Privacy Policy

1. Introduction

Welcome to ArenaIQ. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our tournament management platform.

By using ArenaIQ, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide when you:

• Create an Account: Email address, name, password, profile picture
• Complete Your Profile: Phone number, timezone, bio, preferences
• Create an Organization: Organization name, contact information, billing details
• Register for Tournaments: Participant information, team data, contact details
• Process Payments: Billing address, payment method (processed via Stripe)
• Contact Support: Name, email, message content
• Enable Two-Factor Authentication: Phone number, authenticator app data

2.2 Information Collected Automatically

When you use ArenaIQ, we automatically collect:

• Usage Data: Pages visited, features used, time spent, interactions
• Device Information: IP address, browser type, device type, operating system
• Location Data: Approximate location based on IP address
• Log Data: Access times, error logs, API requests
• Cookies and Tracking: Session cookies, authentication tokens, analytics cookies
• Security Data: Login attempts, IP addresses, device fingerprints, threat detection data

2.3 Information from Third Parties

We may receive information from:

• OAuth Providers: Google and GitHub (name, email, profile picture)
• Payment Processors: Stripe (transaction status, payment method details)
• Email Services: Resend (email delivery status, open rates)

3. How We Use Your Information

We use your information to:

• Provide the Service: Create accounts, manage tournaments, process registrations
• Authentication & Security: Verify identity, enable 2FA, detect threats and fraudulent activity
• Communication: Send verification emails, notifications, tournament updates, billing alerts
• Payment Processing: Process subscription payments and tournament registration fees
• Service Improvement: Analyze usage patterns, fix bugs, develop new features
• Customer Support: Respond to inquiries, troubleshoot issues, provide assistance
• Compliance: Meet legal obligations, enforce Terms of Service, prevent abuse
• Analytics: Generate tournament statistics, performance metrics, engagement data
• Marketing: Send product updates and promotional emails (with consent, opt-out available)

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

• Contract Performance: To provide the Service you signed up for
• Consent: When you explicitly agree (e.g., marketing emails, cookies)
• Legitimate Interests: To improve the Service, prevent fraud, and ensure security
• Legal Obligations: To comply with laws and regulations

5. How We Share Your Information

We do not sell your personal information. We may share your data with:

5.1 Service Providers

• Cloud Hosting: Vercel (frontend), Railway/AWS (backend), PostgreSQL (database)
• Payment Processing: Stripe (payment processing)
• Email Delivery: Resend (transactional and marketing emails)
• Analytics: Google Analytics, Mixpanel (usage analytics)
• Error Tracking: Sentry (error monitoring and debugging)

5.2 Within Your Organization

Tournament data, participant information, and organization settings are accessible to members of your organization based on their role permissions (Admin, Organizer, Judge, Viewer).

5.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

5.4 Business Transfers

If ArenaIQ is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different Privacy Policy.

6. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

• Active Accounts: Data retained while your account is active
• Deleted Accounts: Most data deleted within 30 days; some data retained for legal compliance
• Log Data: Retained for 90 days for security and troubleshooting
• Billing Records: Retained for 7 years for tax and accounting purposes
• Security Logs: Login attempts, threat detection logs retained for 1 year

7. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
• Authentication: Bcrypt password hashing, JWT tokens with 7-day expiration
• Two-Factor Authentication (2FA): Optional TOTP and backup codes
• Access Controls: Role-based access control (RBAC) for organization data
• Audit Logging: All critical actions logged with timestamps and user attribution
• Threat Detection: Automated monitoring for suspicious activity, brute force attacks
• Regular Security Audits: Penetration testing, vulnerability scans
• IP Whitelisting: Optional IP restrictions for organization access

However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Your Privacy Rights

8.1 Access and Portability

You have the right to access your personal data and request a copy in a machine-readable format (JSON or CSV export available in account settings).

8.2 Correction

You can update your personal information at any time through your account settings.

8.3 Deletion

You can delete your account at any time. Some data may be retained for legal compliance.

8.4 Opt-Out of Marketing

You can unsubscribe from marketing emails via the link in each email or through notification preferences.

8.5 GDPR Rights (EEA Users)

If you are in the EEA, you have additional rights:

• Right to restrict processing
• Right to object to processing
• Right to lodge a complaint with a supervisory authority
• Right to withdraw consent at any time

8.6 CCPA Rights (California Users)

If you are a California resident, you have the right to:

• Know what personal information is collected
• Know if your personal information is sold or disclosed
• Opt-out of the sale of personal information (we do not sell data)
• Request deletion of personal information
• Not be discriminated against for exercising your rights

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Essential Cookies: Required for authentication, session management, security
• Analytics Cookies: Track usage patterns to improve the Service
• Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of the Service.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission for GDPR compliance.

11. Children's Privacy

ArenaIQ is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete it.

12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service. The "Last Updated" date at the top indicates when the policy was last revised.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

15. Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer at dpo@arenaiq.com.