Last updated: 3 July 2026 · Operator: CrowdKick (sole proprietor — Mohamad Salman, Toronto, ON, Canada).
CrowdKick is a mobile app that helps sports fans find pubs, bars and other venues showing their match near them, and redeem the deals those venues offer for that match. It is built around niche and famous sports communities — across soccer, basketball, football, baseball, hockey and MMA. This policy explains what we collect, how we use it, how long we keep it, and how you control it. We've tried to write it in plain English.
| Category | Example | Why we collect it |
|---|---|---|
| Device identifier | A random UUID generated on your device the first time you launch (device_id). |
Lets us anonymously track wallet contents and rate-limit deal redemptions so a single device can't redeem the same deal twice. |
| Push notification token | If you grant notification permission, an Expo push token issued to your device, stored with your device_id and (if you're signed in) your account. |
To send you match-start reminders, deal alerts, and occasional announcements. Notifications are optional — if you deny the permission, no token is collected and the app works normally. |
| Approximate location | Your device's "When In Use" coarse location (no background location, no continuous tracking). | Sorts venues on the map by distance from where you currently are. Only collected when you have the app open and have granted location permission. You can deny — the app still works; venues are listed in default order. |
| Account info (when you create an account) | Apple Sign In ID and/or email + first name (depending on what you provide to Apple/Google), or an email address you type for one-time-code (OTP) sign-in. | Lets you sync your saved deals across devices and recover your wallet if you reinstall. You can browse venues, matches and deals without an account; you only create one at the moment you redeem a deal (so the bar can verify it) or tap "Sign up" in the Me tab. |
| Saved deals | The discount codes you save to your wallet + the venues they belong to. | So you can show them at the venue to redeem. Stored locally on your device; if you're signed in, also synced server-side to the same user_id. |
| Redemption events | A row recording that this device redeemed this deal at this venue at this timestamp. | To prevent one device from redeeming the same deal multiple times. To give partner venues anonymized aggregate counts of how many redemptions their deals drove. |
| Team / sport preference (optional) | The team you picked in Settings → Sports & Teams; the country you picked in the nation picker. | To highlight your team's matches and surface venues likely to screen them. Stored locally; synced to your account if signed in. |
| Card-view analytics | An anonymous row recording that some device opened this venue's detail card at this time. Optionally the match that led to the open. | To give partner venues aggregate engagement stats. The device identifier is stored only as a one-way SHA-256 hash (never the raw device_id), so partner venues never see your identifier. |
| Usage analytics | Anonymous in-app events — e.g. app opened, a team selected, the map viewed, a venue or match tapped, a filter changed, location permission denied — sent to our product-analytics tool PostHog and to our own analytics store (Supabase), keyed to a hashed device identifier (device_hash, a SHA-256 of your random device_id), not your name or email. PostHog also derives an approximate (city/region-level) location from the request IP address at the moment of upload. |
To understand which sports, venues and features fans actually use, so we can improve the product and show partner venues aggregate interest. |
| Session replays | An anonymized recording of how you move through the app — taps, scrolls and which screens you view — captured via PostHog and keyed to a hashed device identifier. All text you type, and all images, are masked before they ever leave your device, so search terms, anything you enter, and on-screen photos are never recorded. | To see where the app is confusing or broken and fix it, without watching identifiable users. |
| Install attribution (referral / ambassador codes) | If you install CrowdKick after tapping an ambassador or venue referral link, we record your device_id, the referral code, your device OS, locale, timezone and screen size, and — in memory, server-side, at the moment of install — your IP address, from which we derive a one-way fingerprint. We store the derived country and the fingerprint, not your raw IP address. |
To credit the ambassador who referred you and to detect referral fraud. This runs on our own backend; no third-party attribution / "MMP" SDK is involved. |
| Device & app info | Device model, iOS version, and app version, collected by our analytics and crash tools. | To debug device-specific issues and report performance accurately. |
| Crash & error reports | If a crash or handled error occurs, a stack trace + iOS version + app version is sent to Sentry and an anonymized exception event is sent to PostHog. Does not include screen contents, your location, or your account info. | So we can fix bugs that affect real users. |
device_hash, never your name or email.ca-central-1 (Canada). Data is encrypted in transit and at rest. Our own anonymous analytics store also lives here.device_hash. Text inputs and images are masked before recording; no name, email, or saved-deal contents are sent.device_id, your email, your location, or anything you do in the app, and it cannot be used to track you across other apps.device_hash.Under PIPEDA (Canada), Quebec's Law 25, GDPR (EU/EEA users), and CCPA/CPRA (California users), you have the right to:
To exercise any of these rights, email crowdkickapp@gmail.com. We respond within 30 days.
Where GDPR applies, we rely on: performance of a contract (Art. 6(1)(b)) for wallet/saved-deal sync and deal redemption; legitimate interests (Art. 6(1)(f)) for redemption-fraud prevention and anonymous product analytics; and consent (Art. 6(1)(a)) for ad/install measurement (TikTok App Events SDK and SKAdNetwork) and notifications. We have not appointed a Data Protection Officer or an Art. 27 EU representative, as our processing does not currently meet the thresholds that require one; we will revisit this if our EU user base grows.
If you reside in Quebec, the Act respecting the protection of personal information in the private sector ("Law 25") gives you the rights above, plus the right to be informed of technology that collects identifiers or builds a profile of you, and the right to request human review of a decision made solely by automated processing. Technology that can collect identifiers — the TikTok ad-attribution SDK — only accesses your advertising identifier with your consent (via the App Tracking Transparency prompt). Our referral/ambassador program runs an automated fraud-scoring step on device-fingerprint signals to decide whether an install is credited to a promoter; this affects promoter payouts, not your access to the app. You may email us to request human review of any such decision.
Person in charge of the protection of personal information: Mohamad Salman — crowdkickapp@gmail.com.
We do not sell your personal information for money. We do "share" a hashed device identifier and install/registration events with TikTok solely to measure whether our own install ads work, which California law may treat as "sharing" for cross-context behavioural advertising. California residents have the right to know, delete, correct, and to opt out of this sharing. To opt out — or to exercise any California right — email crowdkickapp@gmail.com with "Do Not Sell or Share My Personal Information" in the subject line, and we will stop sharing your install signals with TikTok. We do not discriminate against you for exercising any right.
Open the app and go to Me → Settings → Delete account. This permanently removes:
Some records are not automatically removed by in-app deletion and are instead retained (anonymized) for fraud prevention and analytics: your push notification token, your referral/install-attribution record, and anonymized usage events held in PostHog and our Supabase analytics store (keyed only to your hashed device_hash). Aggregate, anonymized analytics (e.g. "venue X had 47 card views last week") also survive — they don't reference you and can't be linked back to you. If you want any of these purged as well, email crowdkickapp@gmail.com and we'll remove them within 30 days.
CrowdKick is intended for users 17 years and older (matching the App Store age rating). We do not knowingly collect personal information from anyone under 17. If you believe a minor has provided personal information, email crowdkickapp@gmail.com and we'll delete the account.
All data in transit is encrypted with TLS 1.2+. Data at rest in Supabase is encrypted with AES-256. Authentication uses Apple Sign In, Google Sign-In, or email OTP — we don't store passwords. The app's network configuration enforces App Transport Security (no insecure HTTP loads). We rotate our API keys after any suspected exposure.
That said, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security. If we learn of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will notify you and the relevant regulator (in Canada, the Office of the Privacy Commissioner) as required by applicable law.
If we make material changes (e.g. add a new category of data we collect), we'll update the "Last updated" date at the top and surface a notice in the app the next time you open it. You can always view the current version at crowdkickapp.com/privacy.
Privacy questions, data requests, deletion requests, opt-out requests, or complaints:
Email: crowdkickapp@gmail.com
Operator: CrowdKick (sole proprietor — Mohamad Salman), Toronto, Ontario, Canada.
Person in charge of personal information (Quebec Law 25): Mohamad Salman, same email.