WeMillion Back to the counter
Legal · WeMillion

Privacy Policy

Effective 02 May 2026
App name
WeMillion
Publisher
Félix Thiollier — 38 avenue des Ternes, 75017 Paris, France
Contact
1

Overview

This Privacy Policy explains what data WeMillion (“the App”) collects, how it is used, and your rights as a user. We are committed to collecting the minimum data necessary to operate the App.

2

Data Controller

Félix Thiollier
38 avenue des Ternes, 75017 Paris, France
felixthiollier63@gmail.com

3

Data We Collect

3.1 — Data you provide

  • Sign in with Apple: Apple provides us with a stable, anonymised user identifier (“userIdentifier”). We use this solely to link your Apple ID to your Firebase account. We do not receive or store your real name or email address — even if requested by Apple's sign-in flow, this information is discarded immediately and never written to our database.

3.2 — Data we store (Firestore database)For each paying participant we store only:

  • userNumber: your unique numbered position (e.g. 4,726,319)
  • paidAt: timestamp of your payment
  • countryCode: ISO 3166-1 alpha-2 code (e.g. “FR”) derived from your StoreKit 2 storefront at the time of purchase

We do NOT store your name, email address, phone number, Apple ID, payment card details, IP address, or device identifiers.

3.3 — Aggregate data

  • A global counter (totalPaid, todayCount) and per-country counters are maintained. These contain no personal data.

3.4 — Transaction data

  • Apple's StoreKit 2 transaction ID is stored server-side for idempotency (to prevent double-counting). It is not linked to your identity beyond your Firebase UID.

3.5 — Authentication tokens

  • Firebase Auth ID tokens are used to authenticate requests between the App and the backend. They are stored in the iOS Keychain and are never written to UserDefaults or any unprotected storage.
4

Data We Do Not Collect

  • We do not use advertising SDKs or third-party analytics.
  • We do not use cookies or web tracking technologies.
  • We do not collect device identifiers (IDFA, IDFV).
  • We do not access your contacts, photos, camera, microphone, or location.
5

How We Use Your Data

PurposeLegal basis (GDPR)
Assigning your unique numbered positionPerformance of contract (Art. 6(1)(b))
Preventing double-counting (idempotency)Legitimate interest (Art. 6(1)(f))
Displaying real-time global and country countersLegitimate interest (Art. 6(1)(f))
6

Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

We use the following sub-processors solely to operate the App:

Both sub-processors are subject to Standard Contractual Clauses (SCCs) for any data transfers outside the European Economic Area.

7

Data Retention

Your user record (userNumber, paidAt, countryCode) is retained indefinitely as it forms the permanent historical registry of participants. If you request deletion (see Section 9), we will delete your record, but note that the totalPaid counter will not be decremented — your numbered position will simply become unoccupied.

Transaction IDs (idempotency records) are retained for 5 years for fraud-prevention purposes.

8

Security

  • All communication between the App and backend uses HTTPS/TLS.
  • Payment verification is performed server-side using cryptographic JWS signature verification against Apple's Root CA G3. The client never decides the outcome of a payment.
  • Firestore Security Rules prevent clients from writing to sensitive collections (/stats/global, /countries/*, /users/*).
  • Authentication tokens are stored in the iOS Keychain.
9

Your Rights (GDPR / French Law)

If you are located in the European Economic Area, you have the following rights:

  • Right of access: request a copy of the data we hold about you.
  • Right to rectification: request correction of inaccurate data.
  • Right to erasure (“right to be forgotten”): request deletion of your data.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interest.

To exercise any of these rights, contact us at felixthiollier63@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the French data protection authority: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr

10

Children's Privacy

The App is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has used the App, contact us and we will delete the relevant data.

11

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the App. The date at the top of this document indicates when it was last revised.

12

Contact

Félix Thiollier
38 avenue des Ternes, 75017 Paris, France
felixthiollier63@gmail.com