Privacy Policy

1. Introduction

Lottoread ("we," "our," or "us") operates the Lottoread mobile application (available on iOS and Android) and the website at lottoread.com (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the rights you have over your data.

By using the Service, you agree to the practices described in this policy. Our Service is intended for users aged 13 and older. If you are under 13, do not use the Service or submit any personal information.

2. Information We Collect

2.1 Information You Provide

• Account information: Email address and display name provided when you sign in with Google or Apple.
• Lottery ticket images: Photos you capture or upload for ticket scanning. Images are transmitted to our servers for AI-powered processing and stored in Google Cloud Storage.
• App preferences: Your preferred lottery games, notification settings, and liked games.

2.2 Information Collected Automatically

• Device information: Device model, operating system version, language, timezone, and a unique device identifier.
• Usage data: Features used, tickets scanned, numbers generated, login history, login streaks, and session activity.
• Push notification token (FCM): A Firebase Cloud Messaging token used to deliver lottery draw notifications to your device.
• Crash and performance data: Automatic crash reports and performance traces collected via Firebase Crashlytics and Firebase Performance Monitoring.
• Analytics events: Page views, feature interactions, and in-app events collected via Firebase Analytics.
• Advertising identifiers: On iOS, the IDFA (Identifier for Advertisers) may be collected after you grant permission via the App Tracking Transparency prompt. On Android, the AAID (Android Advertising ID) may be used subject to your consent via Google's User Messaging Platform.
• Subscription status: Your current subscription tier and transaction history, managed through RevenueCat.

2.3 Information From Third Parties

• Google Sign-In / Apple Sign In: Basic profile information (name, email) returned by the authentication provider when you choose to sign in.

3. How We Use Your Information

• Ticket scanning and validation: Ticket images are processed server-side using AI models (OpenAI, Anthropic Claude, xAI/Grok) to detect lottery numbers and validate results.
• Account management: To create and maintain your account, store your scan history, generated plays, and credits.
• Push notifications: To send draw results, jackpot alerts, and other notifications you subscribe to via Firebase Cloud Messaging.
• Subscription management: To process purchases and manage your subscription level through RevenueCat and the App Store / Google Play.
• Advertising: To display ads (rewarded, interstitial, and native) via Google AdMob. Ad serving may use your advertising identifier where permitted.
• Analytics and improvement: To understand how users interact with the app and improve features using aggregated Firebase Analytics data.
• Security and stability: To detect crashes, diagnose bugs, and monitor app performance via Firebase Crashlytics and Performance Monitoring.
• Remote configuration: To update app behavior (e.g., feature flags, AI model selection) without requiring an app update, via Firebase Remote Config and Firestore.
• Legal compliance: To comply with applicable laws and respond to valid legal requests.

4. Third-Party Services

We integrate the following third-party services. Each operates under its own privacy policy. We encourage you to review them.

For Google's privacy policy, visit policies.google.com/privacy. For RevenueCat, visit revenuecat.com/privacy.

5. Advertising & Tracking

Lottoread displays ads through Google AdMob, including rewarded, interstitial, and native ad formats.

• iOS: When you launch the app, you will be shown an App Tracking Transparency (ATT) prompt asking whether you consent to tracking via the IDFA. If you decline, only contextual ads are served. You can change this setting at any time in Settings > Privacy & Security > Tracking.
• Android: Google's User Messaging Platform displays a consent dialog for ad personalization in line with GDPR and CCPA requirements. You may withdraw or update consent at any time from within the app settings.
• SKAdNetwork (iOS): We use Apple's SKAdNetwork framework for privacy-preserving ad campaign measurement. No individual-level data leaves your device.
• Opt-out: On Android, you can reset or opt out of ad personalization in Settings > Google > Ads. On iOS, turn off personalized ads in Settings > Privacy & Security > Apple Advertising.

6. Data Sharing

We do not sell your personal information. We share data only in the following circumstances:

• Service providers: The third-party services listed in Section 4 receive data only to the extent necessary to perform their functions.
• AI processing: Ticket images and extracted text are sent to OpenAI, Anthropic, and/or xAI servers for processing. Images are not used to train third-party AI models under our agreements with these providers.
• Legal obligations: We may disclose information if required by law, court order, or government authority.
• Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction.

7. Data Retention

• Account and ticket data: Retained for as long as your account is active. Deleted within 30 days of an account deletion request. To request deletion, visit our Account Deletion page.
• Ticket images: Stored in Google Cloud Storage and retained for 90 days, after which they are automatically purged.
• Crash and performance logs: Retained for 90 days by Firebase Crashlytics and Performance Monitoring per Google's standard retention policy.
• Analytics data: Aggregated and anonymized; retained per Firebase Analytics' default retention settings (up to 14 months for event-level data).

8. Your Privacy Rights

8.1 EEA, UK & Switzerland (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR:

• Right of access — obtain a copy of your personal data
• Right to rectification — correct inaccurate data
• Right to erasure — request deletion of your data
• Right to restriction — limit how we process your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

Our legal bases for processing include: performance of a contract (providing the Service), legitimate interests (security, analytics), consent (advertising identifiers, push notifications), and legal obligation.

8.2 California Residents (CCPA/CPRA)

California residents have the right to:

• Know what personal information is collected and how it is used
• Request deletion of your personal information
• Opt out of the "sale" or "sharing" of personal information — we do not sell personal information. Advertising identifiers shared with AdMob for ad personalization may qualify as "sharing" under CPRA; you may opt out as described in Section 5
• Non-discrimination for exercising your privacy rights

8.3 Exercising Your Rights

To submit a privacy request, email us at privacy@lottoread.com. We will respond within 30 days (or sooner as required by applicable law). We may ask you to verify your identity before processing your request.

9. Children's Privacy (COPPA)

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@lottoread.com and we will promptly delete such information.

10. Data Security

We implement technical and organizational measures to protect your information, including:

• TLS encryption for all data in transit
• Firebase App Check to prevent unauthorized API access
• Firebase Authentication tokens for secure session management
• Role-based access controls on our backend systems and Google Cloud Storage

No system is completely secure. If you discover a security vulnerability, please report it to privacy@lottoread.com.

11. International Data Transfers

Your information may be processed and stored on servers located in the United States and other countries where our service providers operate. If you are located outside the United States, your information will be transferred to and processed in the US. We rely on Standard Contractual Clauses and other appropriate safeguards for transfers of personal data from the EEA or UK to third countries.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page. For material changes, we will notify you via in-app notice or email. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

13. Contact Us

If you have questions, requests, or complaints about this Privacy Policy or our privacy practices, please contact us:

If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.