Privacy Policy

Last updated: 16 May 2026

Sideline is built and operated by Jorge Reyes as an independent developer ("we", "us"). This policy explains what we collect, why, and how to get rid of it.

1. What we collect

Account data

• Email address — for account identity and password reset.
• Display name — what you type during sign-up. Shown to others in pools you share.
• Password — never stored by us in plain text; handled exclusively by Supabase Auth, which stores a bcrypt-hashed copy.

App usage data

• Favorite teams (up to 3) and chosen avatar team.
• Pools you create or join, your role in each (owner / member), and the pool name + 6-letter code.
• Predictions you submit for matches in pools you've joined.
• Notification preferences (which match alerts you opted in to).
• Push token — APNs (iOS) or FCM (Android) device identifier, used to deliver match-event alerts.
• App language — the locale your device is set to, sent with AI-summary requests so the response comes back in your language.

What we do NOT collect

• Location data.
• Contacts, photos, calendar, or microphone.
• Browsing history outside the app.
• Advertising identifiers (IDFA / AAID).
• Analytics tracking (no Mixpanel, Amplitude, Firebase Analytics, etc.).

2. Who else sees your data (third-party processors)

To run the app we send certain data to these processors. We do not sell or rent your data to anyone.

• Supabase (Supabase, Inc., United States) — hosts the Postgres database, authentication service, and edge functions. All your account + app data lives here.
• Resend (Resend, Inc., United States) — sends verification and password-reset emails on our behalf. Receives your email address only.
• Anthropic (Anthropic PBC, United States) — generates AI match-preview summaries. Receives match metadata (team names, recent form, head-to-head record) and your device locale. No personally identifying account data is sent.
• live-score-api.com — public fixtures, scores, and head-to-head data. No user data is sent.
• Apple Push Notification Service and Google Firebase Cloud Messaging — deliver the push notifications we generate. They see only the push token Apple/Google issued to your device.

3. How long we keep your data

Account data is retained as long as your account exists. Predictions, pool memberships, and match-event records persist with the related account row. Push tokens are kept while the device remains active; we re-fetch them on every app launch and overwrite the old value.

4. Your choices

• Export. Email hello@sideline.app with the address you signed up under and we'll send you a JSON dump of everything tied to your account within 14 days.
• Delete. Email the same address and we'll delete the row from auth.users. Cascade-deletes wipe predictions, pool memberships, push tokens, profile, and favorites. Backups are rotated within 30 days.
• Push notifications. Toggle individual alert types in Settings, or use your device's system permissions to turn them off entirely.
• Biometric sign-in. Optional. If enabled, your email + password live encrypted on your device only (iOS Keychain / Android Keystore) — never sent to us in that form. Sign out from Settings to clear the in-app session; reinstall the app to wipe the biometric store.

5. Children

Sideline is not intended for users under 13 (or the minimum age of digital consent in your jurisdiction, whichever is higher). We don't knowingly collect data from anyone under that age. If we learn we have, we will delete the account.

6. International transfers

Our processors are based in the United States. By using Sideline you consent to your data being processed there. Both Supabase and Resend offer EU regions; we can migrate on request if that's a regulatory blocker for you.

7. Security

All traffic to our backend uses HTTPS. Passwords are bcrypt-hashed by Supabase Auth. Database rows are gated by row-level security so users can only read / write their own data; sensitive write operations (joining a pool, deleting a pool, dispatching pushes) go through audited SECURITY DEFINER RPCs with explicit ownership checks. We don't store payment information — the app has no in-app purchases.

8. Changes to this policy

If we change anything material we'll update the "Last updated" date above and notify active users via an in-app banner before the change takes effect. Substantive changes that expand data collection require renewed consent.

9. Contact

Questions, requests, complaints: hello@sideline.app.