Privacy Policy
Last updated: 17 April 2026
This is the privacy policy for Slaps, a mobile app for photographing and collecting football (soccer) supporter stickers. This policy explains what data we collect, why we collect it, and the rights you have over it.
Questions? Email [email protected].
1. Who this policy applies to
This policy covers everyone who uses the Slaps mobile app on iOS or Android.
2. What we collect
2.1 Account information
When you sign up, we collect:
- Email address — used only to log you in and send account-related emails (password reset, email verification).
- Password — stored as a salted hash by our auth provider (Supabase). We never see your plaintext password.
- Apple Sign-In token (if you use "Sign in with Apple") — Apple may provide us with a private relay email address if you choose to hide your real email. We only use this to identify your account.
2.2 Profile information
Once logged in, you can optionally provide:
- Username — publicly visible on stickers you mark as public.
- Favourite club — publicly visible.
- Avatar image — publicly visible.
You can edit or remove any of these at any time in the "More" tab.
2.3 Sticker data
Each time you save a sticker, we collect:
- The original photo you took and a cropped version of it.
- A team name you enter manually.
- Your GPS location at the time of capture (latitude and longitude), used to tag where the sticker was found.
- A human-readable location label (e.g. "Fitzroy, Melbourne") derived from those coordinates.
- A public / private flag that you control.
Only stickers you mark as public are visible to other users on the map or elsewhere. Private stickers are visible only to you.
2.4 What we do NOT collect
- We do not collect analytics, tracking identifiers, or advertising IDs.
- We do not use third-party trackers, pixels, or SDKs that profile you.
- We do not track your location in the background. GPS is only read at the exact moment you save a sticker, and only if you grant permission.
3. Why we collect it
| Data | Purpose | Legal basis |
|---|---|---|
| Email & auth tokens | Account creation and login | Contract |
| Username, club, avatar | Display on your profile and public stickers | Consent |
| Sticker photos & metadata | Core app functionality — your collection and the public map | Contract |
| GPS coordinates | Tagging where a sticker was found | Consent |
4. Who we share it with
We share data only with the service providers needed to run the app:
- Supabase (supabase.com) — hosts our database, authentication, and file storage. Data is stored on Supabase's infrastructure (AWS, typically eu-west or us-east regions).
- Apple — if you use "Sign in with Apple".
- Google Cloud — if and when we re-enable AI-assisted team recognition, the cropped sticker image may be sent to Google's Gemini API for identification. This feature is currently disabled.
We do not sell your data. We do not share your data with advertisers. We do not share your data with anyone else, full stop.
5. Where your data lives
All data is stored with Supabase, which runs on Amazon Web Services. Servers may be located in the EU or US depending on our region setting. By using Slaps, you consent to your data being transferred to and processed in these regions.
6. How long we keep it
- Account and profile data — kept for as long as your account exists.
- Stickers — kept for as long as your account exists, or until you delete individual stickers.
- Deleted accounts — when you delete your account, your profile and all your stickers (including public ones) are removed within 30 days.
7. Your rights
You can, at any time:
- Access the data we hold about you — visible in the app, or emailed to you on request.
- Correct your profile data by editing it in the app.
- Delete individual stickers from your collection.
- Delete your entire account and all associated data by emailing [email protected]. We'll action the request within 30 days.
If you are in the EU, UK, or California, you have additional rights under the GDPR / UK GDPR / CCPA, including the right to data portability and to lodge a complaint with your local data protection authority.
8. Children
Slaps is not directed at anyone under the age of 13, and we do not knowingly collect data from children under 13. If you are a parent or guardian and believe your child has created an account, contact us at [email protected] and we will delete the account.
9. Security
Passwords are hashed and salted. Data in transit is encrypted via HTTPS / TLS. API keys for external services are stored server-side, never in the app bundle. We follow the principle of least privilege — Row Level Security is enabled on every database table so users can only read and write their own data.
No system is perfectly secure, but we take reasonable technical and organisational measures to protect your data.
10. User-generated content
Slaps lets users post photographs of stickers they find in the wild. We have a zero-tolerance policy for objectionable content (hate speech, violence, nudity, copyrighted material posted without rights). You can report any sticker by tapping the Report button on the sticker's detail page. We review reports within 24 hours and remove content that violates our policy. Users who repeatedly violate the policy will have their accounts terminated.
11. Changes to this policy
If we make material changes, we'll update the "Last updated" date and notify you in-app. Continued use of Slaps after changes constitutes acceptance.
12. Contact
- Email: [email protected]
- Data controller: Malcolm Pirrie, Toronto, Ontario, Canada