Privacy Policy — FootPrints

This Privacy Policy explains what data we collect through the FootPrints mobile app,
why we collect it, how long we keep it, with whom we share it, and your rights.
It applies to all users of the app.

If you have questions or want to exercise your rights, contact us:

• Email: contact@footprintsapp.app

1) Data we collect

We only collect data necessary to provide FootPrints.

1. Account and authentication data

• Email and password (managed by Supabase Auth). Passwords are never stored or visible in plain text.
• User identifier (ID) generated by the authentication service.

2. Profile data

• Username and selected favorite team.
• Profile photo (optional). As of now, the selected photo is stored locally on your device and is not uploaded to our servers.

3. Location data

• Foreground location permission to show nearby stadiums/content. Location is used on-device to personalize the experience and is not stored server-side.

4. User-generated content

• Stadium reviews (rating, tags, comment). These are associated with your user ID and stored in our database (Supabase) to display within the app.
• Match photos (if you add them). At this time, photos remain on your device and are not uploaded to our servers.

5. Technical data

• App error logs and minimal technical information necessary for diagnostics. No third‑party analytics SDK is currently integrated.

6. Data from third-party services

• Public football data from API‑Football (via RapidAPI). We do not send your personal data to this API.
• Supabase (authentication and database hosting: profiles, reviews, technical tables).

2) Purposes of processing

• Create and manage your account.
• Personalize the experience (e.g., show stadiums near you).
• Enable search, saving, and display of your reviews.
• Improve the app and ensure its security.

3) Legal bases

• Contract performance: provide the app's core features (authentication, profile, reviews).
• Legitimate interests: security, fraud prevention, service improvement.
• Consent: access to location and photo library (OS permissions). You can withdraw these permissions at any time in your device settings.

4) Sharing and recipients

• Supabase: cloud provider for authentication and database hosting. Your profile data and reviews are stored there.
• API‑Football: used only to fetch public football data. We do not send your personal data to it.
• Expo modules (Location, Image Picker, Image Manipulator): handle permissions and local image processing on your device.

We do not sell your personal data. We do not share your data with third parties other than those necessary to operate the service as described above.

5) International transfers

Depending on the Supabase project region, your data may be stored in the EU or outside it. Where transfers outside the EU occur, we rely on appropriate safeguards (e.g., Standard Contractual Clauses). [Specify your Supabase region here if known].

6) Data retention

• Account and profile data: kept while your account is active and deleted when you request account deletion.
• Reviews: retained as long as your account exists or until you request deletion.
• Local data (profile photo, non‑uploaded photos): remains on your device and can be removed by you at any time (in‑app removal or uninstalling the app).
• Technical logs: retained for as long as needed for diagnostics.

7) Security

• All communications between the app and our servers use HTTPS.
• Authentication sessions are stored on your device via AsyncStorage. Please protect access to your device.
• Supabase enforces database access controls. No measure is perfect, but we implement reasonable security practices.

8) Your rights (GDPR)

Subject to applicable law, you have the following rights:

• Access: obtain a copy of your data.
• Rectification: correct inaccurate data.
• Erasure: request deletion of your data and account.
• Restriction and objection: in some cases, limit or object to processing.
• Portability: receive your data in a structured format.
• Withdraw consent: for consent‑based processing (e.g., location, photos) at any time via device settings.

To exercise your rights, contact us at contact@footprintsapp.app. We may ask you to verify your identity. You can also lodge a complaint with your local data protection authority.

9) Account deletion and deactivation

An account deletion option is available in the app's settings. Until this feature is fully available, you can request manual deletion by email at contact@footprintsapp.app, using the address associated with your account.

10) Children

The app is not intended for individuals under 16. If you are a parent/guardian and believe your child has provided us with data, contact us to request deletion.

11) Trackers and local storage

The mobile app does not use cookies. It uses local storage (AsyncStorage) to keep your session and some preferences.

12) Changes to this policy

We may update this policy to reflect legal or functional changes. We will notify you of material changes. The "Last updated" date appears at the top of this document.

13) Contact

• Email: contact@footprintsapp.app

If you have any questions about this policy or your data, please contact us.