Confirm registered office: Rua das Acacias, 40A, 3090-380 Figueira da Foz, Portugal.
Confirm company registration / VAT number: PT 518249891.
Confirm public privacy contact and support mailbox.
Decide whether to create a dedicated privacy address such as privacy@badduckstudio.com.
2. App build verification
List every SDK in the final Unity project.
Compare Unity packages with the Partners and SDKs Notice.
Current audit note: Unity Analytics may be enabled in project settings; confirm whether it enters the final build and either disable it or disclose it consistently.
Crash Reporting appears off in the audit, but confirm final Unity services and dashboards.
Confirm Unity Mobile Notifications behaviour, including Android 13+ notification permission where applicable.
Confirm support form status, Cloudflare Worker endpoint, Resend sender domain and support data disclosures. If another form backend is later enabled, update this site, store disclosures and SDK notices.
Review guest login identifiers and avoid device-derived identifiers where possible.
Confirm every mediation partner enabled in Unity LevelPlay / AdMob dashboards.
Remove unused partner names from the published notice.
Add any active partner missing from the notice.
3. Consent implementation
EU/EEA/UK/Switzerland: do not initialise non-essential ads, analytics or tracking before valid consent where required.
Implement Accept all, Reject non-essential and Manage choices.
Store consent version, region, timestamp and selected categories.
Provide a Settings screen to reopen consent choices.
Pass consent and opt-out flags to AdMob, Unity LevelPlay and other active SDKs.
Test rejection path: no personalised ads, no non-essential analytics, no unauthorised identifiers.
4. Children and age handling
Current declared position: the game is a general-audience word game that may also be directed to or used by children.
Check app-store age rating, store screenshots, keywords, trailer and visual style.
For children under 13 or other local child thresholds: disable targeted ads unless valid parental consent and all required notices are in place.
Google Play: if the target audience includes children, comply with Families Policy and use only Families Self-Certified Ads SDKs for children and users of unknown age.
Apple: if children are a target audience, ensure age rating, privacy labels, ATT usage and account deletion flow match App Store rules.
For Brazil: review ECA Digital requirements and ANPD guidance before launch.
For UK: apply high privacy defaults if the app is likely to be accessed by under-18 users.
For Australia: monitor the Children's Online Privacy Code before and after it comes into force.
5. Store declarations
Google Play Data Safety must match these documents and SDK behaviour.
Apple App Privacy labels must match these documents and SDK behaviour.
Apple privacy manifest / required reason API declarations must match the final iOS build and embedded SDKs.
Account deletion URL and in-app deletion flow must be available if account creation is available.
AdMob/Google consent configuration must match regions where ads are served.
6. Regional publishing
EU/Portugal: confirm CNPD reference, ADR/Livro de Reclamacoes applicability and consent flow.
Brazil: confirm LGPD rights channel and ECA Digital position.
US: confirm whether "Do Not Sell or Share" / targeted advertising opt-out is needed.
UK: confirm PECR and Children's Code compliance position.
Australia: confirm APP coverage and overseas disclosure language.
New Zealand: confirm indirect collection notice and overseas disclosure language.
7. Final legal review
Have a Portuguese lawyer confirm Portuguese consumer, ADR and Livro de Reclamacoes obligations.
Have privacy counsel review GDPR/UK GDPR/PECR consent implementation if serving ads in Europe.
Have Brazil counsel review LGPD/ECA Digital if Brazil is a target market.
Re-run this checklist after each SDK, monetisation or data-flow change.
