Last updated: 14.06.2026 โ Document version Privacy 1.5.0
The data controller within the meaning of the GDPR is:
Maximilian Reiter / Ryder Performance
Christdobl 13, 94034 Passau
Email: contact@fanlobby.app
Data Protection Officer: A Data Protection Officer is not required under ยง 38 BDSG, since the company does not permanently employ at least 20 persons in automated processing of personal data and does not perform large-scale regular processing of special categories of personal data.
Use of FanLobby is permitted from a minimum age of 13 years. Age is confirmed via self-declaration when accepting the Terms of Use โ we do not store a separate year-of-birth field (data minimisation, Art. 5 (1) (c) GDPR).
For younger users, we process personal data only with the consent of a parent or legal guardian (Art. 8 (1) GDPR). The decisive age is the one set by the respective EU member state (between 13 and 16); in Germany this consent requirement applies to users under 16. We recommend that parents review the app together with their child before use.
Optional betting odds content (odds tab) is only available to users aged 18 or older and must be actively enabled in the app settings (German Youth Protection Act ยง 14, Interstate Treaty on the Protection of Minors ยง 4).
Where you have consented to a processing operation, we process your personal data on the basis of Art. 6 (1) (a) GDPR. Where data is required to perform a contract with you or to take pre-contractual steps, we process it on the basis of Art. 6 (1) (b) GDPR. Where a legal obligation applies, processing is carried out on the basis of Art. 6 (1) (c) GDPR. Otherwise, processing may be based on our legitimate interests under Art. 6 (1) (f) GDPR, in particular for security and abuse prevention or for the technically necessary operation of the app. Where the German TDDDG applies, we observe ยง 25 TDDDG for storage and access operations on end-user devices. We name the specific legal basis in each section below where the relevant processing is described.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract).
Legal basis: Art. 6 (1) (b) GDPR (performance of contract); for push notifications additionally Art. 6 (1) (a) GDPR (consent when enabling notifications via the system permission).
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in stability, security and abuse prevention); for optional product analytics and Crashlytics exclusively Art. 6 (1) (a) GDPR (active consent in the app settings, revocable at any time with effect for the future).
We use the following processors (Art. 28 GDPR) and external data sources. Data Processing Agreements are in place with our processors.
| Category | Contracting party | Purpose | Data location |
|---|---|---|---|
| Hosting, database, authentication, functions, storage (Firebase Authentication, Firestore, Realtime Database, Cloud Functions, Cloud Storage) | Google Ireland Ltd. (sub-processor: Google LLC, USA) | Provision and persistence of account, chat, prediction and profile data | EU primary; some sub-processor operations in the USA under EU Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework |
| Push notifications (Firebase Cloud Messaging) | Google Ireland Ltd. (sub-processor: Google LLC, USA) | Delivery of push notifications to FCM tokens | EU/USA under SCC and DPF |
| Optional product analytics (Google Analytics for Firebase / GA4 on Android/iOS) | Google Ireland Ltd. (sub-processor: Google LLC, USA) | Usage analysis of predefined product signals only after separate opt-in; no chat or DM contents and no user IDs in our own events | EU/USA under SCC and DPF |
| Crash reports (Firebase Crashlytics, optional) | Google Ireland Ltd. (sub-processor: Google LLC, USA) | Pseudonymised diagnostics for stability, only after opt-in | USA under SCC and DPF |
| Bot and integrity protection (Firebase App Check, Web with Google reCAPTCHA v3) | Google Ireland Ltd. (sub-processor: Google LLC, USA) | Protection against automated abuse of backend APIs | USA under SCC and DPF |
| Automated chat moderation (OpenAI Moderation API) | OpenAI, L.L.C., USA | Plain message text of public chats (no user IDs/real names, no direct messages) to detect prohibited content; not used for model training | USA under SCC (OpenAI data processing agreement) |
Google is certified under the EU-US Data Privacy Framework. More information: dataprivacyframework.gov/participant/5780.
| Source | Purpose | Data flow |
|---|---|---|
| Bzzoiro Sports API | Sourcing of sports data (schedules, live scores, statistics, club and league logos) | Inbound: sports data delivered to our backend server. No transfer of personal user data to Bzzoiro. |
Once in-app purchases (e.g. "Cheers") are activated, the respective platform providers (Apple Inc. for the App Store, Google LLC for Google Play) will act as recipients of the data necessary for purchase processing. This privacy policy will be updated accordingly before activation.
If the feature is enabled for your app version, we may process optional product analytics on supported mobile platforms (Android and iOS) after your separate voluntary consent by using Google Analytics for Firebase (GA4). This processing is disabled by default; Web and desktop versions remain analytics-free. We measure only predefined product signals such as screen views, match opens, sent chat messages, and submitted predictions. We do not write chat or direct-message contents, real names, ad IDs, user IDs, or other directly identifying values into our own analytics events. After consent, Firebase Analytics may additionally process technically necessary auto-collected and lifecycle events such as app starts, session information, and screen information. We do not use this data for personalised advertising, remarketing, Google Signals, or cross-app ad tracking. Legal basis: Art. 6 (1) (a) GDPR. You can withdraw consent at any time under Settings โ Privacy โ Allow analytics. Local consent alone does not force activation; the feature must also be enabled server-side for the respective platform.
Crash reports and diagnostic telemetry are disabled by default (privacy by default, Art. 25 GDPR). You can enable collection at any time under Settings โ Privacy โ Share diagnostics, or withdraw a given consent, without affecting your use of the app. This consent is separate from the optional product-analytics opt-in.
Where processing or sub-processor steps take place in the USA (in particular optional product analytics via Firebase Analytics / GA4, Crashlytics, FCM routing, and App Check), we protect the transfer through the EU Standard Contractual Clauses (Art. 46 GDPR) and the recipient's certification under the EU-US Data Privacy Framework. In addition, for automated chat moderation we transmit the plain message text of public chats to OpenAI, L.L.C., USA; this transfer is safeguarded by the EU Standard Contractual Clauses (Art. 46 GDPR) under the data processing agreement concluded with OpenAI. Analytics and diagnostics are disabled by default; you can manage both consents separately in the app under Settings โ Privacy and withdraw them there with effect for the future. Local analytics consent alone does not activate collection while the server-side release gate remains off.
We retain personal data only for as long as it is necessary for the respective purpose or as required by statutory retention obligations. Specifically, we distinguish the following categories:
Pursuant to Arts. 15-22 GDPR you have, in particular, the following rights:
Requests to: contact@fanlobby.app
Account deletion is available directly in the app under Settings โ Account โ Delete account. Deletion is cascaded (Cloud Function onUserDelete) and covers all personal data. A full data copy under Art. 15 GDPR is provided on email request within the statutory period in JSON and CSV format.
You may request restriction of the processing of your personal data, in particular where (a) you contest the accuracy of the data and we are verifying it, (b) the processing is unlawful and you prefer restriction over erasure, (c) we no longer need the data but you require it for the establishment, exercise or defence of legal claims, or (d) you have lodged an objection under Art. 21 (1) GDPR and the balancing of interests is still pending.
Where we process your personal data on the basis of Art. 6 (1) (e) or (f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to such processing. Where your data is processed for direct marketing purposes, you have the right to object to such processing at any time without giving reasons; following such an objection, the data will no longer be used for direct marketing.
Note: We currently do not use personal data for direct marketing. Should this change in the future, you will be informed in advance.
You have the right to lodge a complaint with a data protection supervisory authority. Competent authority:
Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany, www.lda.bayern.de
On the Web version we use Firebase App Check with Google reCAPTCHA v3 to prevent automated abuse of our backend APIs. The provider is Google Ireland Limited (sub-processor: Google LLC, USA). Technical usage and interaction signals (e.g. IP address, browser and device information, usage behaviour) are analysed in the background to distinguish human use from automated requests. There is no visible interaction.
The legal basis is our legitimate interest in the security and availability of the app under Art. 6 (1) (f) GDPR. To the extent that information on your end-user device is accessed or stored in this context, this is strictly necessary under ยง 25 (2) (2) TDDDG to provide the service you have explicitly requested (login, write and prediction features) in a secure manner, and is therefore carried out without a consent requirement. Google is certified under the EU-US Data Privacy Framework. For more information on Google's processing, see the Google Privacy Policy and the Google Terms of Service.
On the Web version we use the following cookies / local-storage entries. These are exclusively technically necessary or functional storage operations โ we do not set our own marketing or advertising cookies and do not perform tracking for profiling purposes. GA4-based product analytics is not used on Web, so we do not load our own analytics scripts there.
| Name | Purpose | Duration | Category |
|---|---|---|---|
| Firebase Auth Token | Login session | Session | technically necessary |
| App Check Token | Bot and integrity protection | short-term | technically necessary |
| _GRECAPTCHA | Security and integrity data for reCAPTCHA v3; processed by Google under their own terms โ not used by us for marketing purposes | medium-term | technically necessary |
| app_settings | Language, theme, settings | long-term | functional |
| cookie_consent | Stores your cookie decision | long-term | technically necessary |
Legal basis: Art. 6 (1) (f) GDPR in conjunction with ยง 25 (2) TDDDG for technically necessary storage operations; for functional entries additionally your consent under Art. 6 (1) (a) GDPR and ยง 25 (1) TDDDG, where required.
Club logos, league logos, and player images are sourced from the Bzzoiro Sports API and used solely for editorial purposes (sports reporting). They remain the property of the respective trademark owners.
We do not carry out any decision based solely on automated processing โ including profiling โ that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. Automated security and abuse-prevention measures (e.g. spam/bot detection, rate limiting, ML-based detection of prohibited chat content) serve solely to protect the service. Public chat messages may be removed automatically and repeated violations may result in temporary, reversible chat restrictions; any such moderation or suspension decision can be reviewed by our team on request (see Terms of Use).
For material changes you will be informed in the app and asked to renew your consent if necessary. The current version is available at this URL.