Privacy Policy

Last updated: 14.06.2026 โ€” Document version Privacy 1.5.0

1. Data Controller

The data controller within the meaning of the GDPR is:
Maximilian Reiter / Ryder Performance
Christdobl 13, 94034 Passau
Email: contact@fanlobby.app

Data Protection Officer: A Data Protection Officer is not required under ยง 38 BDSG, since the company does not permanently employ at least 20 persons in automated processing of personal data and does not perform large-scale regular processing of special categories of personal data.

2. Minimum Age & Parental Notice

Use of FanLobby is permitted from a minimum age of 13 years. Age is confirmed via self-declaration when accepting the Terms of Use โ€” we do not store a separate year-of-birth field (data minimisation, Art. 5 (1) (c) GDPR).

For younger users, we process personal data only with the consent of a parent or legal guardian (Art. 8 (1) GDPR). The decisive age is the one set by the respective EU member state (between 13 and 16); in Germany this consent requirement applies to users under 16. We recommend that parents review the app together with their child before use.

Optional betting odds content (odds tab) is only available to users aged 18 or older and must be actively enabled in the app settings (German Youth Protection Act ยง 14, Interstate Treaty on the Protection of Minors ยง 4).

3. General Notes on Legal Bases

Where you have consented to a processing operation, we process your personal data on the basis of Art. 6 (1) (a) GDPR. Where data is required to perform a contract with you or to take pre-contractual steps, we process it on the basis of Art. 6 (1) (b) GDPR. Where a legal obligation applies, processing is carried out on the basis of Art. 6 (1) (c) GDPR. Otherwise, processing may be based on our legitimate interests under Art. 6 (1) (f) GDPR, in particular for security and abuse prevention or for the technically necessary operation of the app. Where the German TDDDG applies, we observe ยง 25 TDDDG for storage and access operations on end-user devices. We name the specific legal basis in each section below where the relevant processing is described.

4. Data We Process

4.1 During Registration

Legal basis: Art. 6 (1) (b) GDPR (performance of contract).

4.2 During Use

Legal basis: Art. 6 (1) (b) GDPR (performance of contract); for push notifications additionally Art. 6 (1) (a) GDPR (consent when enabling notifications via the system permission).

4.3 Automatically Collected Technical Data

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in stability, security and abuse prevention); for optional product analytics and Crashlytics exclusively Art. 6 (1) (a) GDPR (active consent in the app settings, revocable at any time with effect for the future).

5. Recipients and Data Sources

We use the following processors (Art. 28 GDPR) and external data sources. Data Processing Agreements are in place with our processors.

5.1 Processors (recipients of personal data)

CategoryContracting partyPurposeData location
Hosting, database, authentication, functions, storage (Firebase Authentication, Firestore, Realtime Database, Cloud Functions, Cloud Storage)Google Ireland Ltd. (sub-processor: Google LLC, USA)Provision and persistence of account, chat, prediction and profile dataEU primary; some sub-processor operations in the USA under EU Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework
Push notifications (Firebase Cloud Messaging)Google Ireland Ltd. (sub-processor: Google LLC, USA)Delivery of push notifications to FCM tokensEU/USA under SCC and DPF
Optional product analytics (Google Analytics for Firebase / GA4 on Android/iOS)Google Ireland Ltd. (sub-processor: Google LLC, USA)Usage analysis of predefined product signals only after separate opt-in; no chat or DM contents and no user IDs in our own eventsEU/USA under SCC and DPF
Crash reports (Firebase Crashlytics, optional)Google Ireland Ltd. (sub-processor: Google LLC, USA)Pseudonymised diagnostics for stability, only after opt-inUSA under SCC and DPF
Bot and integrity protection (Firebase App Check, Web with Google reCAPTCHA v3)Google Ireland Ltd. (sub-processor: Google LLC, USA)Protection against automated abuse of backend APIsUSA under SCC and DPF
Automated chat moderation (OpenAI Moderation API)OpenAI, L.L.C., USAPlain message text of public chats (no user IDs/real names, no direct messages) to detect prohibited content; not used for model trainingUSA under SCC (OpenAI data processing agreement)

Google is certified under the EU-US Data Privacy Framework. More information: dataprivacyframework.gov/participant/5780.

5.2 External Data Sources (no transfer of user data)

SourcePurposeData flow
Bzzoiro Sports APISourcing of sports data (schedules, live scores, statistics, club and league logos)Inbound: sports data delivered to our backend server. No transfer of personal user data to Bzzoiro.

5.3 Future Recipients (once activated)

Once in-app purchases (e.g. "Cheers") are activated, the respective platform providers (Apple Inc. for the App Store, Google LLC for Google Play) will act as recipients of the data necessary for purchase processing. This privacy policy will be updated accordingly before activation.

6. Optional Consents

6.1 Product Analytics (Google Analytics for Firebase / GA4)

If the feature is enabled for your app version, we may process optional product analytics on supported mobile platforms (Android and iOS) after your separate voluntary consent by using Google Analytics for Firebase (GA4). This processing is disabled by default; Web and desktop versions remain analytics-free. We measure only predefined product signals such as screen views, match opens, sent chat messages, and submitted predictions. We do not write chat or direct-message contents, real names, ad IDs, user IDs, or other directly identifying values into our own analytics events. After consent, Firebase Analytics may additionally process technically necessary auto-collected and lifecycle events such as app starts, session information, and screen information. We do not use this data for personalised advertising, remarketing, Google Signals, or cross-app ad tracking. Legal basis: Art. 6 (1) (a) GDPR. You can withdraw consent at any time under Settings โ†’ Privacy โ†’ Allow analytics. Local consent alone does not force activation; the feature must also be enabled server-side for the respective platform.

6.2 Diagnostics

Crash reports and diagnostic telemetry are disabled by default (privacy by default, Art. 25 GDPR). You can enable collection at any time under Settings โ†’ Privacy โ†’ Share diagnostics, or withdraw a given consent, without affecting your use of the app. This consent is separate from the optional product-analytics opt-in.

7. International Data Transfers

Where processing or sub-processor steps take place in the USA (in particular optional product analytics via Firebase Analytics / GA4, Crashlytics, FCM routing, and App Check), we protect the transfer through the EU Standard Contractual Clauses (Art. 46 GDPR) and the recipient's certification under the EU-US Data Privacy Framework. In addition, for automated chat moderation we transmit the plain message text of public chats to OpenAI, L.L.C., USA; this transfer is safeguarded by the EU Standard Contractual Clauses (Art. 46 GDPR) under the data processing agreement concluded with OpenAI. Analytics and diagnostics are disabled by default; you can manage both consents separately in the app under Settings โ†’ Privacy and withdraw them there with effect for the future. Local analytics consent alone does not activate collection while the server-side release gate remains off.

8. Retention Periods

We retain personal data only for as long as it is necessary for the respective purpose or as required by statutory retention obligations. Specifically, we distinguish the following categories:

9. Your Rights

Pursuant to Arts. 15-22 GDPR you have, in particular, the following rights:

Requests to: contact@fanlobby.app

Account deletion is available directly in the app under Settings โ†’ Account โ†’ Delete account. Deletion is cascaded (Cloud Function onUserDelete) and covers all personal data. A full data copy under Art. 15 GDPR is provided on email request within the statutory period in JSON and CSV format.

9.1 Right to Restriction of Processing (Art. 18 GDPR)

You may request restriction of the processing of your personal data, in particular where (a) you contest the accuracy of the data and we are verifying it, (b) the processing is unlawful and you prefer restriction over erasure, (c) we no longer need the data but you require it for the establishment, exercise or defence of legal claims, or (d) you have lodged an objection under Art. 21 (1) GDPR and the balancing of interests is still pending.

9.2 Right to Object (Art. 21 GDPR)

Where we process your personal data on the basis of Art. 6 (1) (e) or (f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to such processing. Where your data is processed for direct marketing purposes, you have the right to object to such processing at any time without giving reasons; following such an objection, the data will no longer be used for direct marketing.

Note: We currently do not use personal data for direct marketing. Should this change in the future, you will be informed in advance.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. Competent authority:
Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany, www.lda.bayern.de

11. Bot and Integrity Protection (Firebase App Check / Google reCAPTCHA v3)

On the Web version we use Firebase App Check with Google reCAPTCHA v3 to prevent automated abuse of our backend APIs. The provider is Google Ireland Limited (sub-processor: Google LLC, USA). Technical usage and interaction signals (e.g. IP address, browser and device information, usage behaviour) are analysed in the background to distinguish human use from automated requests. There is no visible interaction.

The legal basis is our legitimate interest in the security and availability of the app under Art. 6 (1) (f) GDPR. To the extent that information on your end-user device is accessed or stored in this context, this is strictly necessary under ยง 25 (2) (2) TDDDG to provide the service you have explicitly requested (login, write and prediction features) in a secure manner, and is therefore carried out without a consent requirement. Google is certified under the EU-US Data Privacy Framework. For more information on Google's processing, see the Google Privacy Policy and the Google Terms of Service.

12. Cookies and Similar Technologies (Web)

On the Web version we use the following cookies / local-storage entries. These are exclusively technically necessary or functional storage operations โ€” we do not set our own marketing or advertising cookies and do not perform tracking for profiling purposes. GA4-based product analytics is not used on Web, so we do not load our own analytics scripts there.

NamePurposeDurationCategory
Firebase Auth TokenLogin sessionSessiontechnically necessary
App Check TokenBot and integrity protectionshort-termtechnically necessary
_GRECAPTCHASecurity and integrity data for reCAPTCHA v3; processed by Google under their own terms โ€” not used by us for marketing purposesmedium-termtechnically necessary
app_settingsLanguage, theme, settingslong-termfunctional
cookie_consentStores your cookie decisionlong-termtechnically necessary

Legal basis: Art. 6 (1) (f) GDPR in conjunction with ยง 25 (2) TDDDG for technically necessary storage operations; for functional entries additionally your consent under Art. 6 (1) (a) GDPR and ยง 25 (1) TDDDG, where required.

13. Third-Party Content

Club logos, league logos, and player images are sourced from the Bzzoiro Sports API and used solely for editorial purposes (sports reporting). They remain the property of the respective trademark owners.

14. Automated Decision-Making and Profiling

We do not carry out any decision based solely on automated processing โ€” including profiling โ€” that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. Automated security and abuse-prevention measures (e.g. spam/bot detection, rate limiting, ML-based detection of prohibited chat content) serve solely to protect the service. Public chat messages may be removed automatically and repeated violations may result in temporary, reversible chat restrictions; any such moderation or suspension decision can be reviewed by our team on request (see Terms of Use).

15. Changes to This Policy

For material changes you will be informed in the app and asked to renew your consent if necessary. The current version is available at this URL.

Last updated: 14.06.2026 โ€” Document version Privacy 1.5.0 โ€” Terms of Use (EULA)