Privacy Policy - HeXaGoal
| Field | Value |
|---|---|
| Effective Date | To be set on the date this policy is published at https://hexagoal.app/privacy |
| Last Updated | 2026-05-13 |
| Operator | HeXaGoal (operated by an individual developer based in Astana, Republic of Kazakhstan) |
| Privacy contact | privacy@hexagoal.app |
| Hosted at | https://hexagoal.app/privacy |
1. Introduction
HeXaGoal ("the App", "we", "us", "our") is a mobile application that produces probabilistic predictions for football (soccer) matches based on proprietary statistical models trained on football match data. The App is operated by Roman Goltsov, an individual developer registered in Astana, Republic of Kazakhstan ("the Operator").
This Privacy Policy explains what data we collect when you use HeXaGoal, why we collect it, who we share it with, and what rights you have over your data. It applies to the iOS and Android mobile applications and to the backend services that support them.
We have written this policy in plain language. Where formal legal terms apply (for example GDPR, CCPA, or COPPA) we name them so you can locate the relevant clauses if you wish to look them up, but the explanations are intended for everyday readers.
If you do not agree with this Privacy Policy, please do not use the App.
2. Data we collect
2.1 Account information
When you create an account or sign in, we collect:
- Email address - required for every account. Stored on our backend servers.
- Password - only if you sign up with email and password. Your password is never stored in plain text; we store an industry-standard salted hash (BCrypt). No password and no password hash is stored for users who sign in only with Apple or Google.
- OAuth identifiers - if you sign in with Apple or Google, we store the provider name and the provider's stable user identifier for your account. We may also store the email address the OAuth provider shares with us, plus a flag indicating whether the provider considers it verified.
- Apple private-relay email - if you choose Apple's "Hide My Email" option, Apple sends us a relay address in the form <id>@privaterelay.appleid.com. We store this exactly as Apple sends it; we do not attempt to resolve it to your real email.
2.2 Authentication tokens
To keep you signed in across app restarts, we issue:
- Access tokens - short-lived (1 hour) tokens signed by our backend. They contain your user identifier, email, and subscription tier. Stored encrypted on your device using your operating system's Keychain (iOS) or Keystore (Android).
- Refresh tokens - long-lived (30 days) random tokens that let the App refresh your session without prompting you to sign in again. The plain-text token is never persisted on our servers; we keep only a one-way cryptographic hash. Refresh tokens are single-use and rotated on every refresh; if a previously-used token is presented again, we revoke the entire token family for your account as a security measure.
2.3 Subscription information
When you subscribe to HeXaGoal Premium, we collect:
- Subscription tier - Free or Premium.
- Subscription expiration date.
- Store-issued purchase receipts - signed purchase confirmations from the Apple App Store (StoreKit) or Google Play Billing. These receipts contain your purchase confirmation, product ID, and transaction identifier. They do not contain payment-card data - see §2.9.
- Subscription lifecycle events - renewals, cancellations, refunds, billing retries, and grace-period entries as they arrive from Apple App Store Server Notifications and Google Real-Time Developer Notifications.
- Subscription state via RevenueCat - we use RevenueCat as a managed receipt-verification and subscription-state service. RevenueCat receives your subscription receipts and a stable internal identifier so it can keep your subscription state in sync across Apple, Google, and our backend. RevenueCat's own privacy policy applies to data they process on our behalf.
2.4 Device information (limited)
For diagnostics and security:
- Device model (for example iPhone 15 Pro, Pixel 7) and OS version (for example iOS 17.4, Android 14) - collected from your App's user-agent string when it calls our backend. Used for crash diagnostics and compatibility checks.
- App version - included in every backend request so we can correlate bug reports.
- IP address - recorded by our backend access logs for rate-limiting and abuse prevention. Retention period: 90 days.
2.5 Biometric data - explicitly NONE collected
The App can use Apple Face ID / Touch ID or the Android Biometric API to unlock the App locally on your device. All biometric verification happens entirely on your device. The App receives only a boolean success or failure signal from the operating system. No biometric template, image, fingerprint, or face geometry data ever leaves your device, and no biometric data is ever sent to or stored on our servers.
This is enforced by using the standard biometric APIs provided by Apple (LocalAuthentication) and Android (BiometricPrompt). Both frameworks report only the outcome (success, failure, or an error such as cancellation or lockout) to the calling application; neither returns biometric data to the App.
2.6 Usage analytics - planned, not yet active
At the Effective Date of this policy, the App does not collect any usage analytics. No analytics SDK is integrated into the App, and no third-party analytics service is receiving data on our behalf.
We plan to integrate Posthog (EU hosting) within 30 days following the Effective Date to collect anonymized usage data:
- Which screens you visit and which features you use most.
- How long sessions last.
- Whether predictions are viewed, dismissed, or acted upon.
When this integration launches, events will be tied to an anonymous identifier generated on first install. We will NOT associate analytics events with your email address or any other personally identifying information. We will NOT use Apple's Advertising Identifier (IDFA) or Google's Advertising ID. We will NOT track you across other apps or websites.
Posthog's own privacy policy will apply to data they process on our behalf, under a data-processing agreement that incorporates Standard Contractual Clauses for any cross-border transfers.
We will notify you when this integration launches via the in-App banner and email mechanism described in §13 ("Changes to this Privacy Policy"). You will have at least 30 days' advance notice before any usage analytics data is collected.
2.7 Crash and error diagnostics - planned, not yet active
At the Effective Date of this policy, the App does not collect any crash or error diagnostic data. No crash-reporting SDK is integrated into the App, and no third-party crash service is receiving data on our behalf.
We plan to integrate Sentry (EU hosting) within 30 days following the Effective Date to collect crash reports so we can fix bugs that affect you:
- Stack traces from crashes.
- The OS-reported error state at the time of the crash.
- The App version and device model.
- A non-personalized installation identifier so we can correlate multiple crashes from the same install without identifying you personally.
When this integration launches, we will NOT collect screenshots or contents of any screens at the time of crash. We will NOT collect contents of any text fields, predictions, or other in-App data alongside crash reports.
Sentry's own privacy policy will apply to data they process on our behalf, under a data-processing agreement that incorporates Standard Contractual Clauses for any cross-border transfers.
We will notify you when this integration launches via the same mechanism described in §2.6 above.
2.8 Match prediction history
- Server-side: we record which match-prediction screens you opened and when. This is used for billing-tier enforcement (for example, daily-view limits for free-tier users) and, once the analytics integration described in §2.6 launches, for analytics.
- Client-side: the App keeps a local cache on your device of recently-viewed predictions and team statistics with time-based expiry (typically 1 hour to 24 hours depending on data type). This cache lives only on your device and is cleared when you uninstall the App.
2.9 What we do NOT collect
We explicitly do NOT collect:
- Your contacts, address book, or calendar entries.
- Photos, camera roll, or media library.
- Microphone audio.
- Precise GPS location or coarse network location.
- Health, fitness, or wellness data.
- Payment card numbers, bank account numbers, or any other payment credentials. All payments are handled by Apple In-App Purchase or Google Play Billing and never touch our servers - see §2.3. Receipts are confirmation tokens, not payment instruments.
- Biometric templates or images (see §2.5).
- Browsing history outside the App.
- Social-graph data (your friends, followers, and so on).
3. Why we collect this data (legal basis under GDPR Article 6)
If you are in the European Union, the United Kingdom, or another jurisdiction with similar law, the legal bases for our processing are:
| Data category (§2) | Legal basis |
|---|---|
| Account information (§2.1) | Performance of a contract - you cannot use the App without an account or anonymous-mode access |
| Authentication tokens (§2.2) | Performance of a contract - to keep you signed in |
| Subscription information (§2.3) | Performance of a contract - to deliver the subscription you purchased; legal obligation - to retain receipts for tax purposes |
| Device information (§2.4) | Legitimate interest - diagnostics, abuse prevention, capacity planning |
| Biometric (§2.5) | Not applicable - we do not collect this |
| Usage analytics (§2.6) | Legitimate interest - improving the App; consent in jurisdictions where consent is required for analytics |
| Crash diagnostics (§2.7) | Legitimate interest - fixing bugs |
| Prediction history (§2.8) | Performance of a contract |
If you are in California (CCPA / CPRA), Colorado, Virginia, or another US state with consumer-privacy law, you have the rights listed in §7 below regardless of which legal basis above applies.
4. How we use the data
We use the data we collect to:
- Deliver the prediction service - produce probabilistic predictions for football matches, render them in the App, and update them as new data arrives.
- Manage your account - let you sign in, sign out, change your password, recover access, and link or unlink Apple or Google identities.
- Process subscription billing - verify your purchase with Apple or Google, activate Premium features, handle renewals, cancellations, refunds, and grace periods.
- Prevent fraud and abuse - detect refresh-token replay, enforce per-IP rate limits, and block automated scraping.
- Diagnose crashes and bugs - using Sentry per §2.7.
- Improve the App - using Posthog per §2.6 to measure which features are used and where users drop off.
- Comply with legal obligations - retain transaction records for tax, respond to lawful requests from authorities (§5.3).
We do not use your data for advertising. We do not sell or rent your data to anyone (§5.2).
5. Third parties we share data with
5.1 Service providers (data processors)
These third parties process data on our behalf to deliver the App:
| Third party | What they receive | Why |
|---|---|---|
| Apple | Sign-in claim (provider user ID, optional email), App Store In-App Purchase receipts, App Store Server Notifications | OAuth via Sign in with Apple; In-App Purchase processing; subscription lifecycle events |
| Google | Sign-in claim (provider user ID, email), Play Billing receipts, Real-Time Developer Notifications | OAuth via Sign in with Google; Play Billing purchase processing; subscription lifecycle events |
| RevenueCat | A stable internal user identifier and your purchase receipts | Subscription state management across Apple and Google; receipt verification |
| Posthog (EU hosting) - planned, not yet active (see §2.6) | Anonymous event stream | Product analytics, scheduled for launch within 30 days of Effective Date |
| Sentry (EU hosting) - planned, not yet active (see §2.7) | Crash stack traces and OS state | Crash diagnostics, scheduled for launch within 30 days of Effective Date |
| Cloudflare | API traffic between the App and our backend (Cloudflare terminates TLS at its edge, so it can see request contents in transit before re-encrypting them to our origin); DNS records | TLS termination, DDoS protection, DNS for hexagoal.app |
| Linode (Frankfurt, EU region) | Encrypted database and server logs | Hosting our backend services |
We have data-processing agreements with each of these providers requiring them to handle your data in accordance with this Privacy Policy and applicable law.
5.2 We never sell or rent your data
We never sell, rent, or trade your personal data to third parties. We never share your data with advertisers. This is consistent with the CCPA "Do Not Sell" requirement; California users do not need to take any action to opt out because we do not sell data in the first place.
5.3 Legal disclosure
We may disclose your data when required by law - for example, in response to a lawful subpoena, court order, search warrant, or regulatory request from an authority with jurisdiction over us. Where lawful, we will notify you before disclosing your data so you can challenge the request.
6. Data retention
| Data category | Retention period | Trigger for deletion |
|---|---|---|
| Account email and identity | Until you delete your account | User-initiated account deletion |
| Password hash | While the account exists | Account deletion |
| OAuth identity rows | While the account and identity remain linked | Account deletion or user-initiated unlink |
| Refresh tokens | Up to 30 days, or until revoked | TTL expiry, single-use rotation, or family-revocation |
| Subscription receipts and events | As required by applicable tax law (typically 5-7 years for financial records) | After legal retention period |
| Server access logs (IP, request path, timestamp) | 90 days | Auto-purge |
| Crash reports | Not collected at the Effective Date. When Sentry integration launches (see §2.7), the default Sentry retention of 90 days will apply. | Auto-purge |
| Analytics events | Not collected at the Effective Date. When Posthog integration launches (see §2.6), the default Posthog retention will apply (7 years on the free tier); events are deleted earlier on an account-deletion request. | Auto-purge or user-initiated |
| Local on-device cache | 1 hour to 24 hours per data type | Automatic on TTL expiry; full clear on uninstall |
7. Your rights
Depending on where you live, you have some or all of the following rights over your data:
- Access - ask us what data we hold about you (GDPR Art. 15; CCPA right to know).
- Rectify - correct inaccurate data (GDPR Art. 16).
- Erase - delete your account and the data tied to it (GDPR Art. 17 "right to be forgotten"; CCPA right to delete). We will delete your data within 30 days unless we have a legal obligation to retain a subset (for example, subscription receipts for tax).
- Portability - receive a copy of your data in a structured, machine-readable format (GDPR Art. 20).
- Object - object to processing based on legitimate interest (GDPR Art. 21).
- Restrict - restrict processing while a dispute is resolved (GDPR Art. 18).
- Opt out of automated decisions - we do not currently make automated decisions about you that have legal effects.
To exercise any right, email privacy@hexagoal.app. We will respond within one calendar month for GDPR-covered users, or within 30 days otherwise. We may need to verify your identity before acting on a request.
In the App we currently do not offer self-service data export. To request your data, please email the address above.
8. Children's privacy
HeXaGoal is not directed at children. You must be at least 13 years old (or 16 in the European Economic Area, where the GDPR child-consent threshold applies) to create an account.
We do not knowingly collect personal data from children below these ages. If we learn that we have collected data from a child below the applicable age, we will delete it. If you are a parent or guardian and believe we have collected data from your child, please contact us at the address in §14.
9. International data transfers
Our backend services are hosted in the European Union (Frankfurt, Germany) and the third parties listed in §5.1 may process data in other countries, including the United States.
When personal data of users in the European Economic Area, the United Kingdom, or Switzerland is transferred outside those territories, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data-processing agreements with Apple, Google, RevenueCat, Cloudflare, and Linode (and, once their integrations launch per §2.6 and §2.7, Posthog and Sentry), and
- Where applicable, the adequacy decisions issued by the European Commission, or
- Other lawful transfer mechanisms available under the applicable law.
The Operator's principal place of business is in the Republic of Kazakhstan. Transfers of EU/UK/Swiss personal data to Kazakhstan rely on Standard Contractual Clauses where required.
10. Security
We protect your data with industry-standard technical and organisational measures:
- Password hashing - we use industry-standard salted hashing (BCrypt). We never store, log, or transmit plain-text passwords.
- TLS in transit - all traffic between the App and our backend is encrypted via TLS (HTTPS).
- Signed access tokens - short-lived session tokens signed by our backend.
- Refresh-token hashing and replay detection - we never store plain-text refresh tokens, and we revoke entire token families if we detect token reuse.
- Server-side OAuth verification - we verify Apple and Google sign-in tokens against the providers' public verification keys; we do not trust client-supplied identity claims.
- No third-party analytics or crash-reporting SDKs in the App at the Effective Date. When the integrations described in §2.6 and §2.7 launch, the relevant SDKs will be added and this section will be updated accordingly.
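The refresh-token handling described in §2.2 and summarised above (hash-only storage, single-use rotation, and revocation of the whole token family when a used token is replayed) is a protocol with a few edge cases worth seeing end to end. The following is an added example written for this page, not HeXaGoal's backend code. It assumes SHA-256 as the one-way hash (the policy names none), an in-memory dictionary in place of the real database table, and a constructed clock value so the expiry check is reproducible.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# 30-day refresh-token lifetime, as stated in §2.2 of the policy.
REFRESH_TTL_SECONDS = 30 * 24 * 60 * 60


@dataclass
class RefreshRecord:
    token_hash: str      # SHA-256 of the opaque token; the plain token is never written here
    user_id: str
    family_id: str       # every token descended from one sign-in shares a family
    expires_at: float
    used: bool = False   # set once the token has been exchanged (single-use)
    revoked: bool = False


class RefreshTokenStore:
    """In-memory stand-in for the backend token table (assumption: the real
    store is a database; the checks are the same)."""

    def __init__(self) -> None:
        self._by_hash: dict[str, RefreshRecord] = {}
        self.revoked_families: set[str] = set()

    @staticmethod
    def _hash(token: str) -> str:
        # One-way hash, so a database dump yields no usable refresh tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, family_id: Optional[str] = None,
              now: Optional[float] = None) -> str:
        """Mint a new opaque token. A fresh sign-in starts a new family;
        a rotation passes the existing family_id through."""
        now = time.time() if now is None else now
        family_id = family_id or secrets.token_hex(16)
        token = secrets.token_urlsafe(32)          # 256 bits of CSPRNG entropy
        self._by_hash[self._hash(token)] = RefreshRecord(
            self._hash(token), user_id, family_id, now + REFRESH_TTL_SECONDS)
        return token                               # handed to the client once, never stored

    def revoke_family(self, family_id: str) -> None:
        self.revoked_families.add(family_id)
        for rec in self._by_hash.values():
            if rec.family_id == family_id:
                rec.revoked = True

    def rotate(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a refresh token for a new one. Returns None (client must
        sign in again) for unknown, expired, revoked, or replayed tokens."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._hash(presented))
        if rec is None:
            return None
        if rec.revoked or rec.family_id in self.revoked_families or rec.expires_at <= now:
            return None
        if rec.used:
            # The same token presented twice means either the legitimate client
            # or someone holding a stolen copy is replaying it; the server cannot
            # tell which, so the whole family is invalidated and both must sign in.
            self.revoke_family(rec.family_id)
            return None
        rec.used = True
        return self.issue(rec.user_id, rec.family_id, now)


def replay_scenario(now: float = 1_000_000.0) -> dict:
    """Walk through sign-in, a normal rotation, a replayed token, and expiry.
    The clock value is constructed so the run is deterministic."""
    store = RefreshTokenStore()
    t1 = store.issue("user-1", now=now)                # sign-in starts a family
    t2 = store.rotate(t1, now=now + 60)                # normal refresh: new token
    replay = store.rotate(t1, now=now + 120)           # t1 again: rejected, family revoked
    after_replay = store.rotate(t2, now=now + 180)     # t2 is now dead as well
    fresh = RefreshTokenStore()
    old = fresh.issue("user-2", now=now)
    expired = fresh.rotate(old, now=now + REFRESH_TTL_SECONDS + 1)
    return {
        "rotation_ok": t2 is not None and t2 != t1,
        "replay_rejected": replay is None,
        "family_revoked": after_replay is None,
        "expired_rejected": expired is None,
        "plain_token_absent": t1 not in store._by_hash and store._hash(t1) in store._by_hash,
    }
```

The key design point is the `used` flag combined with the family identifier: a single "already used" token is not treated as a benign retry, because a client that lost the race with an attacker looks identical to the attacker from the server's side, and revoking only the presented token would leave the other copy valid.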
No system is perfectly secure. If we become aware of a data breach affecting you, we will notify the relevant supervisory authority as required by applicable law (for example, under GDPR Article 33 within 72 hours of becoming aware) and will notify you without undue delay where the breach is likely to result in a high risk to you (GDPR Article 34).
11. Apple App Store Privacy Labels
Use this section as the source of truth when filling Apple's App Privacy form in App Store Connect.
At the Effective Date (planned analytics + crash integrations from §2.6 and §2.7 are NOT yet active; we will update both this section and the Apple App Privacy form when those integrations launch):
| Apple category | Data type | Collected? | Linked to user? | Used for tracking? | Purpose |
|---|---|---|---|---|---|
| Contact Info | Email Address | YES | YES | NO | App Functionality, Account Management |
| Identifiers | User ID | YES | YES | NO | App Functionality |
| Identifiers | Device ID | NO | - | - | - |
| Purchases | Purchase History | YES | YES | NO | App Functionality |
| Usage Data | Product Interaction | NO (planned per §2.6 within 30 days of Effective Date) | - | - | - |
| Diagnostics | Crash Data | NO (planned per §2.7 within 30 days of Effective Date) | - | - | - |
| Diagnostics | Performance Data | NO (planned per §2.7 within 30 days of Effective Date) | - | - | - |
| Health & Fitness | - | NO | - | - | - |
| Financial Info | - | NO | - | - | - |
| Location | - | NO | - | - | - |
| Sensitive Info | - | NO | - | - | - |
| Contacts | - | NO | - | - | - |
| User Content | - | NO | - | - | - |
| Browsing History | - | NO | - | - | - |
| Search History | - | NO | - | - | - |
We do NOT use Apple's App Tracking Transparency (ATT) tracking. We do not track users across apps and websites owned by other companies. We will not prompt for the ATT permission.
12. Google Play Data Safety form
Use this section as the source of truth when filling Google Play Console's Data Safety form.
At the Effective Date (planned analytics + crash integrations from §2.6 and §2.7 are NOT yet active; we will update both this section and the Google Play Data Safety form when those integrations launch):
| Google data type | Collected? | Shared? | Optional? | Purpose | Encrypted in transit? |
|---|---|---|---|---|---|
| Personal info - Name | NO | - | - | - | - |
| Personal info - Email address | YES | NO* | NO | Account management, App functionality | YES |
| Personal info - User IDs | YES | NO* | NO | App functionality | YES |
| Financial info - Purchase history | YES | NO* | NO | App functionality | YES |
| Financial info - Payment info | NO (Apple/Google handle) | - | - | - | - |
| Health and fitness | NO | - | - | - | - |
| Location | NO | - | - | - | - |
| Contacts | NO | - | - | - | - |
| App activity - App interactions | NO (planned per §2.6 within 30 days of Effective Date) | - | - | - | - |
| App info and performance - Crash logs | NO (planned per §2.7 within 30 days of Effective Date) | - | - | - | - |
| Device or other IDs | NO | - | - | - | - |
*Shared only with the data processors named in §5.1, which Google does not treat as "sharing" under the Data Safety taxonomy because they act on our behalf.
We commit to data deletion on user request and provide a deletion-request mechanism (email request to privacy@hexagoal.app) per Google's Data Safety requirements.
13. Changes to this Privacy Policy
We may update this Privacy Policy. When we do, we will:
- Update the "Last Updated" date at the top.
- For material changes (for example, adding a new data category we collect, a new third-party processor, or a substantively different use of data), notify you via an in-app banner and, if we have your verified email, by email - at least 30 days before the change takes effect.
- For non-material changes (for example, clarifying language), publish the updated policy at the hosted URL without separate notice.
Your continued use of the App after the effective date of an updated policy constitutes acceptance of the updated terms.
14. Contact
For privacy-related questions, requests, or complaints:
- Email: privacy@hexagoal.app
- Operator: Roman Goltsov, individual developer
- Address: Astana, Republic of Kazakhstan
- Tax registration ID: available on request via privacy@hexagoal.app
You also have the right to lodge a complaint with the supervisory authority in your country of residence. In the European Union, this is your country's data protection authority. In the United Kingdom, this is the Information Commissioner's Office (ICO).
End of Privacy Policy.