Privacy Policy

Last updated: 24 May 2025

1. Data controller

The data controller responsible for your personal data is:

ScoreLayer
support@scorelayer.live

2. Data we collect

We collect only what is necessary to provide the service.

Account and authentication data

·Email address — used to authenticate you via a magic link.
·Account name — used to label your account within the product.

Billing data

If you purchase a paid plan, Stripe collects your name, email address, payment card details, and billing address on our behalf. We store only a Stripe customer ID and your subscription status. We never see or store full payment card numbers.

Scoreboard content

Team names, team colors, and logo images you upload are stored to deliver the scoreboard overlay. This content is not personal data unless you choose to include personal information in it.

Analytics data (with your consent)

If you accept analytics cookies on the marketing pages, Google Tag Manager collects anonymised event data (such as sign-in actions). No analytics data is collected until you explicitly consent, and no analytics runs on the operator or overlay pages.

3. How we use your data

Email address: Authenticate you; send transactional emails related to your account (e.g. sign-in links, billing receipts).
Account name: Identify your account within the product interface.
Stripe customer ID: Link your account to a Stripe subscription and process billing events.
Scoreboard content: Render your scoreboard overlay and control panel.
Analytics events: Understand how users interact with the marketing site so we can improve it. Only collected with your consent.

4. Legal basis for processing

We process your personal data on the following legal bases under GDPR Article 6:

Contract: Processing your email and account data is necessary to perform the service you signed up for (Art. 6(1)(b)).
Legal obligation: Retaining billing records to comply with tax and accounting law (Art. 6(1)(c)).
Legitimate interests: Preventing fraud and abuse, and maintaining service security (Art. 6(1)(f)).
Consent: Analytics cookies — only if you click "Accept" on the cookie banner. You may withdraw consent at any time (Art. 6(1)(a)).

5. Third-party processors

We share data with the following sub-processors, who process data strictly on our behalf:

Supabase

Database, authentication, and file storage.

Location: EU (AWS eu-west-1 / eu-central-1)

Stripe

Payment processing and subscription management.

Location: EU and US (Standard Contractual Clauses apply)

Google Tag Manager / Google Analytics

Anonymised analytics on marketing pages (consent-gated).

Location: US (Standard Contractual Clauses apply)

We do not sell, rent, or share your personal data with any other third parties for their own purposes.

6. Data retention

Account data: Retained for as long as your account is active. Deleted within 30 days of an account deletion request.
Billing records: Retained for 7 years to comply with EU tax and accounting obligations, even after account deletion.
Uploaded logos: Deleted when you remove the file or when your account is deleted.
Analytics data: Retained per Google Analytics retention settings (default: 14 months). Not collected without consent.

7. International transfers

Supabase stores data within the EU. Stripe and Google operate in the United States. Where data is transferred outside the European Economic Area, appropriate safeguards are in place — specifically the European Commission's Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c).

8. Cookies and local storage

We use minimal browser storage:

NamePurposeDuration

analytics_consentStores your analytics cookie choice (accepted / declined).Persistent (localStorage)

sb-* (Supabase)Authentication session token.Session / 7 days

Analytics cookies (Google Tag Manager) are only set after you click "Accept" on the cookie consent banner shown on marketing pages. You can withdraw consent at any time by clearing your browser's local storage for this site, which resets the banner.

9. Your rights

Under GDPR, you have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Rectification: Ask us to correct inaccurate or incomplete data.
Erasure: Ask us to delete your account and personal data ("right to be forgotten").
Restriction: Ask us to pause processing your data in certain circumstances.
Portability: Receive your data in a structured, machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdraw consent: Withdraw analytics consent at any time without affecting prior processing.

To exercise any of these rights, email us at support@scorelayer.live. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection authority. In Ireland, this is the Data Protection Commission (DPC). A list of all EU supervisory authorities is available at edpb.europa.eu.

10. Children

ScoreLayer is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. If you have an account, we will notify you by email for significant changes. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions, requests, or complaints, contact us at:

ScoreLayer
support@scorelayer.live