Privacy policy · effective 15 May 2026

Privacy is the default, not the upsell.

Plain-English summary: we collect your sign-in email and what you save in the app. We never sell or share your data. You can delete your account from inside the app and your data is gone immediately. The rest of this page is the detail.

1. Who runs 2UP

2UP is operated by Flipside, an independent studio (the "data controller" for the personal information described below). Postal address available on request via support@flipside.life or through Apple Developer's records. We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR.

2. Age requirement

You must be at least 13 years old to use 2UP. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with data, email us and we will delete the account. We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and similar international rules.

3. What we collect

We only collect what's needed to run the app. Specifically:

Categories under U.S. state laws (e.g. CCPA/CPRA)

For California residents and similar jurisdictions, the categories we collect are: Identifiers (email, name, user ID, device token); Internet or other electronic network activity (saved items, in-app content you create); Inferences (none - we do not profile). Sources: you, your sign-in provider, and Apple (for the device token). Business purpose for each category: providing the app's functionality. We retain them for the lifetime of your account.

4. What we don't collect

5. Third-party processors

To deliver the app we send data to a small set of service providers, each acting as a processor on our behalf under a written agreement:

We also read from public Twitch, Kick and FiveM/Cfx.re APIs on your behalf. Those services see our backend's IP address, not yours.

International transfers

Some processors are based in the United States. Where personal data of EU/UK residents is transferred outside the EEA/UK, transfers rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.

6. How long we keep data

7. Security

All traffic between the app and our servers is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 at the database hosting provider. Passwords are hashed using a modern, salted, one-way function before storage. Push notification permission is opt-in: iOS asks you for permission, and you can revoke it at any time in Settings → Notifications → 2UP.

8. Your rights

You have the following rights over your personal data:

9. Changes

If we change this policy materially we'll surface the update in-app and update the effective date at the top of this page. Continued use after the update means you accept the new terms.

10. Contact

Questions, deletion requests, data exports, security reports - support@flipside.life.