Cupside

Legal

Privacy Policy

Last updated: May 2, 2026

This Privacy Policy explains what personal data Cupside processes when you use our mobile application and website (cupside.app), why we process it, and what rights you have.

1. Who we are

Cupside ("Cupside", "we", "us") operates the Cupside mobile application and the website at cupside.app. For privacy questions you can reach us at privacy@cupside.app.

For users in the European Economic Area, Cupside acts as the data controller of the personal data described below.

2. Data we collect

2.1 Account data

  • Email address (for sign-in and notifications)
  • Display name / nickname
  • Avatar image (if you upload one)
  • Country and platform preference
  • Authentication identifiers from OAuth providers, if you use them

2.2 Gameplay data

  • Matches you play, opponents, scores and timestamps
  • League and tournament participation, standings, ELO
  • Clan membership, role and history
  • Match screenshots you upload as proof, and OCR results derived from them

2.3 Communication data

  • Messages you send in chats (clan, tournament, direct)
  • Reactions, attachments, mentions and replies
  • Reports and blocks you submit, and reports filed against you

2.4 Device and technical data

  • Device push notification tokens (Firebase Cloud Messaging)
  • Operating system, app version and language
  • Crash logs and diagnostic events
  • IP address, processed for security and abuse prevention

2.5 Purchase data

  • Subscription status (Free / Pro), purchase tokens and entitlement state, received from Apple App Store or Google Play via our payments processor
  • We do not receive or store your full payment card details. Payments are processed by Apple, Google and (where applicable) RevenueCat.

3. How we use your data

  • To provide the core service: matches, leagues, tournaments, clans, chat
  • To deliver push and in-app notifications you opted in to
  • To enforce fair play, anti-cheat and community rules
  • To process Pro subscriptions and unlock paid features
  • To investigate disputes, walkovers and reported content
  • To improve product quality and fix bugs (aggregated diagnostics)
  • To comply with legal obligations

Legal bases (GDPR): performance of the contract (Art. 6(1)(b)), legitimate interests in running and securing the service (Art. 6(1)(f)), consent for optional features such as marketing emails (Art. 6(1)(a)), and legal obligation (Art. 6(1)(c)).

4. Who we share data with

We only share data with processors that help us run the service, under written agreements:

  • Supabase — database, authentication, storage and edge functions (data hosted in the EU).
  • Google Firebase — push notification delivery (Firebase Cloud Messaging).
  • Apple App Store / Google Play — distribution and in-app purchases.
  • RevenueCat — subscription receipt validation and entitlement management (when enabled).
  • OCR provider — match screenshots may be sent to a third-party OCR service to extract scores and stats. Screenshots are processed only for that purpose.

Other players see the data you publish: nickname, avatar, country, clan membership, ELO, match history, leaderboards, and messages in chats you participate in.

We do not sell your personal data and we do not share it with advertising networks.

5. International transfers

Some of our processors (e.g. Google, Apple, RevenueCat) operate in the United States. Where data leaves the EEA, we rely on the EU-US Data Privacy Framework or Standard Contractual Clauses approved by the European Commission.

6. Data retention

  • Account and gameplay data: while your account exists.
  • Chat messages: retained until you or a moderator delete them, or until your account is deleted.
  • Match screenshots: retained for the duration of the relevant competition plus a reasonable dispute window.
  • Backups: deleted on rolling cycles (max 35 days after deletion of the source record).
  • Tax and billing records: retained as required by applicable law.

7. Your rights

Subject to applicable law (including GDPR for EEA users), you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (see Delete account)
  • Restrict or object to certain processing
  • Receive a portable copy of your data
  • Withdraw consent at any time
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@cupside.app.

8. Children

Cupside is not intended for children under 13 (or under 16 in the EEA where local law sets a higher threshold). We do not knowingly collect data from children below those ages. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Security

We use industry-standard measures to protect your data: encryption in transit (TLS), encryption at rest, row-level security in our database, scoped storage buckets and least-privilege server functions. No system is perfectly secure; if you suspect a security issue, write to security@cupside.app.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the app or by email. The "Last updated" date at the top of this page reflects the most recent revision.