Privacy Policy

Last updated: May 17, 2026

1. The short version

• We collect the minimum data needed to run the game: an OAuth subject id from Apple or Google, an optional nickname and avatar you choose, and your in-game activity (predictions, coin / gem / credit-score movements).
• We do not collect your contacts, location, calendar, photos library, health data, microphone, browsing history, or biometrics.
• We do not sell your data and have no ad SDK that reads your in-game activity.
• All in-app currency is virtual. We never request payment instruments directly; in-app purchases are handled end-to-end by Apple StoreKit.
• You can delete your account and associated data at any time — see section 10.

2. Information we collect

We collect only what we need to operate the game and meet App Store requirements:

• Authentication identifier. When you sign in, Apple or Google sends us a stable subject id (and, if you choose to share it, your email address). We never see your password or your full Apple ID account. If you sign in with Apple and pick "Hide My Email", you give us only a relay address that you control.
• Profile. Your chosen nickname, optional bio (up to 280 characters), optional avatar JPEG you upload, and optional country code. All of these are visible to other players on leaderboards and inside games you participate in.
• In-game activity. Predictions you place, games you create, coin / gem / credit-score balances, dispute votes, daily check-ins, and Lucky Wheel spins. Every movement is recorded in an append-only ledger so you can audit your own history.
• Purchase records. If you buy a gem pack, Apple processes the payment. We receive a StoreKit transaction id and a verified receipt so we can credit the corresponding gems to your account. We never see your credit card number.
• Device + diagnostics. Basic technical data — iOS version, device model, app version, anonymous push token if you allow notifications — to keep the app stable and deliver alerts. Crash reports may include a non-identifying stack trace.
• Server logs. Our backend records HTTP request timestamps, paths, status codes, and your IP address for abuse detection and debugging. Logs are retained no longer than 30 days, then purged.

3. What we never collect

• Contacts, address book, or phone numbers.
• Precise or coarse location, GPS, or wifi-based location.
• Photo library beyond the single avatar JPEG you explicitly pick.
• Microphone, camera, calendar, reminders, or health-related data.
• Browsing history outside the app.
• Biometric data of any kind.
• Your credit card number, bank details, or any payment instrument — these stay with Apple StoreKit.

4. How we use your information

We use the data we collect to:

• Authenticate you, run your account, and credit your starting and ongoing in-game currency.
• Match you to predictions, settle results, and pay out coins / credit points.
• Render leaderboards using your public profile (nickname, avatar, country, totals).
• Send push notifications you opted into (game settled, dispute filed, closing-soon reminders).
• Diagnose crashes, prevent abuse, and improve app stability.
• Deliver rewarded video ads through Google AdMob in the free tier (see section 6).
• Verify in-app purchases with Apple StoreKit before crediting gems.

5. Third-party services

Coin Cup relies on the following third parties to operate. Each is a separate data controller with its own privacy practices:

• Apple Sign In + StoreKit. Account creation and in-app purchases. Apple's privacy practices: https://www.apple.com/legal/privacy/.
• Google Sign In. Optional alternative to Apple Sign In. Google's privacy policy: https://policies.google.com/privacy.
• Google AdMob. Serves the rewarded ads you can watch to earn bonus coins. AdMob may use the iOS Advertising Identifier (IDFA) for ad measurement and personalization if you allow tracking in Settings → Privacy & Security → Tracking.
• Apple Push Notification service (APNs). Delivers push notifications. Apple is the data processor.
• Cloudflare. Hosts our backend, edge cache, and the audit-grade ledger database. Cloudflare may process your IP address and TLS metadata to route requests; see https://www.cloudflare.com/privacypolicy/.

6. Advertising & App Tracking Transparency

Coin Cup uses Apple's App Tracking Transparency (ATT) framework. The first time the app needs to serve personalized ads, iOS will ask whether you want to allow tracking across other companies' apps and websites.

• If you allow tracking, we may share your IDFA and ad-interaction data with AdMob for personalized advertising.
• If you decline, rewarded ads are still shown but not personalized, and we do not share your IDFA with ad partners.
• You can change this preference any time in Settings → Privacy & Security → Tracking.

Rewarded ads are opt-in: you only see one if you explicitly tap "Watch ad +20 coins". They never appear inside a prediction flow or interrupt a match.

7. In-app purchases & billing

Coin Cup offers optional consumable gem packs (USD $0.99 to $99.99) through Apple StoreKit. Gems unlock spins on the Lucky Wheel — a cosmetic mini-game that pays out virtual coins by chance. Gems and coins are virtual currency only and have no cash value. They cannot be redeemed, transferred between players, or exchanged for real-world prizes.

Refund requests are handled by Apple: https://support.apple.com/HT204084.

8. Data retention

We keep your data while your account is active:

• Profile, balances, prediction history, audit ledger. Retained for the life of the account so you can audit your own history. Deleted at most 30 days after you request account deletion.
• Server logs (IP, request path, status). Retained for 30 days for abuse detection and debugging, then purged.
• Push notification token. Retained while the app is installed and notifications are enabled. Cleared automatically once Apple reports the token as invalid.
• Purchase receipts. Retained while your account is active plus the minimum period required to meet tax and audit obligations.

9. Account deletion

You can delete your account at any time:

• From inside the app: open Profile → Delete account. Confirmation immediately scrubs your personal data — nickname, avatar, bio, country, and any email saved on your linked Apple/Google identity — and revokes all active sessions.
• By email: send a deletion request from the address linked to your Apple ID or Google account to [email protected]. We confirm and complete the deletion within 30 days.

So that other players' game history is not broken, your activity (games you created and predictions you placed) is preserved but anonymized — your nickname appears as "Deleted user" everywhere it would otherwise show. Signing in again with the same Apple ID or Google account afterwards creates a fresh new account; it does not restore the old one.

10. Your rights

Depending on where you live (e.g., EU/EEA under GDPR, California under CCPA), you may have the right to:

• Access a copy of the personal data we hold about you.
• Correct inaccurate data — most fields are editable in Profile → Edit profile.
• Request deletion (see section 9).
• Object to or restrict certain processing.
• Opt out of personalized advertising through iOS ATT.
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email [email protected].

11. Children's privacy

Coin Cup is rated 12+ on the App Store and is not intended for children under 13. We do not knowingly collect data from children under 13. If you are a parent or guardian and believe a child has used the app, contact us and we will delete the associated data.

12. Data security

All traffic between the app and our backend is encrypted over HTTPS (TLS 1.2+). Authentication tokens are stored only as one-way SHA-256 hashes — we never keep your raw session token. Our backend runs on Cloudflare with the standard set of platform-level protections. No system is perfect; if you believe you've found a security issue, please email us at [email protected].

13. International users

Coin Cup is operated from outside the EU. When you use the app, your data may be transferred to and processed in countries where our providers (Apple, Google, Cloudflare) operate. By using the app you consent to this transfer. Where applicable (e.g., GDPR / CCPA / UK GDPR), you retain the rights granted by your local law.

14. Affiliation disclaimer

Coin Cup is a fan project and is not affiliated with, endorsed by, or sponsored by FIFA, US Soccer, Canada Soccer, the Mexican Football Federation, or any tournament organizer. All team names and match schedules are referenced for identification purposes only.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by a new "Last updated" date at the top of this page and, where appropriate, an in-app notice the next time you open Coin Cup.

16. Contact

Questions, data requests, or security reports: [email protected].