1. Controller

The controller responsible for the processing of personal data is:

• Laurin Maurer
• Baumgartenstrasse 10
• 8118 Pfaffhausen
• Switzerland
• Email: strategyorienteering@gmail.com

2. Scope

This Privacy Policy applies to all users and visitors of the Service. It covers account use, fantasy team participation, public rankings, bonus questions, event pages, analytics, security monitoring, and related communications.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

• Account Data: email address, password authentication data, display name, user ID, account creation date, login status, communication preferences, acceptance of Terms and this Privacy Policy.
• Profile Data: optional profile information, linked athlete profile, club memberships, public name, country, profile image, and other information you choose to provide.
• Game Data: fantasy teams, relay teams, athlete selections, bonus question answers, scores, rankings, leaderboards, points, event participation, recap status, and related gameplay records.
• Public Display Data: display name, score, rank, selected public athlete profile, linked athlete identity, profile image, and other gameplay information shown in public or semi-public areas of the Service.
• Technical Data: IP address, device type, browser type, operating system, session IDs, timestamps, page paths, referring pages, approximate country or region, logs, error reports, and security events.
• Communication Data: emails you send us, support requests, feedback, and email delivery data if you subscribe to notifications.
• Third-Party Public Athlete Data: publicly available athlete names, countries, clubs, profile images, rankings, race results, and related sports information from sources such as IOF/Eventor or other public or official orienteering sources.

4. Public Athlete Data

The Service uses publicly available information about orienteering athletes to operate the fantasy game. This may include athlete names, countries, clubs, photos, results, rankings, starts, disqualifications, and event-related information. We do not control the original public sources and cannot guarantee that third-party athlete data is complete, accurate, or up to date.

If you are an athlete and believe that information displayed about you is inaccurate or should be reviewed, contact us at strategyorienteering@gmail.com.

5. How We Use Personal Data

We process personal data for the following purposes:

• to create, authenticate, and manage user accounts;
• to operate fantasy games, team builders, relay team builders, scoring systems, leaderboards, and event pages;
• to display public rankings, scores, athlete selections, and game-related information;
• to prevent fraud, duplicate accounts, abuse, manipulation, cheating, unauthorized access, or misuse;
• to provide support, respond to requests, and communicate service-related information;
• to send optional emails, reminders, or updates where you have opted in or where legally permitted;
• to analyze usage, improve functionality, fix bugs, monitor performance, and develop new features;
• to comply with legal obligations, enforce our terms, and protect legal rights;
• to maintain backups, logs, and security records.

6. Legal Bases for Processing

Where GDPR applies, we rely on the following legal bases:

• Contract: to provide the Service, manage accounts, operate games, calculate scores, and display rankings.
• Legitimate Interests: to secure the Service, prevent abuse, improve the product, analyze usage, and display game-related public information.
• Consent: for optional communications, optional cookies or analytics where required, and other consent-based features.
• Legal Obligation: where processing is necessary to comply with applicable laws or lawful requests.

Under Swiss FADP, we process personal data lawfully, proportionately, transparently, and for purposes that are clear from this Privacy Policy, the Service context, or applicable law.

7. Public Visibility

The Service is a competitive fantasy game. Some information is intentionally visible to other users or the public. This may include display names, linked athlete profiles, profile images, teams, relay assignments, scores, rankings, leaderboard positions, club-related visibility, and selected gameplay activity.

Do not use the Service if you do not want this game-related information to be visible according to the Service’s public and semi-public features.

8. Cookies, Local Storage, and Similar Technologies

We may use cookies, local storage, session storage, and similar technologies to keep you logged in, remember preferences, secure the Service, measure usage, and improve performance.

Where legally required, non-essential cookies or analytics technologies will only be used with your consent. You can control cookies through your browser settings. Disabling essential cookies may prevent parts of the Service from working correctly.

9. Analytics and Logs

We may process technical and usage data to understand how the Service is used, detect errors, improve features, and protect against misuse. This may include page paths, timestamps, device information, session IDs, approximate location from IP address, and interaction events.

We aim to minimize analytics data where reasonably possible and avoid using analytics to identify individuals unless necessary for security, debugging, fraud prevention, or legal reasons.

10. Data Sharing and Processors

We do not sell personal data. We may share data with:

• Service Providers / Processors: hosting providers, database providers, authentication providers, analytics providers, email delivery services, error monitoring tools, and security providers.
• Google Firebase / Google Cloud: used for authentication, Firestore/database, hosting, storage, security rules, and related infrastructure.
• Email Providers: used only to send service emails, transactional messages, or optional communications.
• Public Users: where information is displayed through public game features such as leaderboards, rankings, public guesses, athlete links, or profiles.
• Authorities or Legal Parties: where required by law, legal process, enforcement of terms, or protection of rights, safety, and security.
• Sponsors and Partners: we may display sponsor content or links, but we do not share your private account data or private team data with sponsors unless we clearly inform you and, where required, obtain your consent.

11. International Transfers

Personal data may be processed in Switzerland, the EU/EEA, the United States, or other countries where our service providers operate. These countries may have different data protection laws.

Where required, we rely on appropriate safeguards such as adequacy decisions, the EU Standard Contractual Clauses, the Swiss data transfer addendum or equivalent safeguards, the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework for certified recipients, or another lawful transfer mechanism.

For US providers, adequacy under the Swiss-U.S. Data Privacy Framework applies only if the recipient is certified under the applicable framework. If a provider is not covered by an adequacy mechanism, we use contractual safeguards or another lawful basis where required.

12. Data Security

We use appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include authentication controls, access restrictions, database security rules, HTTPS encryption in transit, provider-side security measures, backups, monitoring, and limited administrative access.

No internet service can be guaranteed to be completely secure. You are responsible for keeping your login credentials confidential and for using a secure device and browser.

13. Data Breaches

If we become aware of a personal data breach, we will assess the risk and take appropriate steps to contain, investigate, and remediate it. Where legally required, we will notify the competent supervisory authority and/or affected users.

14. Data Retention

We retain personal data only as long as necessary for the purposes described in this Privacy Policy, including providing the Service, maintaining leaderboards and game history, resolving disputes, enforcing terms, securing the platform, and complying with legal obligations.

• Account data: generally retained while your account exists.
• Game and leaderboard data: may be retained after an event to preserve competition history and rankings.
• Technical logs: retained for a limited period unless needed for security, debugging, or legal reasons.
• Email preferences: retained as long as needed to respect opt-ins and opt-outs.
• Backups: deleted or overwritten according to backup cycles.

When data is no longer needed, we delete, anonymize, or aggregate it where reasonably possible.

15. Your Rights

Depending on your location and applicable law, you may have the right to:

• request access to your personal data;
• request correction of inaccurate or incomplete data;
• request deletion of personal data;
• request restriction of processing;
• object to certain processing, including processing based on legitimate interests;
• withdraw consent where processing is based on consent;
• request data portability where applicable;
• object to direct marketing;
• lodge a complaint with a competent data protection authority.

You can manage some account information directly in your profile. To exercise rights, contact us at strategyorienteering@gmail.com. We may need to verify your identity before responding.

16. EU/EEA and UK Users

If GDPR or UK GDPR applies to your use of the Service, you may have additional rights under those laws. You may also have the right to complain to your local supervisory authority.

We are based in Switzerland. If we are legally required to appoint an EU/EEA or UK representative, we will update this Privacy Policy with the representative’s contact details.

17. Swiss Supervisory Authority

In Switzerland, the competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). You may contact the FDPIC if you believe your data protection rights have been violated.

18. Children and Minors

The Service is not intended for children below the age at which they can legally consent to data processing in their jurisdiction without parental consent. If you are a minor, use the Service only with permission from a parent or legal guardian where required.

If we learn that we have collected personal data from a child unlawfully or without required consent, we will take appropriate steps to delete it.

19. Automated Decision-Making and Profiling

The Service automatically calculates scores, rankings, predictions, leaderboards, and game statistics based on game rules and user activity. These automated calculations are part of the Service and do not produce legal or similarly significant effects outside the game.

We do not use personal data for automated credit, employment, insurance, or similarly significant decisions.

20. Third-Party Links

The Service may contain links to external websites, sponsors, event pages, federations, timing providers, maps, or athlete resources. We are not responsible for the privacy practices, content, or security of third-party websites. Review their privacy policies before providing personal data.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by the "Last Updated" date. If changes are material, we may notify users through the Service or by email where appropriate.

22. Contact

For questions, requests, objections, or complaints regarding this Privacy Policy or personal data processing, contact:

• Laurin Maurer
• Baumgartenstrasse 10
• 8118 Pfaffhausen
• Switzerland
• Email: strategyorienteering@gmail.com