Privacy Policy

Last updated: June 12, 2026

1. Controller Identity

The data controller for your personal data is crucible.fans ("we", "us", "our"). We operate the crucible.fans platform, a global matchday discovery service that connects fans with places to watch live sports together.

Contact email: team@mail.crucible.fans
Data Protection Officer: dpo@mail.crucible.fans (designated upon regulatory requirement)

2. Data We Collect

We collect the following categories of personal data:

Identity & Authentication

  • Email address
  • Display name
  • Avatar image URL (from Google/Apple if you sign in via OAuth)
  • Authentication provider (Google, Apple, or email magic link)

Profile & Engagement

  • User role and verification status
  • Growth metrics: points, streaks, tier level, referral code
  • Phone verification status (boolean only — we do not store your phone number)

Activity Data

  • Ends created (title, description, address, location coordinates, capacity)
  • Lock-ins (attendance reservations at ends)
  • Reviews and ratings submitted
  • Comments on ends
  • Photos uploaded to ends

Payment Data

  • Payment status, amount, and currency for ticketed ends
  • PayPal transaction IDs (processed by PayPal — we do not store card numbers)
  • Venue commission records (for hosts who receive payouts)

Technical & Analytics Data

  • IP address (truncated to first 3 octets for EU users, per GDPR)
  • Browser type and version, device type, operating system
  • Pages visited, time spent, referral source (via Google Analytics 4 — only with your consent)
  • Session cookies for authentication and language preference

Verification Documents

  • Business license URL (optional, for venue verification)
  • Verification status and any supporting documentation

3. Purpose & Lawful Basis for Processing

Under GDPR Article 6, we process your data based on the following lawful bases:

Purpose | Lawful Basis
Account creation and authentication | Contract (Art. 6(1)(b))
End discovery, creation, and lock-ins | Contract (Art. 6(1)(b))
Payment processing for ticketed ends | Contract (Art. 6(1)(b))
Website analytics and improvement | Consent (Art. 6(1)(a))
Transactional emails (lock-in confirmations, updates) | Legitimate interest (Art. 6(1)(f))
Growth features (points, streaks, referrals) | Legitimate interest (Art. 6(1)(f))
Trust and safety (host verification) | Legitimate interest (Art. 6(1)(f))
Bug fixes and error monitoring | Legitimate interest (Art. 6(1)(f))

4. Data Sharing & Third-Party Processors

We share your personal data with the following service providers, each bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards:

Processor | Purpose | Data Location
Vercel | Application hosting, CDN, serverless functions | Global edge network (US primary)
Supabase | Authentication, database, file storage, realtime | US (AWS us-east-1)
PayPal | Payment processing for ticketed ends | Global (US primary)
Resend | Transactional email delivery | US
MapTiler | Interactive map rendering (no PII transmitted) | EU (Germany)
Google Analytics | Website analytics (only with your consent) | Global

We do not sell your personal data to third parties. Data is only shared with processors listed above or as required by law.

5. International Data Transfers

Your data may be transferred to and processed in countries outside your region of residence, including the United States and Germany. For transfers from the EU/UK to the US, we rely on:

  • EU Standard Contractual Clauses (SCCs) with all US-based processors
  • Supabase and Vercel have signed EU-US Data Privacy Framework certifications or equivalent SCCs

For transfers to adequacy-decision countries (e.g., Germany), no additional safeguards are required.

6. Data Retention

We retain your personal data for the following periods:

Data Category | Retention Period
Account & profile data | Account lifetime + 30 days after deletion
Ends created & activity data | Active period + 90 days after event end date
Payment & commission records | 7 years (tax and legal requirement)
Analytics data (GA4) | 26 months (GA4 default, auto-expiring)
Email logs | 1 year
Verification documents | Account lifetime + 1 year after deletion

7. Your Rights

Depending on your location, you may have the following rights:

EU/UK GDPR Rights

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten").
  • Right to data portability (Art. 20): Receive your data in a machine-readable format (JSON).
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to restrict processing (Art. 18): Limit how we use your data.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time via your cookie preferences or settings.
  • Right to lodge a complaint: Contact your national supervisory authority (see Appendix B in our compliance docs).

California (CCPA/CPRA) Rights

  • Right to know: What personal information we collect, use, and share.
  • Right to delete: Request deletion of your personal information.
  • Right to correct: Correct inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell your data, but you may opt out of sharing with service providers.
  • Right to limit use of sensitive data: Restrict use of sensitive personal information (e.g., precise geolocation).
  • Non-discrimination: We will not discriminate against you for exercising your rights.

To exercise any of these rights, email us at privacy@mail.crucible.fans with the subject line "Data Subject Request". We will respond within 30 days (or 45 days for complex requests). You can also use the controls in your account settings to export your data or delete your account.

8. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate our service, remember your preferences, and analyze website traffic. See our Cookie Policy for a complete breakdown of every cookie we use and how to manage them.

In summary: essential cookies (session, language) are always active. Analytics cookies (Google Analytics 4) only run with your explicit consent. You can change your preferences at any time via the "Cookie Preferences" link in your account settings or by clicking the cookie icon in our footer.

9. Children's Data

crucible.fans is not directed to children under the age of 16 (13 in the United States). We do not knowingly collect personal data from children under these ages. If you believe we have inadvertently collected data from a child, contact us at privacy@mail.crucible.fans and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice on our website. The "Last updated" date at the top of this page indicates when the current version took effect.

Continued use of our service after changes constitutes acceptance of the updated policy. For significant changes, we may require your explicit consent.

11. Contact Us

For any privacy-related inquiries, data subject requests, or questions about this policy:

Email: privacy@mail.crucible.fans
General inquiries: team@mail.crucible.fans
Security issues: security@mail.crucible.fans

This Privacy Policy was last updated on June 12, 2026. It supersedes all previous versions.