← Back to EventCrawler

Privacy policy

Last updated: 2026-05-30 · Version 0.3 (DRAFT)

DRAFT — pending counsel review. This document is a working draft prepared during development. It accurately describes what the application currently does with your data, but it has not been reviewed by a qualified data-protection lawyer and must be before the service is offered to the public. Treat it as informational until then.

1. Who we are

EventCrawler ("we", "us") is a development-stage application for finding live and upcoming sports events on a map, recording the ones you attend, and earning achievements. The service is operated by the individual developer building it. For data-protection questions or to exercise any of the rights described below, contact privacy@example.invalid (placeholder — to be replaced before launch).

2. What data we collect and why

2.1 Account data

When you sign up, we collect an email address, a username, and a password(stored only as a hash by our authentication provider). Lawful basis: performance of the contract between you and us — without these we can't give you an account.

2.2 Profile data

Your level, XP, an optional avatar URL, and an internal role flag (user, admin, club) used for access control. Other signed-in users see only your username, level, XP, and avatar — never your email or role. Lawful basis: contract.

2.3 Location data

When you open the map, the browser asks your permission to share your approximate location. We use this only client-side to center the map; the coordinates are not transmitted to our servers and are not stored. If you deny permission we show a default area instead. Lawful basis: consent (you give it via the browser prompt).

Once the mobile app launches with geofenced check-ins, location samples taken during an event window will be transmitted and stored as evidence of attendance, and this section will be updated to describe that processing in detail before the mobile app collects any data.

2.4 Attendance data

The events you RSVP to (planned attendance) and the events you check in to (verified attendance, mobile-only). Used to award XP, unlock achievements, and show you your own history. Lawful basis: contract.

Visibility of your attended events is controlled by an attendance-visibility setting on your profile, which you can set to private (only you — the default), friends (people you have a mutual friendship with), or public(any signed-in user). When attendance is visible to someone, they may see it on your profile and in social features such as “who was there”. This setting is independent of your overall profile-visibility setting; RSVPs (planned, not yet attended) are never shown to others.

2.5 User-submitted content

Events you submit for moderation through the user-submission flow. Approved submissions become public events visible to everyone. Lawful basis: contract (your direct request).

2.6 Photos and rendered cards

When you mint a trading card after attending an event you upload one photo of your choosing. We store two files per card:

  • Original photo — the file you uploaded, stored privately in our Supabase storage in the EU. Only you (the owner) and EventCrawler administrators (for content moderation) can read it.
  • Rendered card — a derivative image we generate by compositing your photo into a brand frame at 1080×1350. Same access rules until and unless you list the card on the marketplace (a future feature), at which point the rendered card becomes visible to potential trade partners as part of the listing.

Photos can contain personal data of you and people pictured with you. We do not currently apply any automated face-recognition, background-removal, or content-classification model — moderation is done by humans (EventCrawler administrators). The originals are used only to generate the rendered card and for moderation; we do not analyse them with third-party AI services.

Lawful basis: contract (you uploaded them as part of using the cards feature). Retention: as long as the card row exists; deleted on account erasure (both the database row and the underlying storage file).

2.7 Marketplace activity

When you list a card on the trade market, the card's metadata (event, rarity, rendered image, your username) becomes visible to every signed-in user browsing the market — that exposure is the point of listing. When you make a trade offer, the cards you offer become visible to the lister of that listing. When a trade completes, both parties' ownership of the affected cards changes, and we record a row in our internal trade_history table so each side has a permanent record of the trade.

Trade history is retained for the lifetime of either participant's account. If you delete your account, your user id is removed from the trade history records, but your username at the time of deletion is preserved as a snapshot (e.g. "traded with previousUsername") so the other party's trade record remains meaningful. We consider this proportionate because usernames were already public to other signed-in users while your account was active.

Pending trade offers and active listings are deleted (or cancelled) on account deletion via database cascades; only the completed trade_history rows persist in anonymised form.

Lawful basis: contract. Retention: as described above.

2.8 Abuse reports

You can flag a listing, trade offer, or card for admin review. We keep your report (reason text, what you flagged, when) so admins can investigate and so we have a record of moderation decisions. Reports you filed are included in your data export. If you delete your account, your pending reports are cascade-deleted; reports that have already been resolved survive without your user id (the resolver id stays).

Lawful basis: legitimate interest (keeping the service safe).

2.9 Cookies

We use strictly necessary cookies to keep you signed in and protect against cross-site request forgery. We do not currently use analytics, advertising, or tracking cookies. If that changes we will introduce a consent mechanism before turning them on.

2.10 Server logs

Our hosting and database providers retain technical logs (IP addresses, request timestamps, error traces) for short periods to operate the service, prevent abuse, and debug failures. Lawful basis: legitimate interest (operating a secure, reliable service).

3. Who we share data with (sub-processors)

  • Supabase(Supabase, Inc.) — authentication, database, and storage. EU project region (Frankfurt). DPA in place via Supabase's standard terms.
  • Mapbox (Mapbox, Inc.) — map tiles and forward geocoding for venue addresses. Your IP is visible to Mapbox when the map loads in your browser.
  • API-Football (API-Sports SAS) — sports fixture data. Outbound only; we send no user data to API-Football.
  • Vercel (Vercel, Inc.) — hosting (planned). Standard server logs as described in 2.6.

4. How long we keep your data

  • Account, profile, attendances, achievements, cards — for as long as your account exists.
  • Photos and rendered card images — same: as long as the corresponding card row exists.
  • After you delete your account — most data is hard-deleted from our active database and storage buckets immediately (backups roll over within 30 days). Two exceptions: completed trade_history rows persist with your username preserved as a snapshot but your user id removed, and already-resolved abuse reports you filed persist without your user id, both as described in sections 2.7 and 2.8.
  • Server logs — retention is set by the provider (typically 30 days for Vercel, 7 days for Supabase). Logs are not tied to user identity beyond IP + timestamp.

5. Your rights

Under the GDPR (if you are in the EU/EEA) and equivalent laws elsewhere, you have the rights to:

  • Access — see what we hold about you. Available via the Download my data button on your profile page.
  • Rectification — fix inaccurate data. You can update your profile from the app.
  • Erasure — delete your account and associated data. Available via the Delete account link on your profile page.
  • Portability — receive a machine-readable copy of your data (the same JSON the Download my data button produces).
  • Objection and restriction — contact us at the address above.
  • Lodge a complaint— with your local supervisory authority (in Germany, your state's Landesdatenschutzbeauftragte/r).

6. International transfers

Data is stored in the EU (Supabase Frankfurt region). Some sub-processors (Mapbox, API-Football) may transfer aggregate technical data to the United States; transfers rely on the providers' standard contractual clauses or Data Privacy Framework certifications.

7. Changes to this notice

If we make material changes we will update the version and date at the top and, where appropriate, notify signed-in users in the app.

8. Contact

Questions, complaints, or data requests: privacy@example.invalid (placeholder).