VibraXX
Privacy Policy

Your privacy is our priority. This policy explains how we collect, use, protect, and retain your personal data in compliance with UK and EU data protection laws.

UK GDPR
EU GDPR
CCPA
PIPEDA

Data Controller Information

Company: Sermin Limited (trading as VibraXX)

Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Company Number: 16778648 (England & Wales)

Privacy Contact: team@vibraxx.com

Last Updated: December 11, 2025

1. Information We Collect

1.1 Personal Information

  • Account Data: Full name, email address, date of birth (for age verification)
  • Authentication Data: Google OAuth credentials (managed via Supabase Auth)
  • Profile Information: Username, avatar, country/region

1.2 Financial Information

  • Payment Data: Processed securely via Stripe (PCI-DSS Level 1 compliant). We do not store complete card details on our servers.
  • Transaction Records: Purchase history, payment amounts, timestamps
  • Prize Winnings: Details of prizes won, payout methods, tax documentation where required

1.3 Usage and Performance Data

  • Quiz Performance: Scores, correct/incorrect answers, response times, leaderboard rankings
  • Game Logs: Session data, questions answered, timestamps, IP addresses
  • Anti-Cheat Data: Behavioral patterns, device identifiers, anomaly detection metrics

1.4 Technical Data

  • Device Information: Browser type, operating system, screen resolution
  • Network Data: IP address, approximate geolocation (country/city level)
  • Cookies & Identifiers: Session tokens, preference cookies (see our Cookie Policy)

Children's Privacy

VibraXX is strictly for users aged 18+. We do not knowingly collect data from individuals under 18. If we discover that a minor has provided personal data, we will immediately delete it and terminate their account.

2. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following lawful grounds under UK/EU GDPR:

  • Contract (Article 6(1)(b)): Processing necessary to provide quiz services, process payments, and award prizes as per our Terms & Conditions.
  • Legal Obligation (Article 6(1)(c)): Compliance with financial regulations (e.g., HMRC tax reporting), anti-money laundering laws, and data retention requirements.
  • Legitimate Interest (Article 6(1)(f)): Fraud prevention, platform security, service improvements, and marketing communications (with opt-out options).
  • Consent (Article 6(1)(a)): Where explicitly requested (e.g., marketing emails, optional analytics).

3. How We Use Your Data

3.1 Core Services

  • Authenticate users and manage accounts via Supabase Auth
  • Enable participation in live quiz competitions
  • Calculate scores, generate leaderboards, and determine winners
  • Process payments for round purchases and distribute prize winnings

3.2 Security & Fraud Prevention

  • Detect and prevent cheating, multi-accounting, and automated bots
  • Monitor for suspicious payment activity and account abuse
  • Enforce age restrictions (18+ requirement) through automated checks

3.3 Communications

  • Send transactional emails via Zoho Mail (purchase confirmations, password resets, prize notifications)
  • Deliver platform updates and important service announcements
  • Provide customer support responses to user inquiries

3.4 Analytics & Improvement

  • Analyze aggregated usage patterns to optimize platform performance
  • Improve quiz difficulty balancing and question quality
  • Conduct A/B testing for feature enhancements (anonymized data only)

We Never Sell Your Data

Your personal information is never sold, rented, or shared with third parties for their marketing purposes. We only share data with trusted service providers as outlined in Section 5.

4. Automated Decision-Making

We use automated systems for the following purposes:

  • Quiz Scoring: Answers are automatically evaluated against correct responses to calculate scores in real-time.
  • Leaderboard Ranking: Players are ranked algorithmically based on total score, accuracy, and response times.
  • Anti-Cheat Detection: Automated systems flag suspicious patterns (e.g., impossibly fast answers, coordinated behavior) for manual review.
  • Age Verification: Date of birth is automatically checked to ensure compliance with our 18+ policy.

Right to Human Review

If you believe an automated decision (such as account suspension for suspected cheating) was made in error, you have the right to request human review. Contact team@vibraxx.com to appeal.

5. Third-Party Services & Data Sharing

We work with trusted service providers to deliver VibraXX. All processors are contractually bound to UK/EU GDPR standards:

5.1 Essential Service Providers

  • Supabase (Backend & Auth): Database hosting, user authentication, real-time data sync. Data Location: EU/US (Standard Contractual Clauses apply)
  • Stripe (Payment Processing): Secure payment processing, PCI-DSS Level 1 compliant. Data Location: EU/US (GDPR-compliant)
  • Zoho Mail (Transactional Emails): Sending service emails (confirmations, password resets). Data Location: EU data centers
  • Vercel (Hosting & CDN): Website hosting and content delivery. Data Location: Global network with EU compliance

5.2 International Data Transfers

Some of our service providers (Supabase, Vercel) operate servers outside the UK/EU, primarily in the United States. To ensure GDPR compliance:

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission
  • Providers implement supplementary security measures (encryption, access controls)
  • We conduct regular Transfer Impact Assessments (TIAs) to monitor data protection risks

5.3 Legal Disclosures

We may disclose personal data if required by law or to:

  • Comply with legal obligations (e.g., court orders, tax authorities)
  • Enforce our Terms & Conditions or investigate violations
  • Protect the rights, safety, or property of VibraXX, users, or the public

No Data Sales

We never sell, rent, or trade your personal data to third parties for marketing or advertising purposes. All data sharing is strictly limited to the service providers listed above.

6. Data Security

We implement industry-standard security measures to protect your personal data:

  • Encryption: All data in transit is protected with TLS 1.3 encryption. Sensitive data at rest is encrypted using AES-256.
  • Access Controls: Role-based access restrictions ensure only authorized personnel can access personal data.
  • Password Security: Passwords are hashed using bcrypt with individual salts (never stored in plain text).
  • PCI-DSS Compliance: Payment processing adheres to Payment Card Industry Data Security Standards via Stripe.
  • Regular Audits: We conduct periodic security assessments and vulnerability testing.
  • Incident Response: In the event of a data breach, we will notify affected users and relevant authorities within 72 hours as required by GDPR.

Report Security Issues

If you discover a security vulnerability, please report it immediately to team@vibraxx.com. We take all reports seriously and will investigate promptly.

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

7.1 Active Accounts

  • Profile Data: Retained while your account is active
  • Quiz Performance: Stored for long-term statistical and historical purposes, including leaderboard history and analytics.
  • Session Logs: Kept for 90 days for technical support and fraud prevention

7.2 Financial Records

  • Transaction Data: Retained for 7 years to comply with UK tax law (HMRC requirements)
  • Prize Payouts: Records kept for 7 years for audit and legal compliance purposes

7.3 Closed Accounts

  • Account Deletion: When you close your account, we anonymize your profile data within 30 days
  • Anonymization: Historical quiz scores remain in aggregated form but are no longer linked to your identity
  • Legal Hold: Financial records are retained for 7 years even after account closure (HMRC requirement)

Request Account Deletion

To delete your account and personal data, email team@vibraxx.com with your registered email address. We will process your request within 30 days. Note: Financial transaction records will be retained for 7 years as required by law.

8. Your Privacy Rights (UK/EU GDPR)

Under UK and EU data protection law, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you

Right to Rectification

Correct inaccurate or incomplete information in your profile

Right to Erasure

Request deletion of your personal data (subject to legal retention requirements)

Right to Data Portability

Export your data in a machine-readable format (CSV/JSON)

Right to Restrict Processing

Limit how we use your data while disputes are resolved

Right to Object

Opt out of processing based on legitimate interest (e.g., marketing)

Right to Withdraw Consent

Revoke consent for optional data processing (e.g., analytics cookies)

Right to Lodge a Complaint

File a complaint with the UK Information Commissioner's Office (ICO) or your local data protection authority

Exercise Your Rights

To exercise any of these rights, email team@vibraxx.com with your request. We will respond within 30 days (or 60 days for complex requests).

You may also contact the UK Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113

9. Cookies & Tracking Technologies

We use cookies and similar technologies to improve your experience. For full details, see our Cookie Policy.

Types of Cookies We Use:

  • Essential Cookies: Required for authentication, session management, and core functionality
  • Performance Cookies: Anonymous analytics to improve platform performance
  • Preference Cookies: Remember your language, theme, and display settings

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. When we make significant changes:

  • We will notify you via email at your registered address
  • A banner will appear on the website highlighting the updates
  • The "Last Updated" date at the top of this policy will be revised

We encourage you to review this policy regularly to stay informed about how we protect your data.

11. Contact Us

Privacy & Data Protection Inquiries

Email: team@vibraxx.com

Company: Sermin Limited
Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Company Number: 16778648 (England & Wales)

Data Protection Authority

If you have concerns about how we handle your data, you may contact the UK Information Commissioner's Office:

Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

© 2025 VibraXX. Operated by Sermin Limited | Registered in England & Wales (Company No. 16778648)
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom