Project 52! — Privacy Policy

Effective date: 2025-08-13

This Privacy Policy explains how NoGo apps inc. ("NoGo", "we", "us", or "our") collects, uses, discloses, and protects information about you when you use the Project 52! mobile application and related services (the "Service"). By using the Service, you agree to the practices described here.

If you do not agree, please do not use the Service.

1) Who We Are

2) Scope

This Policy covers information processed through the Project 52! app and backend, including account onboarding, card shuffling and match detection, profile management, and basic operational logging.

3) Information We Collect

Based on the current implementation of the mobile app and backend, we process the following categories of information:

Account information:

  • Username (required)
  • Email (optional)
  • Profile picture: either a default avatar or an image you upload
  • Anonymous flag (whether you prefer a minimal identity)
  • System metadata (e.g., created/updated timestamps, deletion status)

Authentication information:

  • JSON Web Tokens (JWT) for access (~24 hours) and refresh (~30 days). Tokens are issued by our backend and stored locally on your device (e.g., AsyncStorage) to authenticate API requests.
  • The Service does not use passwords.

Shuffle and match information:

  • The app serializes the 52‑card deck sequence you generate, computes a SHA‑256 hash, and submits both the sequence and hash to the backend.
  • The backend may store: the hash, the raw 52‑byte deck sequence, your user ID and username, timestamps, and (if a match occurs) a record linking both users who matched, including usernames and a match time.

App/device and operational information:

  • Basic server logs (e.g., request time, endpoint, status) to maintain reliability and security.
  • Local-only app preferences on your device for user experience, such as shuffle count, music/SFX/haptics toggles, theme, and language. These are stored on your device and not transmitted unless needed for a feature.

We do not currently collect precise geolocation, payment information, or sensitive categories of personal data.

4) Sources of Information

  • You: information you provide during onboarding and profile updates, and your in‑app activity (e.g., shuffles submitted).
  • Your device/app: locally stored tokens and preferences; requests sent to our backend.

5) How We Use Information

We use information to:

  • Provide and operate the Service (account creation, authentication, profile updates, shuffle submissions, and match detection)
  • Maintain and improve reliability, safety, and security (fraud and abuse prevention, diagnostics, service quality)
  • Communicate with you (for example, if you provide an email and we need to contact you about a match or account matters)
  • Generate aggregate, de‑identified statistics (e.g., number of shuffles, number of matches)
  • Comply with legal obligations

Legal bases (where applicable, e.g., EU/UK):

  • Contract: to provide the Service you request
  • Legitimate interests: to ensure security, integrity, and to advance the scientific/competitive goal of detecting rare identical shuffles
  • Consent: for optional items you choose to provide (e.g., email, uploaded profile picture)

6) Sharing and Disclosure

We share information as needed to operate the Service:

  • Service providers and infrastructure: For storage of avatars/profile images we use Amazon Web Services (AWS) Simple Storage Service (S3). We may also use managed cloud hosting and logging.
  • Legal, compliance, and safety: We may disclose information if required by law or to protect rights, safety, and the integrity of the Service.
  • Corporate transactions: In the event of a merger, acquisition, or asset sale, information may be transferred as part of that transaction subject to this Policy.

We do not sell your personal information, and we do not use advertising networks or analytics SDKs in the app at this time.

About profile images and S3: default avatars are served from a public S3 bucket. Uploaded profile images are stored in S3. Depending on bucket configuration, uploaded images may be accessible via a direct URL to the app; do not upload sensitive content.

7) International Data Transfers

Our infrastructure (including S3) may be located in the United States (e.g., us‑east‑1). If you access the Service from outside the U.S., you understand your information may be transferred to and processed in the U.S. Where required, we rely on appropriate safeguards (e.g., standard contractual clauses) for such transfers.

8) Data Retention

  • Account data: retained while your account is active. If you delete your account, we mark it as deleted and cease normal access and display. Certain technical records may be retained for security, audit, or compliance.
  • Shuffle and match records: to preserve the integrity and scientific/competitive value of detecting rare identical shuffles, we may retain shuffle hashes, deck sequences, and match records indefinitely. Where feasible, we aim to decouple these records from directly identifying profile data.
  • Logs: server logs are retained for a limited time consistent with security and operational needs.

9) Your Choices and Rights

In‑app controls:

  • Update your profile (username, email, profile picture, anonymous flag)
  • Delete your account (subject to technical and legal limitations)

Privacy rights (depending on your region):

  • Access, correction, deletion, restriction, and portability of your personal data
  • Object to processing where our legal basis is legitimate interests
  • Withdraw consent where processing is based on consent (e.g., optional email)

California privacy disclosures (CPRA):

  • Categories collected: identifiers (username, optional email), internet/technical information (basic server logs), user content (optional profile image), and in‑app activity (shuffle/match submissions). Sensitive personal information: not collected.
  • Purposes: to provide the Service, security, diagnostics, and aggregate statistics.
  • Sale/Sharing: we do not sell or share your personal information for cross‑context behavioral advertising.
  • Retention: see Section 8.

To exercise rights, contact team@project52.app. We may need to verify your identity and your residency to process certain requests. You may use an authorized agent where permitted by law.

10) Children's Privacy

The Service is not directed to children under 13 (or under 16 in certain jurisdictions). If you believe we have collected personal information from a child, contact us and we will take appropriate steps to remove it.

11) Security

We implement technical and organizational measures designed to protect information (e.g., token‑based authentication, least‑privilege access to infrastructure). However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12) Cookies and Tracking

The mobile app does not use third‑party advertising cookies or analytics SDKs at this time. We do not currently send push notifications.

13) Changes to This Policy

We may update this Policy as our Service evolves. When we do, we will update the Effective date above and, where required, provide notice in the app or on our website. Your continued use of the Service after changes take effect means you accept the revised Policy.

14) Contact Us

If you have questions or requests regarding this Policy or your information, contact: team@project52.app

Implementation notes (informative):

  • Tokens are stored locally on your device and transmitted as needed to our API.
  • The app may submit the 52‑card deck sequence and its SHA‑256 hash to the backend. Matches include user IDs/usernames and timestamps.
  • Default avatars are public; uploaded profile images are stored in S3 and may be retrievable by URL depending on bucket configuration.
  • Admin/statistics endpoints exist on the backend; access is restricted by server‑side configuration.