Privacy Policy
Last updated: 15 June 2026
This English version is a non-binding translation provided for convenience. The legally binding version of this Privacy Policy is the German version, available at playmatchplan.com/de/privacy-policy. In the event of any discrepancy between the German and English versions, the German version prevails.
General Information
Matchplan GmbH, Königsdorfer Straße 4, 50933 Köln (hereinafter "Matchplan", "we" or "us") takes the protection of personal data very seriously.
We treat personal data confidentially and always in accordance with the applicable data protection laws, in particular Regulation (EU) 2016/679 (hereinafter "GDPR"), the German Federal Data Protection Act (hereinafter "BDSG") and the provisions of this Privacy Policy.
The purpose of this Privacy Policy is to inform you (hereinafter "data subject" or "you") in accordance with Art. 12 et seq. GDPR about how and for what purposes we process your personal data when you use our app "Matchplan" (hereinafter the "Matchplan App") and when you contact us.
Unless otherwise stated in this Privacy Policy, the terms used have the meaning assigned to them in the Terms and Conditions (available at playmatchplan.com/terms-conditions).
Controller
The controller within the meaning of the GDPR for the personal data processed in connection with the use of the app or any contact is:
Matchplan GmbH
Königsdorfer Straße 4
50933 Köln
Germany
Email: hello@playmatchplan.com
If you have any questions about this Privacy Policy or the processing of your personal data, you can reach us using the contact details above.
Categories, purposes and legal bases of the personal data processed
We process various categories of your personal data for various purposes. Below you can see which personal data we process in which context, for which purposes and on which legal basis.
Downloading the app
When downloading the Matchplan App from the Google Play Store or the Apple App Store, and each time you use the Matchplan App, certain personal data is processed automatically. This includes in particular the following data categories:
- Google account and associated email address (when downloading via the Google Play Store)
- Apple account and associated email address (when downloading via the Apple App Store)
Legal basis: The legal basis for this processing is Art. 6(1)(b) GDPR, as the processing is necessary to perform the usage agreement.
Storage period: The personal data processed during download (Google account or Apple account and associated email address) is not stored by Matchplan. The privacy notices of Google or Apple apply.
Provision of the app
- Device and usage data (device ID, session ID, platform iOS or Android, app version, access times, session duration)
- IP address
- Technical error and crash data
Legal basis: The legal basis for processing the device and usage data and the IP address is Art. 6(1)(b) GDPR, as the processing is necessary to perform the usage agreement. The processing of technical error and crash data is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the quality and stability of the Matchplan App.
Storage period: Server and error logs are deleted after 30 days at the latest. In some cases, for example due to statutory retention obligations, we may be required to store personal data for longer.
Registration and user account
When you register and use your user account, we process the following personal data:
- Email address
- Password
- Username and display name
- Profile picture
- Language setting and time zone
- Referral code (if used)
- Confirmation of the minimum age
Legal basis: We process this personal data to create and manage your user account and to document consents given. The legal basis for the processing is Art. 6(1)(b) GDPR, as the processing is necessary to perform the usage agreement or to carry out pre-contractual measures.
Storage period: The personal data is stored for the duration of the user account. When the account is deleted, the personal registration and user-account data is deleted. Inactive user accounts are anonymized after three years of inactivity. You can delete your account directly in the Matchplan App.
Registration via Google
You have the option to register and log in to the Matchplan App with your Google account. When you use this function, Google transmits the following personal data to us:
- Email address
- Name
- Google account identifier / ID token
Legal basis: We process the personal data transmitted by Google exclusively for registration and login. The legal basis for the processing is Art. 6(1)(b) GDPR, as the processing is necessary to perform the usage agreement or to carry out pre-contractual measures.
Storage period: The personal data is stored for the duration of the user account. When the account is deleted, the personal data is deleted.
Registration via Apple
You have the option to register and log in to the Matchplan App with your Apple ID. When you use this function, Apple transmits the following personal data to us:
- Email address (or Apple relay address)
- Name
- Apple account identifier / ID token
Legal basis: We process the personal data transmitted by Apple exclusively for registration and login. The legal basis for the processing is Art. 6(1)(b) GDPR, as the processing is necessary to perform the usage agreement or to carry out pre-contractual measures.
Storage period: The personal data is stored for the duration of the user account. When the account is deleted, the personal registration data is deleted.
Game-related data
As part of using the game and competition functions, we process the following game-related data:
- Predictions, picks and moves
- Points, level, skill rating
- League, division, streaks, achievements
- Collections (cards/packs)
- Store Points
- Season pass progress
- Social connections (friends, groups, invitations)
- Activity history
- Comparison statistics
Legal basis: We process this personal data to provide the game, competition, progression, reward and social functions of the Matchplan App. The legal basis is Art. 6(1)(b) GDPR, as the processing is necessary to perform the usage agreement.
Storage period: The game-related personal data is stored for the duration of the user account and deleted when the account is deleted.
In-app purchases and payment processing
Payment processing for in-app purchases of virtual goods is carried out exclusively via the Apple App Store or Google Play Store. The entry and processing of your payment data is performed solely by the respective app store provider. Matchplan does not receive or store any payment data. We process only the following purchase and transaction data:
- Transaction / order ID
- Product ID
- Purchase date and receipt
Legal basis: We process the above purchase and transaction data to unlock and manage the virtual goods acquired and to fulfil statutory retention obligations. The legal basis for processing to perform the contract is Art. 6(1)(b) GDPR. The processing to fulfil statutory retention obligations is based on Art. 6(1)(c) GDPR.
Storage period: Purchase and transaction data is stored for the duration of the statutory retention obligations.
Order confirmation
After completing an in-app purchase, we send you an order confirmation to the email address stored in your user account. In doing so, we process your email address and the purchase details (product, price, transaction ID, purchase date). This serves to fulfil our statutory information obligations pursuant to Sec. 312i(1) no. 3 German Civil Code (BGB) in conjunction with Art. 246c EGBGB and to process the contract.
Legal basis: The legal basis is Art. 6(1)(b) GDPR (performance of the contract) and Art. 6(1)(c) GDPR (fulfilment of statutory obligations).
Storage period: The personal data processed as part of the order confirmation is stored for the duration of the statutory retention obligations.
Push notifications
If you allow push notifications on your device, we process the following personal data with your consent:
- Push / device token, platform, device ID
- Delivery and open logs
Legal basis: We process this personal data to send you push notifications (including matchday reminders, rewards, notices) and to measure delivery and open rates and to optimize the notification service. The legal basis is Art. 6(1)(a) GDPR. You give your consent by activating the push notification function for the Matchplan App in your device's system settings. You can withdraw this consent at any time with effect for the future by deactivating push notifications in your device settings.
Storage period: This personal data is stored as long as you have push notifications activated. After deactivation, the personal data is deleted unless other retention grounds exist.
Marketing communication
With your consent, we process the following personal data to send marketing and product emails:
- Email address
- First name (optional)
- Opt-in status
Legal basis: We process this personal data to send you marketing and product emails and to manage our marketing contact list. The legal basis is Art. 6(1)(a) GDPR. You give your consent as part of the newsletter sign-up process (double opt-in) by means of a separate declaration of consent referring to this Privacy Policy. You can withdraw this consent at any time with effect for the future, for example by clicking the unsubscribe link in our emails. The withdrawal does not affect the lawfulness of the processing carried out on the basis of the consent up to the withdrawal.
Storage period: Your personal data is deleted as soon as the purpose of storage and processing no longer applies. Your email address is stored for as long as your newsletter subscription is active. In some cases, for example due to statutory retention obligations, we may be required to store your personal data beyond this period.
Contacting us
When you contact us, for example by email at hello@playmatchplan.com, we process the following personal data in connection with your request:
- Email address
- Content of the request
Legal basis: We process this personal data to handle and respond to your support and contact requests. If you contact us in the context of an existing usage agreement or to obtain pre-contractual information, the legal basis is Art. 6(1)(b) GDPR. In all other cases, the legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in responding appropriately to user requests.
Storage period: The personal contact data is deleted as soon as the purpose of storage no longer applies, for example after your request has been conclusively dealt with. In some cases, for example due to statutory retention obligations, we may be required to store your personal data beyond this period.
Cookies
No cookies are used in the Matchplan App.
Recipients of data; processors
We use specialized service providers that process personal data on our behalf (hereinafter "processors"). With each processor we have concluded a data processing agreement pursuant to Art. 28 GDPR which, insofar as the processor is established outside the EEA, contains the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. The processors we use process personal data exclusively in accordance with our instructions and not for their own purposes.
Our current processors are:
| Processor | Purpose of engagement | Processing region |
|---|---|---|
| Supabase | Database hosting, authentication, file and image storage (Storage) | EU |
| Vercel | Hosting and operation of the backend and API infrastructure | EU |
| Cloudflare | Content delivery network: caching and delivery of public image files (e.g. avatars, pack images) | Global (edge network), provider USA |
| Upstash | In-memory store (Redis) for rate limiting and token / session management | EU |
| Functional Software (Sentry) | Error and crash analysis (error and crash tracking) incl. masked session recordings for error diagnosis | EU |
| Resend | Sending transactional emails (e.g. password reset) and marketing emails; management of the marketing contact list | EU |
| Expo Application Services | Sending push notifications via the Expo push service; provision of app updates | USA |
| Apple | "Sign in with Apple" (authentication), iOS push (APNs), app distribution (App Store) | USA |
| "Sign in with Google" (authentication), Android push (Firebase Cloud Messaging), app distribution (Google Play) | USA |
Data transfers to third countries
Your personal data is generally processed in Germany and in other countries of the European Economic Area (EEA). Insofar as transfers to third countries outside the EEA (in particular the USA) are necessary for technical reasons, these are carried out only on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR. We conclude the European Commission's currently valid Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR with all processors established outside the EEA. Insofar as processors are additionally certified under the EU-US Data Privacy Framework, we additionally rely on the corresponding adequacy decision of the European Commission pursuant to Art. 45 GDPR. We will provide you with the relevant documentation on request.
Minors
The Matchplan App is intended exclusively for persons who have reached the age of 16. Persons under the age of 16 are not permitted to use the app. Upon registration, users confirm that they are at least 16 years old. We do not knowingly collect personal data from children under the age of 16. Should we become aware, or be informed, that a person under the age of 16 has transmitted personal data without the appropriate consent of a parent or guardian, we will delete that data without undue delay. If you, as a parent or guardian, believe that your child has created an account with Matchplan without your consent, please contact us at hello@playmatchplan.com.
No obligation to provide personal data
The provision of certain personal data is necessary to use the Matchplan App, for example to create a user account. Beyond that, you are not obliged to provide us with personal data. If you do not provide us with required data, it may not be possible for us to make the Matchplan App or individual functions available to you.
Your rights as a data subject
As a data subject, you have the following rights:
Right to withdraw consent (Art. 7(3) GDPR)
You can withdraw your consent to the processing of your personal data at any time pursuant to Art. 7(3) GDPR. Please note that the withdrawal only takes effect for the future. Processing carried out before the withdrawal remains unaffected.
Right of access (Art. 15 GDPR)
Under the conditions of Art. 15 GDPR, you have the right to obtain confirmation at any time as to whether personal data concerning you is being processed. If so, you have the right under Art. 15 GDPR to access this data and to a copy of it. The restrictions of Sec. 34 BDSG apply.
Right to rectification (Art. 16 GDPR)
Under the conditions of Art. 16 GDPR, you have the right to request the rectification of inaccurate personal data concerning you and the completion of incomplete data.
Right to erasure (Art. 17 GDPR)
Under the conditions of Art. 17 GDPR, you have the right to request that personal data concerning you be erased without undue delay. In the Matchplan App you also have the option to delete your account directly.
Right to restriction of processing (Art. 18 GDPR)
Under the conditions of Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data.
Right to data portability (Art. 20 GDPR)
Under the conditions of Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. Please note that this right only applies insofar as the processing is based on your consent or a contract and is carried out by automated means.
Right to object (Art. 21 GDPR)
Under the conditions of Art. 21 GDPR, you have the right to object to the processing of your personal data.
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with a competent supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement. The supervisory authority responsible for us is the Landesbeauftragte für Datenschutz und Informationsfreiheit, https://www.ldi.nrw.de/. A list of all German data protection authorities with their contact details can be found on the website of the Datenschutzkonferenz (DSK).
Automated decisions; profiling
The processing of your personal data carried out by us does not involve automated individual decision-making within the meaning of Art. 22(1) GDPR.
Data security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction or unauthorized access by third parties. Our security measures are continuously reviewed and improved in line with technological developments.
Changes to this Privacy Policy
We review this Privacy Policy regularly and may update it at any time. If we make changes, we will adjust the date of the last update above. Please review this Privacy Policy regularly to stay informed about any updates. The current version is available at any time in the app under Settings and at playmatchplan.com/privacy-policy.