GamesTally

Privacy Policy

Effective date: 1 June 2026 · Last updated: 1 June 2026

1. Who We Are

GamesTally ("the Service") is operated by GamesTally Pte Ltd, a private limited company incorporated in Singapore (UEN T260601319). GamesTally Pte Ltd is the data controller for personal data processed through the Service.

Contact: hello@gamestally.com

2. What We Collect

  • Account data: email address, hashed password, display name (if provided), email verification status, two-factor enrolment status.
  • Event data you create: event names, dates, team and game configurations, scores, and the score-change audit log.
  • Authentication & security logs: sign-in events, failed-login attempts, password resets, IP addresses and user agents (for security investigation only).
  • Billing data: via Stripe — we store the Stripe customer ID and subscription status. Payment card details are held by Stripe; we never see them.
  • Cookies: see our Cookie Policy.

3. How We Use It

  • To provide and operate the Service (run events, store scores).
  • To authenticate users and protect against abuse.
  • To send transactional emails (verification, password reset, billing).
  • To process payments via Stripe.
  • To investigate security incidents and resolve disputes.

4. Legal Basis (PDPA / GDPR)

We process personal data on the basis of contract (operating the Service), consent (where required — e.g. marketing emails if any are sent), and legitimate interest (security, fraud prevention, audit trails for dispute resolution at corporate events).

5. Sub-processors

We use the following providers to deliver the Service:

  • Stripe (United States, Singapore) — payment processing
  • Supabase (Singapore region) — database, auth, storage
  • Vercel (global edge network) — application hosting
  • Resend (United States, EU) — transactional email
  • Sentry (United States) — error tracking and monitoring

We do not use any advertising or marketing analytics sub-processors at this time.

6. Retention

  • Account data: until you delete your account. Account deletion uses a 30-day grace period (account suspended, restorable on request); after 30 days, all tenant data is hard-deleted.
  • Event data (events, teams, games, results, score history): for the lifetime of the account, subject to free-tier auto-archive after 30 days of inactivity.
  • Authentication and admin audit logs: 12 months, with the user_id replaced by a hash after account deletion.
  • Backups: daily, 30-day retention, encrypted at rest in a region separate from the primary database.

7. Your Rights

Under the Singapore PDPA and (where applicable) GDPR you have the right to access, correct, port, or delete your personal data. Account deletion is available from your settings (M6+); for any other request, contact hello@gamestally.com.

8. International Transfers

Customer data is primarily stored in Singapore (Supabase ap-southeast-1). Application code is served via Vercel's global edge network with caching, but no Customer Data is persisted at edge nodes. Sub-processor data may be transferred to the United States (Stripe, Sentry, Resend) and EU (Resend secondary region).

For transfers from EU / UK / EEA: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

For transfers from Singapore: we comply with the PDPA Transfer Limitation Obligation by ensuring sub-processors provide protection comparable to PDPA standards.

9. Changes

We may update this policy. Material changes will be communicated by email to verified account holders before they take effect.