Privacy Policy
This Privacy Policy explains what personal data we collect when you use Max Arena, why we collect it, who we share it with, and the rights you have under the General Data Protection Regulation (GDPR) and the Bulgarian Personal Data Protection Act.
1. Who is the controller
PROPER EDUCATION LTD (Bulgarian company ID / EIK 206192004), with its registered office at Vidin 3700, South Industrial Zone, Republic of Bulgaria, is the data controller for the personal data processed through Max Arena.
For any privacy question or request, contact us at [email protected].
We have not appointed a Data Protection Officer because our core activities do not currently trigger Article 37 of the GDPR. We will revisit this if our processing changes.
2. What personal data we collect
Account information you provide:
- Username and email address.
- Display name and date of birth.
- Password — stored only as a bcrypt hash. Never in plaintext, never readable by us or anyone else.
- Avatar image, if you choose to upload one.
- Favourite team, if you choose to set one.
Activity you generate using the App:
- Predictions you submit on matches.
- Leagues you create or join.
- Users you follow or block.
- Reports you file against other users.
Technical information from your requests:
- IP address, user-agent string, request method and path, response status, timestamp. Used for security, abuse prevention, rate limiting, and aggregate operational logs.
Notifications:
- Firebase Cloud Messaging (FCM) device token, registered by the app after you sign in. Used solely to deliver push notifications to you (a new follower, league activity, match start / end, goals, and reminders about predictions you haven't submitted). When you delete your account or remove the app, the device token is deleted.
- Your in-app "Notifications" feed is stored so you can view, mark as read, and dismiss past notifications.
What we do not collect:
- Gender or geographic location of residence (not requested).
- Analytics events, tracking pixels, or advertising identifiers (no analytics or advertising SDKs are integrated).
- Precise device location, contacts, calendar, photo library, or microphone.
3. Why we collect it (legal basis)
- To run your account, store your predictions, and display leaderboards — performance of a contract with you, GDPR Art. 6(1)(b).
- To send you verification and password-reset emails — performance of a contract, GDPR Art. 6(1)(b).
- To keep the service secure, prevent abuse, enforce rate limits, and retain operational logs — our legitimate interest, GDPR Art. 6(1)(f).
- To review reports and moderate content — our legitimate interest and compliance with legal obligations, GDPR Art. 6(1)(c) and 6(1)(f).
4. How long we keep your data
- Active accounts: while the account exists.
- After you delete your account: when you delete your account from inside the App, it is marked as deleted and immediately removed from public view. A 30-day grace period follows, during which you can change your mind and restore the account by logging in. After 30 days, your account and the personal data we hold are queued for permanent removal. Until our scheduled cleanup pass runs, your account remains in a soft-deleted state inside the database; we are working to fully automate this cleanup. You can email [email protected] to request expedited permanent removal.
- Predictions you made remain in the system for league-history integrity but are dissociated from your identity after permanent removal.
- Server logs: retained for approximately 30 days, then rotated out.
5. Who we share your data with (subprocessors)
We use a small number of trusted service providers to operate the App. Each is bound by appropriate data-processing terms.
- Resend (resend.com) — sends transactional emails on our behalf (registration verification codes, password-reset codes, email-change confirmations). Receives your email address and the contents of those emails. Resend is a US-based service operating under the EU–US Data Privacy Framework.
- Cloudflare R2 (cloudflare.com) — stores avatar and league image files in a private bucket. Object storage only. Cloudflare also acts as our CDN/edge in front of the API, which means it processes your IP address and request metadata in transit.
- Google (Firebase Cloud Messaging) — delivers push notifications to your device. Receives your device token and the contents of the notification (title, body, and metadata such as a match or user identifier). Google LLC processes this data globally; transfers to the United States rely on Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
- API-Football / api-sports.io — supplies us with football fixtures and results. We consume data from them; we do not send them any of your personal data.
We do not use analytics providers, advertising networks, or data brokers, and we do not sell your data to anyone.
6. Where your data is processed
Primary processing happens on infrastructure located in the European Union. Some subprocessors may process data outside the EU — Resend in the United States, Cloudflare globally. Such transfers rely on Standard Contractual Clauses and adequacy decisions where applicable.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict or object to certain processing.
- Receive a portable copy of your data in a machine-readable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with the Bulgarian Commission for Personal Data Protection (KZLD / CPDP, cpdp.bg) or the supervisory authority in your country of residence.
To exercise any of these rights, email [email protected] from the address associated with your account. We respond within 30 days, as required by GDPR Art. 12(3).
8. Deleting your account
You can delete your account in two ways:
- From inside the App: Settings → Delete account.
- By email, if you no longer have the App installed — follow the instructions on the Delete account page.
Either way, your account is removed from public view immediately. See section 4 above for what is retained and for how long.
9. Children
Max Arena is rated 9+/12+ and is not directed at children under 13. We do not knowingly collect personal data from children under 13. In Bulgaria, the digital-consent age is 14; users aged 14–17 may use the App with parental supervision. If you believe a child under 13 has provided us with personal data, please email [email protected] and we will delete it.
10. Cookies and similar technologies
The API does not set cookies. Authentication is performed with a Bearer token sent in the Authorization HTTP header.
11. Security
Passwords are stored only as bcrypt hashes. Refresh tokens are hashed in the database. All traffic in production is served over HTTPS. Access to production data is restricted to operations staff on a need-to-know basis. No security control is perfect; we ask that you report any suspected security issue to [email protected].
12. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced in the App or by email, and the "Last updated" date at the bottom of this page will change. Please review this page periodically.
13. Contact
PROPER EDUCATION LTD
Bulgarian company ID (EIK): 206192004
Registered office: Vidin 3700, South Industrial Zone, Republic of Bulgaria
Email: [email protected]