Google's OAuth verification team flagged that the privacy policy at /legal/privacy did not document how the application interacts with Google user data. The policy has been rewritten to satisfy Google API Services User Data Policy requirements.

• Explicit table of every Google scope requested (openid / userinfo.email / userinfo.profile) with what each returns and how Hollahoop uses it
• Explicit confirmation we do not request Gmail / Drive / Calendar / Contacts / Photos or any sensitive scope
• 'What we don''t do' section: no resale, no advertising, no behavioural targeting, no AI/ML training on Google data, no human review (with the standard support / security / legal carve-outs)
• Limited Use compliance statement linking to the Google API Services User Data Policy
• Sub-processors, cookies, retention (30-day logs, 7-day account delete with up to 30-day backup tail), GDPR rights, contact, last-updated date
• Replaced the original 3-paragraph policy with a structured 11-section document