Privacy Policy

When you register, we collect and store the following data in our authentication system (Supabase): your email address, a password hash (we use bcrypt and never store your actual password), your email verification timestamp, and, if you register via Google, your Google account ID, email address and given name as provided by Google.

Legal basis: Art. 6(1)(b) GDPR — processing is necessary to perform the contract (your account and use of the service).

After registration, you create a profile. We store the following profile data:

For optional fields collected on the basis of Art. 6(1)(a) GDPR, you may withdraw your consent at any time by deleting the relevant data in your profile settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

To provide the core service, we store your picks, group memberships, group configuration set by the group owner, settlement records for group-internal arrangements, and Hall of Fame records. Hall of Fame records contain only display name and score, never your email address or contact information.

Visibility of pick data is controlled by Row-Level Security in our database: you see only your own picks until the lock or kick-off deadline, after which group members can see each other's picks.

Legal basis: Art. 6(1)(b) GDPR.

If you actively enable web push notifications (for example by clicking "turn on" in the in-app prompt on /app/sports, or via your notification settings), we store the following data on our infrastructure to deliver notifications to your device:

1. the push endpoint URL provided by your browser or operating system,
2. the public encryption keys (p256dh and auth) provided by your browser,
3. your browser's user-agent string,
4. your per-category channel preferences (currently: pick reminders, essentials, banter), which determine for each category whether notifications are delivered by email, by push, or not at all.

This data is created only when you actively opt in. It is deleted when you opt out in the app or in your browser/OS settings, or when your browser invalidates the endpoint.

Legal basis: Art. 6(1)(a) GDPR — your freely given consent, expressed through the active opt-in click. You may withdraw your consent at any time, with effect for the future, by disabling notifications in the app or in your browser/OS settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Storage of the push subscription on your device is not strictly necessary to provide the service and therefore does not fall within the exemption of § 25(2) TDDDG. We rely on your explicit consent under § 25(1) TDDDG, obtained via the active opt-in click described above.

We maintain logs to detect abuse and audit privileged actions, including admin action logs, game audit logs and group audit logs. Our infrastructure providers (Lovable Cloud, Supabase) also record standard hosting logs containing IP address, user agent, timestamp and request path. These logs are retained per provider defaults and are not exported to third parties for analytics purposes.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interests in (i) detecting abuse, cheating and unauthorised access to protect the fairness of the game for all users; (ii) auditing privileged administrative actions to ensure accountability; and (iii) maintaining the technical security and integrity of the platform.

We have carried out a balancing assessment: the logs are retained for a limited period only (audit logs: 12 months; hosting logs: up to 30 days per provider defaults), are not shared with third parties for marketing or analytics purposes, and are accessed only where there is a specific reason to investigate an incident. We consider that our interests are not overridden by users' interests, given the minimal intrusiveness of the processing and the importance of platform security for all users.

You have the right to object to processing based on our legitimate interests under Art. 21 GDPR; please contact us at hello@tinyhamster.app.

If you win a prize competition, we will contact you via your registered email address. At your request, you provide either a PayPal email address or SEPA bank details (account holder name, IBAN, optional BIC) for the payout. Payment details are not stored by default and are collected solely for the single payout event. Once the transfer is complete, the payment details are discarded. Payout records and supporting documents are retained in accordance with the German commercial and tax retention obligation (§ 147 AO) as described in Section 5.

Legal basis: Art. 6(1)(b) GDPR (performance of the prize arrangement) and Art. 6(1)(c) GDPR (legal retention obligation under § 147 AO).

We use essential storage only. A Supabase authentication session token is stored in your browser's localStorage to keep you signed in. This is strictly technically necessary for the service to function. A short-lived OAuth state cookie is set during a Google sign-in redirect, only when you use that sign-in method, and is automatically deleted as soon as the OAuth flow completes. We also store the dismissed/collapsed state of in-app UI hints (such as the notification and engagement nudges on /app/sports) in your browser's localStorage, so that hints you have already dismissed do not reappear on every visit.

No other cookies, tracking scripts, advertising pixels or non-essential browser storage is used.

These storage operations fall within the exemption under § 25(2) No. 2 TDDDG (German Telecommunications and Digital Services Data Protection Act), which dispenses with the consent requirement where storage is strictly necessary to provide a digital service explicitly requested by the user. No consent banner is therefore required.

To help you submit your picks before the applicable lock deadline, we send automated transactional reminder emails ("Pick Reminders"). These are service-operational emails; they are not marketing communications, newsletters, or promotional messages.

Data processed. For each Pick Reminder, we process the following data:

1. your email address (from your account in Supabase Auth),
2. your user ID and group membership,
3. lock deadline timestamps for the relevant competition or matchday,
4. a pick-completeness flag (a boolean value indicating whether you have already submitted picks for the upcoming deadline — no pick content or selections are processed),
5. reminder dispatch records: a deduplication key (reminder_key), sent timestamp (sent_at), and associated email address.

No tracking pixels, open-rate tracking, or click trackers are used in Pick Reminders.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in notifying you before your picks are locked, given that you have actively registered to participate in a prediction competition and can reasonably expect reminder communications before a deadline. We have assessed that this interest is not overridden by your interests or fundamental rights: the emails are strictly transactional, contain no promotional content, and are subject to a hard cap of three reminder emails per user per day. You may opt out at any time (see below).

Processor. Pick Reminders are dispatched via Mailgun, operated by Sinch Email, acting as a sub-processor through Lovable Cloud's email infrastructure. Email sending and processing take place within the EU. A data processing agreement covering this processing activity is in place with Lovable Cloud.

Retention. Reminder dispatch records (reminder_key, email address, sent_at) are retained in an append-only log for 90 days, after which they are deleted.

Unsubscribe / right to object. Every Pick Reminder email contains a one-click unsubscribe link. Unsubscribing globally suppresses all Pick Reminders for your account (no granular per-sport selection is available). Authentication emails (password reset, email verification) are not affected by an unsubscribe. You may also object to this processing at any time by contacting us at hello@tinyhamster.app. Opting out does not affect your ability to continue using the Service.

Suppression list. Email addresses that have unsubscribed, generated a hard bounce, or triggered a spam complaint are stored on a permanent suppression list. This data is retained indefinitely to ensure that no further Pick Reminders are sent to those addresses.

Legal basis for the suppression list: Art. 6(1)(f) GDPR — our legitimate interest in honouring opt-outs and in complying with email deliverability standards; and Art. 6(1)(c) GDPR — compliance with applicable anti-spam obligations.

In addition to Pick Reminders, we send two further categories of engagement communications, dispatched manually by an authorised administrator. For each category, you can choose per channel (email, push, or off) how you wish to receive it; the channels are mutually exclusive, and no message is sent on more than one channel.

(a) Essentials — service-related announcements such as new releases, planned or unplanned outages, changes to our terms, and the launch of new sport modes. Essentials are operational communications directly tied to your use of the prediction service.

Data processed. We process your email address and/or push subscription (depending on your channel preference), your user ID and your per-category channel preference for Essentials. No tracking pixels, open-rate tracking, or click trackers are used.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in informing active users of a prediction game about service-relevant changes that may affect their participation. We have assessed that this interest is not overridden by your interests: the messages are strictly service-operational, contain no promotional content, are sent infrequently and on an ad-hoc basis, and you may opt out at any time per channel via your notification settings or via the one-click unsubscribe link in any Essentials email.

(b) Banter — editorial and community content such as recaps, storylines and other "nice-to-have" entertainment around the prediction games.

Data processed. We process your email address and/or push subscription (depending on your channel preference), your user ID and your per-category channel preference for Banter. No tracking pixels, open-rate tracking, or click trackers are used.

Legal basis: Art. 6(1)(a) GDPR — your freely given consent, expressed by setting the Banter channel preference to "email" or "push" in your notification settings. We do not rely on legitimate interest for Banter, given its community/marketing-adjacent character. You may withdraw your consent at any time, with effect for the future, by setting the Banter channel preference to "off" or by using the one-click unsubscribe link in any Banter email. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Recipient filtering. For both categories, recipients are filtered server-side before dispatch. Email addresses or push subscriptions that have unsubscribed, that are on the suppression list, or whose channel preference is set to a different value are hard-blocked from delivery.

Unsubscribe. Every Engagement email contains a one-click unsubscribe link compliant with RFC 8058 (List-Unsubscribe and List-Unsubscribe-Post headers). Unsubscribes are honoured immediately for the relevant category. You may additionally toggle each category off in your in-app notification settings at any time.

Processor. Engagement emails are dispatched via the same email infrastructure as Pick Reminders (Mailgun / Sinch Email, sub-processor via Lovable Cloud). Engagement push notifications are delivered via the standard browser/OS push services using the subscription data described in Section 2.4.

Retention. Engagement broadcast dispatch records (broadcast ID, category, channel, recipient address or subscription reference, sent timestamp) are retained in an append-only send log for 90 days, after which they are deleted. The email suppression list described in Section 2.8 applies equally to Engagement emails.