Privacy Policy
Last updated: 14 June 2026
This Privacy Policy explains how Today's Take collects, uses, and protects your personal data when you use our mobile application ("App"). The data controller is Todays Take Ltd (company number 17193304, registered office 124 City Road, London, EC1V 2NX), registered with the UK Information Commissioner's Office under registration number ZC148137. You can contact us at admin@todaystake.app.
1. Data We Collect
Account data
When you sign up, we collect your email address, a username you choose, and your date of birth (which we use to verify you meet our minimum age of 16). If you sign in via Apple Sign-In or Google OAuth, we receive the identity token, email address, and (where provided) display name from that service. Apple and Google act as authentication processors for this purpose.
Photos
When you submit a photo, we store the image along with metadata such as the time of submission and the associated daily prompt. We generate resized versions (1080px and 400px WebP) for display purposes.
Location data (optional)
If you enable location sharing in Settings, we use on-device geocoding to determine your city and country when you submit a photo. This data is stored alongside your photo. You can disable location sharing at any time, and future submissions will not include location data. We do not collect precise GPS coordinates.
Activity data
We store your votes, competition results, scores, badges, follows, blocks, and reports to operate the competition, enforce community guidelines, and display leaderboards.
Feedback you give us
If you rate a daily prompt or leave a comment on it, we store your rating and comment. Comments are seen by us (and our admins) only, not by other users, and are used to improve the quality of future prompts.
Analytics data (legitimate interest)
We collect minimal usage events (such as app opens, photo submissions, shares, and camera activity) to understand how the App is used and to improve it. These events are linked to your account, so they are pseudonymised rather than anonymous. This data is stored in our own database (Supabase, hosted in the EU) and is not shared with any third party. We rely on our legitimate interest in improving the App as the legal basis for this processing (see §2). You can opt out at any time in Settings → Privacy → Usage Analytics, which stops further collection immediately.
Crash data (legitimate interest)
We use Firebase Crashlytics to collect crash reports including device type, operating-system version, and your account user ID so we can investigate stability issues. Crashlytics is operated by Google, and the crash data is processed on Google's infrastructure. We rely on our legitimate interest in maintaining a reliable service. You can learn more about Google's data practices at policies.google.com/privacy.
Push notification tokens
If you enable notifications, we store a push notification token linked to your account. Push notifications are delivered via Expo's push notification service. You can disable notifications in the App's settings at any time.
Operational logs
To keep the App running reliably and to protect against abuse, we keep minimal operational logs: rate-limit counters (your user ID plus an action and a timestamp), audit-log entries for admin actions taken on your records, and per-day records of which photos you have already viewed so the voting feed does not repeat photos.
Local storage
We store authentication session tokens, notification preferences, consent choices, and temporary cache data on your device using AsyncStorage. This data remains on your device and is cleared when you log out or delete the App.
2. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Contract performance: account data, photos, votes, scores, badges, push tokens for service notifications (such as the daily prompt), and feedback you give us — all processed to provide the competition service you signed up for.
- Legitimate interests: automated content moderation to maintain a safe environment; usage analytics to improve the App; crash reporting for service reliability; operational logs for security and abuse prevention; and promotional use of competition photos that contain no identifiable individuals (and without your username or any other identifier attached) to advertise the App. You may object to this promotional use at any time by emailing admin@todaystake.app, and we will stop using the photo in new marketing materials.
- Consent: location data collection; marketing-style push notifications. You can grant or withdraw each of these in Settings at any time, and withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
- Legal obligation: responding to lawful requests from authorities where required, and complying with our record-keeping duties.
3. How We Use Your Data
We use your data to: operate the daily competition; display your photos to other users for voting; calculate scores and leaderboards; send service push notifications (and, with consent, marketing pushes); moderate content for safety; analyse usage patterns to improve the App; and diagnose crashes and bugs. We do not sell your personal data to third parties, and we do not share it with third parties for their own advertising. We do not run programmatic ads or build advertising profiles about you.
One thing we do do: if you choose to submit a photo to a public competition, we may use that photo in our own marketing to advertise the App — for example in app-store listings, on our website and social-media channels, and in advertisements for the App. We will only ever use photos in which no identifiable individual appears — never a photo in which a person's face is visible, or in which a person is otherwise identifiable, whether as the subject of the photo or in the background — and we will not attach your username or any other identifier to the photo. This is our own promotional use; we do not sell or hand your photos to third-party advertisers. This is described in section 3 of the Terms of Service. If you would prefer a particular photo not be used this way, email admin@todaystake.app.
When you choose to share your photo outside the App via a link, we generate a shareable link that includes your user ID and the relevant prompt date. The link opens a landing page on our website that then opens the photo inside the App, where your photo and username are shown to whoever opened the link. The link is not access-controlled, so anyone you send it to can open it. The website landing page itself does not display your photo, and we set a no-index header so that search engines do not index it. You can take a shared photo down by deleting it in the App.
4. Automated Decision-Making
Submitted photos are automatically screened by OpenAI's omni-moderation model. We pass a temporary URL of your photo to OpenAI; OpenAI then downloads and analyses the image itself to detect content that violates our guidelines. OpenAI receives the image; it does not receive your username, email, or any other identifier from us. Under OpenAI's standard API policy, OpenAI may retain the image for up to 30 days for abuse-monitoring purposes; the image is not used to train OpenAI's models. Where the model flags a photo with high confidence, the submission is rejected automatically and we show you a brief statement of reasons inside the App. Under GDPR Article 22 you have the right to obtain human intervention, express your point of view, and contest the decision — email admin@todaystake.app and we will manually review within 30 days.
5. Where Your Data Is Stored and International Transfers
Database and authentication
Your account data, votes, scores, feedback, and other metadata are stored in the European Union using Supabase (hosted on AWS infrastructure in the EU). Supabase acts as a processor under a signed Data Processing Agreement.
Photos
Photos are stored in Cloudflare R2 in the European Union. When users access photos, Cloudflare's global content-delivery network (CDN) may temporarily cache image bytes on edge servers worldwide so they load quickly. Because photos can contain identifying information (for example a recognisable face), we treat these CDN copies as personal data too. Any resulting international transfers are covered by Cloudflare's Standard Contractual Clauses (Cloudflare's customer Data Processing Addendum, available at cloudflare.com/cloudflare-customer-dpa). Cache copies typically expire within 24–72 hours.
International transfers
Some of our sub-processors are based in the United States. Transfers to the US are protected by Standard Contractual Clauses (SCCs) executed with the relevant sub-processor and, where the sub-processor is self-certified, the EU-US Data Privacy Framework (DPF). The sub-processors involved in international transfers are OpenAI (content moderation, US), Google/Firebase (analytics and crash reporting, US), and Expo (push notification delivery, US). Signed DPAs are on file for each of these. You can request a copy of the relevant transfer mechanism by emailing admin@todaystake.app.
6. Sub-Processors and Recipients
We share data only with the service providers and personnel necessary to operate the App:
- Supabase (AWS EU) — database, authentication, and server-side functions. DPA in place.
- Cloudflare (EU primary storage, global CDN) — photo storage and delivery. DPA in place.
- OpenAI (US) — automated photo moderation. Receives the image only; no identifiers from us. Images may be retained for up to 30 days for abuse monitoring under OpenAI's standard API policy and are not used to train OpenAI's models. DPA in place.
- Google/Firebase (US) — crash reports (legitimate interest). DPA in place.
- Expo (US) — push notification delivery service. DPA in place.
- Apple and Google — authentication providers. They receive metadata about your authentication events with our App (such as when and how often you sign in) in order to authenticate you. They do not receive any other data about your activity in our App.
- Authorised personnel of Todays Take Ltd — for moderation, support, fraud prevention, and platform operations. Admin actions on user records are recorded in an internal audit log.
We do not share your data with advertisers or data brokers. A current list of sub-processors is published at todaystake.app/legal/subprocessors and is updated when sub-processors change.
7. Trackers We Use on Your Device
The mobile app does not use HTTP cookies, but applicable privacy law treats any information stored on or read from your device the same way. The trackers we use are:
- Supabase session token (in AsyncStorage) — authentication. Strictly necessary. Removed on logout.
- Crashlytics installation ID — crash correlation. Legitimate interest (service reliability). Up to 90 days.
- Notification preferences and locale (in AsyncStorage) — remembering your choices. Strictly necessary. Cleared when you delete the App.
8. Your Rights
You can view and edit your profile information in the App at any time. You can delete your account from the Settings screen, which offers two options.
Standard deletion (recommended): your account is deactivated immediately — other users can no longer see your profile, photos, or votes, and your data is excluded from feeds and leaderboards — and you have 30 days to sign back in and cancel the deletion. If you do not cancel, your personal data is permanently deleted within 30 days of the cancellation window ending.
Immediate deletion: from the pending-deletion screen you can also choose to skip the cancellation window. We will ban your account so that you cannot sign back in, and permanently delete your personal data within 30 days from that point.
In both cases the 30-day deletion guarantee runs from the date deletion takes effect (the end of the cancellation window for standard deletion; the moment you confirm for immediate deletion) and does not include any cancellation period offered. In the rare event that a technical issue with our storage provider prevents deletion within that window, we will complete deletion as soon as possible thereafter. CDN cache copies typically expire within 24–72 hours and disaster-recovery backups roll over within 30 days.
If you are in the UK or the EU/EEA, you have the following rights under the UK GDPR / GDPR:
- Right of access: obtain a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate personal data.
- Right to erasure: request deletion of your personal data.
- Right to restrict processing: ask us to limit how we use your data.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests.
- Right to withdraw consent: where processing is based on consent (location data, marketing push notifications), you can withdraw it at any time via the App's Settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. For analytics (processed under legitimate interest), you can exercise your right to object via the opt-out toggle in Settings → Privacy → Usage Analytics.
- Rights related to automated decision-making: where a decision affecting you is made automatically (currently: photo moderation), you have the right under Article 22 to obtain human intervention, express your point of view, and contest the decision.
To exercise any of these rights, contact us at admin@todaystake.app. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. If you are in the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EU, you may contact your local data protection authority.
9. Data Retention
We keep different categories of data for different periods:
- Account, profile, photos, votes, feedback: kept while your account is active. When you delete your account it is deactivated immediately and the underlying data is permanently deleted within 30 days of the deletion taking effect — the end of the cancellation window for standard deletion, or the moment you confirm for immediate deletion. CDN cache copies expire within 24–72 hours; backups roll over within 30 days.
- Push notification tokens: until you disable notifications or delete the App.
- Analytics events: raw data retained for 90 days; daily aggregated statistics retained indefinitely.
- Crashlytics crash reports: 90 days.
- Admin audit-log entries: 7 years, to satisfy UK accountability and record-keeping duties.
- Rate-limit counters: 24 hours.
- OpenAI moderation API requests: up to 30 days on OpenAI's side for abuse monitoring, per their standard API policy; not used for model training.
10. Data Breach Notification
If a personal data breach occurs and we are required to notify regulators, we will notify the UK ICO (and, where relevant, the lead EU supervisory authority) within 72 hours of becoming aware of the breach, as required by Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in line with Article 34.
11. Children
The App is not intended for children under 16. We collect your date of birth at signup and reject anyone who does not meet this minimum age. If we become aware that an account was created by someone under 16, we delete the account and the associated data promptly, and (where we can identify a parent or guardian) we will contact them to confirm. If you believe a child under 16 has provided us with personal data, please contact us at admin@todaystake.app and we will act.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App at least 30 days before the changes take effect.
13. Contact
If you have questions about this Privacy Policy or your data, please contact us at admin@todaystake.app, or by post at 124 City Road, London, EC1V 2NX. Our ICO registration number is ZC148137.