Privacy Policy

Last updated: May 26, 2026.

FiguriTrack is an offline-first app. By default, all your data stays on your own device. We only sync with the cloud when you choose to sign in with your Google Account. This policy explains exactly what we process, for what purpose, and your rights.

1. Data controller

The controller of personal data processed by this application is Diogo Domanski de Souza, an independent developer based in Brazil. To exercise any right under this policy or under Brazil's General Data Protection Law (LGPD, Law nº 13.709/2018), please write to diogo.domanski@gmail.com.

2. What we process

2.1. Data stored locally on your device

Your collection inventory is stored in your own browser, using IndexedDB (Dexie) and the PWA Service Worker Cache Storage. This includes:

• sticker codes, owned quantities and duplicates;
• per-sticker status (glued, duplicate, missing);
• trade marks, achievements and app preferences;
• timestamps (updatedAt) required to sync correctly across devices.

Until you sign in, none of this leaves your device. Neither we nor any third party has access to it.

2.2. Google Account data (optional sign-in)

If you choose to sign in with a Google Account, we use Firebase Authentication (Google LLC) to authenticate you. We request only the basic scopes openid, email and profile, which give us access to:

• your public name;
• your email address;
• the URL of your public profile picture;
• a unique identifier (UID) generated by Google to associate you with your synced inventory.

We do not request access to your contacts, calendar, location, Google Drive, Gmail, photos, videos, browsing history, or any other Google Account data.

2.3. Synced data in the cloud

After sign-in, your inventory and achievements are copied to Cloud Firestore (Google LLC) under your UID. This lets you access the same collection across multiple devices and recover your data if you lose a device.

2.4. What we do not collect

We do not use tracking cookies. We do not use Google Analytics or any other third-party analytics. We do not collect IPs for marketing, we do not fingerprint users, we do not build behavior profiles, and we do not sell data to anyone.

3. Purposes of processing

• to operate the app (record and display your inventory);
• to let you access the same collection across multiple devices (sync);
• to identify you stably across sessions;
• to comply with applicable legal obligations and lawful requests from competent authorities, when required.

4. Legal basis (LGPD, art. 7)

• Performance of a contract (art. 7, V) for local storage strictly necessary for the app to work;
• Consent (art. 7, I) for Google sign-in and cloud sync, both optional and revocable at any time;
• Compliance with a legal obligation (art. 7, II) and regular exercise of rights (art. 7, VI), where applicable.

5. Sharing with third parties

We only share data with operators strictly necessary for the service to work:

• Google LLC — Firebase Authentication and Cloud Firestore (authentication and synced storage);
• Amazon Web Services, Inc. (AWS) — hosting of the infrastructure that serves the app and this website (EC2 + Docker Swarm + Traefik).

We do not sell, rent, lend or trade your data with third parties for commercial, advertising or profiling purposes.

6. International transfer

Google and AWS services may store and process data outside Brazil. These providers adopt safeguards compatible with the LGPD (art. 33). By using sign-in and sync, you consent to this transfer.

7. Security

• all traffic is delivered over HTTPS (TLS);
• access to synced data is restricted by Firestore security rules: each user can only read and write under their own UID;
• local data is protected by the browser's same-origin model.

8. Retention

Local data stays on your device until you erase it (by clearing site data in the browser or uninstalling the PWA). Synced data stays in Firestore while your account exists. You can request deletion at any time.

9. Your rights (LGPD, art. 18)

At any time, you have the right to:

• confirm that we process your data;
• access and obtain a copy of your data;
• correct incomplete, inaccurate or outdated data;
• request anonymization, blocking or deletion of your data;
• request data portability;
• withdraw consent (e.g., sign out to stop syncing) and request deletion of synced data;
• be informed about whom we share your data with.

To exercise any of these rights, write to diogo.domanski@gmail.com. We will reply within the timeframe set by law.

10. Cookies and local storage

FiguriTrack does not use tracking or advertising cookies. We only use storage technologies strictly necessary for the app to work: IndexedDB (inventory), Cache Storage (PWA assets) and LocalStorage (preferences such as theme and language).

11. Children

FiguriTrack can be used by collectors of any age. For children under 13, the app should only be used with the consent and supervision of a parent or guardian, in accordance with Brazil's Child and Adolescent Statute (ECA) and LGPD art. 14. If you are a guardian and notice misuse by a child under your care, please write to us so we can erase the data.

12. Changes to this policy

This policy may be updated to reflect changes in the app or in the law. The "Last updated" date at the top of this page indicates the current version. Material changes will also be signaled inside the app.

13. Governing law

This policy is governed by Brazilian law, in particular the LGPD (Law nº 13.709/2018) and the Consumer Protection Code (Law nº 8.078/1990) where applicable.

14. Contact

Questions, requests or complaints related to privacy can be sent to diogo.domanski@gmail.com.