Important notice: StickerKick is an UNOFFICIAL application for tracking sticker collections related to the 2026 international football tournament. It is not affiliated with, associated with, endorsed by, sponsored by, or licensed by any organization, federation, league, club, or album/sticker manufacturer. Any reference to competitions, teams, players, or third-party products is made for purely informational and descriptive purposes (nominative fair use).
1. Data Controller Information
| Field | Value |
|---|---|
| Controller | Bismarck Aguilar (natural person) |
| Domicile | Republic of Ecuador |
| Contact email | rbismarckal@gmail.com |
| Application | StickerKick |
| Bundle ID | com.mundialkick.app |
| Platforms | iOS and Android |
As the controller is a natural person without a formal legal establishment, all legal communications, exercise of rights, portability requests or complaints must be addressed to the email above.
Note: If a legal entity (company) is incorporated in the future to operate StickerKick, this policy will be updated with the corresponding registration details.
2. Data We Collect
2.1. Account data (mandatory)
When signing in via Google Sign-In or Sign in with Apple (through Firebase Authentication), we collect:
- Firebase UID (unique identifier assigned by Firebase)
- Email address linked to your Google or Apple account (with Apple it may be a private relay email you choose)
- Display name — you can edit it at any time in Settings
- Profile picture URL (provided by Google/Apple, hosted on their servers)
- Device language (to render the localized UI)
2.2. Album data (cloud-synchronized)
Stored in Cloud Firestore (Google Firebase, servers in the United States):
- Sticker pasting progress (which numbers are in your album and how many duplicates you own)
- Match results (official results are obtained automatically from Football-Data.org; you may also enter results manually)
- Progress on special "extras" stickers (bronze, silver, gold tiers)
2.3. Physical sticker photos (LOCAL-ONLY storage)
If you choose to photograph your physical stickers:
- Images are stored exclusively on the device's local storage
- AES-256 encryption is applied at rest within the device
- They are NEVER uploaded to the cloud, to Firebase, or to any third party
- Only the local file path is stored in the on-device database
- You are the sole owner of the photographic content you capture
Important consequences of photos living only on your device:
- If you sign out, reset your album, or delete your account, the photos stored on that device are deleted and CANNOT be recovered, because there is no cloud copy.
- You can create a photo backup ("Export / Save photos" feature): the app generates an encrypted file that you save, move or send wherever you want. That file does not pass through our servers; once exported, keeping it safe and who you share it with are your sole responsibility.
- The backup file is encrypted and tied to your account: if you delete the account, a backup made with it can no longer be re-imported.
2.4. Social features (friends, groups and trades)
If you enable the social modules:
- Share code (alphanumeric code to add friends)
- Friendship documents in Firestore (uid_1, uid_2, relationship status)
- Public profile (display name and progress) visible to friends you authorize, subject to your configurable privacy preferences
- Sticker lists shared with friends, subject to explicit permission you grant
- Groups (group name and members) to coordinate trades among several users
- Trades and auctions: documents in Firestore containing the participants' uids, the stickers offered/requested, text messages exchanged for the trade, ratings and reports. Your display name is visible to the users you trade with or share a group with.
2.5. Motion sensors (steady-shot camera)
The sticker photo capture feature may use the device's motion sensors (gyroscope / accelerometer) to auto-trigger the camera when the phone is steady and reduce blur. This sensor data is processed on the spot, on the device, and is NOT collected, transmitted or stored.
2.6. Push notifications
- FCM token (Firebase Cloud Messaging) for the device, to send friend-activity notifications
2.8. Advertising
- Google AdMob: device advertising identifier (IDFA on iOS, AAID on Android) to serve ads; optionally, interest-based personalized advertising
- In the EU/EEA/UK: UMP (User Messaging Platform) CMP for granular consent under GDPR and the ePrivacy Directive
- On iOS 14.5+: Apple's App Tracking Transparency (ATT)
2.9. In-app purchases (Tournament Pass)
If you make the "Tournament Pass" purchase (remove advertising), the transaction is processed by Apple App Store / Google Play and is technically handled through RevenueCat, Inc., which receives your App User ID (your Firebase UID), the transaction's receipt identifier and data, device information and attribution attributes (including ATT consent status). Neither StickerKick nor RevenueCat receives your card number or payment details, which are processed exclusively by Apple/Google.
3. Device Permissions
The app only uses these permissions when you turn on the related feature, and you can revoke them in your system settings:
| Permission | Purpose |
|---|---|
| Camera | Scan sticker codes and take a photo of your physical sticker |
| Motion sensors (gyroscope/accelerometer) | Auto-capture when the phone is steady. Not stored |
| Photos / storage | Only if you choose to import or save your photo backup file |
| Notifications | Only if you enable them |
4. Purposes of Processing
| Data | Purpose |
|---|---|
| Google/Apple account data | Authentication, identification, fraud prevention |
| Display name | Show you to yourself and friends; you control and edit it |
| Album progress | Cross-device sync, backup, social functionality |
| Local photos | Allow you to visually document your physical collection |
| Friendship data | Enable social functionality (trading, comparisons) |
| FCM token | Delivery of relevant push notifications |
| AdMob | Monetization through advertising |
5. Legal Basis for Processing
Pursuant to Regulation (EU) 2016/679 (GDPR), Art. 6 and Ecuador's LOPDP (2021), Art. 7:
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Performance of a contract (GDPR Art. 6(1)(b)) |
| Album sync and game data | Performance of a contract (GDPR Art. 6(1)(b)) |
| Social features (friends, sharing, display name) | Consent (GDPR Art. 6(1)(a)) |
| Push notifications | OS consent (iOS/Android) |
| Personalized advertising (AdMob) | Explicit consent via UMP CMP (EU/EEA/UK) or ATT (iOS) |
| Non-personalized (contextual) advertising | Legitimate interest (GDPR Art. 6(1)(f)) |
You may withdraw consent at any time without affecting prior processing (GDPR Art. 7(3)).
6. Sharing of Data with Third Parties (Sub-Processors)
| Provider | Service | Data shared | Policy |
|---|---|---|---|
| Google LLC / Google Ireland Ltd. | Firebase (Auth, Firestore, Functions, Messaging, App Check) | UID, email, progress, tokens | https://policies.google.com/privacy |
| Google LLC | AdMob | Advertising ID, contextual data | https://policies.google.com/technologies/ads |
| RevenueCat, Inc. | In-app purchase management (receipt validation and entitlements) | App User ID (Firebase UID), transaction/receipt data, attribution attributes, advertising ID | https://www.revenuecat.com/privacy |
| Football-Data.org | Source of match results (final and live), queried server-side | None personal: only factual match data is received; no user data is sent to it | https://www.football-data.org/terms |
| Apple Inc. | Sign in with Apple, App Store, IAP | Authentication token; subject to Apple App Store Privacy | https://www.apple.com/legal/privacy/ |
| Google LLC | Google Sign-In, Google Play Store, billing | Authentication token; subject to Google Play Privacy | https://policies.google.com/privacy |
Your physical sticker photos are NOT shared with any third party or with us: they live encrypted on your device.
StickerKick DOES NOT sell personal data to third parties under any circumstances. See Section 14.3 (CCPA) for the formal California clause.
7. International Data Transfers
Data stored in Firebase resides on servers located in the United States of America.
- EU/EEA/UK residents: Google Cloud / Firebase operates under the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914). Adequate safeguards under GDPR Arts. 44-49.
- Ecuador residents: transfer grounded in informed consent (LOPDP Art. 56) and contractual safeguards.
- Brazil residents (LGPD): transfer grounded in specific consent (LGPD Art. 33, VIII) and/or SCCs.
8. Data Retention
| Category | Retention period |
|---|---|
| Account data (UID, email, profile) | Until you delete your account |
| Album progress | Until you delete your account or request erasure |
| Friendship data | Until either party deletes the relationship |
| FCM token | Until uninstall or sign-out |
| Locally encrypted photos | Until you delete them, sign out, reset the album, delete the account or uninstall (they reside only on your device) |
| Access / audit logs | Up to 12 months |
After account deletion, data in operational backups may persist for a maximum of 30 additional days.
9. Your Rights as a Data Subject
Under GDPR (EU), LOPDP (Ecuador), LGPD (Brazil), and CCPA/CPRA (California) you hold rights to: access (GDPR Art. 15), rectification (Art. 16, including your display name, editable in-app), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)), not to be subject to automated decisions (Art. 22), and to lodge a complaint with a supervisory authority (Art. 77).
9.1. In-app automated functions
- Account and full data deletion: in-app via the Cloud Function
deleteMyData. Irreversible; removes UID, email, progress, friendships and tokens within 30 days. - Data export: via the Cloud Function
exportMyData(structured JSON, GDPR Art. 20). - Edit your display name: directly in Settings.
9.2. Manual requests
For any other right, write to rbismarckal@gmail.com (subject "Rights request — [right]"), with your UID or registered email. Response time: max 30 calendar days (GDPR Art. 12(3)). Cost: free.
10. Security of Your Data
We apply appropriate technical and organizational measures (GDPR Art. 32 / LOPDP Art. 37):
- Encryption in transit: TLS 1.2+ in all communications with Firebase.
- Encryption at rest: Firebase applies AES-256 on its servers.
- Additional local photo encryption: physical sticker photos are encrypted with AES-256 on the device. The key lives in the Keychain (iOS) / Android Keystore, hardware-bound and not synced across devices.
- Photo backup files: when you export, the file is encrypted and tied to your account; keeping it safe thereafter is your responsibility.
- Firestore Security Rules: document-level access control.
- Delegated authentication via Google/Apple Sign-In; StickerKick does not store passwords.
Breach notification: within 72 hours to the competent authority (GDPR Art. 33 / LOPDP Art. 44) and to affected users where high risk (GDPR Art. 34).
11. Cookies and Tracking Technologies
StickerKick is a native mobile app and does not use HTTP cookies, but uses equivalent technologies (Firebase Installation ID, IDFA/AAID, FCM Token). Consent is managed via UMP CMP (EU) or ATT (iOS). On iOS 14.5+, explicit permission is requested before accessing the IDFA.
12. Minors
StickerKick is intended for users aged 13 and over. We do not knowingly collect data from children under 13 (COPPA) or under 16 where the digital consent age is 16 (GDPR Art. 8). In Brazil, processing minors' data requires guardian consent (LGPD Art. 14). Contact: rbismarckal@gmail.com.
13. Changes to This Policy
We may update this policy. Material changes will be notified via in-app notice, updated "Last updated" date and/or email. Continued use after notice constitutes acceptance.
14. Jurisdiction-Specific Compliance
14.1. Ecuador — LOPDP (2021): Supervisory authority: Superintendence of Personal Data Protection. ARCO and portability rights (Arts. 11-16). Consent age: 13 (Art. 21).
14.2. EU/EEA/UK — GDPR / UK GDPR: EU Representative (Art. 27) — exemption Art. 27(2) currently relied upon; reassessed as the EU user base grows. No formal DPO appointed (Art. 37) given scale and non-sensitive data. Single contact: rbismarckal@gmail.com.
14.3. United States — CCPA / CPRA (California): Categories collected (§1798.140): identifiers (UID, email, IDFA), commercial info (app usage), internet/network data, inferred geolocation, advertising inferences. StickerKick does not sell personal information; under CPRA, AdMob personalized advertising may qualify as "sharing" — opt out via UMP/ATT or by writing to rbismarckal@gmail.com ("Do Not Sell/Share — California Resident"). Rights: know, delete, correct, opt-out, limit sensitive info, non-discrimination.
14.4. Brazil — LGPD: Controller / DPO (Art. 41): Bismarck Aguilar, rbismarckal@gmail.com. ANPD: https://www.gov.br/anpd
14.5. Other LATAM: Mexico (LFPDPPP), Colombia (Law 1581/2012), Argentina (Law 25.326), Peru (Law 29733), Chile (Law 19.628 / 21.719) — rights apply mutatis mutandis under the most-favorable-treatment principle.
15. Contact
| Type | Channel |
|---|---|
| Privacy, exercise of rights | rbismarckal@gmail.com |
| Formal complaints | rbismarckal@gmail.com (subject: "FORMAL COMPLAINT") |
| Technical support | rbismarckal@gmail.com (subject: "Technical support") |
Controller: Bismarck Aguilar · Country: Ecuador · Response time: up to 30 calendar days
Final Disclaimer
StickerKick is an independent fan-built project, with no intent to compete with, replace, or infringe the rights of official brands. Photographs of physical stickers are User-Generated Content (UGC); ownership remains with the user at all times.
This policy is governed by the laws of the Republic of Ecuador, without prejudice to the mandatory extraterritorial application of GDPR, LGPD, CCPA and other applicable legislation.
This is a courtesy translation of the original Spanish document. In case of discrepancy, the Spanish version prevails.
© 2026 Bismarck Aguilar. All rights reserved over the original code and design of StickerKick.