Who we are
“Octogolazo” (we, us) operates the octogolazo.com website and the Octogolazo mobile applications for iOS and Android. Octogolazo is a social prediction game for live football matches — not a betting product, not a fantasy league, not a sportsbook. No money changes hands and predictions have no monetary value.
Data we collect
We collect only what we need to run the service.
• Anonymous session: a random identifier created by Supabase when you first open Octogolazo. No name, email, or phone required. Lets you predict, share, and earn points without an account.
• Predictions and reactions: the picks you make on matches, including timestamps; emoji reactions in match rooms.
• Analytics events: page views, prediction submissions, share intents, install-CTA dismissals. Collected via PostHog only after you accept the cookie banner. If you decline, we don't collect analytics events.
• Optional account data: if you choose to claim your anonymous session as a permanent account, the email address or phone number you provide for magic-link / OTP / social sign-in.
• Install attribution: when you arrive via a shared Stamp link (octogolazo.com/s/...?ref=...), we store the referring stamp id in your browser localStorage so the original sharer can be credited if you later install the app on the same device + browser.
• Device + network basics: user agent, locale, IP-derived country (not the full IP), and standard server logs from our hosting provider. Used to debug and surface localized content.
• Push notification tokens: only on native apps, only after you accept the system push permission. Stored to deliver vindication and chaos-round notifications.
Why we use it
Each purpose maps to one of these legal bases under GDPR:
• Contract: running the service you signed up for — recording predictions, computing scores, syncing across devices, sending push notifications you opted into.
• Consent: analytics, A/B experiments on the scoring rubric, install attribution. You can withdraw consent at any time via the cookie banner or by clearing localStorage.
• Legitimate interest: keeping the service secure (rate limits, fraud detection), and improving its reliability through error tracking (Sentry, with PII scrubbing).
Who we share it with
We use a small number of vendors to operate Octogolazo. We never sell your data and we don't share it with third parties for their own marketing.
• Supabase: stores all account, prediction, score, and stamp data. Hosted in the EU.
• PostHog: receives analytics events when you've accepted the cookie banner. EU instance.
• Expo Push Notifications: native-only delivery of push notifications you opted into.
• API-Football (api-sports.io): source of match fixtures, scores, and events. We send only the match id we're querying; no user data is sent to API-Football.
• Sentry: receives application error reports with PII scrubbed.
• EAS Hosting: serves the web client at octogolazo.com.
How long we keep it
• Anonymous sessions on web: 30 days from last activity in your browser localStorage. The Supabase row stays until our quarterly orphan cleanup runs (90 days of inactivity with zero predictions).
• Claimed accounts: until you delete the account or the company winds down.
• Predictions and stamps: kept for the duration of the account so you can revisit your history.
• Analytics events: PostHog's default retention applies (currently 7 years; we'll review this annually).
Your rights
Under GDPR (EU/UK) and most other comprehensive privacy laws, you have the right to access, correct, port, and delete your personal data, and to withdraw consent.
• Access / export: email [email protected] from the address tied to your claimed account.
• Deletion: same address. We process deletion requests within 30 days; tournament-level aggregates (leaderboards) are scrubbed of your identifier and your row is removed.
• Withdraw consent: click Decline on the cookie banner, or clear localStorage to re-prompt.
• EU representative: to be appointed before public launch.
Cookies and local storage
Octogolazo uses a small number of cookie-like storage mechanisms. None are advertising cookies; we don't run advertising.
• Strictly necessary: Supabase authentication state, your display preferences. No consent required under GDPR Article 6(1)(f).
• Analytics: PostHog cookies and identifiers. Set only after you accept the consent banner.
• Install attribution: the octogolazo_install_ref localStorage key set when you arrive via a shared link. Cleared on opt-out.