Privacy Policy

Last updated: May 20, 2026.

This policy describes how Sportsup handles personal data, both in the iOS app and on this website. Sportsup is intended for users who are at least 18 years old.

1. Data controller

Sportsup is operated by Marcus Hedlund as a sole trader (enskild näringsidkare under Swedish law). A registered company will be formed later.

Address: Övre Husargatan 20, 413 14 Gothenburg, Sweden.

Country of operation: Sweden.

Contact and GDPR requests: info@sportsup.se. We respond within 30 days.

2. What we collect in the app

Privacy identifier (App Store category: Device ID). A random identifier generated locally on your phone at first launch and stored in the app's local storage. We use it to deduplicate sessions, improve question quality, and look up your records if you contact support for deletion. It is not linked to your name, email, or any other personal identifier. You can see and copy it under Sportsup > Settings > About > Privacy identifier, and you can erase it at any time via Settings > About > Erase local privacy data.

Supabase anonymous auth user id (App Store category: User ID). The first time the app contacts our backend it creates an anonymous Supabase auth session. The resulting user id is used to gate database access (row-level security), to verify which paid packs your device may load, and to prevent abuse of the entitlement sync endpoints. The id is anonymous: it is not tied to an email, phone number, or social login, and you never see or enter it.

Purchase history (App Store category: Purchase History). When you buy a pack, Apple processes the payment and issues a receipt. The receipt is shared with RevenueCat to determine which packs your Apple ID owns, and the resulting entitlement is mirrored to our backend so that Restore Purchases works on a new device. We never see your payment card details.

Gameplay events (App Store categories: Gameplay Content and Product Interaction). When you answer or skip a question we send the following to our backend: privacy identifier, question id, pack id, player index within the session (not a real name), whether the answer was correct, optional difficulty and odds band, penalties awarded, current streak, chosen 1/X/2 index, session id, question index within the session, number of players in the session, app version, and timestamp. None of this contains your name, email, IP address, or precise location.

Local on device. Player names, sound and haptic settings, language preference, locally cached pack content, and pending analytics waiting for a connection. These never leave the phone except as described above.

Age confirmation metadata. At first launch the app asks for your full date of birth and verifies that the date corresponds to an age of at least 18. The date of birth itself is NOT persisted. We retain only the timestamp of confirmation, the app version at the time of confirmation, the policy version identifier (currently "exact-dob-v1"), and a flag if the age gate was declined. These fields stay on the device.

3. What we do not collect

No advertising identifier (IDFA), no advertising SDK, no third-party ad tracking.

No sale of personal data and no sharing with data brokers.

No account email, password, phone number, or social login in v1.

No retained date of birth after age verification.

No precise location, no contacts, no photos, no microphone recordings, no health data.

No payment card data. Payment details are handled by Apple, not by Sportsup.

4. What we collect on the website

Vercel, our hosting provider, logs standard web traffic (IP address, browser, referrer) for operational purposes. We use no cookies, no analytics tools, and do not collect email addresses. Web fonts are self-hosted, so no third party receives information about you when you visit the site.

5. Third parties

Apple App Store and StoreKit. Distribute the app, process in-app purchases, and issue receipts. See Apple's privacy policy.

RevenueCat. Receives Apple receipts and returns entitlement information (which packs you own). RevenueCat's webhook forwards those receipts to our backend; we persist only the fields needed to verify the purchase and delete the raw webhook payload within 30 days. See RevenueCat's privacy policy.

Supabase. Our backend for anonymous auth, gameplay analytics storage, and entitlement checks. Region: eu-west-1. See Supabase's privacy policy.

Expo / EAS. We build and ship the app with Expo Application Services. EAS handles build infrastructure and over-the-air update delivery; it does not perform runtime user tracking on our behalf. See Expo's privacy policy.

Vercel. Hosts this website. See Vercel's privacy policy.

Transfers to the US: RevenueCat, Vercel, and Expo are US companies. Transfers occur under the EU-US Data Privacy Framework and, where the DPF does not apply, under the European Commission's Standard Contractual Clauses (SCC). Supabase data is stored in the EU.

Diagnostics. RevenueCat and Apple's own frameworks (StoreKit, UIKit, OS logs) may collect standard diagnostics such as crash logs and performance metrics under their own privacy policies. Sportsup does not enable any additional diagnostics SDK on top of that.

6. App Store privacy label alignment

Data linked to you. User ID (Supabase anonymous auth user id), used for App Functionality. Purchase History, used for App Functionality. Device ID (the local Privacy identifier), used for App Functionality and Analytics.

Data not linked to you. Product Interaction, used for Analytics. Gameplay Content, used for App Functionality and Analytics.

We do not declare any "Data Used to Track You" because we do not track users across other apps or websites and do not use the data for advertising.

7. Tracking

Sportsup does not track users across apps or websites owned by other companies. The data we collect is not used for third-party advertising or advertising measurement, and the app does not present the App Tracking Transparency prompt because it does not perform tracking as Apple defines it.

8. Remote stats and odds in v1

Global, cross-user statistics are disabled in v1. The Stats screen in the app shows local-only data computed from your own device's gameplay history.

The odds shown on each 1/X/2 question are computed locally. They are either a static difficulty band built into the pack or a rolling band derived from your device's own answer history. They are not aggregated across users in v1 and they are not predictions, wagers, or any form of stake.

9. Legal basis

Legitimate interest (GDPR Art. 6(1)(f)) for anonymous statistics, anti-abuse protection, and operational logs. Our interest is improving the app and keeping the service running.

Contract (GDPR Art. 6(1)(b)) for delivering the packs you purchase in the app.

Legal obligation (GDPR Art. 6(1)(c)) for retaining purchase receipts under Swedish accounting law.

10. Retention

Gameplay events: 12 months, then deleted or aggregated.

Privacy identifier and Supabase anonymous user id: as long as the app is installed. Both are cleared when you uninstall the app or use Settings > About > Erase local privacy data.

Age confirmation metadata (timestamp, app version, policy version, decline flag): kept on the device until you erase local privacy data or uninstall.

Raw RevenueCat webhook payloads: max 30 days, then deleted automatically. We retain only the processed entitlement fields needed to verify a purchase.

Purchase receipts (processed): as long as required by Apple and Swedish accounting law (typically 7 years).

Web access logs: per Vercel defaults (a few days).

11. Your rights

Under GDPR you have the right to: access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interest. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at https://www.imy.se.

How to request deletion or any other right: email info@sportsup.se from any address, state which right you wish to exercise, and include the Privacy identifier shown under Sportsup > Settings > About > Privacy identifier. We respond within 30 days and delete the gameplay events tied to that id. Purchase receipts are kept as long as Swedish accounting law requires, but we anonymize them as far as the law allows.

We do not use automated decision-making or profiling.

Providing data is neither a statutory nor a contractual requirement. You can use the website without providing any data, and you can stop sending gameplay events at any time by using Settings > About > Erase local privacy data or by uninstalling the app.

12. Age and adult audience

Sportsup is rated 18+ in the App Store because of frequent alcohol references and is intended for users 18 and older.

At first launch the app asks for your full date of birth and verifies that the date corresponds to an age of at least 18. The date of birth itself is not stored. We retain only the timestamp of confirmation, the app version at the time of confirmation, the policy version identifier, and a flag if the age gate was declined.

We do not display targeted advertising to children and do not knowingly collect personal data from anyone under 18. The app does not show ads at all. If you believe a minor has used the app, contact info@sportsup.se with the Privacy identifier shown in Settings > About and we will delete any gameplay events tied to that identifier.

13. Changes

We may update this policy. The date at the top reflects the most recent change.

14. Contact

Questions or GDPR requests: info@sportsup.se.