Privacy Policy
Version 1.0 — Effective April 1, 2026
This Privacy Policy explains how Vibora S.L. ("Vibora", "we", "our", or "us") collects, uses, stores, and protects your personal data when you use the Vibora platform ("Service"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection law.
1. Data Controller
The data controller responsible for your personal data is:
- Company: Vibora S.L.
- Email: privacy@vibora.cloud
For any questions or requests regarding your personal data, please contact our data protection point of contact at the address above.
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account and Identity Data
- Email address — provided during registration or retrieved from your social login provider.
- OAuth identifier — a unique identifier issued by Google, Apple, Facebook, or LinkedIn when you authenticate via social login. We do not store your social provider password.
- Display name — the name you choose to display on your player profile.
- Password hash — if you register with email and password, we store a one-way bcrypt hash of your password. The plain-text password is never stored.
2.2 Player Profile Data
- Profile avatar — an image you choose to upload. Stored on Google Cloud Storage (GCS) with access controlled by Vibora.
- Player statistics — tournament results, match scores, rankings, and performance data generated through your use of the Service.
- Friendship relationships — records of other Vibora users you have connected with.
2.3 Push Notification Token
- Firebase Cloud Messaging (FCM) token — a device-level token generated by Firebase, a service provided by Google LLC, used to send push notifications to your device if you have granted notification permissions.
2.4 Technical and Usage Data
- IP address and login logs — recorded when you authenticate, for security and fraud prevention purposes.
- Session data — a temporary session cookie is used during the OAuth2 login flow to maintain state between authorisation redirects. This cookie is not used for tracking and is deleted upon completion of the login process.
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR): Processing of your email address, password hash, OAuth identifier, player statistics, and tournament/match data is necessary to provide you with the Service you have registered for.
- Consent (Article 6(1)(a) GDPR): Processing of your Firebase push notification token is based on your explicit consent, given when you opt in to push notifications. You may withdraw this consent at any time via your device notification settings or within the application.
- Legitimate interests (Article 6(1)(f) GDPR): We process IP address and login log data to detect and prevent fraud, abuse, and unauthorised access. Our legitimate interest in maintaining the security of the Service outweighs any impact on your privacy given the limited nature of this data.
4. How We Use Your Personal Data
We use your personal data for the following purposes:
- To create and manage your account.
- To authenticate your identity when you log in.
- To provide tournament organisation, match scheduling, and results tracking features.
- To display your player profile, avatar, and statistics to other users within the Service.
- To send transactional emails (email verification, password reset notifications) via Mailgun, a service provided by Mailgun Technologies Inc.
- To send push notifications about tournament activity, match results, and account events, via Firebase Cloud Messaging.
- To detect, investigate, and prevent security incidents and fraudulent activity.
- To comply with our legal obligations.
5. Third-Party Service Providers
We share your personal data with the following categories of third-party service providers who process data on our behalf. We have data processing agreements in place with each of these providers.
- Google LLC — provides Google OAuth2 social login (processing your OAuth identifier and basic profile data), Google Cloud Storage (storing your avatar), and Firebase Cloud Messaging (processing your push notification token and delivering notifications to your device). Google processes data under its own privacy policy and standard contractual clauses.
- Apple Inc. — provides Sign in with Apple (processing your OAuth identifier when you choose this login method).
- Meta Platforms Ireland Ltd. — provides Facebook Login (processing your OAuth identifier when you choose this login method).
- LinkedIn Ireland Unlimited Company — provides LinkedIn Login (processing your OAuth identifier when you choose this login method).
- Mailgun Technologies Inc. — processes your email address to deliver transactional emails sent by the Service.
We do not sell your personal data to any third party. We do not share your personal data with advertisers or data brokers.
6. Data Retention
We retain your personal data for as long as your account is active. When you delete your account, we will permanently delete your personal data within 30 days of the deletion request, except where retention is required by applicable law or to resolve outstanding disputes.
Login logs and IP address records are retained for a maximum of 90 days for security purposes and then deleted.
Profile avatars stored on Google Cloud Storage are deleted promptly upon account deletion or profile update.
7. Your Rights Under the GDPR
Under the GDPR, you have the following rights in respect of your personal data:
- Right of access (Article 15): You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data.
- Right to rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): You have the right to request deletion of your personal data ("right to be forgotten") where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful.
- Right to data portability (Article 20): You have the right to receive a copy of the personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller.
- Right to object (Article 21): You have the right to object to processing of your personal data based on our legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Article 7(3)): Where processing is based on consent (e.g. push notifications), you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Right to restriction of processing (Article 18): In certain circumstances, you may request that we restrict the processing of your personal data.
To exercise any of these rights, please contact us at privacy@vibora.cloud. We will respond within 30 days. We may need to verify your identity before processing your request.
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Polish Data Protection Authority (Urząd Ochrony Danych Osobowych, UODO) at uodo.gov.pl.
8. Cookies
We use only a single, functional session cookie that is strictly necessary for the OAuth2 login flow. This cookie maintains the state of your authorisation request between redirects and is deleted automatically upon completion of the login process. It is not used for tracking, analytics, or advertising purposes.
We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.
9. International Data Transfers
Some of our third-party providers, including Google LLC and Mailgun Technologies Inc., may process your data outside the European Economic Area. Where this occurs, we ensure that appropriate safeguards are in place, including standard contractual clauses approved by the European Commission, to protect your data in accordance with the GDPR.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted data transmission (TLS), bcrypt password hashing, and access control restrictions on our infrastructure. However, no method of transmission over the internet is entirely secure, and we cannot guarantee absolute security.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on the Service or by sending a notification to your registered email address. The date of the most recent revision is shown at the top of this document.
12. Contact
For any privacy-related questions or requests, please contact:
- Email: privacy@vibora.cloud
- Company: Vibora S.L.