Privacy Policy
This Privacy Policy explains how KickSage (operated under idleboard.com; “we”, “our”) collects, uses, and protects your personal data when you use our mobile application and related services (the “Service”).
Turkish-speaking users should refer to the KVKK Aydınlatma Metni, which is the binding version for users in Türkiye under Law No. 6698.
1. Who We Are
Operator: idleboard.com.
Contact: [email protected].
2. Data We Collect
We collect only the data needed to run the Service:
- Account data: email, username, optional display name, password hash (never the plain password).
- Authentication identifiers: when you sign in with Google, Apple, or Facebook we receive a stable provider-issued subject ID and (when granted) your email. We never receive your social network password.
- Profile fields you provide: avatar URL, optional first/last name, optional province / district / neighborhood for local leaderboards. We do not collect device GPS coordinates.
- In-app activity: predictions, room joins, chip transactions, mini-game attempts, achievement progress, daily streak.
- Push notification tokens: when you opt in, we store the FCM/APNs device token to deliver match-start, room-invite, and system notifications.
- Technical data: IP address, app version, device OS — used for security logging and abuse detection.
- Chat messages: messages posted in rooms are stored for moderation and history.
- Purchase metadata: when you buy chip packages or premium passes, we store the receipt identifier and the resulting chip credit. We do not see your card number — Apple and Google handle payment.
3. How We Use Your Data
- Provide and operate the Service (predictions, leaderboards, chat).
- Authenticate you and keep your session secure.
- Send push notifications you have opted in to.
- Enforce our Terms of Service, including the Pay-to-Win invariant — earned and purchased chips are tracked separately so paid balance can never influence game outcomes.
- Detect cheating, fraud, multi-accounting, and abuse.
- Respond to support requests.
- Generate aggregated, non-identifying product analytics.
4. Legal Basis (GDPR / KVKK)
- Contract performance: account, predictions, chip economy.
- Legal obligation: retaining purchase records for tax / accounting compliance.
- Legitimate interest: fraud prevention, security, product improvement.
- Consent: push notifications, location-based local leagues, optional marketing communication.
5. Sharing With Third Parties
We do not sell your personal data. We share it only with sub-processors strictly necessary to run the Service:
- Apple App Store / Google Play — app distribution, in-app purchases, push notification infrastructure (APNs / FCM).
- Google (Firebase / OAuth) — push messaging, authentication.
- Apple (Sign in with Apple), Meta (Facebook Login) — social authentication only when you choose those providers.
- Cloud infrastructure providers for hosting, PostgreSQL database, Redis cache, log aggregation.
- Match-data providers (e.g. api-football) — we consume public match statistics; user data is never sent.
6. International Transfers
Some of these processors operate outside Türkiye / EU (mostly the United States and EU regions). Transfers rely on standard contractual clauses or equivalent safeguards under GDPR Article 46 / KVKK Article 9.
7. Data Retention
- Active account: as long as your account is open.
- Account deletion: personal data is removed or anonymised within 30 days, except records we are required to retain by law (e.g. purchase history for tax purposes).
- Chat messages: anonymised or deleted after 90 days.
- IP / session logs: retained no longer than 12 months.
8. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and request data erasure.
- Export your data in a portable format.
- Withdraw consent for optional processing (e.g. push, marketing).
- Lodge a complaint with your local data protection authority (in Türkiye: Kişisel Verileri Koruma Kurumu — KVKK).
Send any such request to [email protected] from your registered email. We respond within 30 days.
9. Children
The Service is not directed at children under 13 (or the higher minimum age in your jurisdiction). If we discover that a younger user has registered, we will delete that account.
10. Security
We protect your data with TLS in transit, encrypted database backups, bcrypt-hashed passwords, short-lived JWT access tokens, and refresh token rotation. No system is perfectly secure, but we treat any breach seriously and notify affected users when required by law.
11. Changes
We may update this Policy from time to time. The “Last updated” date above reflects the most recent revision. For material changes we will notify you in the app or by email.
12. Contact
Questions, concerns, or rights requests: [email protected].