Privacy Policy
Privacy policy
Effective: 9 July 2026
1. Controller
Hølt & Håvn, proprietor Kai-Ole Ehrlich, Abendorthsweg 59, 20251 Hamburg, Germany
Telephone: +49 15561 316277
Email: info@snapandmate.com
No data protection officer has been appointed because there is currently no legal obligation to do so.
2. Scope and legal bases
This policy covers Snap & Mate at https://www.snapandmate.com, including accounts, login, public profiles, rankings, friendships, gameplay, media delivery, email functions and the external support link. We process data to provide the free service under Article 6(1)(b) GDPR, to comply with legal obligations under Article 6(1)(c), and for legitimate interests under Article 6(1)(f), especially secure operation, abuse prevention, troubleshooting, game scoring and presentation of results.
3. Hosting, Cloudflare and email
The app and PostgreSQL database are hosted by Render Services, Inc., with Frankfurt selected as service region. Render may process IP address, time, requested address, HTTP details, technical connection data and the account and gameplay data stored in the database. See https://render.com/privacy.
Cloudflare is used for DNS, media delivery through Cloudflare R2, media.snapandmate.com and email functions. Cloudflare may process IP address, requested files, sender, recipient, subject, technical delivery data and message contents, depending on the function. See https://www.cloudflare.com/privacypolicy/.
Emails to info@snapandmate.com may be forwarded through Cloudflare Email Routing to snapandmate@gmail.com. This means email content and metadata may also be processed by Google Ireland Limited. Contact emails are processed to answer the request and possible follow-up questions under Article 6(1)(b) and (f) GDPR.
4. Accounts, security emails and game reminders
Registration data includes username, email address, password hash, country, preferred language, favourite team, verification status and timestamps. Security emails such as email verification, resend verification, password reset, email change and account deletion use the email address, short-lived cryptographic tokens, dispatch time and technical delivery data under Article 6(1)(b) and (f) GDPR.
Snap & Mate may send registered users emails when a game week is opened or scored. These reminders are enabled by default and can be disabled at any time in the profile/settings area.
5. Gameplay, profiles, rankings and friendships
We store game weeks, selected predictions, selected players or units, locks for previously used selections, submission and evaluation status, points, rankings and timestamps. Public profiles and rankings show game-related information such as username, favourite team, points, boards and selected players/units. Friendship requests store the accounts involved, status and timestamps. The legal basis is Article 6(1)(b) GDPR.
6. Player images and player data
Player images and player data may come from lawfully usable sources such as licensed datasets, official publications, publicly available professional information or directly supplied information. Sources or source categories are documented internally and disclosed where legally required. Only game-relevant professional data such as name, team, position, number, status and image are processed. Public availability alone does not grant permission to copy data or images.
7. Necessary session cookie
After login, the necessary cookie “snapmate.sid” stores a random session identifier, not the password. It is HTTP-only, secure in production, SameSite=Lax and expires after no more than 14 days. No consent banner is currently used because no non-essential cookies are set.
8. PayPal support link
“Support the project” is an external PayPal link. We do not embed PayPal tracking and do not send account or gameplay data to PayPal before you click. After the click, PayPal processes access, login and payment data under its own responsibility. Payments are voluntary, are not tax-deductible charitable donations and do not unlock features.
9. Logs, analytics and retention
Technical logs are used for delivery, security, stability and abuse prevention and may include IP address, time, method, path, status, response time, browser and system details. Logs are generally retained for no more than 30 days where controllable.
We currently use no analytics, personalised advertising, marketing pixels, social plugins or external error tracking.
Retention: sessions expire after no more than 14 days; unverified accounts are deleted after 30 days; expired verification/change/reset tokens are deleted no later than 30 days after expiry; active account, friendship, gameplay and result data is generally stored until account deletion; media files are stored while needed for the game or rights/troubleshooting; deleted data may temporarily remain in provider backups; statutory retention duties remain unaffected.
10. Account deletion, minors and required data
Accounts can be deleted in settings or by emailing info@snapandmate.com. Directly attributable account, friendship and gameplay data will be removed from the active database unless legal duties or overriding grounds require retention. Snap & Mate is not specifically directed at children and does not collect birth dates. Minors may use an account only with approval from their legal guardian and in accordance with applicable law. Username, email and password are required for account creation. No solely automated decision with legal or similarly significant effects and no profiling under Article 22 GDPR takes place.
11. Your rights and complaints
Subject to the GDPR, you have rights of access, rectification, erasure, restriction, portability, objection and withdrawal of consent for the future. Contact info@snapandmate.com. You may complain to a supervisory authority. Our relevant authority is the Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany, telephone +49 40 42854-4040, mailbox@datenschutz.hamburg.de, https://datenschutz-hamburg.de/.
12. Security and updates
We use appropriate safeguards such as encrypted transport, password hashing, access controls, expiring tokens, web-attack protections, separated credentials and updates. Absolute security cannot be guaranteed. This policy is updated when functions, providers or the law change.