Privacy Policy

The controller of your personal data is Houmofis d.o.o., Sedejeva 3, 1000 Ljubljana, Slovenia (VAT 55359752). For privacy questions, write to privacy@lynvo.app.

We collect only data needed to operate the service:

• Account data — name, email, hashed password, language preference. Provided by you at signup.
• Membership and match data — which tenant / leagues you belong to, match results you record, votes you cast.
• Billing data (organizers only) — Stripe customer ID, subscription status, current plan, period end. We never see or store full card numbers; those live with Stripe.
• Operational logs — IP address, user-agent, and timestamps for security and abuse prevention. Logs are kept short-term (≤ 30 days) unless tied to a security incident.
• Cookies — a session cookie for authentication and a small lang cookie for your language pick. We don't use third-party advertising or tracking cookies.

Each kind of data has a specific legal basis under Article 6 GDPR:

• Performance of contract — account creation, league administration, match recording, billing.
• Legal obligation — keeping accounting records, responding to lawful requests.
• Legitimate interests — security logging, preventing abuse, improving the product. We weigh these against your rights and stop if you object.
• Consent — when applicable (e.g. optional marketing emails). You can withdraw it at any time.

We share data with a small number of processors strictly to deliver the service. Each is bound by a data-processing agreement.

• Vercel Inc. — hosting and CDN. May process data in the EU and the US under SCCs.
• Stripe Payments Europe Ltd. — payment processing. Stores card data; we don't.
• Resend, Inc. — transactional email delivery (sign-up, verify, password reset, league invites, match notifications).
• Anthropic PBC — generates AI news articles from match data. Match-derived content is sent at the time of generation; Anthropic doesn't retain it for training under our enterprise terms.
• Database hosting — managed PostgreSQL in the EU.

We do not sell your personal data to anyone.

When a processor (such as Vercel or Stripe) transfers data outside the EEA, the transfer is covered by the European Commission's Standard Contractual Clauses or an equivalent adequacy mechanism. You can request a copy of the safeguards by emailing privacy@lynvo.app.

Account, league, and match data are kept while your account is active. When you delete your account or your tenant, we remove identifiable data within 30 days, except where retention is required by law (e.g. invoices for 10 years under Slovenian accounting rules) or where data is anonymized for aggregate statistics.

Under the GDPR, you have the right to: access your personal data, correct it, have it erased, restrict its processing, object to processing, and request portability. You also have the right to lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec). Most rights can be exercised directly in the app (account settings); for everything else, email privacy@lynvo.app and we'll respond within 30 days.

Passwords are stored as bcrypt hashes. All traffic is encrypted with TLS. Access to production data is restricted and logged. If we ever experience a breach affecting your data, we'll notify the supervisory authority within 72 hours and inform affected users without undue delay, in line with Articles 33-34 GDPR.

Lynvo is not aimed at children under 16. We don't knowingly collect data from anyone in that age group through self-signup. If a younger child is added by an organizer (e.g. a junior league), the organizer is responsible for obtaining the consent of the child's parent or guardian.

We may update this policy when the service or the law changes. Material changes are announced by email to active organizers and posted here with a new "last updated" date.