Privacy Policy
Last updated: May 6, 2026
PlayAsOne respects your privacy and processes your personal data in accordance with applicable data protection laws. For users in the EU/EEA, this includes the EU General Data Protection Regulation (GDPR), which applies to PlayAsOne LLC under Article 3.2 GDPR as a US-based controller offering services to EU residents.
1. Data controller
The controller for the processing of your personal data is PlayAsOne LLC, New York City, NY, USA. Full company details are listed in the Imprint.
Privacy questions: support@playasone.com
2. What data we collect
- Account data: email address, display name, username, password (hashed), profile avatar, signup provider (email, Google, Apple).
- Optional profile data: phone number (only if you choose phone verification), bio, social handles.
- Gameplay data: matches you log, results, leagues you join, tournaments, leaderboards, XP, badges, head-to-head stats.
- Communication: in-app inbox messages, transactional emails (login codes, weekly summaries, invitations).
- Payment data: when you purchase coin bundles, payment is handled by Mollie. We only receive a transaction reference and amount — never your card or bank details.
- Technical data: IP address, browser type, device type, referrer URL, session cookies, error reports.
- Optional avatar generation: if you use the AI avatar feature, a selfie or uploaded image is sent to our AI provider for processing.
3. Why and how we process
We process your personal data based on the following legal grounds:
- Contract performance (GDPR Art. 6.1.b): authentication, account management, leagues, tournaments, leaderboards, in-app messaging, payment processing.
- Legitimate interest (Art. 6.1.f): fraud and abuse prevention, security monitoring, error logging, product improvement.
- Consent (Art. 6.1.a): analytics cookies, marketing communications, AI avatar processing — withdrawable at any time.
- Legal obligation (Art. 6.1.c): tax records, response to lawful authority requests.
4. Retention periods
- Account data: as long as your account exists, plus 30 days after a deletion request (recovery window).
- Gameplay data: kept aggregated and anonymized after account deletion to preserve historical leaderboards.
- Payment records: 7 years (applicable tax law).
- Server logs: 30 days.
- Email communications: 2 years from last interaction.
- Cookie consent records: 12 months.
5. Sub-processors
We share your data with the following processors, each under a Data Processing Agreement:
- Supabase Inc. — database, authentication, storage (US, with EU data regions).
- Vercel Inc. — application hosting and edge functions (US/EU).
- Resend — transactional email delivery (US).
- Mollie B.V. — payment processing for coin purchases (Netherlands/EU).
- Google LLC — Google Analytics 4 (US, optional, only after consent).
- Anthropic PBC — AI processing for badges and copy generation (US).
- fal.ai — AI avatar image processing (US, only when the feature is used).
- Sentry — error monitoring (US/EU).
6. International data transfers
Several processors are located outside the EEA (notably the US). For these transfers we rely on the EU Standard Contractual Clauses (SCC) and, where applicable, the EU-US Data Privacy Framework. We do not knowingly transfer personal data to jurisdictions without an adequate level of protection.
7. Your rights
Under the GDPR you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten").
- Right to restrict processing.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object to processing based on legitimate interests.
- Right to withdraw consent at any time, without affecting prior lawful processing.
- Right not to be subject to automated decision-making with legal effects.
To exercise any of these rights, contact us at support@playasone.com. We respond within 30 days.
8. Right to lodge a complaint
EU/EEA residents have the right to lodge a complaint with their local Data Protection Authority. A directory of EU supervisory authorities is available at edpb.europa.eu. Belgian residents can contact the Gegevensbeschermingsautoriteit (GBA): gegevensbeschermingsautoriteit.be.
9. Minors
PlayAsOne is intended for users aged 16 and over. Users below 16 must obtain verifiable consent from a parent or legal guardian. We do not knowingly collect personal data from children under 13.
10. Security
We apply industry-standard technical and organisational measures including TLS encryption in transit, encryption at rest, role-based access control, Row Level Security on the database, regular backups, and least-privilege principles. Despite our efforts, no service can guarantee absolute security; in case of a personal data breach we will notify the supervisory authority within 72 hours where required.
11. Changes to this policy
We may update this policy. The updated version takes effect on the date shown at the top. Material changes will be communicated via the app or email.