Privacy Policy
This policy informs you about the processing of personal data when using tipnik (the "prediction game"), available at tipnik.app.
1. Controller
The controller responsible for data processing within the meaning of the GDPR is the sole publisher: Daniel Baumert, Raiffeisenstraße 33, 74248 Ellhofen, e-mail hello@tipnik.app. Further details can be found in the Legal Notice.
No data protection officer has been appointed; there is no legal obligation to do so. For any data protection enquiries, please contact the e-mail address above.
2. Hosting
The prediction game is hosted on servers of Hetzner Online GmbH (location: Germany). When you access the service, the server processes technically necessary access data (including IP address, date and time, requested resource) to ensure delivery and security. The legal basis is our legitimate interest in secure operation (Art. 6 (1)(f) GDPR). The connection is TLS-encrypted; a data processing agreement (Art. 28 GDPR) is in place with the hoster.
3. Account and sign-in
To use the service you create an account. We process your e-mail address, display name, a password hash (for e-mail/password sign-in), and optionally a profile picture. When you sign in via magic link, we send a one-time sign-in link to your e-mail address. The legal basis is performance of the user contract (Art. 6 (1)(b) GDPR).
To authenticate and protect your session we set a technically necessary session cookie and may store the IP address and browser identifier (User-Agent) of the session for security purposes (Art. 6 (1)(f) GDPR).
4. Sign-in via Google or Apple (planned)
Where offered, you may alternatively sign in with your Google or Apple account ("Single Sign-On"). In this case we receive from the respective provider the data required for account creation (in particular e-mail address, name, and an account identifier). The legal basis is your consent, given by selecting the provider (Art. 6 (1)(a) GDPR); it can be withdrawn at any time with effect for the future. The providers are Google Ireland Ltd. and Apple Distribution International Ltd. respectively; data may be transferred to the USA to Google LLC or Apple Inc., relying on the EU-US Data Privacy Framework and/or standard contractual clauses (Art. 44 et seq. GDPR).
5. Game features
As part of the prediction game we process data you generate: your predictions, the resulting score and leaderboard position, bonus answers, badges, your membership in prediction rounds, and associated notifications. Within a prediction round, your display name, your (locked) predictions, and your score are visible to the other members of that round — this is the core of the shared game. The legal basis is performance of the contract (Art. 6 (1)(b) GDPR). Match schedules and final results come from public sports data sources; no personal data about you is transmitted to these sources.
6. Contact form
If you use the contact form, we process the data you provide (name, e-mail address, message) in order to respond to your enquiry. The legal basis is our legitimate interest in answering enquiries (Art. 6 (1)(f) GDPR) or pre-contractual measures (Art. 6 (1)(b) GDPR). The message is delivered to us by e-mail via our mailbox provider (OVH, EU); we delete the data once your enquiry has been resolved and no retention obligations apply.
7. E-mail delivery
Transactional e-mails (e.g. sign-in/magic-link and account-related messages) are sent via a mailbox at OVH (OVH SAS, France/EU). We process your e-mail address and the content of the respective message. The legal basis is performance of the contract (Art. 6 (1)(b) GDPR); processing takes place within the EU.
8. Cookies and local storage
We use only technically necessary or functional mechanisms:
- a session cookie (better-auth) for authentication — technically necessary;
- a cookie PARAGLIDE_LOCALE to store your language preference;
- the theme setting (light/dark) in your browser's localStorage.
Consent is not required for this (§ 25 (2) TDDDG), as this storage is strictly necessary or functional for the service you have requested.
9. Error monitoring (Sentry)
To detect and fix technical errors we use Sentry (Functional Software, Inc. dba Sentry). Sentry automatically captures errors and exceptions that may occur during your use of the service (e.g. JavaScript errors, server-side exceptions), including technical diagnostic data such as stack traces and — where available — your user ID. Processing takes place on servers in the EU (Sentry EU region, Frankfurt/DE); no transfer to third countries occurs. The legal basis is our legitimate interest in stable and secure operation of the service (Art. 6 (1)(f) GDPR). A data processing agreement (Art. 28 GDPR) is in place with Sentry. No tracking, analytics, or advertising data is collected.
10. Analytics (Umami)
To understand how the prediction game is used, we use Umami — a cookie-free, privacy-friendly analytics tool that we self-host on our own server (Hetzner Online GmbH, location: Germany). No data is transferred to third parties or third countries.
Umami sets no cookies and stores no information intended to be stored on your device; consent is therefore not required. Only aggregated, anonymous usage data is collected, such as pages visited, the referring URL (referrer), approximate location at country level, and browser, operating system, and device type. To distinguish visits, a non-reversible hash is derived from your IP address, browser identifier (User-Agent), and a website identifier using a regularly rotating random value; your IP address is only processed briefly and is not stored. Identification of individuals or cross-site tracking is therefore excluded. The legal basis is our legitimate interest in demand-oriented design and statistical evaluation of the service (Art. 6 (1)(f) GDPR).
11. No other analytics, tracking, or advertising services
Beyond the error monitoring and cookie-free analytics described above, we do not use any analytics, advertising, or tracking services (no Google Analytics, no tracking pixels, no profiling, no cross-site tracking). Since we do not use cookies for analytics or advertising purposes and do not create personal usage profiles, no cookie consent banner is required.
12. Recipients and processors
We share personal data only with carefully selected service providers acting as data processors on our behalf (Art. 28 GDPR): the hosting provider (Hetzner, Germany), the e-mail service (OVH, EU), and the error monitoring service (Sentry, EU). If you use Google/Apple login, the providers mentioned in section 4 are added. No sharing for other purposes takes place.
13. Retention periods
We process account data for as long as your account exists; upon deletion, the associated personal data is erased unless statutory retention obligations apply. Server logs are retained only briefly; session data expires on logout or session expiry.
14. Your rights
You have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). Any consent you have given may be withdrawn at any time with effect for the future (Art. 7 (3) GDPR). You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77) — for the controller's place of business this is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI Baden-Württemberg). To exercise any of your rights, a message to the e-mail address in section 1 is sufficient.
15. Data security
The connection is fully TLS-encrypted, session cookies are HttpOnly, and database access is exclusively server-side via the API.
16. Status and changes
We update this privacy policy when our processing activities change (e.g. upon activation of Google/Apple login or future features such as e-mail reminders). The version published here at any given time applies.
The German version of this privacy policy is legally authoritative.