1. Introduction
Sportiverse ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.
GDPR Compliance: We are fully compliant with the General Data Protection Regulation (GDPR) for users in the European Union.
2. Information We Collect
Personal Information You Provide
- Account Information: Email, password, first name, last name
- Profile Information: Date of birth, nationality, profile picture, bio
- Sports Data: Club memberships, match statistics, training schedules
- User Content: Comments, match results, team rosters
Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers
- Advertising Identifiers: Apple IDFA (iOS) and Google Advertising ID (Android), used by our advertising partner to serve and measure ads. Collection of IDFA on iOS requires your explicit permission via the App Tracking Transparency prompt.
- Usage Data: App features used, time spent, interaction patterns
- Performance Data: Crash reports, performance metrics
Analytics Data (With Consent)
If you consent to analytics, we collect:
- App usage patterns and feature engagement
- User journey and navigation flows
- Performance and stability metrics
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the service | Contract performance |
| Create and manage your account | Contract performance |
| Enable sports organization features | Contract performance |
| Send service-related notifications | Legitimate interest |
| Analytics and improvements | Consent |
| Display advertising to support the free service | Legitimate interest (non-personalized ads) / Consent (personalized ads) |
| Administrative audit logging (fraud prevention, dispute resolution, platform integrity) | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation |
4. Data Sharing and Disclosure
We Share Data With:
- Other Users: Profile information, match results, and statistics as part of the service
- Club/League Members: Information relevant to your sports activities
- Service Providers: Firebase (Google) for infrastructure and authentication
- Advertising Partners: Google AdMob for displaying ads. See the "Advertising" section below for details.
We Do NOT:
- Sell your personal information
- Use your data for email or push marketing without consent
4a. Advertising
Sportiverse displays ads to support the free service. We use Google AdMob (operated by Google LLC) as our sole advertising partner.
What AdMob Collects
- Apple IDFA (iOS) or Google Advertising ID (Android)
- Approximate (non-precise) location derived from IP address
- Device information (model, OS, language)
- Interactions with ads (views, clicks)
Personalized vs Non-Personalized Ads
If you are located in the European Economic Area, United Kingdom, or Switzerland, we show a consent form on first launch asking whether you allow personalized ads. You can change this choice at any time in Settings → Privacy.
- With consent: AdMob may use your advertising identifier to show ads tailored to your interests.
- Without consent: Only non-personalized ads are shown, based on contextual signals rather than your profile.
iOS App Tracking Transparency
On iOS 14.5 and later, Apple requires an additional permission prompt before any tracking across apps. If you decline the prompt, no IDFA is shared with AdMob and you will only see non-personalized ads.
Learn More
For details on how Google handles data collected from partner sites and apps, see Google's Partner Data Policy. To opt out of personalized ads across Google services, visit Google Ad Settings.
4b. Administrative Audit Logs
When an action that affects who can govern a club is taken — an admin adding, promoting, demoting, or removing a member, a member (including an admin) leaving a club they belong to, an admin editing club settings or rotating the invite code, or an admin deleting the club — we write a short record to an internal audit log. This section explains what is captured, why, and how long it is kept.
What we log
For member-level actions (a member added, promoted, demoted, removed, or leaving):
- The user ID (UID) of the acting user — the admin who took the action, or the member themselves if they left
- The UID of the affected user (which may be the same person as the acting user, e.g. when a member leaves)
- The display names of the acting user and the affected user, as shown at the time of the action
- The action type — one of member-added, admin-promoted, admin-demoted, member-removed, member-left
- The club ID and a timestamp
For club-level actions (settings changes, invite-code rotation, club deletion):
- The UID of the acting admin
- The acting admin's display name (captured at the time of the action) — only for club deletion; club-settings edits and invite-code rotations record only the UID
- The action type — one of club-updated, club-invite-code-rotated, club-deleted
- For club-updated, the names of the fields that changed (e.g. "name", "description", "colors") — never the field values themselves
- The club ID and a timestamp
We do not capture email addresses, profile content, free-form notes, the actual contents of changed club settings, or any other personal data in audit logs. Where display names are captured, they are captured only as they were at the time of the action, so the entry remains readable for dispute resolution if the people involved later delete their accounts or change their names. While your account remains active, the audit-log viewer displays your current display name from your live profile — the captured name is shown only as a fallback after the original user record is no longer available.
Why we log this
The audit log exists purely to allow us to investigate disputes — for example, if a user reports they were kicked or demoted unfairly, or if we need to investigate coordinated abuse of admin powers. It is not a user-facing feature and is not used for profiling, analytics, advertising, or product development.
Retention and automatic deletion
Each audit-log entry is automatically deleted 90 days after the action it records, enforced by a Firestore time-to-live policy. We cannot extend this window for individual entries.
Legal basis
The processing relies on GDPR Article 6(1)(f) — legitimate interests pursued by Sportiverse (fraud prevention, dispute resolution, and platform integrity). We have balanced this against your rights and freedoms:
- Necessity: the captured display names are needed so that entries about a member leaving or being removed remain readable after that person's account is deleted; without them, the most relevant rows for a dispute would render as "unknown user."
- Data minimization: the log is limited to UIDs, action metadata, and (where applicable) the display names of the acting user and the affected user. No emails, profile content, free-form notes, or club-settings values are captured. Club-settings edits record only the names of fields that changed, not their contents.
- Live-name preference: while a user's account exists, the audit-log viewer shows that user's current display name from their live profile. The captured name is read only as a fallback when the original user record is no longer available.
- Short retention: 90 days from the action, enforced by a Firestore time-to-live policy.
- No secondary use: the data is not shared with third parties and is not combined with your profile for any other purpose (no profiling, analytics, advertising, or product development).
Account deletion and this log
If you exercise your right to erasure (delete your account), we remove your personal data from our systems as described in sections 6 and 7. However, any UID of yours, and the display name as it was at the time of the action, already captured in audit-log entries before deletion will remain in those entries for the remainder of their individual 90-day windows, and will then be auto-deleted along with each entry. We cannot remove individual entries on request.
Right to object
You can object to this processing by emailing privacy@sportiverse.no and citing the specific audit-log entries or timeframe. Because this processing serves fraud-prevention and dispute-resolution interests that may override an individual objection, we cannot guarantee immediate deletion within the 90-day window; we will, however, review each request on its merits. Regardless of the outcome, every entry is auto-deleted once its 90 days elapse.
5. Data Storage and Security
Storage Location
Your data is stored on Google Firebase servers, primarily located in:
- Europe (for EU users)
- United States (for non-EU users)
Security Measures
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
- Secure authentication via Firebase Auth
- Regular security audits and updates
- Access controls and monitoring
6. Your Rights (GDPR)
Under GDPR, you have the following rights:
Right to Access
Request a copy of your personal data we hold
Right to Rectification
Correct inaccurate or incomplete personal data
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data (with 30-day grace period). Note: administrative audit logs containing your UID and the display name recorded at the time of each action remain for up to 90 days from the original action and are then auto-deleted; we cannot remove individual entries on request (see section 4b).
Right to Restrict Processing
Limit how we use your personal data
Right to Data Portability
Receive your data in a structured, machine-readable format
Right to Object
Object to processing based on legitimate interests
Right to Withdraw Consent
Withdraw consent for analytics at any time in Settings
To exercise these rights: Go to Settings → Privacy in the app or contact us at privacy@sportiverse.no
7. Data Retention
We retain your data for different periods based on the type:
- Account Data: Until account deletion + 30-day recovery period
- Match Statistics: Indefinitely for historical records (anonymized after account deletion)
- Analytics Data: 2 years
- Logs and Security Data: 90 days
- Administrative Audit Logs: UID, action metadata, and the display names of the people directly involved (captured at the time of each action) — 90 days from the action, auto-deleted by Firestore TTL. Retained through account deletion until each entry's window elapses (see section 4b).
8. Children's Privacy
Sportiverse requires users to be at least 13 years old. Users under 18 require parental consent. We do not knowingly collect data from children under 13.
9. International Data Transfers
If you're in the EU and your data is transferred outside the EU, we ensure appropriate safeguards through:
- Standard Contractual Clauses
- Adequacy decisions
- Privacy Shield frameworks (where applicable)
10. Cookies and Tracking
The Sportiverse mobile app does not use cookies. We may use:
- Local storage for app preferences
- Analytics SDKs (only with your consent)
- Firebase Performance Monitoring (anonymized)
- Mobile advertising identifiers (IDFA / Google Advertising ID) via Google AdMob — see section 4a
11. Changes to This Policy
We will notify you of significant changes via:
- In-app notifications
- Email to your registered address
- Prominent notice in the app
Contact Information
Data Protection Officer
Email: privacy@sportiverse.no
Address: Hagegata 1A
Oslo, Norway
Supervisory Authority (Norway)
Datatilsynet (Norwegian Data Protection Authority)
Website: www.datatilsynet.no