Privacy Policy

1. Introduction

PlayPredict ("we", "us", "our") is a free-to-play tournament prediction game operated from Malta. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Maltese data protection laws.

This policy explains what data we collect, why we collect it, and your rights regarding that data.

PlayPredict operates as a multi-tenant platform. Regardless of which organisation or subdomain you access the service through, PlayPredict remains the data controller for all personal data processed through the platform.

2. Data We Collect

• Email address - provided at sign-in for magic-link authentication.
• Prediction data - the match predictions you submit while using the game.
• Usage data - basic analytics such as pages visited, timestamps, and device type, collected to improve the service.

3. Legal Basis for Processing

We process your personal data under Article 6(1)(f) GDPR - legitimate interest. Processing your email address is necessary to provide the authentication service, and processing prediction data is necessary to deliver the core game functionality. We have assessed that these interests do not override your fundamental rights and freedoms.

4. How We Use Your Data

• Authentication - your email is used solely to send magic-link sign-in emails and identify your account.
• Game functionality - prediction data is stored to calculate scores, display leaderboards, and provide the core game experience.
• Service improvement - aggregated, anonymised usage data helps us understand how the app is used and where to improve.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Cookies and Local Storage

We use a single essential httpOnly authentication cookie to keep you signed in. This cookie expires after 7 days and is strictly necessary for the service to function. We do not use advertising cookies or any non-essential cookies.

Our analytics provider (PostHog) uses localStorage to maintain an anonymous session identifier. This identifier does not contain personal data and is used solely to understand how the service is used in aggregate. You can clear this data at any time through your browser settings.

6. Third-Party Services and International Data Transfers

We rely on the following third-party services to operate PlayPredict:

• Amazon Web Services (AWS) - cloud hosting and infrastructure (US-East-1 region).
• Amazon Simple Email Service (SES) - delivery of magic-link authentication emails.
• PostHog - product analytics to understand how the service is used and improve the experience. PostHog processes data on EU-based servers (Frankfurt). Data collected includes pages visited, feature usage, and session metadata. Your email and user ID are linked to analytics data to provide per-user insights. PostHog does not sell or share this data with third parties.

Your data is stored on AWS servers in the United States and PostHog servers in the European Union. The AWS transfer is lawful under the EU-US Data Privacy Framework, under which AWS is certified. All providers process data on our behalf under data processing agreements that comply with GDPR requirements.

7. Data Retention

We retain your personal data for as long as your account is active. If you request account deletion, we will erase your personal data within 30 days, except where retention is required by law.

8. Your Rights (GDPR)

Under the GDPR, you have the right to:

• Access - request a copy of the personal data we hold about you.
• Rectification - request correction of inaccurate data.
• Erasure - request deletion of your personal data ("right to be forgotten").
• Restriction - request that we limit how we process your data.
• Portability - receive your data in a structured, machine-readable format.
• Objection - object to processing of your data in certain circumstances.

To exercise any of these rights, contact us at privacy@playpredict.io. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (HTTPS), secure authentication tokens, and access controls on our infrastructure.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the app or by email. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or data requests, contact us at privacy@playpredict.io.