1. INTRODUCTION AND DATA CONTROLLER

Welcome to the Privacy Policy of Chantoff. We respect your privacy and are committed to protecting your personal data in strict compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 - GDPR), the ePrivacy Directive (Directive 2002/58/EC), and all applicable data protection laws of the Slovak Republic and the European Union. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access, download, or use our mobile applications, website (chantoff.com), and related services (collectively, the "Service" or the "Platform"). The data controller responsible for processing your personal data is:

• Company Name: Chantoff s. r. o.
• Registered Seat: Hlaváčiková 3163/27, Bratislava - mestská časť Karlova Ves, 841 05, Slovak Republic
• Company ID (IČO): 57 580 782
• Registration: Registered in the Commercial Register of the District Court Bratislava III, Section: Sro, File No.: 198775/B
• Contact E-mail: [email protected]

By using our Service, you acknowledge that you have read and understood the practices described in this Privacy Policy.

2. THE DATA WE COLLECT, PURPOSES, AND LAWFUL BASES

To operate our non-monetary, social sports platform, we process different categories of personal data on specific legal grounds under Article 6 of the GDPR:

3. PROTECTION OF MINORS (AGES 16-17) AND ANTI-PROFILING

Chantoff enforces a zero-tolerance policy regarding the registration of children under 16 years of age (U16). To ensure a safe, private, and non-exploitative environment for minor users aged 16 to 17, our system architecture deploys strict "Private by Default" safeguards:

• No Behavioral Profiling or Targeting: We explicitly prohibit the processing of minor users' personal data for the purposes of behavioral profiling, interest-based tracking, or targeted marketing. Any advertising shown to minors is strictly contextual (based on the current sport or match viewed) rather than behavioral.
• Automatic Geolocation Deactivation: Approximate and precise geolocation tracking is completely disabled on the system level for all users aged 16 to 17.
• On-Device Safety Filters: A permanent on-device AI moderation filter is active at all times on minor profiles to screen out toxic text, nudity, or inappropriate communication.
• Creator Economy Ban: Minor accounts are systemically blocked from participating in any monetization features (Creator Economy) or linked in-app purchases, ensuring no financial pressure or exploitation can occur.

4. DATA RETENTION PERIODS

In compliance with the principle of storage limitation (Article 5(1)(e) GDPR), we retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with statutory retention requirements:

• User Account and Profile Data: Retained for the entire duration of your active relationship with the Platform. If your account remains completely inactive for three (3) consecutive years, we will contact you to confirm your status; if no response is received, your profile and related personal data will be queued for automatic deletion.
• Cybersecurity Server Logs and IP Addresses: Stored securely for a maximum period of 30 days and then automatically deleted or permanently anonymized. We may retain specific logs for a longer period only if required to investigate an ongoing active security incident or to cooperate with law enforcement authorities.
• App Analytics & Telemetry: Aggregated and anonymized events (e.g., Firebase Analytics events with anonymized IP addresses) are retained for a maximum of 26 months before automatic deletion. Fully anonymized clean datasets (which contain no personal identifiers) may be stored indefinitely for historical analysis.
• Billing, Invoices, and Subscription History: Retained for 10 years from the end of the fiscal year in which the transaction occurred, as required by local Slovak and international tax, commercial, and accounting laws.

5. ACCOUNT DELETION AND THE SECURE "DEACTIVATION" PROTOCOL

If you decide to terminate your relationship with Chantoff, you can initiate a deletion request directly within the Platform’s settings or by contacting [email protected]. To protect users from malicious or accidental account deletion, we enforce a secure two-phase deletion protocol:

1. Phase 1: The 30-Day Grace Period: Upon verifying your identity, your profile is immediately hidden from public view, and the account enters a 30-day deactivation phase. If you regret your decision, you can cancel the deletion at any time during this period simply by logging back into your account.
2. Phase 2: The Permanent Purge: Once the 30-day grace period expires, our systems trigger the permanent and irreversible deletion process. Personal data is purged from active databases. To ensure absolute data safety, removing data from secure, encrypted backup systems and disaster recovery archives may take up to an additional 90 days (the entire process from the initial request to complete backup deletion is completed within a maximum of 120 days).

6. THE GDPR "SQUAD LEAVER" EXCEPTION AND DATA ANONYMIZATION

Chantoff features a team competition mode called Chant Squads, where groups of users pool their statistics to climb global team standings. Under Article 17 of the GDPR (the right to erasure/right to be forgotten), individuals have the right to have their personal data deleted. However, immediate deletion of team-associated sports results and ranking history would break the mathematical integrity of the database, corrupt team standings, and unfairly penalize remaining team members. To balance your right to privacy with the legitimate interest of the community, we apply the "Squad Leaver" Protocol under Article 6(1)(f) of the GDPR:

• Absolute Purge of Identifiers: Upon permanent account deletion, all Personally Identifiable Information (PII) – including your email address, real name, profile picture, social media authentication tokens, device IDs, and IP history – is permanently and irreversibly destroyed.
• Data Anonymization & Freezing: Your historically accumulated statistics and squad contributions are completely disconnected from your identity and permanently anonymized. These statistical records are reassigned to a generic, random system identifier (e.g., Deleted\_User\_749391).
• Preservation of Team Standings: These frozen, anonymous statistical metrics remain part of the historical record of your former Chant Squad. Because this data can no longer be linked back to a natural person, it ceases to be personal data under Chapter II of the GDPR, and its retention is fully compliant with European law.

7. THIRD-PARTY DATA SHARING AND INTEGRATIONS

We do not sell, rent, or trade your personal data with third parties. To operate the Platform, we share personal data only with trusted service providers under strict Data Processing Agreements (DPAs) in compliance with Article 28 of the GDPR:

• Social Login Partners (OAuth): If you sign up using Google, Apple, or Facebook, these platforms verify your identity and share basic authentication data with us. Your data is subject to the privacy settings and policies of those respective networks.
• Sports Data Provider (Enetpulse): While our sports scores, lineups, and match timelines are populated via Enetpulse, we do not share any of your personal data, IP addresses, or account statistics with Enetpulse.
• Affiliate Shopping Integrations: The Platform displays ticketing and merchandise widgets (such as SeatGeek, Ticketmaster, and Skimlinks). When you interact with these widgets, the third-party providers may collect technical device identifiers or cookies under their own privacy policies.
• Analytics Providers: We utilize Google Firebase Analytics and Singular to track app performance. This system is configured with IP anonymization activated, ensuring that your raw IP address is truncated and cannot be linked back to your device or identity.
• Consent Management Platform (CMP): We use a specialized third-party CMP to manage your cookie and tracking consents in a transparent manner.
• Advertising Partners: To support our Platform and keep bringing you great content, we work with selected third-party advertising networks. With your explicit consent—managed through our Consent Management Platform (CMP)—these partners may collect device identifiers (such as Apple IDFA or Google Advertising ID), cookies, and non-identifiable usage data to deliver personalized ads tailored to your interests. If you choose not to consent, you will still see advertisements, but they will be generic and not personalized to your preferences.

8. ALGORITHMIC TRANSPARENCY AND AI ACT COMPLIANCE

Chantoff utilizes advanced artificial intelligence (AI) and automated algorithms to enhance the social experience and moderate community interactions:

• AI Chat Assistant (Chantie): When you interact with our automated community manager, Chantie, the system logs the conversation to provide contextually relevant answers. In accordance with Article 50(1) of the EU AI Act, you will receive a clear disclosure upon your first interaction informing you that you are communicating with an AI.
• Synthetic Content Watermarking: Any visual, audio, or metadata content (such as shareable social badges) generated or manipulated by our AI is embedded with a machine-readable, durable, and invisible watermark and provenance metadata (C2PA), in compliance with Article 50(2) of the AI Act.
• Automated Content Moderation: We deploy automated filters to detect and flag Prohibited Content (hate speech, nudity, violence, spam) in The Feed and GameDay Chats. If an automated decision results in content removal or account restriction, you will receive a detailed Statement of Reasons (under Article 17 of the DSA) and have the right to request human review.

9. YOUR GDPR RIGHTS

Under the GDPR, you have the following rights regarding your personal data, which you can exercise at any time by contacting our support team at [email protected]:

1. Right of Access (Art. 15 GDPR): The right to obtain confirmation as to whether your personal data is being processed, and to receive a copy of your stored data.
2. Right to Rectification (Art. 16 GDPR): The right to request the correction of inaccurate or incomplete personal data.
3. Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR): The right to request the permanent deletion of your personal data, subject to lawful exceptions (such as our Squad Leaver Protocol or statutory tax retention periods).
4. Right to Restriction of Processing (Art. 18 GDPR): The right to block or restrict the processing of your personal data under certain conditions.
5. Right to Data Portability (Art. 20 GDPR): The right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
6. Right to Object (Art. 21 GDPR): The right to object to the processing of your data, particularly where we rely on legitimate interest as our legal basis.
7. Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing before the withdrawal.

10. DATA SECURITY AND INTERNATIONAL DATA TRANSFERS

10.1. Security Safeguards

We implement robust technical and organizational security measures designed to protect your personal data from unauthorized access, alteration, disclosure, accidental loss, or destruction.

• Full data encryption in transit via Transport Layer Security (TLS/SSL).
• Advanced AES-256 encryption for data at rest on our secure servers.
• Multi-Factor Authentication (MFA) and strict role-based access control (RBAC) restricted to authorized personnel.
• Continuous network monitoring, firewalls, and regular security vulnerability assessments.

10.2. International Data Transfers

Chantoff is a global platform. All primary personal data is stored on secure servers located within the European Union (e.g., Google Cloud's EU regions). If we transfer personal data outside the European Economic Area (EEA), we ensure a similar level of protection is afforded by implementing appropriate safeguards, specifically the Standard Contractual Clauses (SCCs) approved by the European Commission, or by transferring to countries that have been deemed to provide an adequate level of protection by the European Commission.

12. CHANGES TO THIS PRIVACY POLICY

We may update our Privacy Policy from time to time to reflect changes in our data practices, operational requirements, or legal obligations.

12.1. How we notify you

If we make any material changes to this Privacy Policy (such as changing how we use your personal data or adding new third-party partners), we will notify you before the changes take effect. This may be done through a prominent notice inside the Platform, an app notification, or via email. For minor updates that do not affect your rights (like fixing typos or formatting), we will simply update the "Last Updated" date at the top of this policy.

12.2. Your review and consent

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your privacy. By continuing to use our Platform after changes become effective, you acknowledge that you have read and understood the updated Privacy Policy. Where required by applicable data protection laws (such as the GDPR), we will proactively request your explicit consent for any new data processing activities through our Consent Management Platform (CMP).

12.2. If you disagree

If you do not agree with the updated practices described in a revised Privacy Policy, you must stop using the Platform and your account. You can also contact us at any time to exercise your right to delete your data.

13. CONTACT US AND SUPERVISORY AUTHORITY DETAILS

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

• Postal Address: Chantoff s. r. o., Hlaváčiková 3163/27, 841 05 Bratislava - Karlova Ves, Slovak Republic
• E-mail: [email protected]

You also have the right to file a complaint at any time with a competent supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. The competent supervisory authority in the Slovak Republic is:

• Name: Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov Slovenskej republiky)
• Address: Hraničná 12, 820 07 Bratislava 27, Slovak Republic
• Website: https://www.dataprotection.gov.sk/