Privacy Policy for Misani

Last updated: May 13, 2026

Introduction

Misani ("we," "our," or "us") operates the Misani mobile application (the "App"). This Privacy Policy explains how we collect, use, share, and protect your information when you use the App on iOS or Android. By using the App you agree to the practices described here.

Who We Are (Data Controller)

The data controller for personal information processed through the App is the Misani team. You can reach us at misani.team@gmail.com for any privacy-related question or request.

Information We Collect

Account Information

The App supports three sign-in methods:

• Sign in with Google — we receive your email address and a Google-issued ID token, which we exchange with our backend for a Misani access token.
• Sign in with Apple — we receive an Apple-issued ID token and authorization code. On your first sign-in only, Apple may also share your full name and email address (you can choose Apple's private email-relay address; we honor it). On subsequent sign-ins, Apple does not resend name or email.
• Guest mode — we create an anonymous identifier and a guest access token. We do not collect your name or email in guest mode.

We store the access token on your device using the operating system's protected storage. We do not receive or store your Google or Apple password.

Profile and Game Data

Once you have an account, you can set a nickname and a profile picture URL. While you play, the App sends the following to our backend:

• Nickname, profile picture URL, and (optional) cover picture URL
• Quiz questions shown to you, the answers you select, time taken, and correctness
• Game results (win/loss/draw), rating, virtual coin balance, and match history
• Opponent-visible data shown on leaderboards (nickname, avatar, rating)
• Reports you file about other players or content

Real-time match events are exchanged with our servers over a secure WebSocket connection while a match is in progress.

Push Notifications

We use Firebase Cloud Messaging (FCM), a Google service, to deliver transactional push notifications related to your matches — for example, when it is your turn, your opponent has played, or a match has ended. When you grant notification permission, the App registers with FCM and we receive and store an FCM registration token tied to that install of the App on your device. We use this token only to deliver notifications you have allowed; we do not use it for advertising or for tracking across apps or websites. You can revoke notification permission at any time from your device's system settings, which stops further notifications.

Device and Diagnostic Information

To keep the App running reliably, diagnose problems, and improve quality, we collect (subject to your consent — see "Your Choices and Consent" below):

• Device model and operating system version
• App version and build number
• IP address (used at the network level; not stored against your account)
• An anonymous device or installation identifier
• Language and region settings
• Crash logs and error reports
• App performance and diagnostic metrics (e.g., long tasks, frame timings)
• In-app activity such as screens viewed, taps and other interactions, and network call metadata
• Firebase Installation ID — a pseudonymous identifier used by Firebase services to associate diagnostic data with your install of the App
• Firebase Analytics events — screen views, session start and end, taps, and other in-app events, together with device and OS metadata, language, and region
• Firebase Crashlytics reports — stack traces, device state, and breadcrumbs captured when the App crashes
• Firebase Remote Config fetches — used to deliver configuration values to your install; sends a Firebase Installation ID and basic device/OS metadata when fetching

If you are signed in and have granted analytics consent, your Misani user ID is attached to these diagnostic events so we can correlate issues to your account on request. We have disabled IDFA collection in Firebase Analytics on iOS and run Firebase Analytics with Google-side ad personalization features turned off.

Locally Stored Preferences

The following are stored only on your device and are not sent to our servers:

• Language preference
• Dark mode and theme
• Sound and haptic-feedback toggles
• Game tutorial state and games-completed counter
• Your analytics consent choice

What We Do Not Collect

The App does not request access to, and does not collect:

• Camera, microphone, or photo library
• Precise or approximate location
• Contacts, calendar, or health data
• Motion or sensor data
• Apple's IDFA (Identifier for Advertisers); we do not show the App Tracking Transparency prompt because we do not track you across apps or websites
• Payment card information; the App does not offer in-app purchases, and the in-game coin balance cannot be bought

How We Use Your Information

We use collected information to:

• Create and authenticate your account
• Provide and maintain the App and its multiplayer features
• Display leaderboards, rankings, and match history
• Send transactional push notifications about your matches when you have granted notification permission
• Deliver feature flags and configuration values to the App via Firebase Remote Config
• Improve gameplay, balance, and content
• Diagnose crashes, performance issues, and errors
• Detect and prevent abuse, cheating, fraud, and security incidents
• Respond to your support requests and account deletion requests
• Comply with legal obligations

Legal Bases for Processing

Where data protection laws such as the General Data Protection Regulation (GDPR), UK GDPR, or comparable local laws apply, we rely on the following legal bases:

• Performance of a contract — to create your account and operate gameplay you request.
• Consent — for diagnostic analytics (Datadog and Firebase Analytics) and for notification permission at the device level; you can withdraw consent at any time from within the App or in your device's system settings.
• Legitimate interests — for Firebase Crashlytics crash reporting (collected regardless of analytics consent because crash data is essential to keep the App functioning and to fix critical bugs); and to secure the App, prevent cheating and abuse, and improve our service. Where we rely on legitimate interests, we balance them against your rights.
• Legal obligation — when required to comply with applicable law.

Third-Party Services

The App uses the following third-party services. Each provider acts on our behalf as a processor or as an independent identity provider, as indicated.

Sign in with Google (Google LLC) — identity provider. We receive your email address and an ID token. Google's privacy policy: https://policies.google.com/privacy.

Sign in with Apple (Apple Inc.) — identity provider. We receive an ID token and authorization code, and on first sign-in optionally name and email. Apple's privacy policy: https://www.apple.com/legal/privacy/.

Datadog (Datadog, Inc.) — diagnostics processor. We use Datadog Real User Monitoring and Logs to monitor App performance and capture crash and error reports. Datadog may receive your IP address, device and OS information, App diagnostic data, and network call metadata. Data is processed in Datadog's EU1 (Frankfurt) region. Datadog's privacy policy: https://www.datadoghq.com/legal/privacy/.

Firebase (Google LLC) — push notifications, analytics, crash reporting, and remote configuration processor. The App uses the following Firebase products:

• Firebase Cloud Messaging (FCM) — delivers transactional push notifications you have permitted. Receives the FCM registration token assigned to your install of the App and the notification payload we send.
• Firebase Analytics — records in-app events (screen views, sessions, taps), device and OS metadata, language and region, and a Firebase Installation ID. We have disabled IDFA collection on iOS and disabled Google-side ad personalization features for Firebase Analytics, which means we do not use this data for advertising and do not show the App Tracking Transparency prompt.
• Firebase Crashlytics — captures crash logs, stack traces, breadcrumbs, and device state when the App crashes.
• Firebase Remote Config — delivers configuration values (such as feature flags) to your install; sends a Firebase Installation ID and basic device/OS metadata when fetching.

Firebase services are operated by Google LLC and process data globally, primarily on Google infrastructure in the United States. Firebase's privacy and security information: https://firebase.google.com/support/privacy. Google's privacy policy: https://policies.google.com/privacy.

DiceBear (api.dicebear.com) — avatar image service. The App fetches user avatar images directly from DiceBear's servers. As a result, DiceBear's servers receive your device IP address and standard HTTP request metadata when an avatar loads. DiceBear does not receive your account, email, or gameplay data. DiceBear's privacy policy: https://www.dicebear.com/legal/privacy-policy/.

API-Football (api-football.com, delivered via api-sports.io) — football data provider. Football imagery shown in the App (such as player photos, team logos, league badges, and country flags) is delivered from API-Football's content delivery network. When the App fetches such an image, API-Football's servers automatically log standard request metadata, including your device IP address, browser/HTTP client type and version, operating system, language preferences, the time of access, and the resource requested. API-Football states this information is used to detect abuse and produce aggregate traffic statistics, and is not shared with unaffiliated third parties. No Misani account or gameplay data is sent. We do not resell or redistribute API-Football data; football names, photographs, and logos remain the property of their respective owners (see our Terms for the full disclaimer). Website: https://www.api-football.com/. Privacy policy: https://www.api-football.com/privacy.

Where Your Data Goes

Your Choices and Consent

You can opt in to anonymous diagnostic data collection from the App's Settings screen. Until you grant consent, no analytics data is sent to Datadog Real User Monitoring or Firebase Analytics — these SDKs are initialized with collection disabled and only begin sending data after you opt in. You can change your choice at any time from the App's Settings; if you withdraw consent, we stop further analytics collection (data already received before withdrawal is retained for the limited period described below).

Firebase Crashlytics is not gated by the analytics consent toggle: it collects crash reports at all times under the legal basis of legitimate interest in keeping the App stable. You cannot disable Crashlytics from within the App; the only way to stop sending crash reports is to uninstall the App.

Push notifications are controlled separately: your device prompts you for notification permission, and you can grant or revoke that permission at any time in your device's system settings. Authentication, core gameplay data, push-notification delivery to opted-in devices, and Firebase Remote Config fetches are processed for the App to function and are not subject to the diagnostic-analytics consent toggle.

International Transfers

Our backend is operated by us; Datadog processes diagnostic data in the EU; Firebase services process data primarily on Google infrastructure in the United States. Where personal data is transferred outside your country of residence — in particular for Firebase — we rely on appropriate safeguards such as the EU Standard Contractual Clauses or equivalent legal mechanisms.

Data Storage and Security

Your data is stored on our servers behind authenticated HTTPS endpoints. Access tokens are stored on your device using the operating system's protected storage. We implement administrative, technical, and organizational safeguards designed to protect against unauthorized access, alteration, disclosure, or destruction. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Data Retention

• Account, profile, and gameplay data — retained while your account is active. After deletion, residual copies in encrypted backups are removed within 30 days.
• Diagnostic data and logs (Datadog) — retained for up to 30 days, then automatically deleted.
• Firebase Analytics data — retained for 14 months (the project's configured retention), then automatically deleted by Google.
• Firebase Crashlytics data — retained for up to 90 days from the date of the crash.
• FCM registration token — retained on our backend while the App is installed and notifications are permitted. The token is deleted when you uninstall the App, sign out, delete your account, or revoke notification permission and we detect delivery failure.
• Apple authorization code — used at sign-in to enable account-revocation flows; not retained after the access token is issued.

Your Rights

Subject to applicable law (including GDPR and UK GDPR where relevant), you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate or incomplete data
• Request deletion of your account and associated data
• Request deletion of diagnostic data tied to your account
• Restrict or object to certain processing
• Receive a copy of your data in a portable format
• Withdraw analytics consent at any time
• Lodge a complaint with your local data protection authority

You can delete your account at any time from the App's Settings screen. You can also email us at misani.team@gmail.com to exercise any of these rights.

Children's Privacy

The App is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version in the App and on this page and update the "Last updated" date above. Material changes will be highlighted in the App.

Contact Us