This Privacy Policy describes how BetFollow ("we," "us," or "our") collects, uses, stores, and protects your information when you use the BetFollow mobile application and website at app.betfollow.app ("App"). By using the App, you consent to the practices described in this policy.
0. Data Controller
The data controller responsible for your personal data is Oancea Lucian, an individual sole trader established in Romania ("Operator"). For any privacy inquiries, contact support@betfollow.app. A physical correspondence address is available upon legitimate written request from supervisory authorities, law-enforcement agencies, or courts of competent jurisdiction.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address (required for account creation)
- Display name (provided by you or imported from Google Sign-In)
- Profile photo URL (if you sign in with Google)
- Nickname (auto-generated at signup, editable by you)
1.2 Authentication Data
Authentication is managed by Firebase Authentication (a Google service). We store your Firebase user identifier to link your authentication to your BetFollow profile. We do NOT store your password — password management is handled entirely by Firebase.
1.3 App Usage Data
When you use the App, we automatically collect:
- Prediction session data (prediction details, picks, outcomes)
- Leaderboard statistics derived from your prediction activity
- Social interactions (follow requests, follow approvals)
- AI feature usage counts (to manage rate limits)
- Preferences (followed leagues, UI settings)
1.4 Device and Technical Data
We may collect technical information including:
- Device push notification token (Firebase Cloud Messaging token) for delivering notifications you opt into
- IP address (automatically logged by our cloud infrastructure)
- General device information transmitted in standard HTTP requests
1.5 Diagnostics (Crash Reports)
On the mobile App only, we use Firebase Crashlytics (a Google service) to collect diagnostic information that helps us detect and fix crashes. This includes:
- Crash reports and non-fatal error logs
- Stack traces
- Device model and operating system version
- Your Firebase user identifier, attached to crash reports in production builds to help us reproduce issues (not attached in development builds)
Crashlytics is not active on the web version of the App. Crashlytics is not active in development builds.
1.6 Product Analytics
We use Firebase Analytics (a Google service) for aggregated product usage measurement — for example, which screens are opened and which features are adopted. This helps us understand how the App is used and prioritize improvements.
On the web App (app.betfollow.app), Firebase Analytics is disabled by default. On first visit you will see a consent banner with Accept and Reject options. We only initialize Analytics if you Accept. You can change your choice at any time in Settings → Privacy → Analytics. Rejecting or revoking consent clears the Firebase Analytics identifier cookies on your browser.
On the mobile App, Analytics is active by default as disclosed in the Apple App Store Privacy Label and the Google Play Data Safety section. You may opt out by deleting the App.
We do NOT use advertising identifiers (IDFA on iOS, Google Advertising ID on Android), we do NOT share analytics data with advertising networks, and we do NOT perform cross-site or cross-app tracking. Analytics data is used by us for product measurement only.
1.7 Information We Do NOT Collect
We want to be clear about what we do NOT collect:
- Financial information (no credit cards, bank accounts, or payment details)
- Precise location data (no GPS tracking)
- Contacts or address book
- Photos, camera, or microphone data
- Browsing history outside the App
- Advertising identifiers (IDFA/GAID) — we do not access or use them
- Health or biometric data
2. How We Use Your Information and Legal Bases (GDPR Art. 6)
For users in the EU/EEA, every processing activity is based on one of the legal grounds set out in GDPR Article 6. The list below pairs each purpose with its corresponding legal basis:
- Account creation, authentication, providing core prediction gameplay and leaderboards: Contract (Art. 6(1)(b)) — necessary to perform our agreement with you.
- Push notifications you opt into: Consent (Art. 6(1)(a)) — you can revoke at any time in your device settings.
- Content moderation (automated nickname screening): Legitimate interests (Art. 6(1)(f)) — maintaining a safe community, balanced against your right to a reasonable user experience.
- Rate limiting of AI features: Legitimate interests (Art. 6(1)(f)) — cost control and fair usage.
- Crash diagnostics (Crashlytics): Legitimate interests (Art. 6(1)(f)) — maintaining App stability.
- Aggregated product analytics: Legitimate interests (Art. 6(1)(f)) — improving the App; no advertising or cross-site/cross-app tracking.
- Security, fraud prevention, and abuse mitigation: Legitimate interests (Art. 6(1)(f)).
- Retaining minimal data after account deletion (email hash for reactivation, anonymized prediction history): Legitimate interests (Art. 6(1)(f)) — preventing duplicate accounts and preserving aggregate historical records.
We do NOT use your information for advertising, targeted marketing, or user profiling for commercial purposes. We do NOT sell your data. Where we rely on legitimate interests, you have the right to object at any time (see "Your Rights" below).
3. Information Visible to Other Users
BetFollow includes social features. Here is what other users can see:
Public (visible to all users):
- Your nickname (searchable by other users)
- Your leaderboard ranking and statistics (performance, accuracy, win rate, streak — all based on prediction activity with no monetary value)
Visible to approved followers only:
- Your display name and profile photo
- Your predictions and session activity
- Your follower and following lists
Private (never visible to other users):
- Your email address
- Your followed leagues and preferences
- Your device token and technical data
The follow system requires approval — other users cannot see your detailed activity unless you approve their follow request.
4. Third-Party Services (Sub-processors)
We use the following third-party services (sub-processors) to operate the App. Each is named explicitly below so you know exactly who processes your data on our behalf:
Firebase (Google LLC)
Used for Authentication (Google Sign-In, Apple Sign-In), Cloud Messaging (push notifications), Crashlytics (mobile crash diagnostics), Analytics (aggregated product usage), and Hosting (landing page). Firebase processes your email, display name, Firebase user identifier, device token, and crash/analytics telemetry as described above. Firebase's privacy policy: https://firebase.google.com/support/privacy
Google Cloud Platform (Google LLC)
Our backend infrastructure runs on Google Cloud Run and Cloud SQL in the europe-west1 region, with Cloud Tasks and Cloud Scheduler orchestrating background jobs. Server logs may contain IP addresses and request metadata. Google Cloud's privacy policy: https://cloud.google.com/terms/cloud-privacy-notice
Google Vertex AI / Gemini (Google LLC)
Used to generate match analysis, news summaries, predicted lineups, and to moderate user-generated content (automated nickname screening). Match fixture data (team names, league, date) and, for nickname moderation, candidate nicknames are sent to Google Vertex AI. Per Google's terms, these inputs are not used to train public models. No other personal data is sent to this service.
Google Maps Geocoding API (Google LLC)
Used to convert venue names (e.g., stadium names from fixture data) into latitude/longitude coordinates for display. Only venue names are sent to this service — no personal user data is shared.
API-Football (api-sports.io, operated by API-SPORTS)
Used to obtain match fixtures, scores, odds, lineups, and statistics. No personal user data is shared — only anonymous API requests for sports data.
We do NOT use any advertising networks, data brokers, or third-party advertising analytics. We do NOT share your personal data for advertising purposes.
5. Data Storage and Security
Your data is stored on secure servers hosted by Google Cloud Platform in the European Union (europe-west1 region). We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted data transmission (HTTPS/TLS for all communications)
- Encrypted database connections
- Authentication via Firebase with industry-standard security
- Secret management via Google Secret Manager
- Access controls limiting who can access production systems
While we take reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy. The concrete retention periods are:
- Active account data (profile, predictions, sessions, leaderboard): Retained for the lifetime of your account.
- Server logs (Google Cloud Logging): 30 days (default retention).
- api_cache table (transient sports data cache): Pruned hourly via Cloud Scheduler.
- Crash reports (Firebase Crashlytics): Per Google's Firebase Crashlytics retention policy (typically 90 days for non-fatals, 180 days for crashes).
- Analytics events (Firebase Analytics): Per Google's Firebase Analytics retention (configurable; default 2 months up to 14 months).
- FCM tokens: Retained until the token becomes invalid or the account is deleted.
- AI usage counters: Daily counters that reset automatically each day.
After account deletion:
- PII (email, name, photo, Firebase UID, FCM token): Anonymized immediately.
- Email hash (SHA-256 of your email): Retained indefinitely to enable reactivation if you sign up again with the same email, unless full erasure is requested via support@betfollow.app. SHA-256 is a cryptographic hash and cannot be reversed to recover your email address.
- Social graph (followers/following, leaderboard entries, followed leagues, notifications): Deleted immediately.
- Resolved predictions, session records, balance audit trail: Retained indefinitely in anonymized form (no longer linked to you as an identifiable person).
- Pending predictions are cancelled with a 50% refund to your session score at the moment of deletion.
If you sign up again with the same email address, your previous account will be reactivated with your existing session score and prediction history. Social connections and leaderboard rankings are not restored.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
For All Users:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your account and personal data
- Withdraw consent: Withdraw consent for push notifications at any time through your device settings
Additional Rights for EU/EEA Residents (GDPR Chapter III):
- Access (Art. 15): Obtain confirmation as to whether we process your personal data and, if so, a copy of that data.
- Rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data.
- Restriction of processing (Art. 18): Limit how we use your personal data in defined circumstances.
- Data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Objection (Art. 21): Object to processing based on legitimate interests, including for the purposes listed in Section 2.
- Not to be subject to automated decision-making (Art. 22): Request human review of any automated decision that significantly affects you, including our automated nickname screening.
- Withdraw consent (Art. 7(3)): Withdraw consent for any processing based on consent (e.g., push notifications) at any time, without affecting the lawfulness of processing performed before the withdrawal.
- Lodge a complaint with a supervisory authority (Art. 77): For EU users, you may complain to the Romanian supervisory authority ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) at https://www.dataprotection.ro/, or to the supervisory authority in your country of residence or workplace.
Additional Rights for California Residents (CCPA/CPRA):
- Know: Know what personal information we collect and how it is used
- Delete: Request deletion of your personal information
- Correct: Request correction of inaccurate personal information
- Opt-out of sale/sharing: Not applicable — we do not sell or share personal information for cross-context behavioral advertising
- Limit use of sensitive PI: Not applicable — we do not collect or process sensitive personal information as defined by the CPRA
- Non-discrimination: Not be discriminated against for exercising your privacy rights
- Shine the Light (Cal. Civ. Code § 1798.83): Not applicable — we do not disclose personal information to third parties for their direct marketing purposes
Additional Rights for Other U.S. State Residents:
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Indiana (ICDPA), Tennessee (TIPA), Delaware (DPDPA), Nebraska (NDPA), New Hampshire (SB 255), New Jersey (NJDPL), or another U.S. state with a comprehensive consumer privacy law, you may have rights substantially similar to those described for California residents — typically including the right to know what personal information we process, the right to access, correct, and delete your personal information, the right to data portability, and the right to opt out of the sale of personal information, targeted advertising, and profiling with legal or similarly significant effects.
BetFollow does not sell personal information, does not share personal information for targeted advertising, and does not engage in profiling that produces legal or similarly significant effects on users. To exercise any rights available to you under your state's privacy law, contact support@betfollow.app. We will respond within the timeframe required by your state's law.
Additional Rights for Brazilian Residents (LGPD):
- Confirmation & access: Confirm and access the personal data we process about you
- Correction: Request correction of incomplete or inaccurate data
- Anonymization or deletion: Request anonymization, blocking, or deletion of unnecessary data
- Revoke consent: Revoke consent at any time
Additional Rights for UK Residents (UK GDPR):
You have the same rights as listed under GDPR above. You may lodge a complaint with the Information Commissioner's Office (ICO).
Other Jurisdictions:
If you reside in a jurisdiction with data protection laws (including but not limited to Australia, Canada, South Korea, Japan, South Africa, or any other country with applicable privacy legislation), you may have additional rights under your local laws. We are committed to honoring your data protection rights to the fullest extent required by applicable law. Contact us to exercise any rights provided under your local jurisdiction.
We do NOT sell personal information. We do NOT share personal information for cross-context behavioral advertising. We do NOT engage in profiling for commercial purposes.
To exercise any of these rights, contact us at support@betfollow.app. We will respond to your request within 30 days (or sooner if required by applicable law).
8. Automated Decision-Making
We use automated systems (Google Vertex AI / Gemini) to screen user-chosen nicknames before they are made visible to other users. This screening is fully automated. A rejected nickname can be retried with a different choice at no cost. No automated decision within the App produces legal or similarly significant effects on you. You have the right to request human review of any automated moderation decision by emailing support@betfollow.app.
9. International Data Transfers
Your personal data is stored in Google Cloud facilities in the europe-west1 region (Belgium). Certain sub-processors (e.g. Firebase Cloud Messaging, Crashlytics, Analytics) may process data across Google's global infrastructure. Where personal data is transferred outside the European Economic Area, Google LLC relies on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as transfer mechanisms, as applicable. We do not otherwise transfer your personal data outside the EEA.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights, we will notify affected users without undue delay, as required by GDPR Article 34.
11. Children's Privacy
BetFollow is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact support@betfollow.app and we will delete it.
In jurisdictions where a higher minimum age of digital consent applies (for example, 16 under GDPR in certain EU member states), we rely on the applicable local minimum. If we become aware that we have collected personal data from a child below the applicable age without verified parental consent, we will delete such data promptly.
12. Push Notifications
If you opt in to push notifications, we will send you notifications about:
- Prediction results (correct, incorrect, voided)
- Follow requests and approvals from other users
- Activity from users you follow (new predictions)
You can disable push notifications at any time through your device settings. Disabling notifications will not affect your ability to use the App.
13. Cookies and Similar Technologies
The App uses the following client-side storage technologies. All of them are strictly necessary for the App to function — we do not use any of them for advertising, cross-site tracking, or third-party analytics.
Web Cookies
On the web version of the App, we set the following first-party cookie:
- Name: bf_auth
- Domain: .betfollow.app (shared across app.betfollow.app and betfollow.app)
- Purpose: A presence flag set when you sign in, so that when you return to our landing page (betfollow.app) we can redirect you straight to the App (app.betfollow.app) instead of showing you the marketing page.
- Contents: The literal value "1". The cookie contains no authentication token, no personal data, and cannot be used to identify you.
- Security flags: Secure; SameSite=Lax.
- Expiry: 30 days.
- Category: Strictly necessary. Under the ePrivacy Directive and similar laws, strictly necessary cookies do not require prior consent.
Web IndexedDB and localStorage
Firebase Authentication stores your authentication session in your browser's IndexedDB (with localStorage as a fallback) so that you stay signed in between visits. This is strictly necessary to keep you logged in. This data stays in your browser and is not transmitted to us beyond the Firebase authentication flow itself.
Mobile AsyncStorage
The mobile App stores some data locally on your device using AsyncStorage for performance and convenience (e.g., draft predictions, UI preferences, cached league data). This data remains on your device, is not transmitted to our servers (except when explicitly synced as part of App functionality), and is cleared when you log out or uninstall the App.
We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. Our Firebase Analytics implementation does not rely on cookies for tracking across sites.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will update the "Last updated" date at the top of this policy. For material changes, we may provide additional notice through the App. Your continued use of the App after any changes constitutes acceptance of the updated policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: support@betfollow.app
For EU/EEA residents: You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.