🔒 Privacy

Privacy Policy

This Privacy Policy explains how BlueManager ("we", "us") collects, uses, stores, and protects your personal data when you use the BlueManager web application, mobile PWA, and related services (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR) and the Czech Republic's Personal Data Processing Act.

1. Data we collect

You provide directly

• Account data: email address, username, optional display name, password (hashed and salted by Supabase Auth — we never see your plaintext password).
• Profile data: avatar choice, theme preference, faction, captain role, manager card customisations.
• User-generated content: votes, predictions, takes, comments, blueprints, scouting nominations, feedback submissions.
• Payment data: handled exclusively by Stripe — we receive only a customer ID and subscription status. We never see or store your card number, CVV, or expiry.

Collected automatically

• Gameplay data: BlueDeck collection, decks, match results, EP/Blues/TRX balances, achievement progress, leaderboard scores, predictions, login streak.
• Technical data: IP address (transient — for rate-limiting and abuse prevention), user-agent string, app version, language preference, timestamps of actions.
• Error and performance data: stack traces and session replays of errors via Sentry — used solely to fix bugs. Configured to mask sensitive form inputs.
• Push notification tokens (only if you opt in): a Firebase Cloud Messaging device token used to send notifications you've enabled.

2. Why we process your data (lawful bases)

Purpose	Lawful basis (GDPR Art. 6)
Provide the Service (account, gameplay, predictions, leaderboards)	Performance of contract
Process payments and manage subscriptions	Performance of contract
Fix bugs, security, abuse prevention, fraud detection	Legitimate interest
Send transactional emails (password reset, payment receipts)	Performance of contract
Send push notifications you opted into	Consent
Aggregate analytics (anonymous totals, no individual tracking)	Legitimate interest
Comply with legal obligations (tax, court orders)	Legal obligation

We do not sell your data, run third-party advertising, or use behavioural ad tracking.

3. Third-party processors

We share the minimum data necessary with the following sub-processors:

Processor	Purpose	Region
Supabase	Database, authentication, storage	EU (Frankfurt)
Netlify	Hosting, edge functions	Global (EU edge)
Stripe	Payment processing	EU / US (SCCs)
Sentry	Error monitoring	EU (Frankfurt)
OpenAI	AI feed and content generation (no PII sent — only public Chelsea data)	US (SCCs)
Google (Gemini, FCM, Fonts)	Research agent, push notifications, web fonts	EU / US (SCCs)
API-Football	Live match and stats data (no user data sent)	EU

For non-EU processors, transfers are protected by Standard Contractual Clauses (SCCs).

4. Cookies and local storage

We use strictly necessary browser storage only:

• Supabase auth cookie / localStorage — keeps you signed in.
• localStorage gameplay cache — your BlueDeck save, current page, theme, onboarding flags. Cloud-backed for resilience.
• sessionStorage — short-lived UI state (open modals, toast queues).

We do not use third-party advertising cookies, fingerprinting trackers, or marketing pixels. Because all storage is strictly necessary, no cookie banner is required under EU ePrivacy guidance — but you can clear it any time via your browser settings.

5. How long we keep data

Data	Retention
Account and profile	Until you delete your account, then up to 30 days for backup rotation
Payment records (invoices)	10 years (Czech accounting law)
Gameplay state	Until you delete your account
Error logs (Sentry)	30 days, then auto-purged
Daily user-progress snapshots	14 days, then rotated
Server logs (function_logs)	14 days INFO/WARN, 60 days ERROR/FATAL

6. Your rights (GDPR)

You have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data (most fields are editable in your profile).
• Erasure ("right to be forgotten") — delete your account and associated personal data. Some aggregated, anonymised data may remain.
• Portability — receive your data in a machine-readable format (JSON).
• Restriction — pause processing while a dispute is resolved.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — for any processing based on consent (e.g. push notifications).
• Lodge a complaint — with the Czech Office for Personal Data Protection (ÚOOÚ) or your local supervisory authority.

To exercise any of these rights, email hello@bluemanager.app from the address linked to your account. We respond within 30 days.

7. Security

We protect your data using:

• HTTPS/TLS for all connections.
• Passwords hashed with bcrypt (handled by Supabase Auth).
• Row Level Security (RLS) on every database table — users can only access their own data.
• Service role keys stored as environment secrets, never exposed client-side.
• Daily snapshots, retained for rollback in case of incident.
• Sentry monitoring for anomalies and errors.

No system is 100% secure. In the event of a personal-data breach affecting your rights and freedoms, we will notify the Czech supervisory authority within 72 hours and inform affected users without undue delay.

8. Children

BlueManager is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has signed up, contact us and we will delete the account.

9. International users

BlueManager is operated from the Czech Republic. By using the Service from outside the EU/EEA, you consent to your data being transferred to and processed in the EU and (via SCC-protected sub-processors) in the United States.

10. Changes to this policy

We may update this policy as the Service evolves. Material changes will be announced in-app and via email at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.

11. Contact

Questions, requests, or complaints: hello@bluemanager.app