Privacy Policy

Effective date: 10 September 2025

This Privacy Policy explains how Mucca (“we”, “us”, “our”) processes personal data in connection with our Telegram Mini App and related websites. We aim to collect only what we need to run the game and operate fairly and transparently.

Who we are

Mucca is operated by Tonorbit.com (Switzerland). If you are in the EEA/UK/CH, Tonorbit.com is the data controller for your personal data processed in Mucca.

Contact: info@mucca.app

Where this applies

This policy covers our Telegram Mini App and public web pages (e.g., landing and policies). It does not cover third-party services’ own policies (Telegram, Google/Firebase, Tonkeeper/TON, payment providers).

Data we collect

  • Telegram account basics (via initData): Telegram user ID, username, display name, and language. We use this to authenticate you and run the app.
  • Mini-app session info: platform (e.g., iOS/Android/Web), start_param used for referral or campaign attribution, and basic runtime signals (e.g., whether the app is opened within Telegram).
  • Gameplay and app activity: mining participation, wheel spins, lottery entries, task completions, referral relations, earned rewards, boosts usage, and related timestamps.
  • Transactions: in-app reward and payout logs; TON or Telegram Stars purchase events (e.g., invoice ID, transaction hash/payload, amount, status). Blockchain transactions are public and permanent.
  • Communications: messages you send us (support/contact), your opt-in state for direct messages (e.g., whether Telegram allows us to DM you), and our outbound message/job logs.
  • Technical logs: server and security logs (IP address, user agent, request metadata) captured by our hosting and infrastructure providers for reliability, abuse prevention, and debugging.
  • Public website: when you visit our public pages, we may use minimal storage (e.g., local storage) to remember preferences. We currently do not deploy third-party advertising cookies.

How we use data

  • Authenticate you in the Mini App and secure your session.
  • Run game features (mining, wheel, lottery, tasks, referrals).
  • Attribute referrals/campaigns and fight fraud/abuse.
  • Record rewards and purchases and provide receipts/history.
  • Operate support and send essential service messages.
  • Maintain and improve performance, safety, and reliability.
  • Comply with applicable laws and enforce our Terms.

Legal bases (EEA/UK/CH)

  • Performance of a contract — providing the Mini App and core features you request.
  • Legitimate interests — securing the service, preventing abuse, analytics for product improvement, and communicating necessary updates.
  • Consent — where required (e.g., certain notifications/marketing where applicable).
  • Legal obligation — compliance with law, regulatory requests, tax/accounting where applicable.

Data sharing

We do not sell your personal data. We share data only as needed to run the service:

  • Service providers: Google Cloud/Firebase (hosting, database, auth, functions), Cloud Run, and similar infrastructure providers.
  • Telegram Platform: Telegram processes your Mini App session and any Stars purchases. Use is subject to Telegram’s terms and privacy policy.
  • Blockchain networks: when you send/receive on TON, related addresses, payloads, and hashes are published to a public ledger and may be visible to anyone.
  • Legal and safety: we may disclose information to comply with the law, respond to valid legal requests, or protect users, the public, and our rights.
  • Business changes: in a merger, acquisition, or asset transfer, data may be transferred in accordance with this policy.

Data location & transfers

We generally host in the EU (e.g., Google Cloud regions such as europe-west1 / europe-west6). Some processing or support services may involve international transfers. Where required, we use appropriate safeguards (e.g., SCCs or Swiss/EU-adequate regimes).

Retention

We keep data only as long as necessary for the purposes described above. Typical examples: account and gameplay records for the life of the account; transactional and financial records for the period required by law; security logs for a short period to detect abuse. We delete or anonymize data when it is no longer needed.

Security

We use reasonable technical and organizational measures (account isolation, role-based access, least privilege, HTTPS, audit logs). No system is perfectly secure; please protect your Telegram account and devices.

Your rights

Depending on your location, you may have rights to access, correct, delete, restrict or object to processing, and data portability.

  • To exercise rights, contact info@mucca.app with your Telegram ID so we can identify your account.
  • You may also have the right to lodge a complaint with your local supervisory authority.

Children’s privacy

Mucca is intended for users aged 18+. We do not knowingly collect data from children. If you believe a child has used Mucca, contact us and we will take appropriate steps.

Changes to this policy

We may update this policy to reflect changes to our service or legal requirements. We will post the updated version here and update the effective date above. Material changes may also be announced in-app or via our channel.

Contact

For privacy questions or requests, email info@mucca.app.

If you are in the EEA/UK/CH, you may also contact your local data protection authority.