Privacy Policy

AI Cricket Auction: Multiplayer

YOUR DATA
STAYS
YOURS.

No tracking  ·  No ads  ·  No accounts

Effective: June 2026
Read on
The Short Version

Three sentences. Whole truth.

🚫
Zero Personal Data
No name, email, phone, or any personal identifier is collected. Ever.
🔒
Anonymous by Design
Firebase Anonymous Auth — no sign-up, no account, no user profile linked to you.
📡
Network = Multiplayer Only
Solo vs AI is 100% offline after splash. Network calls happen only when you join a live room.
What We Don't Collect

The full list.
All refused.

👤Name, username, or display name
📧Email address or phone number
📍Location or GPS coordinates
📷Camera, microphone, or photo access
🗂️Contacts or address book
📊Analytics, telemetry, or crash reports
🎯Advertising identifiers (IDFA / tracking)
💳Payment information (no purchases exist)
🌐Browsing history or cross-app tracking
🏷️Device fingerprint or hardware identifiers
Firebase Anonymous Authentication

How we connect
without knowing you.

Multiplayer needs a way to separate players without making you sign up. Firebase Anonymous Auth is the solution — here's exactly what happens on your device.

🔐  Transparent auth flow — step by step
1
App opens — one silent POST
On first launch, the app makes a single silent request to the Firebase Anonymous Auth API. No name, no email, no device ID is included in the request body.
2
Firebase returns an anonymous UID
Firebase generates a random, anonymous localId. No personal information is attached. Stored locally as fb_uid. The refresh token is stored as fb_refresh_token. A stable fallback UUID is kept as fb_local_uid.
3
Token auto-refreshes silently
The ID token expires after 1 hour. The app refreshes it automatically via the Firebase Secure Token API, 5 minutes before expiry. No login screen. No user action required. Ever.
4
Multiplayer: token gates the room
When you join a room, the ID token is appended as ?auth=TOKEN to all Firebase Realtime Database requests. Firebase Security Rules enforce auth != null — keeping bots and unauthenticated scripts out, without knowing who you are.
5
Solo mode: token is never used in gameplay
Solo vs AI runs completely offline. The token fetch fires on splash (one call) to keep auth warm. Zero game data leaves your device during Solo play.
Local Storage

Three keys. Nothing personal.

The app writes exactly three values to UserDefaults on your device — all anonymous session tokens.

KeyTypeWhat it stores
fb_uid String Firebase Anonymous Auth localId — a random UUID with no personal information. Used to identify your session within a multiplayer room.
fb_local_uid String Fallback UUID generated locally on first launch, before Firebase auth completes. Guarantees a stable device identity even before the first network call returns.
fb_refresh_token String Firebase long-lived refresh token. Used to silently renew the 1-hour ID token. Opaque to the app — contains no personal data, cannot be used to identify you.
Network Endpoints

Every server this app contacts.

Three Firebase services, all HTTPS. No analytics. No ad networks. No third-party SDKs. Nothing else.

ServiceWhenPurpose
Firebase Auth API Both Firebase Anonymous Authentication — issues the initial anonymous session token on first launch. No personal data included.
Firebase Token API Both Firebase Secure Token service — silently renews the session token before it expires. No user action or login required.
Firebase Realtime Database Multiplayer only Stores active multiplayer room state only. Data is ephemeral — it exists only while a live game session is running. Solo vs AI makes zero calls during gameplay.
Security

Built-in protections.

🔐
Auth-gated database rules
Firebase Security Rules enforce auth != null on every read and write. Unauthenticated bots and scripts are blocked at the database level.
⚛️
ETag atomic transactions
Every bid uses ETag-based conditional writes. If two players bid at the exact same millisecond, Firebase guarantees only one wins — no duplicates, no race conditions.
🔁
In-app rate limiting
Room creation: max 3 per minute per device. Room joins: max 10 attempts per minute. Enforced in-app before any network call is made.
🛡️
HTTPS everywhere, ATS enforced
Every network request uses HTTPS. App Transport Security (ATS) is enforced by iOS at the OS level — no plain-text requests are possible.
🔏
Privacy questions?
Questions about this policy, what Firebase stores, or how to remove your anonymous session — email us and we'll reply plainly and quickly.
vivekkommareddy2023@gmail.com