit architecture and must not only provide 32-bit versions, ensuring compatibility with the latest Android devices
• If the application contains subscription services, the subscription management entrance must be clearly labeled in-app. Users must be supported to cancel subscriptions at any time, complying with Google Play subscription policies

Technical Compliance Guide — 2026 Data Residency Compliance

With the global rise of data sovereignty awareness in 2026, multiple countries/regions have introduced stricter data localisation requirements. We must strictly follow the following rules to avoid violations:

• If the application has a substantial user base in a specific country/region (with specific thresholds as defined by local regulations, such as China, India, Saudi Arabia, Brazil, EU, Canada), user data must be stored on compliant servers within that country/region. Unauthorised cross-border transfer is not permitted
• Cross-border data transfer must strictly comply with local regulatory requirements — such as the EU GDPR's adequacy decisions, China's security assessment/standard contract requirements under the Provisions on Promoting and Regulating Cross-border Data Flows, and India's DPDP Act cross-border transfer approval requirements. Data must not be transferred abroad without approval
• With respect to the global data sovereignty disputes mentioned in the 2026 US Trade Report, care must be taken to avoid trade compliance risks arising from cross-border data transfers. If the application targets US users, the CLOUD Act requirements must be followed, while cooperating with US regulatory authorities' data access requests (if any)
• Data storage locations are periodically reviewed to ensure alignment with local regulatory changes. For countries that introduced new data localisation requirements in 2026 — such as Canada, Japan, Bolivia, Colombia, and others — data storage strategies are promptly adjusted to avoid violations
• A data residency compliance ledger is maintained, recording user data storage locations and transfer situations. Regular compliance self-audits are conducted and we cooperate with local regulatory inspections

Technical Compliance Guide — Interaction Design Recommendations

UX-1. Double Confirmation Mechanism

For large-amount IAP purchases (recommended for single transaction amounts ≥ $50 USD / €50), an in-app secondary confirmation pop-up must be added before the purchase, clearly informing the user of the purchase amount, product name, and payment method. The user must manually click "Confirm Purchase" before being directed to the payment page, avoiding mistaken operations.

For auto-renewing subscriptions, after the user clicks the "Subscribe" button, a confirmation pop-up must be displayed again, clearly informing the user of the subscription period, price, and renewal rules to avoid mistaken subscription.

UX-2. Privacy Policy Easy Accessibility (Mandatory Requirement)

The Privacy Policy link must be present in the following three locations simultaneously to ensure users can view it at any time, complying with global compliance requirements:

1. App Store details page (significant position on App Store/Google Play description page)
2. App launch splash screen (or login page) — the user may click the link to view the full Privacy Policy. The splash screen must provide "Agree" and "Decline" buttons. If the user declines, the application cannot be used
3. In-app "Settings" or "About" menu — the link must be placed in a significant position. Clicking it directly displays the Privacy Policy and supports user access at any time

UX-3. Other Interaction Compliance Recommendations

• Permission Requests: When requesting permissions (such as camera, photo album, location), the purpose must be clearly stated. Default authorisation or forced authorisation is not permitted. The user may withdraw authorisation at any time via in-app or device system settings
• Ad Interaction: Rewarded video advertisements must be clearly labeled "Watch the full advertisement to receive reward". A "Skip Advertisement" button (skippable after 5 seconds of ad playback) must be provided. Users must not be forced to watch advertisements
• Complaint Reporting: Convenient complaint reporting channels must be set in-app, including privacy complaints, advertising complaints, UGC content complaints, etc. The feedback processing time limit (no more than 7 business days) must be clearly stated, and processing results must be fed back to the user
• Transparency Display: Significant in-app display of advertising placement rules, algorithmic recommendation logic, and data processing workflows (simplified version), complying with DSA transparency requirements and safeguarding users' right to information
• Screen Sharing Notification: Adapt to Android 15 latest requirements. When screen sharing, screen mirroring, or recording is in progress, a significant notification label must be displayed in the status bar, reminding the user that screen sharing is currently active. The user may click the label to quickly stop sharing

Compliance Risk Management & Periodic Review

RM-1. Compliance Risk Prevention Measures

• Establish Compliance Review Mechanism: Before application R&D and release, conduct comprehensive compliance review of application code, privacy policy, service agreement, and interaction design to ensure compliance with App Store, Google Play policies, and global regional regulations, avoiding violations
• Periodic Compliance Knowledge Updates: Designate personnel to monitor the latest changes in global privacy regulations and application store policies (such as US state privacy laws, EU DSA updates, Android 15/iOS 18 system policy changes), and promptly adjust applications and agreement content
• Third-Party Partner Management: Regularly review the compliance of third-party advertising platforms, SDK providers, and payment processors. Sign compliance agreements, clarify data processing responsibilities, and immediately terminate partnerships if third parties engage in violations
• User Request Handling: Establish a mechanism for handling user data-related requests (access, correction, deletion, complaints) to ensure response and processing within specified timeframes, retaining processing records, and accepting supervision by users and regulatory authorities
• Security Protection: Strengthen application data security protection. Adopt encrypted storage, encrypted transmission, access permission control, and other technologies to prevent data leakage, tampering, and loss. Periodically conduct data security detection and risk assessments
• Employee Training: Periodically conduct compliance training for R&D, operations, customer service, and other related employees. Disseminate privacy regulations, application store policies, and anti-fraud rules to enhance employee compliance awareness and avoid violations caused by improper operations

RM-2. Periodic Review Requirements

Due to the continuously changing global legal environment (especially US state privacy laws and EU DSA implementation rules), as well as continuously updated application store policies and technical standards, we recommend conducting a routine review of this agreement and application compliance every 6 months. The specific review contents include:

• Agreement Clauses: Check whether agreement clauses comply with the latest regulations and application store policies, and whether they need to be supplemented or modified (e.g., new regional compliance clauses, updated fraud penalty rules)
• Application Compliance: Check whether application code, SDK versions, and interaction design comply with the latest technical compliance requirements (e.g., Android 15/iOS 18 adaptation, ATT framework execution)
• Data Processing: Check whether data collection, storage, transmission, and sharing processes are compliant, whether data residency complies with local requirements, and whether third-party data sharing is controllable
• Anti-Fraud Mechanism: Check whether advertisement and IAP anti-fraud rules are perfect, and whether penalty measures need to be updated according to the latest fraud methods
• User Requests: Review user data-related request handling, identify any untimely responses or improper handling, and optimise the processing workflow

Modifications

We reserve the right to modify these Terms at any time. Material changes will be announced at least 30 days in advance via in-app notifications, registered email (if any), or push notifications. Continued use of the Services after the effective date of the modified Terms constitutes acceptance of the modifications.

If you do not agree to the modified Terms, you may stop using the Services and request account deactivation in accordance with the procedure in the Privacy Policy.

Contact & Jurisdiction

These Terms are governed by the laws of England and Wales. Any disputes arising from or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to mandatory consumer protection laws of your habitual residence.

Contact Channels

• Email (Legal/Compliance): contact@echodatagridapex.com
• Email (Privacy/Data): contact@echodatagridapex.com
• Email (General Support): support@echodatagridapex.com
• Email (Security/Vulnerabilities): contact@echodatagridapex.com
• Email (Business/Partnerships): contact@echodatagridapex.com
• Postal Address: ECHODATAGRIDAPEX, St John's Innovation Centre, Cambridge, United Kingdom

Severability

If any provision of these Terms is held to be invalid or unenforceable, that provision shall be enforced to the maximum extent permitted by law, and the remaining provisions shall remain in full force and effect.

Entire Agreement

These Terms, together with our Privacy Policy and any specific agreement you sign with us, constitute the entire agreement between you and ECHODATAGRIDAPEX regarding the use of the Services, and supersede all prior agreements, communications, and proposals (whether oral or written) on the same subject matter.

Document Version: 2026.1 — Terms of Service + Technical Compliance Deep-Enhancement Edition
Effective Date: June 1, 2026
Last Reviewed: June 2026
Next Scheduled Review: December 2026
Governing Law: England and Wales
Document Owner: ECHODATAGRIDAPEX Legal & Engineering Team