POLÍTICA DE PRIVACIDAD

Your Privacy Matters (KiRicochoAPP Privacy Policy)

1. WHO WE ARE

KiRicochoAPP is a mobile entertainment application for football fans, developed and operated by the KiRicochoAPP team ("Controller"). We are the data controller responsible for your personal information collected through this App.

For any privacy-related inquiries, please contact our Data Protection contact at privacy@kiricochoapp.com.

2. WHAT DATA WE COLLECT AND WHY

We collect only the minimum data necessary to provide our services. The following table summarizes all data we collect, its purpose, and our legal basis:

3. DATA WE DO NOT COLLECT

We are equally clear about what we do NOT collect. KiRicochoAPP does not collect:

• Payment card numbers, bank account details, or any financial instrument data. All billing is handled exclusively by Apple or Google.
• Continuous or background location tracking. GPS is captured once, at the moment you take a logbook photo, and only if you grant permission.
• Contact lists, call logs, or SMS data from your device.
• Biometric data of any kind.
• Data from other apps installed on your device.
• Advertising identifiers (IDFA / GAID) or cross-app tracking data.
• Any data about the people mentioned as "friends" in your Logbook beyond the text you type.

4. HOW WE USE YOUR DATA

We use your data exclusively for the following purposes:

• To operate and deliver the App's core features: match schedules, ritual counters, logbook, sound effects, and plan management.
• To authenticate your identity via Google Sign-In or Apple Sign-In and maintain your session.
• To synchronize your Logbook entries and preferences to the cloud (Supabase) when you are signed in.
• To verify your subscription status and grant access to paid features.
• To improve App stability by analyzing crash reports and device compatibility (no personal data is involved in this).
• To send you in-app notifications about upcoming matches if you have enabled that permission.
• To respond to your support requests and enforce these Terms.

5. HOW WE STORE YOUR DATA — SUPABASE

Our backend infrastructure is powered by Supabase (supabase.com), a cloud database platform. Your account data, ritual counters, and cloud-synced Logbook entries are stored in Supabase databases hosted on AWS infrastructure in the United States.

Supabase uses AES-256 encryption for data at rest and TLS 1.2+ for data in transit. Supabase is SOC 2 Type II compliant.

Data stored locally on your device (SharedPreferences) includes: your display name, custom emoji, and the list of favourite matches. This data never leaves your device unless you are signed in and have enabled sync.

Logbook photos uploaded to the cloud are stored in Supabase Storage (private buckets). They are only accessible via authenticated requests from your own account.

6. RITUAL ACTION DATA

When you apply a ritual (Mufa or Antimufa) to a team or player, the following data is recorded in our database:

• The ID of the match (e.g., a UUID referencing the match in our schedule table).
• The ID of the player or team target (a position number, not a real person's name or biometric data).
• The type of ritual applied (e.g., "red_card", "ball", "coach").
• A timestamp of the action.
• Your user ID (if signed in) or an anonymous session identifier (if Guest).

7. LOCATION DATA (GPS) — DETAILED

The App requests the "While Using the App" location permission exclusively to capture GPS coordinates at the moment you attach a photo to a Logbook Entry. This is the full scope of our location data use:

• Location is never collected in the background.
• Location is never collected unless you are actively creating a Logbook Entry and a photo is being saved.
• The GPS coordinates are embedded in the Logbook Entry record and are used only to display a map pin when you review that entry.
• You can deny or revoke location permission at any time through your device settings. Doing so will not prevent you from using any other feature of the App.
• If you are signed in, GPS coordinates associated with Logbook entries are stored in Supabase as part of the entry record.
• We do not share your location data with any third party, advertising network, or analytics provider.

8. PHOTOS & CAMERA — DETAILED

The App requests camera and photo library permissions exclusively for the Logbook feature. Here is the precise scope:

• Camera permission: Used to capture a new photo directly from within the App when creating a Logbook Entry.
• Photo library permission: Used to select an existing photo from your gallery when creating a Logbook Entry.
• Photos are NOT accessed passively or continuously. The picker is only opened when you explicitly tap "Attach Photo".
• Photos uploaded to the cloud are stored in private Supabase Storage buckets. They cannot be accessed by other users of the App.
• Photos stored locally (Guest mode) remain on your device and are managed only by you.
• We do not use your photos for facial recognition, AI training, advertising, or any purpose other than displaying them in your personal Logbook.

9. THIRD-PARTY SERVICES & DATA SHARING

We do not sell, rent, or trade your personal data to any third party. We share data only with the following infrastructure providers, and only to the minimum extent necessary to operate the App:

• Supabase Inc. — Database, authentication, and file storage. Data is processed according to Supabase's Data Processing Agreement (DPA) and Privacy Policy (supabase.com/privacy).
• Google LLC — Google Sign-In OAuth 2.0 and Google Play billing. Governed by Google's Privacy Policy (policies.google.com/privacy).
• Apple Inc. — Apple Sign In and App Store In-App Purchase. Governed by Apple's Privacy Policy (apple.com/legal/privacy).
• Law enforcement or government authorities — Only if required by a valid legal obligation, court order, or to protect the safety of our users.

10. DATA RETENTION

We retain your data only for as long as necessary to provide the service or as required by law:

• Account data (name, email): Retained while your account is active. Deleted within 30 days of an account deletion request.
• Ritual actions: Retained for the duration of the World Cup 2026 tournament and up to 90 days after its conclusion for statistical finalization. After that, data is anonymized or deleted.
• Logbook entries (cloud-synced): Retained indefinitely while your account is active. Deleted within 30 days of an account deletion request.
• Logbook photos (cloud-synced): Deleted from storage within 30 days of account deletion.
• Purchase and subscription records: Retained for 7 years to comply with tax and financial regulations.
• Device and crash data: Retained for a maximum of 12 months.

11. YOUR RIGHTS & CHOICES

You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@kiricochoapp.com:

• Right of Access: You may request a copy of all personal data we hold about you.
• Right of Rectification: You may request correction of inaccurate data.
• Right of Erasure ("Right to Be Forgotten"): You may request deletion of your account and all associated personal data.
• Right to Restrict Processing: You may request that we stop processing your data for specific purposes.
• Right to Data Portability: You may request your data in a structured, machine-readable format.
• Right to Object: You may object to data processing based on our legitimate interests.
• Right to Withdraw Consent: For data processed based on your consent (e.g., GPS), you may withdraw at any time without affecting prior processing.

12. GDPR — EUROPEAN USERS

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent local law applies to our processing of your data.

Our legal bases for processing are: (a) performance of a contract — to deliver the App's features you request; (b) legitimate interests — for security, fraud prevention, and technical improvements; (c) your explicit consent — for GPS capture and optional notifications; and (d) legal obligation — for financial record retention.

International data transfers: Your data may be transferred to and processed in the United States (Supabase / AWS). We ensure adequate protections through Supabase's Standard Contractual Clauses (SCCs) with the European Commission.

You have the right to lodge a complaint with your national data protection supervisory authority. For EU-wide disputes: edpb.europa.eu. For UK: ico.org.uk.

13. CCPA — CALIFORNIA RESIDENTS

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

• Right to Know: You have the right to know what personal information we collect, use, disclose, and sell.
• Right to Delete: You have the right to request deletion of your personal information.
• Right to Opt-Out of Sale: We do NOT sell your personal information. This right is therefore automatically satisfied.
• Right to Non-Discrimination: Exercising your CCPA rights will not result in denial of services or different pricing.
• To exercise your rights, contact us at privacy@kiricochoapp.com. We will verify your identity before fulfilling any request.

14. CHILDREN'S PRIVACY

KiRicochoAPP is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and you believe your child under 13 has provided us with personal information, please contact us immediately at privacy@kiricochoapp.com. We will delete that information from our systems within 30 days.

For users between 13 and 17 years of age: in-app purchases require parental consent as configured through the App Store or Google Play family settings.

15. DATA SECURITY

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted using TLS 1.2 or higher.
• All data at rest in Supabase is encrypted using AES-256.
• Authentication tokens are stored in Flutter Secure Storage (uses Android Keystore / iOS Keychain).
• Access to our backend database is restricted by Row Level Security (RLS) policies — users can only read and write their own data.
• API keys and service credentials are never embedded directly in the App binary that users can inspect.
• We conduct periodic reviews of access permissions and security configurations.

16. NOTIFICATIONS

If you grant notification permissions, the App may send you alerts about upcoming matches in the World Cup 2026 schedule and ritual-related reminders.

Notification permissions are optional and can be revoked at any time through your device settings. Revoking notification permissions does not affect any other feature of the App.

We do not use push notifications for advertising or marketing purposes.

17. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will update the "Last updated" date at the top of this document and notify you of material changes through an in-app notice.

Your continued use of the App after any changes constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you must stop using the App and may request deletion of your account.

18. CONTACT & DATA PROTECTION

For any privacy-related requests, questions, or concerns, please contact us through the following channels:

• General privacy inquiries: privacy@kiricochoapp.com
• Data deletion requests: privacy@kiricochoapp.com (subject: "Data Deletion Request")
• GDPR / CCPA specific requests: privacy@kiricochoapp.com (subject: "GDPR Request" or "CCPA Request")
• Security vulnerabilities: security@kiricochoapp.com
• We aim to respond to all privacy requests within 5 business days and to complete requests within 30 calendar days.