1. Who we are
YourFriendsLeague is operated by SIA EGATRI (registration nr. 50203368661), a Latvian limited liability company with registered office at Bauskas nov., Codes pag., “Vaidelotes”, LV-3901, Latvia. We are the data controller for personal data processed through the Service.
Contact: contact@yourfriendleague.com
2. What data we collect
We collect only what we need to run the Service. Specifically:
| Category | Examples |
|---|---|
| Account data | Email, username, password (stored hashed with bcrypt), role (free/premium), creation date |
| Profile data | Optional bio, avatar (emoji or URL) |
| Game data | League memberships, predictions you make, points, achievements, prediction history |
| Communication data | Emails you send us, your notification preferences |
| Technical data | IP address (for rate limiting and security), browser user-agent, log entries with error stacks |
| Payment data | Limited info from Stripe (subscription status, card brand, last 4 digits, expiry). We do not store full card numbers. |
3. Why we process your data (and the legal basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Service (account, predictions, leaderboards) | Contract — Art. 6(1)(b) |
| Process Premium subscriptions | Contract — Art. 6(1)(b) |
| Send transactional emails (welcome, password reset, billing notices) | Contract — Art. 6(1)(b) |
| Prevent fraud, abuse, brute-force attacks (rate limiting, security logs) | Legitimate interest — Art. 6(1)(f) |
| Comply with legal obligations (e.g. tax, accounting if applicable) | Legal obligation — Art. 6(1)(c) |
| Send optional marketing emails (only if you opt in — currently no marketing emails are sent) | Consent — Art. 6(1)(a) |
4. Who we share data with
We share personal data only with these processors, under written data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Google LLC (Cloud Run, Gmail) | Application hosting, transactional email delivery | EU (us-central1 region for app) |
| Neon, Inc. | Managed PostgreSQL database | EU region (Azure West Europe) |
| Stripe Payments Europe, Ltd. | Payment processing for Premium subscriptions | Ireland (EU) |
| Google LLC (Google Analytics 4) | Anonymous traffic measurement — page views, geography (country-level), device type, referral sources. IP addresses are anonymised before storage. We do not enable Google Signals or ad personalisation. | EU (regional servers) |
We do not sell your data to third parties. We do not use third-party advertising trackers or analytics SDKs that profile you (e.g. Facebook Pixel, Google Analytics).
5. International transfers
Our processors may store or process data on servers operated by US-headquartered companies (Google, Neon, Stripe). Where this involves transfers outside the EEA, we rely on EU Standard Contractual Clauses (SCCs) and additional safeguards offered by the relevant processor.
6. How long we keep your data
- Active accounts: for as long as your account exists.
- Deleted accounts: personal identifiers are deleted within 30 days of account deletion. Aggregate, anonymised statistics may be retained.
- Billing records: 7 years from the end of the financial year, as required by Latvian tax law.
- Server logs: rotated after 30 days unless needed for security investigation.
- Password reset tokens: 1 hour after issue, then deleted.
7. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — request deletion of your account and data.
- Restriction — limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise these rights, email contact@yourfriendleague.com. We will respond within 30 days. We may ask you to verify your identity before processing the request.
You also have the right to lodge a complaint with the Latvian supervisory authority, the Data State Inspectorate (Datu valsts inspekcija, DVI): www.dvi.gov.lv.
8. Cookies & similar tracking
We use the following cookies and storage on this site:
| Category | Purpose | Consent |
|---|---|---|
| Strictly necessary (NextAuth session cookie) | Keeps you signed in across requests. Essential for the Service to function. | No consent required (essential, per EU ePrivacy law). |
| Analytics (Google Analytics 4: _ga, _ga_*) | Anonymous traffic measurement: page views, country-level geography, device type, referral source. Enables us to understand which content is useful and improve the Service. | Loaded with Google Consent Mode v2 in “denied” mode by default — no personal data is sent to Google until you grant consent via our cookie banner. Until consent is granted, Google receives only modelled, fully anonymous pings. |
We do not use advertising cookies, retargeting trackers, social-media pixels, or any cross-site profiling. Google Signals and ad personalisation are explicitly disabled in our GA4 configuration. We anonymise IP addresses before they are stored.
You can withdraw analytics consent at any time by clearing cookies for this site or by emailing contact@yourfriendleague.com.
9. Security
We protect your data with industry-standard measures including:
- HTTPS/TLS for all traffic
- Passwords hashed with bcrypt (never stored in plain text)
- Password reset tokens hashed with SHA-256
- Rate limiting on authentication endpoints
- HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, etc.)
- Database access restricted to the application; credentials stored in encrypted secrets
- Regular dependency updates
No system is 100% secure. If we become aware of a personal data breach likely to result in risk to your rights, we will notify the DVI within 72 hours and, where required, notify you directly.
10. Children
The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with data, please email us and we will delete it.
11. Automated decision-making
We do not use automated decision-making, profiling, or AI systems that produce legal effects concerning you.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice. The “Last updated” date at the top reflects the current version.
13. Contact
Questions, concerns, or requests about your data? Email contact@yourfriendleague.com or write to:
SIA EGATRI
Bauskas nov., Codes pag., “Vaidelotes”
LV-3901, Latvia