Skip to main content

← Back to Finto

Privacy Policy

Last updated:

Status: this policy covers the www.finto.fun website (and its waitlist) and the live Finto prediction game at app.finto.fun. The wording is current to the date above. Final wording for the World Cup 2026 launch is being reviewed by counsel; we will update this page if that review changes anything material.

1. Who is responsible

Privacy and data-rights requests (access, deletion, correction, objection, portability, complaints) are handled by the founders at privacy@finto.fun. Use hello@finto.fun for everything else. See the Contact page for response SLAs.

2. What we collect on the public website

On the pre-launch www.finto.fun landing site and its waitlist endpoint:

  • Email address when you join the waitlist.
  • Source — which page submitted the form (for example landing/world-cup-2026).
  • Locale — your browser’s preferred language code if available (e.g. en-US).
  • Timestamp — when the submission was received (server time).
  • User-Agent string and referring URL — standard HTTP headers your browser sends with every request.
  • For abuse prevention: a salted SHA-256 hash of your IP address (never the raw IP) in short-lived rate-limit counters; a SHA-256 hash of your normalised email as the document ID for deduplication; and a timestamp window for rate limiting that auto-expires.

3. What we collect when you create or use a Finto account

Once you create an account inside the app, we collect and store only what we need to run the service:

  • Account email. Used to sign in (for email/password) and to send transactional and (where you have not opted out) non-transactional Finto emails.
  • Firebase Authentication identifiers. A user ID (UID) generated by Firebase, and — depending on the sign-in method you choose — the email/password handled by Firebase, your Google account profile (via Google Sign-In), or your Apple account profile (via Sign in with Apple on iOS).
  • Username (chosen during onboarding; visible to other players and on public leaderboards if you opt in).
  • Display name (visible inside groups you join).
  • Birth year (collected to enforce the 13+ minimum age; stored on your account, used for the age check at signup and any future age-related compliance checks).
  • Terms-acceptance record. A version identifier and a timestamp for the Terms of Use you accepted at signup, stored on your account so we have an audit trail if the terms change.
  • Group memberships. Which groups you belong to, your role in each (admin or member), when you joined, how you joined (admin-created, accepted an email invite, opened a shareable invite link), and — if you joined via a referral — which member referred you.
  • Invite records. When a group admin invites someone by email, we store that email on the invite row so the admin can audit the invite and so we can deliver it (see §4 on Resend). The plaintext invite email is readable only to admins of the inviting group, never to other members. It is automatically deleted on a short retention clock (see §7).
  • Predictions you submit (when prediction features ship): the match ID, the score you predicted, when you submitted it, whether it has locked, and (after lock) the points it scored.
  • Activity events. A lightweight feed of group-relevant events (invite created, invite rotated, invite revoked, member joined, join requests, join request approved/rejected) so members can see what is happening in the group. These are pruned automatically after 60 days.
  • Email preferences and suppression state. Your master and per-track non-transactional email preferences, plus any one-click unsubscribe state, keyed by a hash of your email so we can keep honouring an opt-out even after deletion.
  • Email delivery events from Resend (queued, sent, delivered, opened, clicked, bounced, complained). We use these to monitor deliverability and to suppress addresses that bounce or complain.
  • Operational logs from our hosting providers (Vercel, Google Cloud) and our backend functions, used for debugging. Where logs would otherwise contain a full email address we log only the email domain.

4. Cookies, local storage, and analytics

A detailed breakdown lives on the Cookies & Tracking page. In short:

  • The public website (www.finto.fun) sets no Finto cookies. We use Vercel Web Analytics and Vercel Speed Insights, which are first-party and set no cookies and no cross-site identifiers. When the TikTok Pixel is enabled (a build-time configuration; off by default in builds without the pixel ID), the pixel fires a parameter-less SubmitForm event after a confirmed waitlist signup. No email, phone, name, or other direct identifier is sent through it; the TikTok script itself may set or read its own browser identifiers under TikTok’s policies.
  • The authenticated app (app.finto.fun) uses Firebase Authentication for session handling. The app writes a small number of named keys to your browser’s localStorage (a flag remembering you have seen the onboarding tour) and sessionStorage (a per-tab funnel-correlation UUID used to link the four events of the invite funnel before sign-in). No third-party advertising or analytics scripts are loaded inside the authenticated app.
  • No Google Analytics, Google Tag Manager, Meta Pixel, LinkedIn Insight, or Hotjar runs on either site.

5. Why we collect it

  • Run the service. Authenticate you, show your groups, score your predictions, deliver invites you (or your group admin) asked to be sent.
  • Enforce the rules. Age gate (13+), one-account-per-person, anti-abuse, fair-play enforcement.
  • Communicate. Send transactional emails (invites, deletion confirmations, security notices) and the non-transactional emails you have not opted out of.
  • Improve performance and safety. First-party Vercel analytics for performance (the public site), error logs for debugging, deliverability monitoring for emails.
  • Comply with law. Respond to lawful requests, exercise your data rights, and maintain a basic record of consent.

6. Legal basis (EU / UK visitors)

  • Contract (Art. 6(1)(b) GDPR): processing necessary to operate the service you signed up for, including running groups, scoring predictions, and delivering transactional emails.
  • Consent (Art. 6(1)(a) GDPR): joining the waitlist, opting in to non-transactional email tracks, and any future processing that requires consent.
  • Legitimate interests (Art. 6(1)(f) GDPR): preventing abuse, protecting the platform, basic security and operational logging.

Counsel review of legal-basis wording is in progress and may refine this section before public launch.

7. How long we keep your data

  • Account record (users collection): while your account exists. On deletion request (see §10), it is removed in accordance with the deletion process described there.
  • Email and signup metadata on the waitlist: until launch and the launch announcement is sent, or until you ask us to delete it, whichever comes first.
  • Invite records that include a plaintext recipient email: automatically pruned by a 90-day retention clock on the invite row (and earlier if revoked or replaced). Email is admin-readable only.
  • Activity events (invite events feed): automatically pruned by Firestore TTL 60 days after creation.
  • Notification records: automatically pruned by Firestore TTL 60 days after creation.
  • Rate-limit counters and short-lived security records: auto-expire within 24 to 48 hours.
  • Email-engine records (deliverability state, suppression lists keyed by email hash): typically 90–180 days for deliverability monitoring; suppression entries are retained so we keep honouring an opt-out.
  • Operational logs from hosting providers: their standard retention windows (typically 30 days).

8. Where your data lives

  • Firestore (Google Cloud) in the United States, region us-central1 — account records, group records, invites, activity events, predictions, email suppression state.
  • Firebase Authentication (Google Cloud) — sign-in identity material (email, password hash for email/password sign-ins, OAuth subject identifiers for Google and Apple sign-ins).
  • Vercel — static hosting and edge network for the public site and the web app; first-party Vercel Web Analytics and Speed Insights on the public site.
  • Resend — email sending and delivery webhooks. Recipient address, sender info, and the email body are processed by Resend so the mail can be delivered.
  • Google Sign-In and (on iOS) Sign in with Apple — used when you choose those sign-in methods. Google or Apple receive the standard OAuth exchange under their own policies.
  • TikTok — only when the TikTok Pixel is enabled on the public site, and only the parameter-less SubmitForm event after a confirmed waitlist signup.
  • ImprovMX — forwards messages sent to hello@finto.fun and privacy@finto.fun to a founder inbox.

Your data may therefore be transmitted to or processed in the United States. Google Cloud (Firestore, Firebase Auth) and Vercel rely on Standard Contractual Clauses for international transfers, and Resend operates under its published terms and DPA.

9. We don’t sell or share your data

We do not sell your personal data. We do not share your email, phone, name, or other direct personal identifiers with advertisers, data brokers, or marketing networks. The only third parties that process your data are the infrastructure providers listed in §8, each of which sees only what it needs to in order to run its function. We do not run a cross-site advertising profile, and we do not load the Meta Pixel, Google Ads, LinkedIn Insight, or any similar tracker.

10. Your rights

You can ask us to:

  • Confirm whether we hold any data about you.
  • Send you a copy of the data we hold (right of access).
  • Correct anything that is wrong.
  • Delete your data (right to erasure / “right to be forgotten”).
  • Restrict or object to processing.
  • Port your data to another service (where applicable).
  • Withdraw consent at any time (for processing based on consent).
  • Lodge a complaint with your local data protection authority.

To delete your Finto account, the fastest path is Settings → Danger zone → Request deletion inside the app. We acknowledge the request, mark your account for deletion, and begin removing data from our systems. The fully-automated purge worker that hard-deletes every related record is still in development; until that worker ships, the team handles deletion requests through a combination of automated marking and manual cleanup. We aim to complete deletion within 30 days of the request and will email you when it is done. See Data deletion for the step-by-step process. To exercise any other right, email privacy@finto.fun from the address you signed up with (or include enough information for us to verify you). We respond within 30 days, usually sooner.

11. Children

Finto is not intended for children under 13. The minimum age to use Finto is 13, enforced at signup via a birth-year check; some jurisdictions require a higher minimum (see §4 of the Terms of Use). If you believe a child under the relevant minimum age has signed up, email privacy@finto.fun and we will delete the account promptly. Per-jurisdiction adjustments and any parental-consent mechanism are still under legal review and will be reflected here before any change goes live.

12. Security

Traffic to Finto travels over HTTPS. The waitlist endpoint enforces a CORS allowlist, payload size limits, a honeypot, form-timing checks, and sliding-window rate limits. The authenticated app sits behind Firebase Authentication. We use Firebase Security Rules so no third party can read or modify your data directly, and so plaintext invite emails are readable only by admins of the inviting group. No system is perfect: if you spot a vulnerability, email hello@finto.fun with the subject “Security” and we will respond as fast as we can.

13. Changes to this policy

When this policy changes we will update the “Last updated” date at the top. Material changes (anything that expands what we collect or how we use it) will be flagged here for at least 30 days before they take effect, and where possible communicated by email.

14. Independence

Finto is an independent prediction game and is not affiliated with FIFA or the FIFA World Cup. References to the World Cup are nominal; the trademarks belong to FIFA.