Privacy Policy
Last updated: May 2, 2026
This policy describes how we process the personal data of users who use buzzeriq.com, in compliance with Regulation (EU) 2016/679 (GDPR).
1. Data Controller
2. Data We Collect
a) Data provided voluntarily
Email address (provided at signup), display name (optional), BuzzerBeater username and BBAPI access code (provided optionally for integration), and consent records (privacy policy, terms of service, BBAPI authorization — all with timestamps).
b) Authentication data
Login timestamps, authentication provider type (email/password or Google), session tokens. For authenticated users, we use only strictly necessary technical cookies for session management. These cookies do not track the user, are not shared with third parties, and do not require consent under the ePrivacy Directive (Art. 5.3).
3. Purpose of Processing
Your data is used exclusively to:
- Provide the BuzzerBeater analytics service
- Authenticate your account and manage sessions
- Retrieve your BuzzerBeater data via BBAPI (only with your explicit consent)
- Send transactional emails (verification, password reset)
3bis. Registration and Sign-In via Google
If you choose to register or sign in with Google ("Continue with Google"), the authentication process is managed via Google's OAuth 2.0 protocol, with Supabase as an intermediary for session management.
Google data we access
We request exclusively the OAuth scopes email and openid. Of these, we use only the email address associated with your Google account. We do not access any other Google data (display name, photo, contacts, calendar, files, etc.).
How we use Google data
The email address obtained from Google is used exclusively to:
- Create or update your user account on buzzeriq.com
- Authenticate you in subsequent sessions
- Send transactional emails (verification, password reset)
Sharing of Google data with third parties
The email address obtained from Google is shared exclusively with the following services, necessary for platform operation:
- Supabase (authentication): manages the OAuth flow and stores access credentials. Servers in the European Union. Info: supabase.com/privacy
We do not sell, rent, or share Google data with any other third parties for any purpose.
Storage and protection of Google data
The email address obtained from Google is stored in a PostgreSQL database managed by Supabase (servers in the European Union). Data protection is guaranteed by:
- Encryption in transit (TLS/HTTPS) for all communications
- Database access limited through authenticated credentials and network policies
- Daily encrypted backups on Cloudflare R2 (EU servers), with 30-day retention
Data is retained while your account remains active.
Deletion of Google data and revoking access
You can at any time:
- Delete your account from the profile page: your email address will be irreversibly anonymized (see "Account Deletion" section below)
- Revoke BuzzerIQ's access to your Google account from your Google account settings
3ter. Account Deletion and Anonymization
When you delete your account:
- Authentication account: permanently deleted (you will no longer be able to sign in)
- Personally identifiable data (email, name, BBAPI credentials, consents): irreversibly anonymized
- Anonymized records: may be retained for aggregate statistics as permitted under GDPR Recital 26
Irreversible anonymization constitutes a valid form of erasure under Art. 17 GDPR (right to erasure), as anonymized data is no longer considered personal data (GDPR Recital 26).
4. Legal Basis
Registered users: Processing is based on the performance of the service contract (Art. 6.1.b GDPR) and explicit consent provided at registration (Art. 6.1.a GDPR). You may withdraw consent at any time.
5. Cookies & Analytics
Technical cookies (strictly necessary)
For logged-in users, we use technical cookies strictly necessary for authentication and session protection. These cookies do not contain personal data, are not shared with third parties, and do not require prior consent (Art. 5.3 ePrivacy Directive, Art. 122 Italian Privacy Code).
Cookie-free analytics
Simple Analytics
Privacy-friendly solution that does not use cookies and does not collect personally identifiable data. Enables anonymous aggregate metrics. Does not require consent.
For non-logged-in visitors, no cookies are set.
6. Data Storage & Security
Account data is stored in Supabase (EU region). BBAPI codes are encrypted at rest using Fernet symmetric encryption. Passwords are handled by Supabase Auth (bcrypt hashing). All traffic is encrypted via HTTPS/TLS.
Account data (profile, authentication credentials) is backed up daily and encrypted on Cloudflare R2 (servers in the European Union). Backups are retained for 30 days and then automatically deleted. Data anonymized following account deletion is also removed from backups upon retention expiry.
Third-party services
- Supabase Auth — authentication management, GDPR-compliant, EU servers. Processes authentication data (email, password hash) as data processor. Info: supabase.com/privacy
- Cloudflare R2 — encrypted backup storage, EU servers. Info: cloudflare.com/privacypolicy
- Simple Analytics — cookie-free analytics, no personal data collected. Info: simpleanalytics.com/privacy
7. Your Rights (GDPR)
As a registered user, under GDPR you have the right to:
- Access (Art. 15): view your personal data from your profile
- Rectification (Art. 16): modify your data at any time
- Erasure (Art. 17): delete your account and all associated data
- Portability (Art. 20): request a copy of your data
- Withdraw consent: revoke BBAPI consent or delete your account at any time
You can exercise these rights directly from your profile or by contacting us at [email protected]
8. Changes to This Policy
This policy may be updated at any time. We invite you to periodically review this page.
9. Contact for Privacy Requests
For any questions about privacy, data access, rectification, or deletion requests, write to us at: