Privacy Policy โ Fitz & Pop Arcade
Last updated: 11 July 2026
This Privacy Policy explains how FITZ&POP'S TABLETOPS PTE. LTD. collects, uses, discloses, and protects your personal data when you access or use the Fitz & Pop Arcade at play.fitzpop.top (the "Arcade" or "Service").
This Policy is issued in accordance with Singapore's Personal Data Protection Act 2012 ("PDPA") and describes how we comply with our obligations under it, including the Consent, Notification, Purpose Limitation, Access and Correction, Accuracy, Protection, Retention Limitation, and Transfer Limitation Obligations, as well as the Do Not Call provisions governing marketing.
Data controller. The organisation responsible for your personal data (the data controller) is:
FITZ&POP'S TABLETOPS PTE. LTD. (UEN 202509377D) 133 New Bridge Road, #10-03, Chinatown Point, Singapore 059413 ("Fitz & Pop", "we", "us", or "our")
By using the Service, you acknowledge that you have read and understood this Policy. Where the PDPA requires your consent for a particular purpose, we rely on the consent you give (or are deemed to give) as described below.
1. Personal Data We Collect
We collect the following categories of personal data:
1.1. Identity data from your sign-in provider (SSO)
When you sign in with Google or Facebook (Meta), we receive from that provider:
- your display name;
- your email address;
- your Google or Facebook account identifier; and
- your avatar / profile image.
We only receive the information that your sign-in provider shares with us based on the permissions you grant. We do not receive or store your Google or Facebook password.
1.2. Gameplay data
As you use the Arcade, we collect data about how you play, including:
- game sessions and which games you play (for example, Krafting Krowns, You.Goat.Magic!, BLOODRUSH, Best Friend);
- scores, results, and leaderboard positions;
- move logs and in-game actions;
- clicks and interactions within the games;
- the percentage of games you complete; and
- how often and how long you play.
1.3. Attribution and marketing data
To understand how users find us and to measure our campaigns, we collect:
- UTM parameters (campaign, source, medium, and similar tags in the links you arrive through);
- the referrer (the web page or source that led you to the Arcade);
- Facebook / Meta click identifiers (fbclid); and
- data about which advertisement or campaign brought you to the Service.
1.4. Technical and usage data
We collect technical information generated when you use the Service, including:
- your device type and settings;
- your browser type and version;
- your IP address; and
- cookies, session identifiers, and similar technologies (see Section 6).
We do not intentionally collect special categories of sensitive personal data (such as health, religious, or political data) through the Arcade, and we ask that you do not submit such data to us.
2. How and Why We Use Your Personal Data (Purposes)
In accordance with the Purpose Limitation Obligation under the PDPA, we use your personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that we have notified to you. Those purposes are:
2.1. To operate the Arcade (necessary to provide the Service)
- to create and manage your Arcade profile;
- to authenticate you through Google or Facebook sign-in;
- to save your games and progress;
- to run leaderboards, scores, and profiles; and
- to provide customer support and respond to your requests.
2.2. Product analytics and improvement
- to understand how the Arcade and its games are used;
- to measure engagement, completion rates, and performance;
- to fix bugs, maintain security, and improve the games and the platform; and
- to develop new games and features.
2.3. Marketing โ only with your separate opt-in consent
Only where you have given us separate, opt-in marketing consent, we use your personal data to:
- send you marketing about the Arcade and about products and services related to the Arcade, including our own and our partners' board games, digital games, and crowdfunding campaigns (for example, Kickstarter campaigns);
- build Facebook / Meta Custom Audiences and similar audiences so that we can show relevant advertising to you and to people like you; and
- measure the effectiveness of our advertising and ad conversions.
Marketing consent is optional and separate from your acceptance of our Terms and Conditions. You do not need to agree to marketing to use the Arcade, and you may withdraw your marketing consent at any time (see Sections 5 and 8).
3. The Legal Basis for Processing (Consent under the PDPA)
3.1. Consent for core services. By creating an Arcade profile and using the Service, you consent to our collection, use, and disclosure of your personal data for the purposes in Sections 2.1 and 2.2, which are necessary to provide, secure, and improve the Service.
3.2. Separate consent for marketing. For the marketing purposes in Section 2.3, we rely on your separate opt-in consent, which you may give or decline independently, and withdraw at any time.
3.3. Deemed consent and legitimate interests / business improvement. Where permitted by the PDPA โ including its deemed consent, legitimate interests, and business improvement provisions โ we may collect, use, or disclose certain personal data (for example, technical data needed to deliver the site, prevent fraud, and secure the Service) without separately seeking consent, provided we have assessed that such processing is appropriate and does not have an adverse effect on you that outweighs the benefit.
3.4. Withdrawing consent generally. You may withdraw any consent you have given, subject to legal or contractual restrictions and reasonable notice, by contacting us (see Section 12). Withdrawing consent necessary to provide the Service may mean we can no longer provide the Arcade to you. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4. Who We Share Your Personal Data With
We do not sell your personal data. We share personal data only as described below, and, where the recipient acts as our data intermediary (processor), we require them by contract to protect your data in a manner consistent with the PDPA.
| Recipient | Role | Data shared / purpose |
|---|---|---|
| Authentication and analytics | Google sign-in (identity data); analytics on usage of the Service | |
| Meta / Facebook | SSO, advertising, measurement | Facebook sign-in (identity data); Meta Pixel / Conversions API and Custom Audiences for advertising and conversion measurement (marketing-consent users) |
| Stripe (future) | Payment processing | When paid features launch, payment and billing data to process in-app purchases |
| LaunchBoom / ReservationFunnel | Crowdfunding campaign funnels | Attribution and contact data used to run and measure crowdfunding / pre-launch campaigns (marketing-consent users) |
| Google Cloud | Cloud hosting and infrastructure | Hosting and storage of the Service and its data |
We may also disclose personal data:
- to our professional advisers (such as lawyers, accountants, and auditors);
- where required to comply with applicable law, regulation, legal process, or a lawful request by a public authority; and
- in connection with a merger, acquisition, reorganisation, or sale of assets, in which case personal data may be transferred to the successor entity, subject to this Policy.
5. Marketing and the Do Not Call Provisions
5.1. We will send marketing communications only where you have given us opt-in consent to do so, and in compliance with the PDPA's Consent and Do Not Call provisions.
5.2. Every marketing email will contain a clear way to unsubscribe. You may also withdraw marketing consent at any time by emailing privacy@fitzpop.top. We will action your request within a reasonable period and, in any event, within the timeframes required by the PDPA.
5.3. Even if you opt out of marketing, we may still send you non-marketing service messages (such as account, security, or legal notices) that are necessary to operate the Service.
6. Cookies and Similar Technologies
6.1. We use cookies, session identifiers, and similar technologies to keep you signed in, remember your preferences, secure the Service, understand usage, and โ for users who have given marketing consent โ support advertising and measurement (including the Meta Pixel).
6.2. You can control cookies through your browser settings. Disabling certain cookies may affect your ability to sign in or use parts of the Service. Where required, we will present a cookie / consent notice and obtain consent for non-essential cookies before they are set.
7. International Transfers of Personal Data
7.1. Some of the third parties listed in Section 4 (including Google, Meta, Stripe, LaunchBoom / ReservationFunnel, and Google Cloud) may store or process personal data on servers located outside Singapore. As a result, your personal data may be transferred to, and processed in, countries whose data-protection laws may differ from those of Singapore.
7.2. In accordance with the Transfer Limitation Obligation under the PDPA, before transferring personal data outside Singapore we take reasonable steps to ensure that the receiving organisation is bound by legally enforceable obligations to provide a standard of protection for the transferred data that is comparable to the protection under the PDPA โ for example, through contractual clauses, the recipient's certification, or other lawful transfer mechanisms.
8. Your Rights under the PDPA
Subject to the exceptions permitted under the PDPA, you have the following rights in relation to your personal data:
- Access. You may request confirmation of, and access to, the personal data we hold about you and information about how it has been used or disclosed in the year before your request.
- Correction. You may request that we correct any personal data about you that is inaccurate or incomplete.
- Withdrawal of consent. You may withdraw consent previously given for the collection, use, or disclosure of your personal data (including marketing consent), subject to legal or contractual restrictions and reasonable notice.
- Portability. Where and to the extent the PDPA's data portability provisions apply, you may request that certain data be transmitted to another organisation.
To exercise any of these rights, contact us at privacy@fitzpop.top. We may need to verify your identity before actioning a request, and we may charge a reasonable fee for an access request as permitted by the PDPA (we will inform you of any fee in advance). We will respond within the timeframes required by the PDPA.
9. Accuracy
In line with the Accuracy Obligation, we take reasonable steps to ensure that personal data we collect is accurate and complete, particularly where it is likely to be used to make a decision affecting you or disclosed to another organisation. Please help us by keeping the information associated with your account up to date, and by informing us of any changes.
10. Protection and Security
10.1. In line with the Protection Obligation, we implement reasonable technical, organisational, and administrative security measures to protect personal data in our possession or control against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. These measures include access controls, encryption in transit where appropriate, and reliance on reputable infrastructure and processing providers.
10.2. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a data breach that meets the notification threshold under the PDPA, we will notify the Personal Data Protection Commission (PDPC) and affected individuals as required by law.
11. Retention of Personal Data
11.1. In line with the Retention Limitation Obligation, we retain personal data only for as long as it is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law (for example, for tax, accounting, or dispute-resolution purposes).
11.2. When personal data is no longer needed for any legal or business purpose, we will take reasonable steps to delete it, anonymise it, or otherwise cease to retain it in a form in which you can be identified. If you request deletion of your account, we will action the request subject to any retention we are required or permitted to apply.
12. Data Protection Officer and Contact
We have designated a Data Protection Officer (DPO) responsible for overseeing compliance with this Policy and the PDPA. To make an access, correction, or consent-withdrawal request, to ask a question about this Policy, or to raise a concern about how we handle your personal data, please contact:
Data Protection Officer FITZ&POP'S TABLETOPS PTE. LTD. (UEN 202509377D) 133 New Bridge Road, #10-03, Chinatown Point, Singapore 059413 Email: privacy@fitzpop.top
If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.
13. Children's Privacy
The Service is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at privacy@fitzpop.top and we will take steps to delete it.
14. Changes to This Privacy Policy
We may update this Policy from time to time. Where we make material changes, we will take reasonable steps to notify you (for example, by posting the updated Policy at play.fitzpop.top with a revised "Last updated" date, or by notice within the Service). Your continued use of the Service after the changes take effect constitutes acceptance of the updated Policy, except where your fresh consent is required by law, in which case we will seek it.
Arcade