Privacy Policy
Last updated: 14 June 2026
ScoreSync ("we", "us", or "our") operates the ScoreSync web and mobile application. This policy explains what data we collect, why we collect it, how we protect it, and your rights over it.
We collect only what is necessary to run the service. We do not sell your data. We do not advertise to you. We do not share your data with third parties except as described below.
Data we collect
| Data | Why we collect it | Linked to your identity |
|---|---|---|
| Email address | Account creation, sign-in, password reset | Yes |
| Name / username | Display name (provided via Google or Apple sign-in) | Yes |
| Country of residence | Age verification — minimum age varies by jurisdiction | Yes |
| Date of birth | Age verification required by law in multiple jurisdictions | Yes |
| Subscription & purchase history | Manage your plan, unlock Pro features | Yes |
| Push notification token | Deliver BTTS alerts you have opted in to | Yes |
| IP address (guest sessions only) | Rate-limit unauthenticated usage to prevent abuse | Not linked |
We do not collect: precise or approximate location (GPS), contacts, camera or microphone data, browsing history across other sites, or any form of behavioural analytics.
Payment data
Payments are processed by Stripe. Your card number, CVC, and billing address are entered directly on Stripe's secure checkout page — they never reach our servers. We store only Stripe's internal identifiers (customer ID, subscription ID) so we can manage your plan.
Stripe's privacy practices are described at stripe.com/privacy.
Third-party sign-in
Google: If you choose to sign in with Google, we receive your email address, display name, and a Google account identifier from Google's OAuth service. We do not receive your Google password or any other Google account data. Google's privacy practices are described at policies.google.com/privacy.
Apple: If you choose to sign in with Apple, we receive your email address (or Apple's private relay address if you choose to hide your email) and a unique Apple user identifier from Apple's Sign In with Apple service. On your first sign-in Apple may share your name; on subsequent sign-ins only the identifier is passed. We do not receive your Apple ID password or any other Apple account data. Apple's privacy practices are described at apple.com/legal/privacy.
How we use your data
- App functionality — authentication, age verification, delivering your subscription, and sending push notifications you have opted in to.
- Legal compliance — age verification is required in certain jurisdictions for services that present betting-market analytics.
- Security — IP addresses of unauthenticated sessions are used for rate limiting and abuse prevention, then purged after 90 days.
We do not use your data for advertising, personalisation unrelated to the service, or any automated decision-making that has a legal or similarly significant effect on you.
Data retention
- Account data is retained for as long as your account is active.
- Guest session IP addresses are deleted after 90 days.
- Password reset tokens expire after 1 hour and are deleted on use.
- If you delete your account, all personal data associated with it is permanently deleted within 30 days.
Third-party services
| Service | Purpose | Their privacy policy |
|---|---|---|
| Stripe | Payment processing | stripe.com/privacy |
| Google Sign-In | Optional sign-in method | policies.google.com/privacy |
| Apple Sign In | Optional sign-in method | apple.com/legal/privacy |
| Google Fonts | Typography (loaded from fonts.gstatic.com) | policies.google.com/privacy |
| API-Football | Live fixture and results data (no user data shared) | api-football.com |
Your rights
Depending on where you are located, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and all associated data.
- Object to or restrict processing.
- Withdraw consent for push notifications at any time from your device settings.
To exercise any of these rights, contact us at the address below. We will respond within 30 days.
Local storage & cookies
ScoreSync stores data directly on your device using browser localStorage — not HTTP cookies. No tracking or advertising identifiers are stored. All items are strictly necessary for the service to function.
| Key | Contents | Purpose | Expires |
|---|---|---|---|
ss_token |
JWT authentication token | Keep you signed in between sessions | 7 days (token expiry) |
ss_user |
Email, username, subscription tier | Display your profile without a server round-trip | Cleared on sign-out |
ss_tips |
Your saved fixture tips | Persist your saved tips locally | Until you clear tips or uninstall |
ss_free_since |
Free trial start timestamp | Enforce the free-tier trial window | Cleared on subscription activation |
ss_match:* |
Match prediction payload | Cache predictions for 48 hours to reduce server load | 48 hours (TTL enforced in code) |
ss_fixtures:* |
Fixture list snapshot for a past date | Freeze past-day predictions so results stay consistent | Until browser storage is cleared |
ss_gdpr |
Flag: privacy notice acknowledged | Suppress the one-time privacy notice after dismissal | Persistent |
Third-party requests made on page load: The app loads fonts from Google Fonts (fonts.gstatic.com), the Google Sign-In library (accounts.google.com), and the Apple Sign In library (appleid.cdn-apple.com). These requests transmit your IP address to the respective provider as part of normal HTTP traffic. They do not set tracking cookies. Google's handling of this data is governed by Google's Privacy Policy; Apple's is governed by Apple's Privacy Policy. If you prefer to avoid these requests entirely, you can use the email/password sign-in method and the app will still function fully.
Legal basis: All storage described above is processed under Article 6(1)(b) GDPR — processing necessary for the performance of the contract (providing the ScoreSync service you signed up for). No consent is required for strictly necessary storage under the ePrivacy Directive.
Security
Passwords are hashed using bcrypt before storage — we cannot read your password. All data is transmitted over HTTPS. Push notification payloads are end-to-end encrypted using the Web Push protocol (VAPID + P-256 ECDH).
Children
ScoreSync is not directed at children. Our minimum age requirement is 18 in most jurisdictions (higher in some). We do not knowingly collect personal data from anyone below the applicable minimum age. Accounts found to belong to underage users are terminated.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before taking effect.
Contact
Privacy questions or data requests: privacy@getscoresync.com