Privacy Policy
Last updated: 1 April 2026
1. Who we are
Score Social is a group-chat native football prediction platform. The data controller is the operator of this service. For privacy enquiries, account deletion requests, or subject access requests, contact the administrator directly via the in-app bug report tool or the contact details provided to you when you joined.
2. What data we collect and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Username, display name, first and last name | Account creation, leaderboard display | Contract (Art 6(1)(b)) |
| PIN (stored as a scrypt hash) | Authentication | Contract |
| Prediction selections per round | Running the competition | Contract |
| Scores, rank, season standings | Competition results and leaderboard | Contract |
| IP address | Rate limiting and brute-force protection | Legitimate interest (security) |
| Push notification subscription token | Match and round notifications (optional) | Consent (Art 6(1)(a)) |
3. Cookies and local storage
We use the following storage:
- ss_session — an HTTP-only, secure, same-site session cookie set on login. Strictly necessary; expires after 7 days.
- theme — localStorage preference (light/dark). Functional; no personal data.
- ss:timezone — localStorage preference (your timezone). Functional; no personal data.
We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking technology.
4. How long we keep your data
Your account data and prediction history are retained for the duration of your membership. IP rate-limit records are automatically purged within one hour. Admin action logs are retained for 12 months. If you delete your account, all associated entries, scores, and standings are permanently deleted. Admin audit log entries that reference your account are anonymised rather than deleted.
5. Who we share your data with
We do not sell or share your data with advertisers or marketing companies. Your data is processed by the following infrastructure providers:
- Supabase (database and file storage) — AWS us-east-1. Supabase acts as a data processor under a Data Processing Agreement.
- Vercel (application hosting) — US-based. Vercel acts as a data processor. Application request logs may contain IP addresses and path metadata.
- Push notification platforms (FCM, APNs, or Mozilla Push, depending on your device) — used only if you opt in to notifications.
All transfers to US-based processors are covered by Standard Contractual Clauses (SCCs) or equivalent UK IDTA mechanisms under the providers' published DPAs.
6. Your rights
Under UK/EU GDPR you have the right to:
- Access — request a copy of all data we hold about you.
- Portability — download your data in machine-readable JSON format from your account page.
- Erasure — delete your account and all associated data from your account page.
- Rectification — correct inaccurate personal data by contacting the administrator.
- Object to processing — contact the administrator to discuss any objection to how your data is used.
- Lodge a complaint — you have the right to complain to the Information Commissioner's Office (ICO) if you believe your data has been mishandled.
7. Security
PINs are hashed with scrypt before storage and never stored in plaintext. Sessions are signed with HMAC-SHA256 and transmitted only over HTTPS with strict same-site cookies. Access to the database uses a service-role key restricted to server-side code; no direct database access is granted to the browser.
8. Changes to this policy
We may update this policy when the app or its data practices change. The “last updated” date at the top of this page will reflect any revisions. Continued use of the service after a material change constitutes acceptance of the revised policy.
9. How to exercise your rights
To submit a subject access request, request erasure, or raise any privacy concern, contact the administrator at:
We will respond to all requests within one calendar month in accordance with UK GDPR Article 12.
If you are not satisfied with our response, or believe your personal data has been mishandled, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint