1. Data Controller
The Data Controller is Alessandro Giupponi (hereinafter also 'ScoreLab'), who can be reached for any issue relating to data protection at the e-mail address privacy@scorelab.it.
2. Types of data collected
ScoreLab collects the following categories of personal data of users who register and use the service:
| Category | Data | Collection method |
|---|---|---|
| Personal Data | First and Last Name | Manual input or via Google account (Google Sign-In) |
| Contact Data | E-mail address | Manual input or via Google account (Google Sign-In) |
| Profile Data | Profile picture (avatar) | Voluntary upload by the user or imported from the Google profile |
| Technical Data | Log data, IP address, browser/device type | Automatically collected by servers during navigation |
No sensitive data under Art. 9 GDPR (data relating to health, ethnic origin, sexual orientation, religious or political beliefs, biometric data, etc.) is collected.
3. Purpose and legal basis of the processing
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Creation and management of the user account | Execution of a contract (Art. 6, par. 1, let. b) |
| Providing predictions and gaming services between friends | Execution of a contract (Art. 6, par. 1, let. b) |
| Sports information and updates on competitions | Execution of a contract (Art. 6, par. 1, let. b) |
| Technical management of the platform (logs, security, debug) | Legitimate interest of the Controller (Art. 6, par. 1, let. f) |
| Compliance with legal obligations | Legal obligation (Art. 6, par. 1, let. c) |
Data is not used for direct marketing, commercial profiling, or statistical analysis purposes through third-party analytical cookies.
4. Processing methods
Processing takes place using electronic and computer tools. Data is stored digitally on secure cloud infrastructures. The Controller adopts appropriate technical and organizational measures to protect data against unauthorized access, loss, destruction, or disclosure, in accordance with Art. 32 GDPR.
5. Recipients and data processors
Personal data may be communicated to the following technological service providers, appointed as Data Processors in accordance with Art. 28 GDPR:
| Provider | Service | HQ Sede | Privacy Policy |
|---|---|---|---|
| Google LLC | Google Firebase (autenticazione, database, storage) | USA — Standard Contractual Clauses (SCC) | policies.google.com/privacy |
| Neon Inc. | NeonDB (database relazionale PostgreSQL) | USA — Standard Contractual Clauses (SCC) | neon.tech/privacy-policy |
Data is not sold, assigned, or communicated to third parties for their own purposes, outside of what is indicated in this privacy policy.
6. Data transfer to third countries
Some of the providers indicated above (Google LLC, Neon Inc.) are based in the United States. Data transfer to these countries takes place in compliance with the guarantees provided by the GDPR, in particular by means of the Standard Contractual Clauses (SCC) adopted by the European Commission and, where applicable, by means of the EU-US Data Privacy Framework.
7. Retention periods
| Data Category | Retention Period |
|---|---|
| Account data (name, email, avatar) | For the duration of the account. In case of cancellation, within 30 days of the request |
| Log and technical data | Maximum 12 months, unless legally required |
| Data relating to predictions and leagues | For the duration of the account. Deleted within 30 days of closure |
8. Rights of the data subjects
As a data subject, you have the right to:
- Access (Art. 15 GDPR): obtain confirmation of processing and a copy of your data;
- Rectification (Art. 16 GDPR): correct inaccurate or incomplete data;
- Erasure (Art. 17 GDPR): request erasure of your data ('right to be forgotten');
- Limitation (Art. 18 GDPR): limit processing under certain circumstances;
- Portability (Art. 20 GDPR): receive your data in a structured, readable format;
- Objection (Art. 21 GDPR): object to processing based on legitimate interest;
- Withdraw consent (Art. 7, par. 3 GDPR): withdraw consent at any time.
To exercise your rights, write to privacy@scorelab.it. The Controller will reply within 30 days of receiving the request.
You also have the right to lodge a complaint with your local Data Protection Authority (Garante per la Protezione dei Dati Personali in Italy, www.garanteprivacy.it).
9. Minors
The ScoreLab service is aimed at people aged 16 or over. The Controller does not knowingly collect personal data of minors under 16. If such unintentional collection is detected, the data will be deleted immediately.
10. Changes to this Privacy Policy
The Controller reserves the right to modify this Privacy Policy at any time, in particular following regulatory changes or modifications to the service. Substantial changes will be communicated to registered users via e-mail or through a prominent notice on the platform. The updated version will always be available at www.scorelab.it/privacy-policy.