Privacy Policy

Effective Date: March 22, 2026 · Last Updated: March 25, 2026

Plain-English Summary: PardonMyBalls.com collects the minimum information needed to run your account — your email, a username, and your ball picks. We use privacy-focused analytics to understand how the app is used and to fix bugs, but we do not serve ads, sell your data, or send marketing emails. You can delete your account and all associated data at any time from within the app.

1. Information We Collect

PardonMyBalls.com (the “Service”), operated by dech, LLC (“we,” “us,” or “the Operator”), collects the following information when you create an account:

a. Account Data (Google OAuth 2.0)

Data | Storage | Retention
Email address | Supabase (US) | Until account deletion
Profile picture URL | Supabase (US) | Until account deletion
Username (chosen after sign-in) | Supabase (US) | Until account deletion

We do not store your Google password or OAuth tokens long-term. We do not access your Google contacts, Drive, Calendar, or any Google services beyond basic profile information required for authentication.

b. Gameplay Data (All Users)

Data | Storage | Retention
Ball number picks | Supabase (US) | Until account deletion
Pick timestamps | Supabase (US) | Until account deletion
Computed statistics (win rate, streaks, rank) | Supabase (US) | Until account deletion
Avatar color preference | Supabase (US) | Until account deletion

c. Automatic Data

We use session cookies provided by Supabase for authentication (keeping you logged in). These are essential cookies required for the Service to function.

We also collect limited usage data to understand how the Service is used and to fix bugs. This includes:

Data | Purpose | Provider
Page views and navigation paths | Understand feature usage | PostHog (US/EU)
Feature interactions (e.g., tab switches, button clicks) | Improve user experience | PostHog (US/EU)
Anonymous user identifier | Link events within a session | PostHog (US/EU)
User ID and username (authenticated users only) | Associate analytics with account for support and debugging | PostHog (US/EU)
Aggregate page view counts and web vitals (no cookies) | Monitor site performance | Vercel Analytics (US)
Page views, session data, and user interactions (uses cookies) | Understand traffic sources and usage patterns | Google Analytics (US)
Error stack traces, browser/OS type, sampled DOM snapshots on errors | Diagnose and fix bugs | Sentry (US)

PostHog analytics data is routed through our own domain (not a third-party domain), so no third-party tracking cookies are set. PostHog stores an anonymous identifier in your browser's local storage to recognize returning visitors. When you log in, we link this anonymous identifier to your account so that we can provide support and debug issues. When you log out, this link is severed. We do not send your email address to PostHog.

Vercel Analytics collects anonymous, cookie-free page view and performance data. It does not track individual users or set any cookies.

Google Analytics uses cookies to collect aggregate data about page views, session duration, and traffic sources. We use this data to understand how visitors find and use the Service. Google Analytics does not receive your username, email, or other account information from us. Google's use of this data is governed by Google's Privacy Policy.

d. What We Do NOT Collect

We do not collect: precise or approximate geographic location data, contacts or address books, financial or payment information, phone numbers, browsing history outside of this Service, or biometric data. While IP addresses are visible to our hosting and analytics infrastructure as a technical necessity of serving web traffic, we do not store or process IP addresses at the application layer for any purpose, and our analytics are configured to minimize IP-based data collection.

2. How We Use Your Information

We use the information we collect to:

  • Create and authenticate your account
  • Enable gameplay features (submitting picks, tracking results, displaying leaderboards)
  • Display your username and avatar on public leaderboards and statistics
  • Understand how features are used and improve the Service (via PostHog analytics, Google Analytics, and Vercel Analytics)
  • Maintain the security and integrity of the Service (fraud prevention, abuse detection)
  • Monitor and fix errors in the Service (via Sentry, with personally identifiable information disabled in our configuration)

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Performance of a Contract: Processing necessary to provide the Service to you (account creation, authentication, gameplay)
  • Consent: Where you have given us consent to process your data (e.g., creating an account via Google OAuth). You may withdraw consent at any time by deleting your account.
  • Legitimate Interests: Processing necessary for our legitimate interests, such as understanding how the Service is used (product analytics), maintaining the security and integrity of the Service, and diagnosing errors (error monitoring), provided those interests are not overridden by your rights

4. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We do not share your data with advertising networks or data brokers. We share data only with the following service providers, solely as necessary to operate and improve the Service:

  • Supabase (database & authentication): Stores your account data and gameplay data. Hosted in the United States.
  • Vercel (application hosting & analytics): Hosts and serves the web application. Vercel Analytics collects anonymous, cookie-free page view and web performance metrics. Hosted in the United States.
  • PostHog (product analytics): Receives usage events (page views, feature interactions) and, for authenticated users, your user ID and username to help us understand how the Service is used. We do not send your email address to PostHog. Analytics data is routed through our own domain (no third-party cookies). Hosted in the United States and the European Union.
  • Sentry (error monitoring): Receives error logs to help us diagnose and fix bugs. Personally identifiable information transmission is disabled in our Sentry configuration — your email, username, and other personal data are not intentionally sent to Sentry. Hosted in the United States.
  • Google Analytics (traffic analytics): Receives aggregate page view and session data via cookies to help us understand traffic sources and usage patterns. We do not send your username, email, or other account information to Google Analytics. Hosted in the United States.
  • Google (OAuth authentication): If you sign in with Google, Google processes your authentication request. We receive only your email and profile picture URL. Google's handling of your data is governed by Google's Privacy Policy.

We may also disclose your information if required by law, court order, or governmental request, or to protect the rights, safety, or property of the Operator, our users, or the public.

5. Cookies & Tracking Technologies

The Service uses the following browser storage:

  • Authentication cookies (Supabase): Essential cookies required to keep you logged in. These are strictly necessary for the Service to function and cannot be opted out of while using the Service.
  • Analytics local storage (PostHog): A small anonymous identifier stored in your browser's local storage (not a cookie) to recognize returning visitors and link usage events within a session. This identifier is reset when you log out. No third-party cookies are set because analytics data is routed through our own domain.
  • Analytics cookies (Google Analytics): Google Analytics sets first-party cookies (e.g., _ga) to distinguish unique visitors and track session information. These cookies contain randomly generated identifiers and do not contain personally identifiable information.

We do not use advertising or targeting cookies, third-party tracking pixels, social media tracking widgets, or fingerprinting technologies. Vercel Analytics is entirely cookie-free.

6. Data Retention

We retain your personal data for as long as your account is active. When you delete your account (available in the app's account settings), all of your data — including your profile, email, username, pick history, and computed statistics — is permanently and irreversibly deleted through a cascading deletion process. We do not retain your data after account deletion.

We may retain anonymized, aggregated data that cannot be used to identify you (e.g., total number of users) for internal analysis.

7. Data Security

We implement reasonable technical and organizational measures to protect your personal data, including:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted via HTTPS/TLS
  • Encryption at rest: Your data is encrypted at rest by our database provider (Supabase)
  • Row-Level Security (RLS): Database access controls ensure users can only modify their own data
  • PII exclusion: Our error monitoring system (Sentry) is configured to exclude personally identifiable information

While we take security seriously and implement industry-standard protections, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

a. Rights Under the GDPR (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete personal data
  • Erase your personal data (“right to be forgotten”)
  • Port your data to another service in a structured, machine-readable format
  • Restrict the processing of your personal data
  • Object to the processing of your personal data
  • Withdraw consent at any time (without affecting the lawfulness of prior processing)
  • Lodge a complaint with your local Data Protection Authority

b. Rights Under the CCPA/CPRA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Opt out of the sale or sharing of your personal information — we do not sell or share your personal information with third parties for cross-context behavioral advertising
  • Non-discrimination for exercising your privacy rights

c. Exercising Your Rights

To exercise any of these rights, you may:

  • Delete your account directly in the app (this permanently removes all your data)
  • Email us at contact@pardonmyballs.com with your request

We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA/CPRA). We will not charge a fee for processing reasonable requests. We may ask for additional information to verify your identity before fulfilling a request.

9. Children's Privacy

The Service is not directed at children under the age of 13 (or under 16 in the European Union). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at contact@pardonmyballs.com. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly.

10. International Data Transfers

Your data is processed and stored in the United States. If you are accessing the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on our service providers' compliance with applicable data transfer mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent safeguards for UK and Swiss transfers.

11. Do Not Track Signals

The Service does not track users across third-party websites. Our analytics are limited to activity within the Service itself. While there is no universal standard for how web services should respond to Do Not Track (“DNT”) browser signals, we note that our analytics do not involve cross-site tracking, advertising profiles, or data sales.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be effective when the updated policy is posted on this page with a revised “Last Updated” date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.

13. Contact Information

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

dech, LLC
Email: contact@pardonmyballs.com