Privacy Policy

Last updated: March 2, 2026

1. Introduction

This Privacy Policy explains how GetPaird ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our Platform. We are committed to protecting your privacy and complying with applicable data protection regulations, including the EU General Data Protection Regulation (GDPR).

2. Data We Collect

2.1 Account and Profile Data

When you create an account, we collect:

  • Registration data: Name, email address, username, password (stored as a bcrypt hash — we never store your actual password).
  • Profile data: First name, last name, bio, city, country, profile picture (avatar).
  • Optional profile data: Discord username, social media handles (Twitch, Instagram, Twitter/X, YouTube, Facebook, LinkedIn, TikTok), Spotify track URL.
  • Geolocation data: Latitude and longitude coordinates, derived from your city or manually set. Used to show nearby tournaments. This data is optional and can be removed by clearing your city.
  • Display preferences: Display name preference (username or full name), language preference, theme preference (light/dark mode).

2.2 Organization and Tournament Data

  • Organization data: Organization name, description, contact email, phone, website, address, city, country, logo, banner image, social media links.
  • Tournament data: Tournament names, descriptions, rules, prize structures, schedules, locations, entry fees, format configuration.
  • Tournament results: Match results, standings, rankings, scores, tiebreaker values, penalty records. These are associated with your user account.
  • Decklists: Card lists you create or submit for tournaments, including card names, quantities, and section structure (main deck, sideboard, etc.).

2.3 Registration and Participation Data

  • Registration data: Tournament registration status, ticket number, barcode identifier (for check-in), registration timestamp, check-in status.
  • Custom player data: Tournament organizers may configure additional data fields collected at registration (e.g. age, country, game identifier). These fields are defined per tournament and you are informed of what is being collected before registering.
  • Competition data: Match results you report or confirm, disputes you raise, penalties you receive, drop status.

2.4 Payment Data

  • Stripe payments: Payment amounts, transaction identifiers, refund status, Stripe session and payment intent IDs. Credit card details are processed exclusively by Stripe and never stored on our servers. Stripe is a PCI DSS Level 1 certified payment processor.
  • HelloAsso payments: Payment amounts, HelloAsso order identifiers, payer email (as received from the HelloAsso webhook). Credit card details are processed exclusively by HelloAsso.
  • Payment audit trail: All payment transactions (payments, refunds, manual adjustments) are recorded with timestamps, amounts, and the staff member who performed the action.

2.5 Communication Data

  • Contact form: Name, email address, message type (feedback, bug report, suggestion, contact), and message content.
  • Email communications: We store records of transactional emails sent to you (registration confirmations, staff notifications, reminders).

2.6 Automatically Collected Data

  • Log data: IP address, browser type and version, operating system, referring URLs, pages visited, timestamps. These are collected through standard web server logs.
  • Device data: Device type, screen resolution, language preferences.
  • Cookies and local storage: Session tokens, CSRF tokens, language and theme preferences. See our Cookie Policy for details.

2.7 Third-Party Data

  • OAuth providers: If you sign in with Google or Discord, we receive your name, email, and profile picture from those services. We store a provider-specific identifier to link your account.
  • Stripe: Payment confirmation status, transaction references. For organizations using Stripe Connect, we receive account verification status. We do not receive your full card details.
  • HelloAsso: Order confirmation data, payer email, payment amounts (via webhook). We do not receive your full card details.
  • Card data APIs: Card names, images, and game data used for decklist display and search are fetched from third-party APIs. No personal data is sent to these services.

2.8 Staff Activity Data

When users act in a staff capacity (judge, scorekeeper, etc.), the Platform records an activity log of their actions within the tournament. This includes the action performed, the affected entity, a timestamp, and the staff member's identity. This log is visible to other tournament staff and is retained for audit and dispute resolution purposes.

3. How We Use Your Data

We use your data for the following purposes:

  • Service operation: Account management, tournament organization, registration processing, payment handling, pairing generation, standings calculation, decklist management, penalty tracking.
  • Communication: Sending registration confirmations, waitlist promotions, tournament updates, staff assignment notifications, decklist reminders, event reminders for bookmarked tournaments, and essential service emails.
  • Tournament discovery: Using your geolocation data to display nearby tournaments. This feature is optional and based on city-derived coordinates.
  • Security: Fraud prevention, abuse detection, protecting the integrity of tournaments, rate limiting on contact forms.
  • Improvement: Analyzing aggregated and anonymized usage patterns to improve the Platform.
  • Legal compliance: Meeting legal obligations, maintaining financial records, and responding to lawful requests.
  • Dispute resolution: Using payment records, activity logs, and tournament data to resolve disputes between players and organizers.

4. Legal Basis for Processing (GDPR)

  • Contract: Processing necessary to provide the service you requested (account creation, tournament participation, payment processing, decklist management).
  • Legitimate interest: Security, fraud prevention, service improvement, activity logging for tournament integrity.
  • Consent: Optional features like geolocation for nearby events, linking third-party accounts (Google, Discord), sharing optional profile data.
  • Legal obligation: Financial record retention (tax compliance), anti-money laundering requirements.

5. Data Sharing and Visibility

We do not sell your personal data. We share data only in these circumstances:

  • Tournament organizers and staff: Organizers and staff can see your display name, registration status, check-in status, decklist (if submitted), penalty history, and any custom player data fields you provide when registering. Staff activity (results entry, penalties, etc.) is logged and visible to other staff.
  • Other participants: Your display name, tournament results (standings, pairings, match scores), and penalty count are visible to other tournament participants. Your privacy settings for specific details (email, city, full name, etc.) are respected.
  • Public profiles: Your username and tournament history may be visible on your public profile, subject to your privacy settings. You control which fields are visible: email, full name, city, rating, bio, Discord username, and social links.
  • Service providers: Stripe (payments), HelloAsso (payments), email delivery service (transactional emails), hosting provider (server infrastructure), third-party card data APIs (decklist display).
  • Legal requirements: When required by law, court order, or to protect the rights and safety of the Platform and its users.

6. Data Retention

  • Account data: Retained as long as your account is active. Deleted upon account deletion request, except for data required for legal compliance.
  • Tournament data: Retained as long as the tournament exists on the Platform. Tournament results and standings may be retained indefinitely for historical and competitive record purposes.
  • Decklist data: Personal decklists are deleted with your account. Tournament-submitted decklists may be retained as part of the tournament record.
  • Payment records: Retained for a minimum of 10 years for tax and legal compliance purposes. Payment transaction records use soft deletion to ensure audit trail integrity.
  • Penalty records: Retained as long as the tournament exists, for competitive integrity and dispute resolution.
  • Staff activity logs: Retained as long as the tournament exists, for audit and transparency purposes.
  • Contact messages: Retained for up to 2 years for support follow-up, then deleted.
  • Log data: Retained for up to 90 days, then deleted or anonymized.

7. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data. You can update most of your data directly from your profile settings.
  • Right to erasure: Request deletion of your personal data (subject to legal retention requirements). You can delete your account from your profile settings — this removes your personal data, though anonymized tournament records and legally required financial records may be retained.
  • Right to restrict processing: Request limitation of how we use your data.
  • Right to data portability: Receive your data in a structured, machine-readable format. You can export your decklists in text format from the Platform.
  • Right to object: Object to processing based on legitimate interest.
  • Right to withdraw consent: Withdraw consent at any time for processing based on consent. You can unlink third-party accounts, clear your geolocation data, and adjust your privacy settings at any time.

To exercise these rights, contact us through the feedback form or email provided on the Platform. We will respond within 30 days.

8. Your Privacy Controls

The Platform provides granular privacy controls in your profile settings. You can independently toggle the visibility of:

  • Email address
  • Full name (first and last name)
  • City
  • Rating/achievements
  • Biography
  • Discord username
  • Social media links

When a field is set to private, it is only visible to you. Tournament staff may still see your display name and registration-specific data necessary for tournament operation.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data is transmitted over HTTPS (TLS encryption).
  • Passwords are hashed using bcrypt.
  • Sensitive data (API keys) is encrypted at rest.
  • Access to production systems is restricted and logged.
  • Regular backups are maintained.
  • Credit card details are never stored on our servers — they are handled exclusively by Stripe and HelloAsso.
  • CSRF protection on all forms.
  • Rate limiting on sensitive endpoints (login, contact form, registration).
  • Webhook signature verification for payment providers.
  • IP whitelisting for HelloAsso webhooks.

10. International Transfers

Your data may be processed in countries outside the European Economic Area (EEA) where our hosting and service providers operate. Where this occurs, we ensure appropriate safeguards are in place (Standard Contractual Clauses, adequacy decisions, or equivalent protections).

11. Children's Privacy

The Platform is not intended for children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete that data promptly. Users between 16 and 18 must have parental or guardian consent.

12. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page. For significant changes, we will notify you via email or a prominent notice on the Platform.

13. Contact

For questions about this Privacy Policy or to exercise your data rights, please contact us through the feedback form available on the Platform.