Privacy Policy
Last updated: May 20, 2025
1. Introduction
Scoreo (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. It applies to all users, including those in the European Economic Area (EEA) and United Kingdom, where the General Data Protection Regulation (GDPR) and UK GDPR apply.
2. Data Controller
Scoreo is the data controller for personal data processed through the Service. Contact details for data protection enquiries are available via our website.
3. Data We Collect
We collect the following categories of personal data:
- Account data — email address, display name or username, and OAuth provider identifiers when you register.
- Profile data — optional profile information you provide (avatar, country, language preference).
- Usage data — pages visited, features used, and interactions with the Service, collected via server logs and analytics.
- Device data — browser type, device type, operating system, and IP address.
- Preference data — pinned leagues, favourite teams, and match preferences stored in your account.
- Cookie data — session tokens and preference cookies as described in Section 8.
4. Legal Basis for Processing (GDPR)
Where GDPR applies, we process your personal data on the following legal bases:
- Contract — to provide the Service you have signed up for (Art. 6(1)(b)).
- Legitimate interests — for analytics, security, and Service improvement, where these do not override your rights (Art. 6(1)(f)).
- Legal obligation — where we are required to process data to comply with applicable law (Art. 6(1)(c)).
- Consent — for optional communications and non-essential cookies, which you may withdraw at any time (Art. 6(1)(a)).
5. How We Use Your Data
We use collected data to:
- Provide, maintain, and improve the Service.
- Authenticate your identity and manage your account.
- Personalise your experience (e.g. saved preferences, pinned leagues).
- Send transactional emails (account confirmation, password reset).
- Monitor and analyse usage to improve features and security.
- Comply with legal obligations.
We do not sell your personal data to third parties.
6. Data Sharing
We may share your data with:
- Supabase — our database and authentication infrastructure provider (EU data centres where possible).
- Google — if you choose to sign in via Google OAuth.
- Vercel — our hosting platform, which processes request logs.
- Analytics providers — aggregated, anonymised usage data only.
- Legal authorities — where required by law or to protect our legal rights.
All processors are bound by data processing agreements consistent with GDPR requirements.
7. Data Retention
We retain your account data for as long as your account is active or as necessary to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal compliance purposes.
8. Cookies
We use the following cookies:
- Essential cookies — session tokens required for authentication. These cannot be disabled.
- Preference cookies — theme and language settings stored locally.
- Analytics cookies — anonymised usage statistics (e.g. Google Analytics). You may opt out via browser settings.
9. Your Rights (GDPR)
If you are located in the EEA or UK, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data (“right to be forgotten”).
- Restriction — request restriction of processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise these rights, please contact us through the contact information on our website. You also have the right to lodge a complaint with your local data protection authority.
10. International Transfers
Some of our processors operate outside the EEA. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses) in accordance with GDPR Chapter V.
11. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via the Service or by email. The “Last updated” date at the top of this page indicates when the policy was last revised.