This policy explains what we collect on www.finto.fun during the pre-launch waitlist phase, why we collect it, where it lives, and how to remove yourself. Plain language; no surprises. The full policy for the live Finto product will replace this page before public launch and will cover the in-app data flows that don’t exist yet.
1. Who is responsible
The data controller for finto.fun is:
- Entity: BRBR GROUP
- Address: 2025 BRBR GROUP · Sheridan, Wyoming, USA
- Privacy contact: privacy@finto.fun
- General contact: hello@finto.fun
Privacy and data-rights requests are handled by the founders at privacy@finto.fun. Use hello@finto.fun for everything else.
2. What we collect
On this pre-launch landing site, the only personal data we collect is submitted by you when you join the waitlist. From the form we receive:
- Email address — what you typed.
- Source — which page submitted (e.g. landing/world-cup-2026).
- Locale — your browser’s preferred language code if available (e.g. en-US).
- Timestamp — when the submission was received (server time).
- User-Agent string and referring URL — standard HTTP headers your browser sends with every request.
For abuse prevention we additionally store:
- A salted SHA-256 hash of your IP address in short-lived rate-limit counters. We never store the raw IP.
- A SHA-256 hash of your normalised email as the document ID. This is what de-duplicates submissions; we cannot reverse it back to your email.
- A timestamp window for rate limiting that auto-expires.
We do not collect: payment data, identity documents, location beyond what your browser sends, contacts, behavioural tracking, cross-site advertising identifiers, or any data about gambling, wagering, or betting (because Finto does none of those things).
3. Why we collect it
- Waitlist / early access: to email you once when groups open.
- Security and abuse prevention: rate limiting and bot detection so the form isn’t abused.
- Service operations: debugging if the form misbehaves; basic operational telemetry from our hosting providers.
4. Legal basis
For visitors in the EU/UK we rely on:
- Consent — you submitted your email knowing it would be used for an early-access announcement (Art. 6(1)(a) GDPR).
- Legitimate interests — protecting the form from abuse and operating the site (Art. 6(1)(f) GDPR).
Note for legal review: The exact legal-basis wording will be finalised by counsel before public launch, particularly the consent flow when we add a launch-announcement email.
5. Where your data lives
- Email + signup metadata: stored in Firestore (Google Cloud) in the United States (region us-central1).
- Site hosting: the static landing is served by Vercel from its global edge network.
- Email forwarding: messages sent to hello@finto.fun are forwarded by ImprovMX to a founder inbox.
Your email may therefore be transmitted to / processed in the United States. Both Google Cloud and Vercel rely on Standard Contractual Clauses for international transfers.
6. How long we keep your data
- Email + signup record: until launch and the launch announcement is sent, or until you ask us to delete it — whichever comes first.
- Rate-limit counters: hashed records expire and are auto-deleted via Firestore TTL within 24-48 hours.
- Operational logs from our hosting providers are kept for the providers’ standard retention windows (typically 30 days).
7. We don’t sell or share your data
We do not sell your personal data. We do not share it with advertisers or marketing networks. We do not run third-party analytics or tracking on this site today. The only third parties involved are the infrastructure providers listed in §5, and they only see what they need to in order to host or transmit your request.
8. Your rights
You can ask us to:
- Confirm whether we hold any data about you.
- Send you a copy of the data we hold (right of access).
- Correct anything that is wrong.
- Delete your data (right to erasure / “right to be forgotten”).
- Restrict or object to processing.
- Withdraw consent at any time.
- Lodge a complaint with your local data protection authority.
To exercise any of these, email privacy@finto.fun from the address you signed up with (or include enough information for us to verify you). We will respond within 30 days, usually within 7.
9. Children
Finto is not intended for children under 13. The minimum age to join the waitlist or use the live Finto product is 13 years. If you are under 13, please do not submit your email here, and ask a parent or guardian if you would like to use a service like Finto. If you believe a child under 13 has submitted their email, contact privacy@finto.fun and we will delete the record promptly.
Per-jurisdiction adjustments (e.g. higher age thresholds in some EU member states under GDPR Art. 8) and the in-product age-verification mechanism are still under review and will be finalised here before the live product launches.
10. Security
Submissions travel over HTTPS. The waitlist endpoint enforces a CORS allowlist, payload size limits, a honeypot, form-timing checks, and sliding-window rate limits. We use Firebase Security Rules to ensure no third party can read or modify the waitlist collection directly. No system is perfect — if you spot a vulnerability, please email hello@finto.fun with subject “Security” and we’ll respond as fast as we can.
11. Changes to this policy
When this policy changes we will update the “Last updated” date at the top. Material changes (anything that expands what we collect or how we use it) will be flagged here for at least 30 days before they take effect, and where possible communicated by email to waitlist members.
12. Independence
Finto is an independent prediction game and is not affiliated with FIFA or the FIFA World Cup. References to the World Cup are nominal; the trademarks belong to FIFA.