Privacy Policy
TotoKiasu ("we", "our", or "us") is committed to protecting your personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA). This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights as a user.
By downloading or using the TotoKiasu mobile app, you consent to the practices described in this policy.
1. Who We Are
- Company: TotoKiasu
- Country of operation: Singapore
- Contact: support@totokiasu.sg
- Website: totokiasu.sg
2. What Data We Collect
Account information — collected when you sign in:
- Full name and email address (from Google or Apple Sign-In)
- Profile photo URL (from Google Sign-In, if provided)
- A unique user ID generated by Firebase Authentication
Ticket data — created when you scan a ticket:
- Ticket photo (stored in Google Cloud Storage)
- Extracted lottery numbers, bet type, draw dates, and game type
- Draw results and prize check outcomes
- Claim status (whether you have collected your prize)
App preferences and usage data:
- Preferred region (e.g. Singapore)
- Notification preferences (which alerts you have enabled and thresholds)
- Accessibility settings (e.g. Large Text Mode)
- Monthly scan usage count
- Subscription tier (Free or Pro)
Device data:
- Push notification token (to deliver notifications to your device)
- Auth session token (stored locally on your device via AsyncStorage)
What we do NOT collect:
- Precise or approximate location (GPS or IP-derived)
- Advertising ID (IDFA / GAID) — we do not run advertising
- Crash logs or analytics events — we do not use Crashlytics, Sentry, or any analytics SDK
- Payment card details — payments are handled entirely by Apple App Store or Google Play
- Audio — the app does not record audio
3. Device Permissions
| Permission | Why we need it | When prompted |
|---|---|---|
| Camera | To photograph your lottery ticket for scanning | First time you tap Scan |
| Photo library / media | To save scanned ticket images to your device gallery | First time you save an image |
| Push notifications | To notify you of draw results, jackpot alerts, and claim reminders | On first sign-in |
You can revoke any permission at any time in your device Settings. Revoking camera access will prevent ticket scanning. Revoking notification access will stop all push notifications.
4. How We Use Your Data
- Account management — to authenticate you and display your profile.
- Ticket checking — to extract numbers from your ticket image using AI and check them against published Singapore Pools draw results.
- Push notifications — to notify you of ticket results, upcoming jackpots, and prize claim reminders, based on your preferences.
- Subscription management — to track your plan tier and enforce scan quotas.
- App personalisation — to remember your region, accessibility, and notification preferences.
We do not use your data for advertising, profiling, or sale to third parties.
5. Third-Party Services
To operate TotoKiasu, we share limited personal data with the following categories of trusted service providers. Each is bound by contractual data protection obligations and their own privacy policies.
- Cloud infrastructure provider (Google) — stores your account information, ticket data, and preferences securely on our behalf. Your ticket photos are also processed by Google's AI services solely to extract lottery numbers from your image. Google does not use this data to train their AI models under our service agreement. See the Google Privacy Policy.
- Subscription management provider — receives your app user ID and subscription status to manage your Pro plan. This provider does not receive your name, email, or ticket data. Payment card details are handled entirely by Apple App Store or Google Play and are never seen by us or this provider. See the provider's Privacy Policy.
- Push notification infrastructure (Apple / Google) — your device's push notification token is routed through Apple (iOS) or Google (Android) infrastructure to deliver notifications to your device. These providers do not receive your ticket data or account information beyond what is necessary to deliver the notification. See the Apple and Google privacy policies.
We do not use advertising networks, analytics platforms, attribution services, or any tracking SDKs. No personal data is sold or shared for marketing purposes.
6. International Data Transfers
Our primary Firebase infrastructure is hosted in the asia-southeast1 (Singapore) region. Some third-party services (RevenueCat, Expo) operate servers in the United States. By using TotoKiasu, you consent to your data being transferred to and processed in these countries.
All service providers are contractually bound to protect your data and comply with applicable privacy laws.
7. Data Retention
- Your account and ticket data is retained for as long as your account is active.
- Ticket images are retained to allow you to review past scans at any time.
- Push notification tokens are updated automatically and are not retained after account deletion.
- Upon account deletion, your personal data will be permanently deleted within 30 days, except where retention is required by applicable law.
- Ticket data may be retained in anonymised, aggregated form (with no link to you personally) for service improvement.
8. Your Rights Under PDPA
Under the Singapore Personal Data Protection Act 2012, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of any inaccurate personal data.
- Withdrawal of consent — withdraw consent at any time (this may limit app functionality).
- Deletion — request deletion of your account and associated data.
To exercise any of these rights, email us at support@totokiasu.sg. We will respond within 10 business days.
You may also lodge a complaint with the Personal Data Protection Commission (PDPC) if you believe your data has been handled unlawfully.
9. Security
- All data transmitted between the app and our servers uses TLS 1.2+ encryption.
- Firebase security rules restrict data access so that each user can only read and write their own data.
- Cloud Functions are secured and not publicly accessible without authentication.
- Auth session tokens are stored locally on your device and never transmitted unnecessarily.
While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security against all threats.
10. Children's Privacy
TotoKiasu is intended for users aged 18 and over. Lottery participation is restricted to adults under Singapore law. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us at support@totokiasu.sg and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and notify you via the app or email for significant changes. Continued use of the app after changes constitutes acceptance of the updated policy.
12. Contact Us
- TotoKiasu
- Email: support@totokiasu.sg
- Website: totokiasu.sg