Privacy Policy
Effective date: May 17, 2026
Emilio Rios (“we”, “us”, “our”) built What A Team as a free app. This page describes how the app handles information.
Information We Collect
What A Team is designed to collect the minimum data necessary to make the app work. We do not sell data, run ads, or use third-party analytics.
Account information
You sign in to the app with Sign in with Apple or Google Sign-In. There is no email-and-password signup. The first time you sign in, the following is stored in our database to support your account:
- Display name — Used to identify you to your teammates within the app. Initially taken from your Apple or Google account; you can edit it from the Profile screen.
- Authentication identifier (UID) — A unique ID generated by Firebase Authentication when you sign in. Used to link your team membership and your High Fives to your account.
- Profile timestamps — When your account was created and when your display name was last changed.
About your email. Your email address is provided by Apple or Google to Firebase Authentication as part of the sign-in flow. It is held by Firebase Authentication only and is not copied into our Firestore database. We do not use your email for marketing, newsletters, or account-recovery flows — Apple and Google handle account recovery on their side.
Team and recognition data
While using the app, the following is stored so that the core functionality works:
- Team membership — The teams you belong to, your role in each (creator or member), the display name shown for you within the team, and when you joined.
- Team configuration — The team’s type (a “team” or a “family” — both work the same way and store the same data), name, emoji, the list of shared values, the season start and end dates, an invite code used to let new members join, and the weekly High Five limit. Created and edited by the team creator.
- High Fives — The recognition messages you send and receive within your teams. Each High Five includes the sender’s name and ID, the recipient’s name and ID, the chosen value (name and emoji), the message text, a timestamp, who has liked it, and — if a member reports it for moderation — who flagged it.
Notification token
If you grant notification permission, we store a Firebase Cloud Messaging device token so the app can deliver push notifications about activity in your team. The token is associated with your account.
How We Use Your Information
Your data is used solely to provide the app’s functionality:
- Authenticate you when you sign in
- Show you your team, teammates, and the High Fives you’ve sent or received
- Display the activity feed and Team Pulse insights to other members of your team
- Send push notifications to you when relevant
- Apply usage rules within the app (such as the weekly High Five quota)
- Diagnose and fix bugs through automatic crash and error reports (see Firebase Crashlytics below)
- Verify that requests come from a legitimate copy of the app, helping deter abuse (see Firebase App Check below)
Legal Basis for Processing (EU/UK Users)
If you are based in the EU or the UK, our legal bases for processing your personal data under the GDPR are:
- Performance of a contract (Art. 6(1)(b) GDPR). Creating and maintaining your account, your team membership, and the High Fives you send and receive are processed to provide the service you’ve chosen to use.
- Legitimate interests (Art. 6(1)(f) GDPR). We process crash and error reports through Firebase Crashlytics, and we validate app integrity through Firebase App Check, to maintain a stable and abuse-resistant service. We balance these interests against your privacy and use the minimum data needed.
- Consent (Art. 6(1)(a) GDPR). Push notifications are sent only with your explicit consent (the operating system permission prompt). You can withdraw this consent at any time in your device settings.
Where Your Data Lives
Your data is stored in Firebase (Google Cloud Platform), specifically:
- Firebase Authentication for sign-in.
- Cloud Firestore for team data, members, and High Fives.
- Firebase Cloud Messaging for push notifications.
- Firebase Crashlytics for automatic crash and error reports, enabled in release builds only. Reports include a stack trace, basic device metadata (device model, OS version, app version, and an anonymous installation identifier), and information about what the app was doing when it crashed. They do not include the contents of your messages, your display name, or your email.
- Firebase App Check to validate that requests to our backend come from a legitimate copy of the app. App Check uses Apple App Attest on iOS and Google Play Integrity on Android — these are device-attestation services provided by Apple and Google. App Check does not transmit personal information about you.
Firebase is provided by Google. By using the app, you also accept Google’s Firebase Privacy and Security terms.
Data is stored in Google’s data centers located in the European Union.
Data Retention
We keep your personal data only for as long as it is needed:
- Account data, team membership, and High Fives are kept until you delete your account, leave a team, or the team is deleted. Once removed, they cannot be recovered.
- Crash and error reports (Firebase Crashlytics) are retained for up to 90 days, then deleted automatically.
- App Check tokens are short-lived (typically valid for around an hour) and are not retained beyond their validity window.
- Backups may persist for a short window after deletion as part of normal cloud-database operations, and are overwritten on Firebase’s standard backup cycle.
After deletion, anonymized aggregated data may remain in our systems where it cannot be linked back to you.
Who Can See Your Data
- Your teammates can see your name, the High Fives you’ve sent and received within the team, and the activity feed.
- Team creators can additionally edit team settings (name, emoji, values, season dates, weekly High Five limit) and remove members. They do not see anything more than a regular member can see.
- Any signed-in user of the app can look up your display name by your user identifier — this is how the app resolves member names across invitations and lookups. Your email address is not exposed this way (it stays in Firebase Authentication).
- Removed members immediately lose access to the team’s data.
- We (the developer) do not access individual user data except as strictly necessary to maintain the service or to comply with legal obligations.
- No data is shared with third parties other than the Firebase services described above.
Data We Do NOT Collect
To the best of our knowledge, the app does not:
- Use third-party analytics or tracking services
- Use advertising or ad identifiers
- Access location, contacts, photos, camera, or microphone
- Sell or share your data with marketing partners
Children’s Privacy
What A Team is intended for users aged 13 and older (or the higher minimum age that applies in your jurisdiction). We do not knowingly collect personal data from children under that age. If you believe a child has provided personal data through the app, please contact us using the details on the Impressum page and we will delete it. See also our Child Safety Standards.
Your Rights
You have the right to:
- Access — See the data the app holds about you (your profile, your High Fives, your team membership) directly within the app.
- Edit — Update your display name from the Profile screen.
- Leave a team — Leave a team at any time from the Team Settings screen, removing your access to that team’s data.
- Delete your account — You can permanently delete your account directly from inside the app: open the Profile tab and tap “Delete my account”. This removes your profile, your team membership, and every High Five you’ve sent or received. The action is immediate and cannot be undone. If you need help or are unable to access the app, you can also email us at the contact address listed in the Impressum.
If you are based in the EU, the UK, or another jurisdiction with applicable data protection laws, you may have additional rights under those laws (such as GDPR rights to access, rectification, erasure, restriction, portability, and objection). To exercise any of these rights, contact us using the details on the Impressum page.
Right to lodge a complaint. If you are based in the EU and believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a data protection supervisory authority. In Germany, the competent authority for our operations is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) — ldi.nrw.de.
Third-Party Services
The app uses the following third-party services. Each has its own privacy policy:
- Firebase / Google Cloud — Backend services (Authentication, Firestore, Cloud Messaging, Crashlytics, App Check). Privacy policy
- Google Sign-In — One of the two ways you sign in. Privacy policy
- Sign in with Apple — One of the two ways you sign in. Privacy policy
- Apple App Attest (iOS only) — Used by Firebase App Check to verify the app is genuine. Apple’s privacy practices for App Attest are described in their Privacy Policy.
- Google Play Integrity (Android only) — Used by Firebase App Check to verify the app is genuine. Privacy information.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date.
Contact
If you have questions about this privacy policy, you can reach us via the contact details on the Impressum page.