Privacy Policy
Last updated: 2026-06-01
1. Who we are
Elimly is operated by SV express, a company registered in Poland (EU VAT PL5423371491). When this policy says “we”, “us”, or “the operator”, it means that company. The service is available at https://elimly.com.
Because the operator is established in the European Union, this policy follows the General Data Protection Regulation (GDPR). We are the data controller for the personal data described below.
2. What we collect
2.1 Information you provide
- Email address — required to sign in. We send a one-time magic link to that address every time you log in. The address is also the identifier of your account.
- Display name and profile picture — optional. If you sign in through Google, your name and avatar may be imported from your Google account so they can appear in the navigation bar. You can change or remove them at any time on the profile page.
- Tournament content — the tournament name, the list of player names you type in, the scores you enter, and any configuration (system, scoring rules, third-place flag, etc.).
2.2 Information collected automatically
- Anonymous-creator cookie (anon_token) — a long-lived random identifier we set the first time you visit the site, so brackets you create without logging in stay attached to your browser until you claim them.
- Session cookie (sid) — a 16-character random identifier renewed after 30 minutes of inactivity. Used for first-party analytics described below.
- Login session cookie (PHPSESSID) — the standard PHP session cookie, set after you click a magic link, used to keep you logged in.
- Analytics records — for each session we store: page paths visited, referer URL, UTM parameters from the landing URL, device type (mobile / desktop), browser user agent, country (derived from a Cloudflare header, see §5), and an IP hash — SHA-256 of your IP combined with a salt that rotates every day, so the value is not a long-term identifier.
- Event records — key actions are logged with a timestamp: page views, bracket creation, score updates, bracket completion, sign-up, sign-in.
3. Why we use this data (legal bases)
- To run the service (contract, GDPR Art. 6(1)(b)) — store your brackets, deliver magic-link emails, keep you signed in.
- To prevent abuse (legitimate interest, Art. 6(1)(f)) — rate-limit logins, block obvious crawlers and bots, protect against forged requests.
- To understand how the product is used (legitimate interest, Art. 6(1)(f)) — aggregate analytics for headline metrics, conversion funnel, top tournament types. We design the analytics to be coarse and unfriendly to re-identification (hashed IPs, no precise location, no cross-site tracking).
- To meet legal obligations (Art. 6(1)(c)) — e.g. respond to lawful requests from authorities, retain billing records when payments are introduced.
We do not sell personal data, and we do not use it to make decisions with significant legal effects.
4. Tournament URLs are public
Every bracket has a short random URL of the form /b/<token>. Anyone who knows the URL can view the tournament name, the player names you entered, and the scores. Treat the URL like an unlisted YouTube link: it’s not indexed publicly, but anyone you give the link to can share it further. Don’t put real personal data into player names if you want it to stay private.
Only the bracket’s owner (you, if logged in, or the browser that holds the matching anon_token cookie if it was created anonymously) can edit scores.
5. Third-party processors
We use a small number of providers to deliver the service. They process personal data on our behalf under a contract that requires GDPR-level protection. Most are based in the United States; international transfers rely on the EU–US Data Privacy Framework and on the EU Standard Contractual Clauses (SCCs).
- Resend (Resend, Inc., USA) — delivery of magic-link emails. Receives the recipient address and the email body.
- Google LLC (USA) — (a) Google OAuth, when you choose to sign in with Google — we receive your email, name, profile picture and Google subject ID; (b) Google Analytics 4 and Google Ads tag, for traffic measurement and conversion tracking — these run client-side and set Google cookies, see §6.
- Cloudflare, Inc. (USA) — if traffic reaches us via Cloudflare, Cloudflare may set its own security cookies and provides us with a coarse country code (the CF-IPCountry header) which we store alongside the session record. Cloudflare also operates as a CDN/proxy in front of the site.
- VPS hosting — our server runs on a dedicated VPS in the EU. The hosting provider only has access to the server filesystem; it does not have access to application-level data unless we make a manual export.
6. Cookies
Cookies fall into two groups:
- Necessary cookies (no consent required) — PHPSESSID for login sessions, anon_token for anonymous bracket ownership, sid for first-party analytics. Without these the site does not function.
- Measurement cookies — Google Analytics 4 (_ga, _ga_*) and Google Ads (_gcl_*) cookies. These are placed by Google to count visits and attribute conversions to ad campaigns. You can opt out of GA4 by installing the official Google Analytics opt-out add-on, or by clearing cookies and blocking them in your browser.
7. How long we keep data
- Account data — for as long as you keep the account. If you ask us to delete it (see §8), we delete the user record and detach the brackets it owned. We do not auto-delete inactive accounts.
- Brackets — indefinitely, unless you delete them or ask us to. Anonymous brackets remain accessible to anyone with the URL.
- Magic-link tokens — valid for 15 minutes and discarded after use. The used_at mark stays in the database but does not contain any personal data beyond your email.
- Analytics records — retained for 24 months and then deleted in bulk. The daily IP salt rotates every 24 hours, so even within the retention window the IP hash cannot be reversed to identify a specific person.
8. Your rights under GDPR
Wherever you live, you have at least the following rights regarding your personal data:
- Access — ask for a copy of what we hold about you.
- Rectification — correct anything that is wrong.
- Erasure — ask us to delete your account and the personal data tied to it.
- Restriction and objection — tell us to stop processing data, in particular for analytics (legitimate interest).
- Portability — receive your data in a structured machine-readable format.
- Withdraw consent — where we relied on consent (e.g. future marketing emails), you can withdraw it at any time without affecting prior processing.
- Lodge a complaint — you can complain to your local data protection authority. In Poland this is the President of the Personal Data Protection Office (UODO, uodo.gov.pl).
To exercise any of these rights, email us at contact@svexpress.eu from the address tied to your account. We respond within 30 days.
9. Security
Passwords are not stored because the service uses passwordless magic-link sign-in. The site is served over HTTPS only. Login tokens are single-use, 32-hex random, and expire after 15 minutes. Application logs are kept on the same VPS and are not shared with third parties.
No internet service can guarantee absolute security. If we discover a personal data breach that puts your rights at risk, we will notify the relevant authority within 72 hours as required by Art. 33 GDPR, and notify you directly when appropriate.
10. Children
The service is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal data, please write to us at contact@svexpress.eu and we will delete it.
11. Changes to this policy
We may update this policy from time to time. When we make material changes (new processors, new categories of data, new purposes), we update the “Last updated” date at the top and, for registered users, send a notification to the email on file at least 14 days before the change takes effect.
12. Contact
SV express
EU VAT: PL5423371491
Poland
Email: contact@svexpress.eu