Privacy Policy
Last updated: May 2026
At Figurapp we take your privacy seriously. This policy describes what data we collect, what we use it for, who we share it with and what rights you have over it. By using the app you accept the practices described here.
30-second summary. We store the minimum needed for the app to work: your email, your sticker album, your last approximate location (only while the app is open), and your trade history. Your location is never shown to other users with your identity attached: the map only shows aggregated zones. We use third-party services (Firebase, Sentry, AWS) that process minimal data and are listed below. We do not use your data for advertising tracking nor do we share it with third parties for marketing purposes. You can delete your account at any time from Settings.
1. Who we are
Figurapp is a mobile application for football sticker collectors. Stickers are identified internally by country and player name.
For any questions about this policy, write to us at privacy@figurapp.com.
2. What data we collect
This section is aligned 1:1 with the privacy nutrition label we publish on the App Store and Google Play.
2.1 Contact data
- Email: used to create your account and to sign in. Managed by Firebase Auth. We never see your password: Firebase hashes and stores it in its infrastructure.
2.2 Identifiers
- User ID: the internal UID assigned by Firebase Auth. We use it to identify your account in our backend.
- FCM push tokens: Firebase Cloud Messaging tokens, required to send you push notifications (trades, messages, etc.).
2.3 Location
- Precise location, captured only in foreground (foreground only) while you are using the app. We do not access your location when the app is closed or in the background.
- We use it to show you collectors nearby and to let you coordinate in-person trades.
- We do not share your exact location with other users. The map only shows approximate, aggregated zones (3 or more users) — it is impossible to re-identify you individually.
- Coordinates are automatically deleted from the backend after a short period of inactivity.
2.4 Usage data
- Product interactions: we log on the backend which endpoints you invoked, when, and with what result, to operate the app, prevent abuse and debug errors. These logs live in CloudWatch (AWS).
2.5 Diagnostics
- Crash and error data sent to Sentry: stack traces, device model, OS version and app version.
- This data is reported anonymously, not linked to your identity or your User ID. Sentry does not receive your email or your UID.
2.6 User content
- Chat messages: stored in DynamoDB with a maximum retention of 20 days; after those 20 days they are deleted automatically.
- Avatar (optional): if in the future we enable the option to upload a profile photo, it will be stored in Firebase Storage. Today the app does not require nor force you to upload an avatar.
- Album data: which stickers you marked as owned, missing or duplicate, and how many copies of each you have.
- Trades and friendships: history of your trades and your friends list.
2.7 What we do NOT collect
To make it clear, Figurapp does not collect any of the following data:
- Phone contacts (we do not read your address book).
- Web browsing history.
- Financial data, card numbers or banking information.
- Health, fitness or biometric data.
- Advertising identifiers (IDFA, AAID).
We also do not use your data for advertising tracking, advertising profiling, nor cross-app tracking. There are no advertising or marketing analytics SDKs in the app.
3. What we use your data for
- To provide and operate the app (show your album, process trades, send messages, etc.).
- To show you collectors nearby within the radius you configure.
- To send you push notifications: trade proposals, nearby collectors, and chat messages. You can disable them in Settings.
- To detect and prevent abuse, spam and violations of the terms.
- To improve the app (aggregated and anonymous metrics, crash reports).
4. Third-party services
We use the following third-party services. Each one has its own privacy policy that also applies to the data it processes:
| Service | What it processes | Policy |
|---|---|---|
| Firebase Auth | Email, hashed password, UID, login metadata | firebase.google.com/support/privacy |
| Firebase Cloud Messaging | Device token, notification payload | firebase.google.com/support/privacy |
| Sentry | Stack traces, device metadata, app version | sentry.io/privacy |
| AWS (Amazon Web Services) | Backend hosting (us-east-1), data storage | aws.amazon.com/privacy |
We do not sell your data to third parties. We do not share your data with marketing companies, data brokers or advertisers.
5. How long we retain your data
- Account data: while your account is active. If you delete it, we erase everything within 30 days.
- Album and trade data: while your account is active.
- Location data: maximum 30 minutes of inactivity. An automatic process deletes it periodically.
- Chat messages (DynamoDB): 20 days, after that they are deleted automatically.
- Crash reports (Sentry): 90 days.
- Access and usage logs (CloudWatch): 30 days.
6. Your rights
Regardless of where you live, you have the following rights over your data:
- Access: you can request a copy of all the data we hold about you.
- Rectification: you can correct incorrect data from Settings → Edit profile or by writing to us.
- Deletion: you can erase your account from Settings → Delete account. All your data is deleted within 30 days.
- Portability: you can request a JSON export of your account, album and trades.
- Objection: you can object to the processing of your data for certain purposes (e.g., notifications).
If you live in the European Union or the United Kingdom, you also have the rights of GDPR. If you live in California, you have the rights of CCPA. To exercise them, write to us at privacy@figurapp.com from the email of your account. We respond within 30 days.
7. Security
We take reasonable measures to protect your data:
- All communications use HTTPS/TLS 1.2+.
- Passwords are hashed by Firebase (we never see them).
- Session tokens are stored in the device's Keychain (iOS) or Keystore (Android).
- The database is in a private subnet without direct internet access.
- WAF and rate limiting protect sensitive endpoints (location, map).
- Credentials live in AWS Secrets Manager, never in code.
No system is 100% secure. If we detect an incident affecting your data, we will notify you within 72 hours as required by applicable regulations.
8. Minors
Figurapp is not directed to children under 13. If you are between 13 and 17, you need authorization from your parents or guardians to use the app. If we believe a user is under 13, we delete the account and associated data.
9. International data transfers
Our servers are in AWS us-east-1 (Virginia, United States). Some third-party services process data in other regions. If you are in the European Union, this implies an international transfer of data to the United States. We rely on the Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Cookies and similar technologies
The mobile app does not use cookies. It uses operating system identifiers (Keychain/Keystore UUID, FCM device token). The landing page (figurapp.com) only uses necessary technical cookies (no third-party tracking).
11. Changes to this policy
If we make significant changes, we will notify you via push notification and/or email before they take effect. The "Last updated" date at the top of this document always reflects the current version.
12. How to delete your account
You can delete your account directly from the app:
Settings → Delete account. Your account and all associated data are erased. This cannot be undone.
Deletion includes: your Firebase Auth account, your album, your trade history, your chat messages, your notification tokens and any residual location data. The process completes within 30 days.
13. How to contact us
If you have any question, complaint or want to exercise any of your privacy rights, write to us:
- General support: support@figurapp.com
- Security and abuse reports: safety@figurapp.com