Privacy Policy — KplaWY Instant Replay 22s
Last updated: June 7, 2026
Version: 1.0
Applies to: the KplaWY Instant Replay 22s app (iOS, Android, Apple Watch,
Wear OS) and the kplawy.app website.
Quick summary (in plain language)
This box is a summary. The full text below is what governs legally.
What we collect: your email and name (so you have an account), your subscription status, and technical identifiers from your device (for diagnostics). When you use Sign in with Apple, we store a token so we can revoke your access if you delete your account.
What we do NOT collect: your videos do not go to our servers — they stay on your phone. If you turn on backup, they go to your own Google Drive, not to us. We do not see your card data (billing is handled by Apple/Google). We do not collect location, contacts, or use any tracking for advertising.
Your rights: you can access, correct, export, and delete your account and data at any time, directly in the app.
1. Who is responsible for your data
The party responsible (the data controller, under Article 5, VI of Brazil's LGPD — Law No. 13.709/2018) for processing your personal data is:
- Responsible party: Natan Kaway da Silva Pereira, an individual (natural person) responsible for the KplaWY app.
- Contact: kplawyapp@gmail.com (see "How to contact us")
2. What data we collect
| Category | What it is | Where it comes from |
|---|---|---|
| Identification | Email, display name, internal account identifier | When you create an account with Google, Apple, or email |
| Apple credential | A Sign in with Apple refresh token | Only if you sign in with Apple — used to revoke your access when you delete the account |
| Device | A random identifier generated by the app (not your device's serial number), the device model and name, the app version | Generated on install; sent to our server for usage diagnostics |
| Subscription | Your subscription status (free/Pro), purchase history, trial state | From RevenueCat and the stores (App Store / Google Play) |
| Backup (optional) | Backup status and counts, your Drive folder identifier | Only if you enable backup; kept on your device |
| Diagnostics | Crash reports + device information (Firebase Crashlytics) | When the app crashes, to fix errors — you can turn this off in Account → "Send crash reports" |
Data collected by the infrastructure (not by the app) — IP address: Google Firebase automatically logs the IP address of each connection as part of how the platform operates. We do not access or use this data — it stays in Google Cloud's operational logs under their retention policy. We mention it here for transparency, since IP is considered personal data under GDPR, the LGPD, and the CCPA.
Important about your videos: the clips (replays) you record are NOT sent to our servers. They stay on your device (in your photo library). If you enable backup, they go to your own Google Drive — never to us. We do not have a copy of your videos.
What we do NOT collect: card or payment data (processed entirely by Apple
and Google), location (GPS), contacts, calendar, health data, persistent
hardware identifiers, or any data for advertising tracking (on iOS we declare
NSPrivacyTracking = false).
3. How we use your data (purposes and lawful basis)
| Data | Purpose | Lawful basis |
|---|---|---|
| Email, name, account identifier | Create and maintain your account; authenticate you | Performance of a contract (GDPR Art. 6(1)(b)) |
| Apple token (refresh token) | Revoke your access with Apple when you delete the account (Apple requirement) | Legal obligation (Art. 6(1)(c)) + contract (b) |
| Device identifier + model + name | Diagnostics and improvement — understanding multi-device usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Crash reports + device info (Crashlytics) | Fix errors and crashes; app stability | Legitimate interest (Art. 6(1)(f)) — can be turned off in Account |
| Subscription and trial state | Unlock Pro features; manage the single trial period | Performance of a contract (Art. 6(1)(b)) |
| Backup metadata | Manage the backup queue you enabled | Performance of a contract (Art. 6(1)(b)) |
| IP address | Platform security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Consent (onboarding) | Record your acceptance of this Policy and the Terms | Consent (Art. 6(1)(a)) |
About "legitimate interest" for device data: we collect the minimum needed (a random identifier, model, name, and version) for diagnostics and product improvement. We do not use this data to block usage across multiple devices, to profile you, or for advertising.
Brazil (LGPD) mapping: the bases above correspond to LGPD Art. 7º: contract = V, legal obligation = II, legitimate interest = IX, consent = I.
4. Who we share data with
We do not sell your data. We share only with the technical partners strictly necessary for the app to work.
The partners below act as processors (under the GDPR) / operators (under the LGPD) — they process data on our instructions, not for their own purposes. There are no joint controllers.
| Partner | Company | Purpose |
|---|---|---|
| Firebase (Authentication, Functions, Firestore) | Google LLC | Login, backend, storage of your account data |
| Google Sign-In | Google LLC | Login with a Google account |
| Google Drive | Google LLC | Optional backup of your clips in your own Drive account |
| Sign in with Apple | Apple Inc. | Login with an Apple account |
| RevenueCat | RevenueCat Inc. | Subscription management |
| App Store / Google Play | Apple Inc. / Google LLC | Processing the subscription payment |
Each partner has its own privacy policy; links are in "Useful links" at the end.
Access to your Google Drive: when you enable backup, the app requests
restricted access (drive.file scope) — meaning it can only see and manage
the files it created in your Drive. We do not have access to the rest of
your Drive or your other files.
5. International data transfers
The partners above process data on servers in the United States. This means your data may be transferred outside Brazil and the European Union.
This transfer is supported by:
- European Union (GDPR): the European Commission's Standard Contractual Clauses (SCCs) and the partners' participation in the EU-US Data Privacy Framework.
- Brazil (LGPD Art. 33): performance of the contract with you (item IX) and the standard contractual clauses (SCCs) signed by Google, Apple, and RevenueCat in their data processing agreements (item II).
6. Where your videos live (content you create)
To reinforce the most important point:
- Your clips stay locally on your device.
- Nothing goes to our servers.
- Backup is optional and, when enabled, sends to your own Google Drive.
- The multi-camera feature connects your devices directly over the local network (Wi-Fi), with encrypted transmission. Nothing passes through our servers.
You control your videos: you can delete them from the device and from your Drive whenever you want.
7. Children and teenagers
- KplaWY is intended for people aged 13 or older.
- Children under 13 must not use the app. The app does not ask for your date of birth, but if we become aware (through direct contact, a report, or otherwise) that an account belongs to a child under 13, it will be deleted and the associated data erased, except where retention is required by law.
- In the United States, COPPA (Children's Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent.
- Teenagers aged 13 to 17 must use the app with the consent and supervision of their parents or legal guardians, as required by applicable law (in the EU, GDPR Article 8; in Brazil, LGPD Art. 14 and additional protections under the ECA — Child and Adolescent Statute).
- Recorded persons: the app allows recording other people (for example, athletes during training). It is the responsibility of whoever uses the app to obtain consent from the people recorded — and, if they are minors, from their parents or legal guardians. Details of this responsibility are in the Terms of Use.
8. How long we keep data
- Account data (email, name, identifiers, subscription, device): for as long as your account exists. When you delete the account, it is erased.
- Apple token: deleted together with the account.
- IP address in logs: per Google Cloud's retention policy.
- Data we are legally required to keep: for example, tax records of transactions (charges via App Store / Google Play) may be retained for up to 5 years (the statutory limitation period in Brazil), even after you delete your account. These records may be anonymized where possible.
You can delete your account at any time in the app (Account → Delete account). Deletion removes your account from authentication, erases your data documents, and attempts to revoke your Apple credential (where applicable).
In the rare event that Apple revocation fails, your data is still deleted normally — we do not block deletion because of it. In those cases you can additionally revoke the app's access directly in Settings > [your name] (Apple ID) > Sign-In & Security > Apps Using Sign in with Apple.
9. How we protect your data
- Connections to our servers use HTTPS (encryption in transit).
- Data stored in Firebase is encrypted at rest (Google Cloud default).
- The multi-camera feature uses AES-GCM-256 encryption over the local network.
- Access to data on our server is restricted to the app's operation, with security rules.
- Operational logs are sanitized — they do not include personal content or file paths from your device.
No system is 100% secure, but we apply reasonable technical and organizational measures to protect your data.
10. For users in Brazil (LGPD)
You have the rights set out in Article 18 of the LGPD: confirmation and access; correction; anonymization, blocking, or deletion of unnecessary or non-compliant data; portability; deletion of data processed based on your consent; information about whom we share with; withdrawal of consent; and objection.
You exercise most of these rights directly in the app (access, correction, export, deletion). For the others, contact us (see "How to contact us").
Data Protection Officer (DPO): the responsible party also acts as the data protection officer and can be reached at kplawyapp@gmail.com.
11. For users in the European Union (GDPR)
If you are in the European Union, the processing of your data relies on the lawful bases in Article 6 of the GDPR (performance of a contract, legal obligation, legitimate interest, and consent), as set out in the table in section 3.
As a data subject, you have the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and not to be subject to solely automated decision-making. You may also withdraw consent at any time and lodge a complaint with the supervisory authority in your country.
International transfers are carried out with the safeguards described in section 5 (SCCs + Data Privacy Framework). Our lawful basis for each processing activity is specified in section 3 (GDPR Article 6).
12. For users in California, USA (CCPA/CPRA)
For purposes of the CCPA/CPRA, we are considered a business. The partners listed in section 4 act as service providers under contract — they cannot use your personal information for purposes other than providing the services to us.
- We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Because we do not sell or share, there is no "Do Not Sell or Share My Personal Information" mechanism to act on. This right to opt-out of sale or sharing does not apply in practice, but you may contact us to confirm.
- Categories of information collected in the last 12 months: identifiers (email, account identifier, device identifier), commercial information (subscription status), and technical usage information (device model, IP address). We do not collect sensitive categories (precise geolocation, biometrics, etc.).
- You have the right to know, access, correct, and delete your data, and to not be discriminated against for exercising these rights.
13. The kplawy.app website
The kplawy.app website (where this policy is published) uses only one
functional cookie: NEXT_LOCALE, which remembers the language you chose
(Portuguese or English). This cookie is functional — it does not track you or
collect data. Duration: 1 year (or as the preference is renewed).
There are no analytics tools, tracking, pixels, or third-party cookies. Fonts are served from our own domain (self-hosted), with no third-party requests.
14. How to contact us
To exercise your rights, ask questions, or file privacy complaints:
- Email: kplawyapp@gmail.com
- Controller: Natan Kaway da Silva Pereira (individual responsible for the KplaWY app)
We will respond within the applicable legal timeframe.
15. Changes to this policy
We may update this policy. When a change is significant, we will notify you in the app or by email. The date at the top indicates the last update.
16. Useful links (partner policies)
- Google / Firebase: https://policies.google.com/privacy · https://firebase.google.com/support/privacy
- Apple: https://www.apple.com/legal/privacy/
- RevenueCat: https://www.revenuecat.com/privacy/