Legal
Privacy policy
How we process personal data when you use tiptilldone.com. Last updated: May 2026.
1 · Controller
Weirdo.Rocks LLC (US, state: Florida),
7901 4th St N STE 300
St. Petersburg, Florida 33702, USA
Contact: office@weirdo.rocks
2 · What we process
Account: email (for magic-link login), username, language, sign-up & last-login timestamps.
Gameplay: your tips, chosen tags, round memberships, match comments, optional prize sign-ups.
Technical: shortened IP (abuse protection only), browser user-agent, session cookie (httpOnly, EU-hosted), language-preference cookie.
Payments (Premium/Founder): handled by Polar Software Inc. We see the transaction (amount, tier, time) — never card data.
Newsletter / waitlist: email + language + source + confirmation token + confirmation timestamp (for double-opt-in documentation); unsubscribe in every email footer.
Telegram integration (optional): When you link your Telegram account to tiptilldone, we store your Telegram user ID, Telegram username, and link timestamp. For rounds with a linked Telegram group chat we additionally store the group's chat ID. You can unlink at any time (Telegram /unlink or via settings).
Push notifications (optional): If you enable browser push, we store the push subscription issued by your browser (the push service endpoint URL plus the two cryptographic keys p256dh and auth). We use it to send you reminders (e.g. tip deadlines, results). Delivery technically goes through your browser vendor's push service (Google for Chrome/Android, Mozilla for Firefox, Apple for Safari/iOS). You can revoke push anytime in settings or your browser permissions.
3 · Purposes & legal bases
- Providing the game & login — Art. 6 (1) (b) GDPR (contract).
- Newsletter / waitlist — Art. 6 (1) (a) GDPR (consent), revocable anytime.
- Abuse defence, server logs (max. 14 days) — Art. 6 (1) (f) GDPR (legitimate interest).
- Invoice & tax records for Fan Pass / Founder — Art. 6 (1) (c) GDPR (statutory retention).
- Telegram integration & bot notifications — Art. 6 (1) (b) GDPR (contract; you opt in actively).
- Push notifications — Art. 6 (1) (a) GDPR (consent; you actively enable them via the browser prompt), revocable anytime.
4 · Recipients & processors
- Vercel Inc. — hosting, EU region (fra1), DPA signed.
- Supabase Inc. — database & auth, Frankfurt EU, DPA signed.
- Resend, Inc. — transactional email (login link, confirmations, match results, newsletter).
- Plausible Analytics — EU-hosted, cookie-free, no personal profiling.
- Google Analytics 4 (Google Ireland Ltd.) — only with your consent ("Accept all"), with IP anonymization and no ad/personalization signals. Legal basis: Art. 6 (1) (a) GDPR; US transfers under Art. 46 GDPR SCCs. Withdraw anytime via the cookie notice.
- Polar Software Inc. — payment processing as Merchant of Record (separate controller; see Terms §4).
- Anthropic, PBC — AI Picks generation; processes match fixtures only, no personal data.
- Telegram FZ-LLC — bot messages when you link your Telegram account. We transmit: your Telegram user ID (for DMs) or group chat ID, message text, reply markup. Telegram's privacy terms: telegram.org/privacy.
- Crossmint — Optional Founder Badge mint feature (V1.5); activated only if a Founder chooses to mint.
- Browser-vendor push services — if you enable push, notifications are delivered via your browser's push service: Google LLC (FCM, Chrome/Android), Mozilla (Firefox), or Apple Inc. (Safari/iOS). Only the notification itself and your push endpoint are transmitted; third-country transfers, where applicable, under SCCs per Art. 46 GDPR.
US-based providers process EU data either in EU regions or under Art. 46 GDPR SCCs. Full processor list available on request.
5 · Cookies
We use only strictly necessary cookies (session, language, CSRF). Permitted without consent (Art. 5 (3) ePrivacy Directive). No third-party ad pixels, no retargeting.
You may additionally enable Google Analytics 4 via "Accept all" in the cookie notice. Analytics cookies are set only then; without your consent no Google script is loaded. You can withdraw your choice anytime (clear cookies).
6 · Retention
- Account + gameplay: while your account is active; deletion on request or via settings.
- Dormant accounts (no login > 24 months): notice email; deletion 60 days after if no reply.
- Server logs: 14 days.
- Invoice records: 7 years (Austrian § 132 BAO).
- Newsletter: until you unsubscribe.
7 · Your rights
Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21). You can withdraw consent at any time with future effect. We reply within 30 days. You may lodge a complaint with the Austrian DPA (dsb.gv.at).
8 · Export & deletion
Settings expose “Export data” (JSON of all gameplay) and “Delete account” (immediate, irreversible). Fan Pass / Founder purchases keep tax records archived for 7 years per § 132 BAO; everything else is anonymized.
9 · Profiling, automated decisions
None. Scoring follows the transparent, documented rule chosen for the round.
10 · Security
TLS 1.3 in transit, AES-256 at rest. Passwordless magic links — no password to steal. Row-Level Security isolates user data. Security advisories at tiptilldone.com/security.
11 · Affiliate links
Some editorial pages (stadium guides, match previews) carry affiliate links to streaming services, jersey shops, or travel platforms. Such links are visibly labelled "Ad" / "Anzeige" per § 5a UWG. If you purchase via an affiliate link, we may receive a commission; the price you pay does not change. We do not link to gambling, betting, or casino offers. Clicking an affiliate link takes you to the partner site; their privacy terms apply there.
12 · Changes
We notify active users by email at least 30 days before material changes. Always-current version at tiptilldone.com/datenschutz.