Privacy Policy

When you sign up for IFSCORES we collect:

• Account: email, bcrypt-hashed password, chosen username.
• OAuth: basic profile returned by Apple or Google if you use social login.
• Presets & favorites: rules you build, matches you star, trigger history.
• Device: push token, app version, platform.
• Analytics: screen + session metrics (Firebase Analytics + PostHog).

• Authenticate your session (JWT).
• Deliver push notifications (Firebase FCM / Apple APNs).
• Understand which features earn their keep.
• Verify support requests.
• Detect brute-force logins (5 fails → 15-min lock).

Only where technically required:

• BetsAPI — live sports feed (no personal data shared).
• Firebase (Google) — push + analytics.
• Apple / Google — app payment + OAuth.
• RevenueCat — subscription sync.
• Resend — transactional email.
• Sentry — error tracking (PII-scrubbed).
• Cloudflare R2 — encrypted backups.

Your data is never sold.

• Passwords hashed with bcrypt (work factor 12).
• Admin accounts require TOTP 2FA.
• All traffic over TLS 1.3.
• Database backed up daily to encrypted object storage (30-day retention).
• Access logs kept for 30 days only.

From inside the app you can:

• Export all your data (Settings → Account). GDPR Article 20 / KVKK Madde 11 / LGPD Art. 18 / CCPA § 1798.130.
• Delete your account — 30-day grace period then permanently erased. Right to erasure: GDPR Art. 17, KVKK Madde 11, LGPD Art. 18, APPI Art. 30, PIPL Art. 47.
• Correct inaccurate data.
• Restrict processing or object to certain uses.
• Control notifications per event type.

IFSCORES honors data-subject requests from residents of every jurisdiction we service, including but not limited to:

• EU / EEA / UK — GDPR + UK GDPR.
• Türkiye — KVKK (Kanun No. 6698).
• Brazil — LGPD (Lei nº 13.709/2018).
• Japan — APPI (個人情報の保護に関する法律).
• China — PIPL (个人信息保护法).
• Indonesia — UU PDP (UU No. 27/2022).
• Saudi Arabia / GCC — Saudi PDPL (نظام حماية البيانات الشخصية).
• California, USA — CCPA / CPRA.

To exercise any right, email privacy@ifscores.com. We respond within the statutory window of the requester's jurisdiction (30 days under GDPR / KVKK / LGPD; 15 days under PIPL for some requests).

Mobile app: no cookies (JWT-only). Web site (ifscores.com): single session cookie for language preference. No tracking, no ads.

We follow standard age requirements. Users under 13 are not allowed personal accounts; underage accounts are deleted on detection.

We are a live sports scores and notifications service. We do not process bets and do not promote any specific bookmaker.

Material changes trigger an in-app notification and an email. The "Last updated" date above reflects the latest revision.

Questions? privacy@ifscores.com