90+
LEGAL · PRIVACY POLICY

Privacy Policy

90+ Privacy Policy

EOM LLC ("we" or "us") publishes this Privacy Policy to describe how we handle user data in the mobile application and website 90+ ("the Service"). This Policy reflects Japan's Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA / CPRA). By using the Service you agree to this Policy.

1. Definitions

  1. Personal Information: information as defined in the APPI; information about a living individual that can identify a specific individual by the name, contact details or other descriptions contained therein.
  2. Activity and Attribute Information: non-personal information about a user's interactions with the Service (timestamps, usage patterns, environment, IP address, cookies, device identifiers, etc.).
  3. Personal-Related Information: cookies, browsing history, advertising identifiers and other information that cannot identify an individual unless combined with other information.
  4. Privacy Information: collective term for items 1 through 3 above.
  5. Should we later handle "pseudonymised information" or "anonymised information" as defined under the APPI, the safeguards and third-party-provision provisions of this Policy apply by analogy.

2. Design principle

The Service requires no account. We do not collect any directly identifying information such as name, email, or phone number. Each install is identified by an anonymous UUID generated on the device at first launch.

3. Data we collect

3-1. Anonymous user identifier

  • UUID — a random string generated on the device at first launch, used as the destination ID for writes (e.g., saving favorites). Not linked to any identifying information.
  • HMAC signing key — a secret used to authenticate writes, stored on the device (iOS Keychain / Android Keystore) and never sent to our servers.

3-2. User preferences

  • Display language
  • Favorite teams (FIFA 3-letter codes)
  • Notification preferences
  • Display timezone

3-3. Push notification token

Only when you enable notifications, we receive a push token issued by the Expo Push Service. It is used solely to deliver notifications and cannot be used to identify you.

3-4. What we do NOT collect

  • Name, email, phone number, postal address
  • Location data (no device-location tracking)
  • Contacts, photo library, on-device files
  • Social media accounts, payment information
  • Advertising identifiers (IDFA / AAID are not used)

4. How data is collected

Type Method
Anonymous UUID Generated on device at first launch
HMAC signing key Generated on device; stored in Keychain / Keystore
User preferences Entered/edited by the user from the Settings screen
Push notification token Issued automatically by Expo Push Service when notifications are enabled

5. Purposes and legal bases

We use collected data for the following purposes. For users to whom GDPR applies, the legal basis for each purpose is shown below.

Purpose GDPR legal basis
Provide and operate the Service Performance of a contract (Art. 6(1)(b))
Deliver push notifications Consent (Art. 6(1)(a)); revocable at any time
Detect, analyze and fix bugs Legitimate interest (Art. 6(1)(f))
Improve Service features Legitimate interest (Art. 6(1)(f))
Send important notices (policy / terms changes) Performance of contract / legal obligation (Art. 6(1)(b)/(c))

We will obtain your prior consent before using data for any purpose not listed above.

6. Security measures

  • Transport encryption — all traffic between the Service and our servers uses TLS.
  • Write authenticity — preference writes are verified via HMAC-SHA256 signatures.
  • On-device secret protection — the HMAC signing key is stored in iOS Keychain / Android Keystore and is removed when the app is uninstalled.
  • Access control — server-side user data is accessible only to personnel with the minimum necessary privileges for operations.
  • Data centre location — user data is stored on the Cloudflare edge network (US, EU, UK and other regions).

7. Incident notification

In the event of leakage, loss, damage or other compromise of personal information ("Incident"), we will promptly confirm the facts, assess the extent of external exposure and recurrence risk, and notify Japan's Personal Information Protection Commission and affected users in principle within 72 hours of becoming aware. If notification is delayed, we will explain the reason and follow up as soon as further information is confirmed.

8. Third-party processors

We entrust the following third parties with processing of data only to the extent necessary to operate the Service. Under the APPI, these are "outsourcing" relationships rather than "third-party provision". Each processor's privacy policy is linked below.

Processor Data handled Means Privacy policy
Cloudflare (Workers / D1 / KV / Queues) User preferences, anonymous UUID, push tokens API https://www.cloudflare.com/privacypolicy/
Expo (Expo Push Service) Push notification token, message body API https://expo.dev/privacy
football-data.org Request information made when fetching match data API Privacy Policy at the bottom of the About page
Apple Inc. Distribution-related data (not collected by us) App Store https://www.apple.com/legal/privacy/
Google LLC Distribution-related data (not collected by us) Google Play https://policies.google.com/privacy

We do not share user data with any other third party without your prior consent, except as required by law or as needed to protect life, body or property.

The Service contains no ad SDKs, no behavioural trackers, and no third-party analytics.

9. International data transfers

The Service may store and process data on servers located in the US, EU, UK or other regions (primarily on the Cloudflare edge network). For transfers outside Japan we rely on the following safeguards:

  • EU adequacy decision for Japan: In 2019 the European Commission recognised Japan as providing "an adequate level of protection for personal data". Transfers from the EU to Japan are therefore generally possible without additional measures.
  • EU Standard Contractual Clauses (SCCs) / UK International Data Transfer Agreement (IDTA): for processors located in the US or other non-adequate jurisdictions, we rely on these contractual clauses.
  • EU-US Data Privacy Framework (DPF): if a US-based processor self-certifies under the DPF, we may also rely on the DPF.

10. Data retention

Type Retention
Anonymous UUID + preferences Until 24 months of inactivity, or upon explicit deletion request
Push notification token 30 days after notifications are disabled or the app is uninstalled
Server operation logs Up to 30 days for quality monitoring

11. Your rights

11-1. Rights under the APPI (Articles 28–30)

Users resident in Japan have the following rights under Articles 28–30 of the APPI:

  • Right to request disclosure (Art. 28)
  • Right to request correction, addition or deletion (Art. 29)
  • Right to request cessation of use, erasure or cessation of third-party provision (Art. 30)

11-2. Rights under GDPR / UK GDPR (Articles 15–22)

Users resident in the EEA or UK have the following rights:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right not to be subject to automated decision-making (Art. 22)
  • Right to lodge a complaint with a supervisory authority

11-3. CCPA / CPRA (California residents)

California residents have the following rights:

  • Right to know what personal information is collected, used and shared
  • Right to delete personal information
  • Right to correct personal information
  • Right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioural advertising)
  • Right to non-discrimination for exercising these rights

11-4. How to exercise rights

To exercise any of the rights above, please contact us via the form in Section 17. We may request information to verify your identity. We will respond in writing or by email within two weeks of receipt where possible. If you uninstall the app, your UUID and associated data are purged from our servers via scheduled expiry; for immediate deletion, please use the same contact channel.

12. Cookies and similar technologies

The web version (90plus.babelfc.com) uses a single browser cookie (PARAGLIDE_LOCALE) to remember your display language. The app does not use cookies. We do not use cookies for advertising or third-party analytics.

13. Children's privacy

The Service is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child's data has been submitted to us, please contact us using the form in Section 17.

14. Apple App Tracking Transparency (ATT)

The Service does not engage in any activity that falls under "tracking" as defined by Apple's ATT framework. Specifically, we do not collect IDFA (Identifier for Advertisers), we do not track users across other apps or websites, and we do not share personal information with data brokers. The Service therefore does not display the ATT permission prompt.

15. Changes to this Policy

We may revise this Policy as needed. We will announce material changes in-app or on the website and, where required by law, provide reasonable advance notice. The revised Policy is effective when posted in the Service.

16. Governing law

This Policy is interpreted under the laws of Japan.

17. Contact

For questions or requests regarding this Policy or your data, please use the form below. If you live in the EEA or UK and your concerns are not resolved, you have the right to lodge a complaint with your local data-protection authority.

18. Established / Last updated

  • Established: 2026-05-17
  • Last updated: 2026-05-17