R Rivalio

Rivalio — Privacy Policy

⚠️ This is a template, not legally binding advice. Prior to deployment, the Operator recommends review by a lawyer specialising in data protection. This template was generated by AI and may not reflect the latest legislative changes nor the actual technical implementation.

Data Controller: Rivalio s.r.o., Company ID 29509751, with its registered office at Nové sady 988/2, Staré Brno, 602 00 Brno, Czech Republic, registered with the Regional Court in Brno under file no. C 151679 (the "Controller").

Version: 1.1 Effective from: [TO FILL IN: deployment date after legal review] Related Terms of Service version: 1.2

Contact for data-protection matters: privacy@rivalio.cz

1. Introduction

1.1 Purpose of this document

1.1.1. This Privacy Policy (the "Policy") describes what personal data the Controller processes in connection with the operation of the digital service Rivalio available at https://rivalio.cz (the "Service" or "Rivalio"), for what purposes, on what legal basis, for how long, and to whom it is disclosed.

1.1.2. The Policy is an integral part of the contractual relationship with the Data Subject and supplements the Rivalio Terms of Service (version 1.2).

1.1.3. The Policy reflects in particular:

  • Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation, "GDPR"),
  • Czech Act No. 110/2019 Coll. on the processing of personal data,
  • Czech Act No. 480/2004 Coll. on certain information-society services,
  • Czech Act No. 127/2005 Coll. on electronic communications (§ 89 — cookies),
  • CJEU judgments C-210/16 (Wirtschaftsakademie) and C-40/17 (Fashion ID) on joint controllership.

1.2 Who the Policy applies to

1.2.1. The Policy applies to all Data Subjects whose personal data the Controller processes — in particular:

  • Users (registered consumers and business customers who have concluded a contract with the Controller),
  • Players and other persons whose data is entered into Rivalio by tournament/league organisers (the Controller acts as a processor with respect to such data — see Section 10),
  • Website visitors (cookies, analytics — if activated with consent).

2. Definitions

Term Definition
Controller Rivalio s.r.o., the entity determining the purposes and means of processing (Article 4(7) GDPR).
Data Subject An identified or identifiable natural person whose personal data the Controller processes.
Processor A third party processing personal data on behalf of the Controller under contract (Article 28 GDPR). Recipients are listed in Section 7.
Personal Data Any information relating to an identified or identifiable natural person (Article 4(1) GDPR).
Processing Any operation performed on personal data (collection, storage, organisation, use, erasure, etc.) — Article 4(2) GDPR.
Cookies Small text files stored in the Data Subject's browser.
Account A user profile in Rivalio protected by login credentials.
Service The Rivalio application as defined in Section 1 of the Terms of Service.

3. Data Protection Officer (DPO)

3.1 The Controller has not appointed a DPO

3.1.1. The Controller is not required to appoint a DPO under Article 37(1) GDPR or § 6 of Czech Act No. 110/2019 Coll. The reasons:

  • the Controller is not a public authority or body,
  • the Controller's core activities do not consist of large-scale regular and systematic monitoring of Data Subjects,
  • the Controller does not process special categories of personal data on a large scale (Article 9 GDPR) or data on criminal offences (Article 10 GDPR).

3.2 Contact point for data protection

3.2.1. All questions, requests, and complaints concerning the processing of personal data should be addressed to:

E-mail: privacy@rivalio.cz Postal address: Rivalio s.r.o., Nové sady 988/2, Staré Brno, 602 00 Brno, Czech Republic

3.2.2. If the processing changes in such a way that the obligation to appoint a DPO arises, the Controller will appoint one and update this Policy.

4. Categories of personal data processed

4.1 Identification and contact data

  • first name and surname,
  • e-mail address,
  • phone number (optional for Users, required for Players entered by organisers),
  • username (login).

4.2 Billing data (for Business Customers and tax invoicing)

  • company name,
  • Company ID (IČ),
  • VAT number (DIČ, if the Data Subject is a VAT payer),
  • billing address.

4.3 Authentication data

  • username,
  • password hash (bcrypt; a plaintext password is never stored),
  • date and IP of last successful registration/login,
  • optional two-factor authentication (2FA) — shared secret encrypted in the database.

4.4 Account and Service data

  • Tariff purchased (Basic, Standard, Premium),
  • date of purchase, date of expiry, end of read-only phase,
  • order and payment history,
  • features used, number of tournaments/leagues created.

4.5 Operational and technical data

  • IP address (encrypted; retention per Section 6),
  • User-Agent string,
  • timestamps (registration, login, in-app actions),
  • log files (errors, access audit, authorisation).

4.6 User Content

  • tournament and league names, configuration,
  • team logos, statistics, match results,
  • names and contact details of players entered by an organiser (the Controller acts as processor for such data — see Section 10).

4.7 Behavioural data (consent only)

  • if the Data Subject grants consent via the cookie banner — telemetry of in-app behaviour (analytics).
  • Note: the Controller does not currently use any analytics tools such as Google Analytics or heatmaps. If activated in the future, the Policy will be updated and the Data Subject re-informed.

4.8 Marketing data (consent only)

  • if the Data Subject grants separate consent — preferences for newsletters.
  • Note: the Controller does not currently run any marketing e-mail campaigns.

4.9 § 1837 Czech Civil Code audit trail — consent before performance starts

4.9.1. In connection with § 1837(l) of the Civil Code and § 1822 of the Civil Code, the Controller keeps an immutable audit record that the Consumer expressly consented to performance starting before the 14-day withdrawal period and was informed about the loss of that right. The record (in table payment_consents) contains:

  • both consents (checkbox A and B),
  • the verbatim text of the consents as shown to the Data Subject at the moment of the order,
  • the language of the order, the Terms of Service version then in force,
  • IP address and User-Agent of the device,
  • server-side timestamp.

4.9.2. This record is necessary to prove the lawfulness of processing and to enforce contractual rights. Retention: see Section 6.

5. Purposes of processing and legal bases

5.1 Performance of a contract (Article 6(1)(b) GDPR)

5.1.1. The Controller processes personal data to:

  • register and maintain the Account,
  • supply the Service in the scope of the chosen Tariff,
  • process orders and payments,
  • issue tax documents (invoices),
  • send transactional e-mails (registration, order, payment, Tariff expiry),
  • provide customer support.

5.1.2. If the Data Subject refuses to provide data necessary for the performance of the contract, the Controller cannot conclude or perform the contract.

5.2 Compliance with a legal obligation (Article 6(1)(c) GDPR)

5.2.1. The Controller retains:

  • tax documents (invoices) for 10 years under § 35 of Czech Act No. 235/2004 Coll. on VAT,
  • accounting records for 10 years under § 31 and § 32 of Czech Act No. 563/1991 Coll. on accounting,
  • complaint records for the duration of statutory warranty rights,
  • records of the Controller's compliance with information obligations (Articles 13 and 14 GDPR).

5.3 Legitimate interests (Article 6(1)(f) GDPR)

5.3.1. The Controller processes data on the basis of legitimate interests for:

  • security and operation of the application — error tracking via Sentry (stack trace + IP at the moment of error), access logging, administrative audit,
  • fraud prevention — analysis of access patterns (e.g. repeated failed login attempts),
  • establishment and defence of legal claims (e.g. debt collection),
  • internal administrative purposes within a group of organisations (Article 47 GDPR, recital 48 — the Controller currently has no branches).

5.3.2. The Data Subject has the right to object to processing on the basis of legitimate interests (Article 21 GDPR) — see Section 11.

5.4 Consent of the Data Subject (Article 6(1)(a) GDPR)

5.4.1. On the basis of the Data Subject's consent (granted in the cookie banner or a separate form), the Controller processes:

  • non-essential cookies (analytics, marketing — if activated),
  • Google reCAPTCHA v3 on public registration forms (if activated),
  • embedded YouTube videos on tournament pages (cookie-gated playback),
  • (Since version 1.1, the Inter web font is self-hosted from rivalio.cz/fonts/inter/* — no request reaches Google, no consent required for typography.)

5.4.2. Consent is freely given, specific, informed, and unambiguous. The Data Subject may withdraw consent at any time — see Section 11.

5.5 Rivalio as processor for player data (Article 28 GDPR)

5.5.1. Where an organiser (a User — typically a club, association, sports federation) enters personal data of players into Rivalio (names, contacts, statistics), the organiser is the controller of such data and Rivalio acts as processor under Article 28 GDPR.

5.5.2. The organiser:

  • is responsible for the lawful basis vis-à-vis its players,
  • complies with the information obligation toward players (Article 13 GDPR),
  • responds to players' requests to exercise their rights (Articles 15–22 GDPR).

6. Retention periods

The Controller retains personal data only for as long as necessary for the relevant purpose:

Category Retention Legal basis for retention
Registration and contact data for the duration of the Account + 3 years after closure general limitation period (§ 629 Czech Civil Code)
Billing data, tax documents 10 years from the end of the tax period § 35 Act No. 235/2004 Coll., § 31 Act No. 563/1991 Coll.
Accounting records 10 years § 31 and § 32 Act No. 563/1991 Coll.
§ 1837 NOZ consent audit (payment_consents) 10 years link to accounting + evidentiary burden
Operational logs, IP addresses, login attempts 12 months CONS-SEC-010 — security forensics
Master admin audit log 12 months CONS-SEC-009 — ISO 27001 A.8.15
Spatie ActivityLog (Eloquent mutations) 12 months CONS-COMP-006 — data minimisation
Sessions (cookies) 30 days since last use automatic cleanup
Push subscriptions (web push) 90 days since last activity stale endpoints
Notifications (read) 6 months inbox cleanup
Cookies (essential) per banner expiry, max. 12 months EDPB 05/2020
Cookies (non-essential, consent-based) per expiry, until consent withdrawn Article 7(3) GDPR
Marketing data (newsletter consent) until consent is withdrawn Article 7(3) GDPR
User Content (tournaments, statistics) for the duration of the Account, optional anonymisation upon deletion contract

The Controller runs an automated cleanup process — daily at 04:00 (php artisan gdpr:clean-expired) — that removes records older than the periods set out above.

7. Recipients of personal data (Processors and third parties)

The Controller discloses personal data only to the following Processors:

7.1 Infrastructure

Subject Registered office Purpose Data categories US transfer
Hetzner Online GmbH Industriestraße 25, 91710 Gunzenhausen, Germany Application hosting, database, file storage, backups All data stored in Rivalio NO (DE/EU)

7.2 Communication, payments, invoicing

Subject Registered office Purpose Data categories US transfer
ComGate Payments, a.s., Company ID 27924505 Gočárova třída 1754/48b, 500 02 Hradec Králové, Czech Republic Processing of card payments (if paid through ComGate) Name, e-mail, billing address, transaction outcome; card data is processed by ComGate, the Controller does not access it NO (CZ)
Fakturoid s.r.o. Sudoměřská 1550/4, 130 00 Prague 3, Czech Republic Issuing tax documents (skeleton; ready for activation) Name/company, billing address, IČ, DIČ, order items, price NO (CZ)

7.3 Security and monitoring

Subject Registered office Purpose Data categories US transfer
Functional Software, Inc. (Sentry) 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA Error tracking and application monitoring (backend only) Stack trace, IP, User-Agent, optionally user ID YES — DPF certification + SCC

7.4 Functional third-party integrations

Subject Registered office Purpose Data categories US transfer Activation
Google Ireland Limited (reCAPTCHA v3) Gordon House, Barrow Street, Dublin 4, Ireland (contracting entity for EU); data in US/EU Bot protection on public registration form IP, User-Agent, behavioural data YES — DPF + SCC only if admin enables recaptcha_enabled
Google Ireland Limited (YouTube embed) Dublin, IE; data in US Embedded live-stream video (if organiser supplies a YouTube URL) IP, User-Agent, behavioural data, cookies YES — DPF + SCC conditional; youtube-nocookie.com variant, gated by Functional consent

The Controller does not currently use any other tracking pixels, marketing tools (e.g. Meta Pixel, Google Ads, Microsoft Clarity), e-mail marketing platforms (e.g. Brevo), third-party CDNs, or external authentication providers. Should this change in the future, the Controller will update the Policy and re-inform the Data Subject.

7.5 Public authorities

7.5.1. The Controller discloses personal data to public authorities only on the basis of law — typically the Tax Office (VAT control), courts, the Police of the Czech Republic, ÚOOÚ.

8. International transfers (outside the EU/EEA)

8.1 Countries and processors

8.1.1. Some personal data is processed in the United States by the following processors:

  • Functional Software, Inc. (Sentry) — California, USA,
  • Google LLC (through Google Ireland Limited as the contracting entity) — part of the server estate for reCAPTCHA, Fonts, and YouTube is in the USA.

8.2 Legal mechanism

8.2.1. Transfers to the USA are based on Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequacy of the protection of personal data under the EU-US Data Privacy Framework (DPF).

8.2.2. All US companies listed above are (or must be, prior to production deployment) certified under the DPF (https://www.dataprivacyframework.gov/list).

8.2.3. Standard Contractual Clauses (SCC) under Commission Decision (EU) 2021/914 of 4 June 2021 apply as a supplementary safeguard.

8.3 Right to a copy of the safeguards

8.3.1. The Data Subject has the right to request a copy of the appropriate safeguards for transfers to a third country (Article 46(2) GDPR) at privacy@rivalio.cz.

9. Joint Controllership

9.1.1. The Controller does not currently operate any tools that would trigger joint controllership under Article 26 GDPR — in particular, the Controller does not use Meta Pixel, Meta Conversions API, or other social-network tools for conversion tracking.

9.1.2. Should the Controller introduce such a tool in the future (typically Meta Pixel), the Policy will be updated and the Data Subject re-informed. Specifically, the following will be added:

  • description of joint responsibility,
  • link to the other controller's Joint Controller Addendum (e.g. https://www.facebook.com/legal/controller_addendum),
  • explanation of which controller fulfils which part of the information duty.

10. Rivalio ↔ Organiser ↔ Player relationship

10.1 Dual role of the Controller

10.1.1. Vis-à-vis the User (organiser — typically a club, association, sports federation, or a Consumer hosting a private tournament), Rivalio is the controller of personal data. The relationship is governed by this Policy.

10.1.2. Vis-à-vis players, referees, and other persons whose data the organiser enters into Rivalio (for the purposes of sports competitions), Rivalio acts as a processor under Article 28 GDPR. The organiser is the controller of such data and:

  • is responsible for the lawful basis vis-à-vis its players,
  • complies with the information obligation toward players (Article 13 GDPR),
  • responds to players' requests to exercise their rights (Articles 15–22 GDPR).

10.2 Recommended Data Processing Agreement (DPA)

10.2.1. The Controller recommends that B2B Users who enter personal data of third parties conclude a Data Processing Agreement (DPA) under Article 28 GDPR. A DPA template will be provided upon request at privacy@rivalio.cz.

10.2.2. Without an executed DPA, the Controller and User are bound by the general provisions of this Policy and the Terms of Service.

11. Rights of the Data Subject

11.1 Overview of rights (Articles 15–22 GDPR)

The Data Subject has the following rights:

Right Description
Right of access (Art. 15) The Data Subject may obtain confirmation whether the Controller processes their personal data and obtain a copy.
Right to rectification (Art. 16) The Data Subject may request correction of inaccurate data.
Right to erasure (Art. 17, "right to be forgotten") The Data Subject may request erasure, unless there is a legal ground for retention.
Right to restriction of processing (Art. 18) The Data Subject may request restriction of processing in statutory cases.
Right to data portability (Art. 20) The Data Subject may obtain their data in a structured, commonly used, machine-readable format.
Right to object (Art. 21) The Data Subject may object to processing based on legitimate interests or for direct marketing purposes.
Right not to be subject to automated decision-making (Art. 22) See Section 12 below — the Controller does not engage in automated decision-making.
Right to withdraw consent (Art. 7(3)) The Data Subject may withdraw consent at any time, with effect for the future.

11.2 Exercising rights

11.2.1. A request may be submitted:

  • by e-mail to privacy@rivalio.cz (preferred),
  • in writing to the Controller's registered office.

11.2.2. For identity verification, the Controller may request additional information (e.g. confirmation from the registered e-mail address). The purpose is to prevent abuse of rights by a third party.

11.2.3. Time limit: at the latest 30 days from receipt of the request (Article 12(3) GDPR). In complex cases, the time limit may be extended by 2 months with notice to the Data Subject.

11.2.4. Handling of the request is free of charge. Where requests are manifestly unfounded or excessive (in particular repetitive), the Controller may:

  • charge a reasonable fee covering administrative costs,
  • refuse to act on the request (Article 12(5) GDPR).

11.3 Complaint to a supervisory authority

11.3.1. The Data Subject has the right to lodge a complaint with a supervisory authority — particularly in the Member State of habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).

11.3.2. The competent supervisory authority in the Czech Republic is the Office for Personal Data Protection (ÚOOÚ):

Pplk. Sochora 27, 170 00 Prague 7 Phone: +420 234 665 111 Web: https://www.uoou.cz E-mail: posta@uoou.cz

12. Automated decision-making and profiling

12.1.1. The Controller does not engage in automated decision-making within the meaning of Article 22 GDPR that would produce legal effects concerning the Data Subject or similarly significantly affect them.

12.1.2. The Controller does not perform profiling of Data Subjects for marketing or price-differentiation purposes.

13. Security of personal data

The Controller has implemented appropriate technical and organisational measures to protect personal data (Article 32 GDPR):

13.1 Technical measures

  • HTTPS/TLS encryption of communication between the browser and the server,
  • bcrypt password hashing (passwords are stored only as hashes, never in plaintext),
  • Encryption of sensitive attributes in the database (Laravel encrypted cast) for:
    • player e-mails and phone numbers,
    • registration contacts (name, e-mail, phone),
    • IP addresses in beta feedback,
    • IBAN bank account numbers in organisation settings,
    • 2FA secrets and recovery codes.
  • Encrypted backups,
  • Audit logging of all administrative actions (master_admin_audit_log, Spatie ActivityLog),
  • Immutable audit trail for § 1837 consents (payment_consents),
  • Automated cleanup of stale data (daily),
  • Regular security updates of dependencies.

13.2 Organisational measures

  • Role-based access control (master_admin, owner, admin, referee, hostess, team_manager),
  • Mandatory two-factor authentication (2FA) for privileged roles (org_owner, master_admin),
  • Need-to-know access for employees and contractors,
  • Contractual confidentiality obligations for all persons with access to data,
  • Data Processing Agreements (DPAs) with every Processor (see Section 7).

13.3 Security incidents

13.3.1. In the event of a personal data breach likely to result in a high risk to the rights and freedoms of Data Subjects, the Controller will:

  • without undue delay (within 72 hours of becoming aware) notify ÚOOÚ (Article 33 GDPR),
  • without undue delay notify the affected Data Subjects (Article 34 GDPR).

14. Cookies

14.1.1. The Controller uses cookies of the following categories:

Category Purpose Legal basis
Essential Necessary for functionality — session, CSRF, cookie consent state Article 6(1)(f) GDPR; cookies strictly necessary for service delivery (§ 89(3) Act No. 127/2005 Coll.)
Analytics (optional) Statistical analysis of visitor behaviour Consent (Article 6(1)(a) GDPR) — if activated
Marketing (optional) Advertising targeting Consent — if activated
Functional (optional) Preferences (language, theme) Consent

14.1.2. A cookie banner appears on first visit and allows the Data Subject to grant or refuse consent for non-essential categories. Consent is stored in the browser's localStorage (cookie_consent_v2).

14.1.3. Details about individual cookies, their expiry, and providers are set out in a separate Cookies Policy, available at https://rivalio.cz/cookies-policy.

15. Children

15.1.1. The Rivalio Service is not primarily intended for children under 16 years of age. Under Article 8 GDPR, the processing of personal data of a child in the context of information-society services offered directly to a child is lawful only where the child is at least 16 years old (default under the GDPR).

15.1.2. Note for the Czech Republic: § 7 of Czech Act No. 110/2019 Coll. lowers this age to 15 years. The Czech threshold therefore applies to Data Subjects with habitual residence in the Czech Republic; other Member States may apply different thresholds (between 13 and 16).

15.1.3. Where the Data Subject is below the applicable age threshold, parental consent is required.

15.1.4. Note for organisers: organisers who enter player data of minors into Rivalio are responsible for obtaining consent from the parents/legal guardians. The Controller draws attention to this obligation but does not independently verify it.

15.1.5. If the Controller becomes aware of personal data of a child collected without parental consent, the data will be erased without undue delay.

16. Changes to this Policy

16.1.1. The Controller may amend this Policy at any time (particularly in response to changes in the legal framework, technology of processing, or scope of the Service).

16.1.2. The Controller will inform Data Subjects of material changes to the Policy:

  • by e-mail to the address on file,
  • by an in-app notice at the next login,
  • at least 30 days before the change takes effect.

16.1.3. The Data Subject has the right to withdraw any consent given under the previous version at any time — see Section 11.

16.1.4. The version of the Policy is always indicated in the header. The current version is available at https://rivalio.cz/privacy-policy.

17. Right to lodge a complaint

The Data Subject has the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data infringes the GDPR or Czech Act No. 110/2019 Coll.

The competent supervisory authority for processing carried out by the Controller is in the Czech Republic:

Office for Personal Data Protection (ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic Phone: +420 234 665 111 Web: https://www.uoou.cz E-mail: posta@uoou.cz

The Data Subject may also lodge a complaint with the supervisory authority of their country of habitual residence.

18. Final provisions

18.1 Governing law

18.1.1. This Policy is governed by the laws of the Czech Republic, in particular the GDPR and Czech Act No. 110/2019 Coll.

18.2 Relationship to the Terms of Service

18.2.1. This Policy forms an integral part of the contractual relationship with the Data Subject. Terms not defined here have the meaning given in the Rivalio Terms of Service version 1.2 (/terms-of-service).

18.3 Effective date

18.3.1. This Policy takes effect on [TO FILL IN: effective date] and replaces all previous versions.

18.4 Contact details

Item Value
Company name Rivalio s.r.o.
Company ID 29509751
Registered office Nové sady 988/2, Staré Brno, 602 00 Brno, Czech Republic
Commercial register Regional Court in Brno, file no. C 151679
E-mail for GDPR matters privacy@rivalio.cz
General contact info@rivalio.cz
Phone +420 775 132 147

End of Privacy Policy. Version 1.0, effective from [TO FILL IN].

Privacy Policy version: 1.0 · Back to Rivalio