Privacy Policy

1. Introduction

Los Floppers (“we,” “us,” or “our”) operates a soccer media platform that provides pre-game and post-game engines, Flop Ratings, Powder Keg Index scores, and live agree/disagree voting on editorial takes. This Privacy Policy describes how we collect, use, share, and protect information about you when you use our website or mobile application.

2. Data controller

The data controller responsible for your personal data is:

Los Floppers Media
[Entity address — operator to fill before launch]

3. Data Protection Officer

For any privacy-related questions, data access requests, or concerns, contact our Data Protection Officer:

dpo@losfloppers.com

4. What data we collect

We collect and process the following categories of data:

• Account data. Email address, sign-in provider (e.g., Google, Apple), account creation date, and last sign-in timestamp. Collected when you create an account via Supabase Auth.
• Engagement data. Votes (agree/disagree, linked to your account for deduplication), notification read status, notification preferences, and device tokens for push notifications.
• Technical data. IP address (transient, used for rate-limiting anonymous votes — max 50/minute per IP via Redis, never written to permanent storage), user-agent string, and device type for mobile clients.
• Analytics data (only with consent). Pageviews and key events (vote_cast, share_clicked, signup_complete) via Plausible Analytics. All analytics events are linked to a hashed identifier (HMAC-SHA256), never your raw user ID or email address. Plausible does not use cookies for analytics.

Anonymous usage. When you vote without an account, your IP address is used solely to enforce rate limits. IP addresses are processed in-memory via Redis and are not stored in our database or linked to any personal profile.

4b. Advertising

We partner with Google AdSense (web) and Google Ad Manager (mobile) to display advertisements. These networks may use cookies and device identifiers to serve ads based on your interests. Ad code only loads when you grant advertising consent via the cookie banner (or in-app settings on mobile).

• Web. Google AdSense places cookies to measure ad performance and personalize ads. Without consent, no AdSense code runs and no ad cookies are set.
• Mobile (iOS). We request App Tracking Transparency (ATT) permission before enabling personalized ads. If you decline, only non-personalized ads may appear (or no ads at all, depending on your subscription tier).
• Opt-out.You can withdraw advertising consent at any time via the cookie banner (web) or Settings > Privacy (mobile). Existing ad cookies will expire naturally; no new ad code will load.

5. Cookies we use

We use a minimal set of cookies, all functional. Plausible Analytics is cookieless and does not set any cookies.

Supabase auth cookies use the naming pattern sb-[project-ref]-auth-token and may be chunked across multiple cookies. They are strictly essential for authentication and do not require consent.

6. Lawful bases (GDPR Article 6)

• Account data: Contract performance (Article 6(1)(b)) — necessary to provide the service you signed up for.
• Engagement data: Contract performance (Article 6(1)(b)) — votes are a core product feature.
• Analytics (EU/UK/EEA): Consent (Article 6(1)(a)) — opt-in via the cookie consent banner.
• Analytics (non-EU): Legitimate interest (Article 6(1)(f)) — understanding product usage to improve the service. You can opt out via the Analytics toggle on your profile page.
• Error tracking (Sentry): Legitimate interest (Article 6(1)(f)) — maintaining security and service quality. Sentry is configured with PII scrubbing: no email, no IP, no device-id, no Authorization headers are sent.

7. How long we keep your data

Server-side structured logs include a request_id and a hashed user_id (HMAC-SHA256). No email, IP address, or raw user ID appears in structured logs.

8. Sub-processors

We share data with the following service providers to operate the platform. Each sub-processor processes data only as instructed and under appropriate safeguards.

9. Your rights (GDPR + CCPA)

You have the following rights regarding your personal data:

• Access. View and download all data we hold about you via the “Download my data” button on your Profile page. This returns a JSON export including your profile, votes, notification log, and preferences.
• Rectification. To correct any inaccurate data, contact us at dpo@losfloppers.com.
• Erasure. Delete your account via the “Delete account” button on your Profile page. Your account enters a 30-day grace period during which you can restore it. After 30 days, all data is permanently purged.
• Portability.The same JSON export available via “Download my data” serves as your data portability mechanism.
• Objection / Opt-out. Opt out of analytics via the cookie consent banner (EU/UK/EEA) or the Analytics toggle in your profile settings (all regions).
• Restriction. To request restriction of processing, contact us at dpo@losfloppers.com.

We will respond to all rights requests within 30 days. If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority.

10. California privacy rights (CCPA)

We do not sell your personal informationto third parties. We do not share your personal information for cross-context behavioral advertising. California residents have the right to know, delete, and opt out of the sale of personal information. Since we do not sell personal data, no opt-out mechanism for “sale” is required. All other rights (access, deletion) are available as described in Section 9 above.

11. International data transfers

Most of our sub-processors are based in the United States (see Section 8). If you are located in the EU/UK/EEA, your data may be transferred to the US. We rely on Standard Contractual Clauses (SCCs) where applicable, as provided by each sub-processor. Plausible Analytics (based in Estonia, EU) processes analytics data within the EU.

Operator note: confirm that DPAs with SCCs are in place with each US-based sub-processor before launch.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make substantial changes, we will notify you via an in-app notification and update the version number at the top of this page.

Version history:

• v2.0 (May 15, 2026) — Full rewrite for GDPR/CCPA compliance. Added cookie schedule, sub-processor list, retention windows, lawful bases, user rights enumeration, and data export/deletion flows.
• v1.0 (June 1, 2025) — Initial version. Basic information collection and third-party service disclosures.

13. Children's privacy

Our service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at dpo@losfloppers.com and we will delete it promptly.

14. Contact

For privacy questions, data access or deletion requests, or any other concerns, contact our Data Protection Officer at dpo@losfloppers.com or visit our contact page.