Privacy Policy

Account and identity information

• Full legal name, email address, phone number, and date of birth
• Username, avatar, profile bio, and gaming-platform usernames you choose to link
• Password (stored only as a hashed value; never visible to us in plaintext)
• State of residence (for sweepstakes eligibility)

Identity verification information

• Government-issued photo identification (driver's license, state ID card, or passport) and a live selfie, captured by Stripe Identity in a secure hosted flow. See Section 5 for what data we receive and Section 6 for biometric-specific disclosures.
• W-9 information (legal name, address, taxpayer identification number) when required by IRS rules for prize redemptions of $600 or more in a calendar year.
• Last four digits of your Social Security number, when required for 1099-MISC reporting.

Financial information

• Payment card information for deposits is processed by Stripe; we never store full card numbers, security codes, or expiry dates on our servers. We retain only a tokenized payment-method reference and the last four digits.
• Bank account information for prize payouts is collected and verified through Stripe Financial Connections. We never see your raw account or routing number. We retain only a tokenized account reference and the last four digits.
• Transaction history: deposits, redemptions, picks placed, winnings, account balances, and time-stamped audit logs of currency movements.

Service usage data

• Predictions placed, streamers followed, games viewed, picks history, wins, losses
• Features used, screens viewed, time spent in the app, session timestamps
• Responsible-gaming settings, deposit limits, self-exclusion history, time-out events
• Feedback, support tickets, in-app messages

Device and connection information

• Device type, model, operating system version, language, time zone
• App version, build number, install date
• IP address and approximate location (city, state, country) used to enforce eligibility under state sweepstakes laws and to detect anomalous logins
• Push notification token (when you opt in)
• Unique device identifier (e.g., advertising identifier where permitted)
• Crash logs and diagnostic data

Communications

• Email, SMS, and in-app messages you send to or receive from us
• Phone-verification one-time codes (delivered by Twilio; see Section 11)

Under the California Privacy Rights Act (CPRA) and similar laws in other states, the following items we collect are classified as "sensitive personal information":

• Social Security number (last four digits, for 1099 reporting)
• Financial account information (tokenized bank account references)
• Precise geolocation (when used to enforce state eligibility)
• Biometric information (selfie captured during Stripe Identity verification)
• Government-issued ID images (driver's license, passport)

We use sensitive personal information only for the purposes described in this policy — primarily identity verification, fraud prevention, tax reporting, and processing payouts. We do not use sensitive personal information to infer characteristics about you for advertising. You have the right to limit our use of sensitive personal information (see Section 16).

Service provision

• Creating and managing your account
• Operating the Rush Live platform and processing your picks
• Verifying your age, identity, and geographic eligibility
• Processing deposits and prize redemptions
• Disbursing payouts to your verified bank account via Stripe Connect
• Providing customer support

Safety, fraud prevention, and compliance

• Detecting and preventing fraud, abuse, and underage use
• Enforcing eligibility under state sweepstakes laws
• Identifying suspicious account activity
• Generating IRS Form 1099-MISC for users with $600+ in annual redemptions
• Responding to legal requests and enforcing our Terms of Service
• Maintaining audit logs of currency movements and KYC events

Service improvement

• Understanding how users interact with features
• Diagnosing and fixing technical issues
• Testing new features and measuring product changes

Communications

• Transactional emails (sign-up confirmations, payout confirmations, security alerts)
• SMS one-time codes (account verification, 2FA)
• Push notifications for pick results, streamer activity, and account events you opt into
• Optional marketing emails — you can opt out at any time using the link at the bottom of every marketing message or in-app at Settings → Notifications. We comply with the CAN-SPAM Act and applicable state marketing laws.

Aggregated and anonymized data

We may create aggregated or de-identified data from your information that does not identify you. We may use this aggregated data for any purpose, including research, analytics, marketing materials, and product development. We will not attempt to re-identify aggregated data.

We share information only with the following categories of recipients, and only as needed to operate the Service:

• Stripe, Inc. — payment processing for deposits, identity verification (Stripe Identity), bank account verification (Stripe Financial Connections), and payouts (Stripe Connect Express). See Stripe's privacy policy at stripe.com/privacy.
• Supabase, Inc. — database, authentication, file storage, and serverless infrastructure provider that powers the Service.
• Twilio, Inc. — SMS one-time codes for phone verification and two-factor authentication. See twilio.com/legal/privacy.
• Apple Inc. and Google LLC — for push notifications via APNs (iOS) and FCM (Android), and for in-app payments where used.
• Streaming platforms (Twitch, YouTube, Kick) — when you watch streams embedded in the app, your interaction with the stream is governed by those platforms' policies, not ours.
• Game-statistics providers (Fortnite Tracker, Henrik API, Riot Games, Supercell, Activision) — when you link gaming accounts, we query these providers using your linked username; no personal information beyond the username is shared.
• Analytics and crash-reporting providers — aggregated and pseudonymized usage data; we currently do not use third-party advertising networks.
• Law enforcement, regulators, and tax authorities — when required by valid legal process or by federal/state reporting rules. See Section 21.
• Successors — in the event of a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred. You will be notified before this happens.
• Service providers under contract — email-delivery providers, hosting, security scanners, and similar processors who act only on our instructions and only as needed to operate the Service.

We require service providers to handle your data under contract and only for the purposes we authorize. We do not authorize any of these recipients to sell your personal information.

Stripe powers all financial activity in Rush Live. The Stripe products we use, and the data flow with each, are:

Stripe Payments (deposits)

Card payments for Gold Coin purchases are tokenized by Stripe in your device's browser or app. Card numbers, security codes, and expiry dates are sent directly to Stripe and never touch our servers. We receive only a payment-method token and a transaction outcome.

Stripe Identity (KYC)

For prize redemption, you complete identity verification through Stripe Identity. You capture your government-issued ID and a selfie inside Stripe's hosted, secure flow. The document images and selfie are sent directly to Stripe; we never see or store them. We receive only the verification outcome (verified / requires_input / canceled), a session ID, and the basic name and date-of-birth fields Stripe extracts. Retention is 7 years per federal recordkeeping requirements.

Stripe Financial Connections (bank verification)

For redemptions of $100 or more, we use Stripe Financial Connections to verify that the bank account you link is owned by you. We request only two data types:

• Tokenized account and routing number — used solely to dispatch your payout through Stripe Connect.
• Account ownership details — the name and mailing address registered on the bank account, used to confirm the account belongs to the same person who completed Stripe Identity verification.

We do not request access to your balances or transaction history. We do not use Financial Connections data for any purpose other than fraud prevention on outbound payouts.

Stripe Connect (payouts)

Cash redemptions are sent through Stripe Connect Express accounts. Stripe collects the necessary information to make the transfer (your name, date of birth, address, and tokenized bank account). Stripe is the financial-services provider for your Connect account; their privacy policy and terms apply to that relationship.

When you complete identity verification through Stripe Identity, you capture a live selfie video that Stripe processes to confirm a face match against your government ID. Under Illinois law and similar laws in other states, the selfie may constitute "biometric information" or a "biometric identifier."

What is collected

• A live selfie video and the facial geometry derived from it
• The matching outcome (passed / failed) reported back to us by Stripe

How it is used

• Solely to confirm that the person creating the account matches the person on the ID
• To prevent fraud, underage use, and prohibited multi-accounting

Who receives it

• Stripe, Inc., who processes the selfie under their Privacy Policy. The raw selfie image and facial geometry are sent directly to Stripe; we never receive, store, or have access to them.
• We receive only the textual outcome (verified, requires_input, or canceled) and a session identifier.

Retention

We retain only the verification outcome and session ID — not the selfie itself — for up to 7 years from the date of your last interaction with the Service, to comply with federal financial-record-keeping requirements. Stripe's retention of the underlying biometric data is governed by Stripe's policies.

Your consent

By completing Stripe Identity verification you provide written consent to the collection and processing of biometric information for the purposes above. You can withdraw consent by deleting your account; however, identity verification is required to redeem prizes, so withdrawing consent will prevent further redemptions.

No sale or profit

We do not sell, lease, trade, or otherwise profit from your biometric information.

We use automated systems to help operate the Service, including:

• Fraud detection — automated rules and machine-learning models that flag accounts showing signs of fraud (e.g., velocity, chargeback history, device-fingerprint reuse) for human review and, in some cases, automatic account suspension.
• Odds and recommendations — odds for in-game picks and recommended streamers are generated by automated models trained on historical gameplay and viewing data.
• Eligibility enforcement — automated checks against your state of residence and IP-geolocation to enforce sweepstakes laws.

If an automated decision materially affects your account (e.g., suspension, blocking a redemption), you may request human review by contacting rushliveteam@gmail.com with the subject line "Decision Review."

Rush Live integrates third-party streaming platforms (Twitch, YouTube, Kick) so you can watch live gaming streams in the app. The Video Privacy Protection Act of 1988 (VPPA) protects the privacy of your video-viewing records.

• We log which streamers you follow and when you watch their content inside the app, for the purpose of generating odds, picks, and recommendations.
• We do not share your individual viewing history with marketers or advertisers.
• We may share aggregated, de-identified viewing data with streamer partners and for internal analytics.
• By using the Service, you provide informed, written consent for us to collect and process the viewing data described above for the purposes described. You may withdraw this consent at any time by deleting your account.

On the website at join-rush.com, we use:

• Strictly necessary cookies — required for the site to function (e.g., session cookies, security cookies). These cannot be disabled.
• Analytics cookies — to understand how visitors use the site. We use pseudonymized identifiers; we do not link website analytics to personally identifying information unless you sign up.
• Functional cookies — to remember your preferences (e.g., theme).

We do not use cross-site advertising cookies. You can control cookies through your browser settings; disabling strictly-necessary cookies may break parts of the site.

Mobile app: the Rush Live mobile app does not use browser cookies. It uses local device storage (AsyncStorage) for session tokens and preferences. See Section 11 for the SDKs in the app.

The Rush Live mobile app requests the following device permissions. You can grant or revoke each in your device settings.

• Camera — used only when you complete identity verification through Stripe Identity (selfie + ID capture). Not used at any other time.
• Photo library — used only if you choose to upload a profile picture or supporting verification documents.
• Location (approximate) — used to enforce state-level sweepstakes eligibility. We use approximate location only, not GPS, and only when you take actions that require state confirmation (sign-up, redemption).
• Notifications — push notifications for pick results, streamer activity, deposit/payout confirmations, and security alerts. Security alerts cannot be disabled separately; you can disable all notifications in Settings or in your device settings.
• Network access — required to communicate with our servers and Stripe.

The mobile app includes the following third-party libraries that may receive limited data:

• @stripe/stripe-react-native — Stripe payment, identity, and bank-verification SDKs.
• @supabase/supabase-js — Supabase client for authenticated API calls.
• Expo SDK — Expo runtime libraries (camera, location, notifications, secure store).
• @react-native-async-storage/async-storage — local on-device key-value storage for preferences and session tokens.
• expo-notifications — wraps Apple Push Notification service and Firebase Cloud Messaging.

We do not embed third-party advertising SDKs or behavioral-tracking SDKs in the app.

Rush Live operates as a sweepstakes platform. Some sweepstakes-specific data disclosures:

• Each paid Gold Coin purchase grants sweepstakes entries; each free daily login, mail-in entry, and qualifying activity also grants entries. We log every entry with your user ID, timestamp, and the entry source.
• When you mail in a free entry (AMOE), we log your name, address, and date of birth from the mail-in card. This data is retained for sweepstakes-rules compliance and audit purposes.
• When you win a prize, we may publish your username and the prize amount on a public winners list, as required by state sweepstakes-disclosure rules. We do not publish your legal name, address, or any other identifying information without your consent.
• We retain sweepstakes records (entries, draws, winners, prize delivery) for 7 years for audit and tax-reporting purposes.

See our Official Sweepstakes Rules for the full terms.

• Account information is retained while your account is active and for up to 90 days after deletion to allow for account recovery and to settle any pending transactions.
• Identity verification records (Stripe Identity outcomes, KYC artifacts, BIPA-related outcomes) — 7 years from your last interaction with the Service.
• Transaction history, sweepstakes entries, and payout records — 7 years from the transaction date, to comply with IRS recordkeeping and state sweepstakes audit rules.
• Marketing analytics in de-identified, aggregated form — may be retained indefinitely.
• Security and abuse logs — typically retained for up to 2 years, longer when required for an open investigation.

When you delete your account, we delete or de-identify your account-level data within 30 days, except for data we are required to retain under law or that is held in de-identified backups (which are cycled out within 90 days).

• All data in transit is encrypted with TLS 1.2 or higher.
• Passwords are hashed using industry-standard algorithms (bcrypt-equivalent).
• Payment card data is handled by Stripe, a PCI-DSS Level 1 certified processor; raw card data never reaches our servers.
• Bank account credentials are tokenized by Stripe Financial Connections; we store only references.
• Selfie and ID images are handled by Stripe Identity; we never receive or store the raw images.
• Two-factor authentication is available for all accounts and is required for accounts that have completed any cash redemption.
• Server access requires multi-factor authentication and is restricted to least privilege.
• Penetration testing and vulnerability scanning is performed regularly.

No system is perfectly secure. If we become aware of a data breach that affects you, we will notify you in accordance with applicable federal and state breach-notification laws.

Subject to applicable law, you have the right to:

• Access — request a copy of the personal data we hold about you. In the app: Settings → Privacy & Data → Export My Data.
• Correct — request that we correct inaccurate data.
• Delete — request that we delete your account and associated data. In the app: Settings → Delete Account.
• Object — object to certain types of processing, including direct marketing.
• Restrict — request that we restrict processing of your data in certain circumstances.
• Portability — receive your data in a machine-readable format.
• Withdraw consent — where processing is based on consent, withdraw it at any time.
• Lodge a complaint — with a supervisory authority in your jurisdiction.

How to make a request

Email rushliveteam@gmail.com with the subject line "Privacy Request" or use the in-app Settings menu described above. To protect your privacy, we may need to verify your identity (e.g., confirm ownership of the account email) before fulfilling the request.

Response timeline

• California (CCPA/CPRA): we respond within 45 days, with a possible 45-day extension if reasonably necessary.
• Other US states with comprehensive privacy laws: within 45 days, with extensions as permitted.
• EU/EEA/UK (GDPR): within 30 days, with a possible two-month extension for complex requests.

Authorized agents

California residents may designate an authorized agent to make a request on their behalf. Email us with proof of the agent's authorization (signed permission or power of attorney).

No retaliation

We will not deny you the Service, charge you a different price, or provide a lower level of service because you exercised any privacy right described in this policy.

If you are a California resident, you have all the rights in Section 15 plus the following:

• Right to know — what categories of personal information we have collected, the sources, the purposes, and the third parties we shared them with.
• Right to correct inaccurate personal information.
• Right to delete — request deletion of personal information we collected from you, subject to legal exceptions (e.g., tax records).
• Right to opt out of sale/sharing — see Section 19.
• Right to limit use of sensitive personal information — restrict our use of your SSN, financial account info, precise geolocation, biometric data, and government-ID images to those uses strictly necessary to provide the Service.
• Right to non-discrimination — see Section 15.

Shine the Light: California Civil Code § 1798.83 permits California residents to request information regarding the disclosure of personal information to third parties for the third parties' direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Residents of Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, and other states with comprehensive consumer-privacy laws have substantially the same rights as California residents. To exercise these rights, follow the process in Section 15.

• Colorado (CPA) — right to access, correct, delete, portability, opt out of targeted advertising / sale / profiling.
• Connecticut (CTDPA) — equivalent rights to Colorado.
• Utah (UCPA) — access, deletion, portability, opt out of sale / targeted advertising.
• Virginia (VCDPA) — access, correct, delete, portability, opt out of sale / targeted advertising / profiling.
• Texas (TDPSA) — equivalent rights, opt out of sale / targeted advertising / profiling for decisions producing legal effects.

Some states allow appeal of a denied request. To appeal, reply to our response email with "Appeal" in the subject line; we will respond within the statutorily-required period.

Rush Live currently serves only US residents, and we do not target advertising to or collect data from individuals in the EU/EEA, UK, or Switzerland. If you nevertheless access the Service from one of these regions, you have the following rights under the GDPR or UK GDPR:

• Access, rectification, erasure, restriction, portability, and objection.
• Right to withdraw consent at any time for processing based on consent.
• Right to lodge a complaint with your local supervisory authority.

Our lawful bases for processing are: performance of a contract (operating the Service you signed up for), legal obligation (tax, KYC), legitimate interest (fraud prevention, security), and consent (marketing, biometrics).

We do not sell your personal information in exchange for monetary consideration. Under California law, the definition of "sale" or "share" can include certain analytics arrangements where a third party processes your data for their own purposes. To exercise your right to opt out of any such activity, email rushliveteam@gmail.com with subject line "Do Not Sell or Share" or use the in-app toggle at Settings → Privacy Controls.

We honor Global Privacy Control (GPC) signals where required by law.

The Service is intended for users 18 years of age or older (19 in Alabama and Nebraska, 21 in Mississippi). We do not knowingly collect personal information from anyone under 13 (Children's Online Privacy Protection Act, "COPPA") or knowingly allow anyone under the local age of majority to use the Service.

If you believe we have collected information from a child under 13, please contact us at rushliveteam@gmail.com and we will delete it promptly.

Parents may request review or deletion of their child's information by contacting us with proof of parental relationship.

We may disclose your information to law enforcement, regulators, or other government entities when required by valid legal process (subpoena, court order, search warrant, or applicable statute) or when we believe in good faith that disclosure is necessary to:

• Comply with a legal obligation or response to a lawful request from authorities
• Protect our rights, property, or safety, or that of our users or the public
• Investigate fraud, security incidents, or violations of our Terms of Service
• Comply with federal/state tax-reporting obligations (e.g., 1099-MISC)

Where permitted by law, we will attempt to notify the affected user before producing their information in response to a government request. We do not voluntarily disclose user information to government entities outside the United States.

Rush Live is offered only to residents of the United States, and only in states where our sweepstakes are permitted by law. Your data is stored on servers located in the United States. If you access the Service from outside the United States, you understand and consent that your data will be transferred to, stored in, and processed in the United States, which may have different data-protection laws than your country of residence.

We may update this Privacy Policy from time to time. When we make material changes, we will (a) post the updated policy here with a new effective date, (b) notify you in the app the next time you sign in, and (c) email registered users at the email address on file. Your continued use of the Service after the new policy takes effect constitutes acceptance of it. If you do not accept the new policy, you may delete your account at any time.

For privacy questions or to exercise your rights:

For accessibility assistance with this policy, contact us at the email above with subject line "Accessibility."