MADURO CIGAR TRACKER – PRIVACY POLICY

Last updated April 14, 2026

This Privacy Policy for Kennedy Custom Designs LLC (“we,” “us,” or “our”) describes how and why we collect, use, store, and share your information when you use the Maduro Cigar Tracker mobile application (“Maduro,” “the app,” “the Service”).

Maduro is a personal cigar collection tracker and journal. Your humidor, journal, wishlist, and personal notes are stored locally on your device. The app offers optional anonymous community contributions and uses Firebase services for authentication, catalog data, and crash reporting. Maduro does not display advertisements, does not sell personal data, and does not track you across other apps or websites.

Contact: apps@kennedycustomdesigns.com

Mailing address: Kennedy Custom Designs LLC, 934 Jennison Dr, Rossford, OH 43460, United States

The Short Version

• Your tasting notes, journal photos, and humidor organization stay on your device and are never uploaded.
• Anonymous usage signals (which cigars you add, smoke, and rate) are collected only if you opt in via the Community Contributions toggle in Settings. It is off by default outside the United States.
• We don’t show ads. We don’t sell personal data. We don’t track you across other apps or websites.
• You can delete your account at any time from Settings → Profile → Delete Account.

1. What Information Do We Collect?

Information you provide to us

We collect information that you voluntarily provide when you use the Service:

Account information. When you sign in using Google Sign-In or Apple Sign-In, we receive your email address. Apple Sign-In users typically receive a private relay email address from Apple rather than their real email, unless they choose to share it. We do not receive or store your display name, profile photo, or any other account details.

Community submissions. If you submit a band photo, review, rating, or data correction for community review, that content is uploaded to our servers along with your anonymous user identifier.

Donation purchases. If you choose to make a voluntary donation through the app’s “Buy Me a Cigar” feature, payment processing is handled entirely by Apple App Store or Google Play. We do not collect, store, or have access to your payment card details, billing address, or financial information. We receive only a purchase confirmation and transaction identifier from RevenueCat, our purchase management service.

Information collected automatically

Device and usage data. When you use the app, Firebase services may automatically collect device information such as device model, operating system version, app version, crash logs, and performance metrics. This data does not include your name, email, or any content you create in the app.

Anonymous usage signals (opt-in only). If you enable Community Contributions in Settings, the app uploads anonymous usage signals as described in Section 4 below.

Sensitive information

We do not process sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, or sexual orientation.

Information from third parties

We do not collect information about you from third parties.

Age verification signals

The app uses Apple’s Declared Age Range API and/or Google Play Age Signals API to verify that your account meets the minimum age requirement. These APIs return only a general age range or pass/fail signal. We do not receive or store your date of birth. The fact that you passed verification is stored on your device so you do not have to re-verify on every launch.

2. How Do We Use Your Information?

We use the information we collect for the following purposes:

• To provide and maintain the Service, including your account and access to the cigar catalog
• To process your voluntary donations through in-app purchase
• To moderate community submissions (band photos, reviews, data corrections)
• To compute anonymous community ratings and price ranges for cigars
• To tag your community contributions with an anonymous identifier so they can be attributed to your account for moderation and anonymized if you delete your account
• To diagnose crashes and improve app stability (via Firebase Crashlytics)
• To understand aggregate usage patterns and improve the app (via anonymous usage signals, only when Community Contributions is enabled)
• To verify your age meets the legal minimum for tobacco-related applications
• To respond to your inquiries and support requests
• To comply with legal obligations
• To protect against fraudulent, harmful, or illegal activity

We do not use your information for advertising, marketing, or profiling. We do not email you marketing communications.

3. Data That Stays on Your Device (Never Uploaded)

The following is stored in a local database on your device and is never transmitted to us or any third party, regardless of your Community Contributions setting:

• Tasting notes, flavor tags, and personal observations
• Journal photos you attach to entries
• Humidor names, organization, and sort order
• App preferences (dark mode, activity retention window, consent toggle)

The following is stored locally on your device and is also uploaded as anonymous signals if you have Community Contributions enabled (see Section 4):

• Which cigars are in your humidor and wishlist (cigar catalog IDs only — not your humidor names, notes, or organization)
• Star ratings you give to cigars (the numeric rating only — not your written notes)
• Prices you paid for cigars
• How long a cigar was in your humidor before you smoked it
• How long a cigar was on your wishlist before you purchased it
• Smoke and removal events with reason (e.g., gifted, traded)

If you uninstall the app or delete your account, local data is removed from your device.

4. Data That Is Collected (Only If You Opt In)

If you enable Community Contributions in Settings, the app uploads anonymous signals from your activity. This toggle is off by default in the EU, UK, and regions where consent is required by law, and on by default in the United States. You can change it at any time.

Community signals

Used to build community ratings and price ranges for cigars:

• Your star ratings (1-5) linked to a cigar catalog ID
• Prices you paid, linked to a cigar catalog ID
• A timestamp

Anonymous usage signals

Used to understand aggregate usage patterns and improve the app:

• Event type (humidor add, smoke, remove, wishlist add, wishlist purchase)
• Cigar catalog ID
• Quantity
• How long you held a cigar in your humidor before smoking it
• How long a cigar was on your wishlist before you purchased it
• A removal reason if you recorded one (e.g., gifted, traded)
• A timestamp

User identifier used with these signals

Each uploaded event is tagged with your Firebase Authentication user ID, which is an opaque random string. It is not your name, email, phone number, or any personally identifying value. It is used server-side only to compute community averages without double-counting and to anonymize your contributions if you delete your account.

What we NEVER upload (regardless of your Community Contributions setting)

• Your name or email address
• Your tasting notes, flavor tags, or any free-text entries
• Journal photos or band photos attached to journal entries
• Humidor names or organizational data
• Your IP address or precise location
• Device identifiers, advertising IDs (IDFA/GAID), or cross-app tracking signals

5. AI Band Scanner

When you use the AI scanner to identify a cigar band:

• The photo is sent to Google Gemini Vision and Google Cloud Vision for identification
• If the cigar is not yet in our catalog, Gemini researches it and creates a catalog entry
• The photo is not stored on our servers. It is used only for the scan request and discarded after identification.
• If you separately submit a photo as a band image for community review, that photo is uploaded to Firebase Storage. You can view and delete it from the Submissions queue in your profile.

6. Authentication

The app uses Google Sign-In and Apple Sign-In via Firebase Authentication. The only information provided to us through sign-in is your email address. For Apple Sign-In users, this is typically Apple’s private relay email address rather than your real email, unless you choose to share it.

We use this information for account identification, to enable account deletion, and to associate your community submissions with your account for moderation purposes. We do not use your email for marketing, newsletters, or promotional communications. We do not share your email with any third party.

7. In-App Purchases and Donations

The app offers optional voluntary donations (“Buy Me a Cigar”) processed as consumable in-app purchases. All payment processing is handled by Apple App Store and Google Play. We do not collect, store, or have access to your payment card details or billing information.

Purchase confirmations and transaction management are handled by RevenueCat, our purchase management service. RevenueCat receives a transaction identifier and purchase status from Apple or Google. See RevenueCat’s privacy policy at https://www.revenuecat.com/privacy for details.

Apple’s privacy policy: https://www.apple.com/legal/privacy/
Google’s privacy policy: https://policies.google.com/privacy

8. When and With Whom Do We Share Your Information?

We do not sell your personal information. We do not share your personal information with third parties for their marketing or advertising purposes.

We may share information in the following limited situations:

With service providers. We share limited data with the following service providers who process data on our behalf to operate the Service:

• Firebase (Google) — for authentication, database, storage, analytics, crash reporting, and configuration
• RevenueCat — for donation purchase management (receives transaction identifiers from Apple or Google)
• Google Gemini and Cloud Vision — for AI band scanning (receives cigar band photos during scan requests only)

These providers process data under their respective privacy policies and data processing agreements. They do not use your data for their own marketing purposes.

For legal compliance. We may disclose information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. If such a transfer occurs, we will ensure the receiving party honors this privacy policy or notify you of any changes.

With your consent. We may share information for other purposes if you give us specific consent to do so.

9. Third-Party Services

The app uses the following third-party services:

• Firebase Authentication (Google) — sign-in and account management
• Cloud Firestore (Google) — cigar catalog data and anonymous community signals
• Cloud Storage for Firebase (Google) — community-submitted band photos
• Firebase Crashlytics (Google) — anonymous crash reports for bug fixing. No personal data is included.
• Firebase Analytics and Performance Monitoring (Google) — gated by the Community Contributions toggle. Disabled when the toggle is off.
• Firebase Remote Config (Google) — feature flags and configuration. Does not collect data from you.
• Google Gemini and Cloud Vision (Google) — used only during AI band scans as described in Section 5.
• RevenueCat — in-app purchase and donation management. Receives transaction identifiers and purchase status from Apple or Google.

These services process data on Google’s and RevenueCat’s infrastructure respectively. See:

• Google’s privacy policy: https://policies.google.com/privacy
• RevenueCat’s privacy policy: https://www.revenuecat.com/privacy

10. How Long Do We Keep Your Information?

Local data. Data stored on your device remains there until you delete it or uninstall the app. We have no access to or control over locally stored data.

Account data. Your Firebase Authentication account and associated user record are retained until you delete your account. Upon deletion, your account enters a 7-day soft-delete window, after which it is permanently removed.

Anonymous community signals and usage data. Anonymized community ratings and usage events are retained indefinitely in aggregate form to maintain community rating averages and usage statistics. When you delete your account, your user identifier on these records is replaced with a generic “deleted-user” tag so they can no longer be associated with you.

Crash reports and performance data. Firebase Crashlytics and Performance Monitoring data is retained according to Google’s standard retention policies (typically 90 days for crash data).

Community submissions. Approved band photos and reviews remain in the community database. Pending submissions are deleted when you delete your account.

11. How Do We Keep Your Information Safe?

We implement appropriate technical and organizational security measures to protect your information:

• Data in transit is encrypted using TLS
• Data at rest in Firebase is encrypted by Google
• Local data on your device is protected by the operating system’s standard app sandboxing
• We do not have a way to access your local device data
• Community contributions use anonymous identifiers rather than personal information

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee that unauthorized third parties will not be able to defeat our security measures. Transmission of information to and from the Service is at your own risk.

12. Age Restriction

Maduro is intended for adults of legal smoking age. You must pass an age verification process to use the app:

• Users in the United States must confirm they are 21 or older
• Users outside the United States must confirm they are 18 or older

The app uses an age gate confirmation followed by Apple Declared Age Range API or Google Play Age Signals API as a secondary verification. We do not ask for your date of birth and do not store your age. Only the fact that you passed verification is stored on your device so you do not have to re-verify on every launch.

13. Children’s Privacy

The app is not directed to children. We do not knowingly collect any information from children under the age of 18 (or 21 in the United States). If you believe a child has created an account or provided information to the app, please contact us at apps@kennedycustomdesigns.com so we can remove it.

14. What Legal Bases Do We Rely On to Process Your Information?

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR) and UK GDPR:

Consent. We process your community contribution data and anonymous usage data only when you have opted in via the Community Contributions toggle. You can withdraw consent at any time by turning off the toggle.

Performance of a contract. We process your account information (email address) as necessary to provide you with the Service you signed up for.

Legitimate interests. We process crash reports and performance data to maintain and improve the stability of the app. Our legitimate interest is providing a reliable service, balanced against minimal impact on your privacy since this data contains no personal information.

Legal obligations. We may process your information where necessary to comply with applicable laws and regulations.

If you are located in Canada, we may process your information with your express or implied consent, or without consent in the limited circumstances permitted by applicable Canadian law (such as fraud prevention or legal compliance).

15. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate personal information
• Delete your personal information
• Restrict or object to processing of your personal information
• Receive your personal information in a portable format (data portability)
• Withdraw consent at any time where processing is based on consent
• File a complaint with your local data protection authority

The Community Contributions toggle in Settings lets you withdraw consent for anonymous data collection at any time. The Delete Account function lets you permanently remove your account and associated data. For any other request, email us at apps@kennedycustomdesigns.com. We will respond to all requests within the timeframes required by applicable law.

16. Rights for United States Residents

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, or any other state with applicable privacy legislation, you may have specific rights regarding your personal information, including:

• Right to know whether we are processing your personal data
• Right to access your personal data
• Right to correct inaccuracies in your personal data
• Right to request deletion of your personal data
• Right to obtain a copy of your personal data
• Right to non-discrimination for exercising your rights
• Right to opt out of the sale of personal data
• Right to opt out of targeted advertising
• Right to limit use and disclosure of sensitive personal data

We do not sell personal information as defined by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), or by any other state privacy law. We do not share personal information with third parties for targeted advertising. We do not engage in profiling that produces legal or similarly significant effects.

We have not disclosed, sold, or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We will not sell or share personal information in the future belonging to app users or other consumers.

Categories of Personal Information

The following table describes the categories of personal information we may collect, as defined by the CCPA/CPRA:

To exercise your rights, contact us at apps@kennedycustomdesigns.com. You may also designate an authorized agent to make a request on your behalf. We will verify your identity before processing any request and will respond within 45 days as required by law.

California “Shine the Light” Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes.

17. Rights for EEA, UK, and Swiss Residents

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR and UK GDPR:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure (“right to be forgotten”)
• Right to restrict processing
• Right to data portability
• Right to object to processing based on legitimate interests
• Right to withdraw consent at any time
• Right not to be subject to automated decision-making (we do not engage in automated decision-making that produces legal or similarly significant effects)

To exercise these rights, contact us at apps@kennedycustomdesigns.com. If you believe we are unlawfully processing your personal information, you have the right to complain to your local data protection authority:

• EEA: Your Member State data protection authority
• UK: The Information Commissioner’s Office (ICO)
• Switzerland: The Federal Data Protection and Information Commissioner (FDPIC)

18. Rights for Canadian Residents

If you are located in Canada, we process your information based on your express or implied consent. You have the right to withdraw your consent at any time by contacting us or by turning off Community Contributions in Settings.

In limited circumstances permitted under applicable Canadian law, we may process your information without consent, including for fraud detection and prevention, legal compliance, and situations where collection is clearly in the interests of an individual and consent cannot be obtained in a timely way.

19. Rights for Australian Residents

We collect and process your personal information under the obligations set by Australia’s Privacy Act 1988. You have the right to request access to or correction of your personal information at any time by contacting us.

If you believe we are unlawfully processing your personal information, you have the right to submit a complaint to the Office of the Australian Information Commissioner.

20. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting. At this time, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard is adopted that we must follow in the future, we will update this policy accordingly.

California law requires us to disclose how we respond to DNT signals. Because there is not currently an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

21. Account Deletion

You can permanently delete your account from Settings → Profile → Delete Account. When you confirm deletion:

1. Your account enters a 7-day soft-delete window. If you sign back in during those 7 days, the deletion is cancelled.
2. After 7 days, a scheduled cleanup process:
   • Deletes your Firebase Authentication account
   • Deletes your user record from our database
   • Anonymizes any community signals and usage events you contributed by replacing your user identifier with a generic tag so they can no longer be associated with you
   • Deletes any pending community submissions

Local data on your device (humidor, journal, wishlist, photos) can be removed by uninstalling the app.

For users who cannot access the app (for example, if you signed in with Google or Apple and can no longer access the app), please email us at apps@kennedycustomdesigns.com with your account email address to request account deletion.

22. Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. If such a transfer occurs, we will require the receiving party to honor this privacy policy or provide you with notice before your personal information becomes subject to a different privacy policy.

23. Do We Make Updates to This Policy?

We may update this Privacy Policy from time to time. The updated version will be indicated by the “Last updated” date at the top. If we make material changes to how the app handles data, we will show a notice inside the app the next time you open it. We encourage you to review this policy periodically.

24. How Can You Contact Us?

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, contact us:

To exercise any of your privacy rights, submit a request by emailing us at the address above. We will verify your identity and respond within the timeframes required by applicable law.

This Privacy Policy was last reviewed and updated on April 14, 2026.