Privacy policy

Last updated: 19 May 2026

1. Introduction

At Bobibets, your data belongs to you. We run a free social football prediction game played among friends, and we only process the information needed to operate it, in accordance with Regulation (EU) 2016/679 (the “GDPR”) and the French “Informatique et Libertés” Act.

The data controller is RedBoxStudio OÜ, an Estonian company located at Sepapaja 6, 15551 Tallinn, Estonia (see Legal notice). For any question regarding your data, write to dpo@bobibets.com.

2. Data we collect

We group the data we collect into five categories, depending on how you use the service.

2.1 Account identification

• Email address
• Unique username
• Password (stored hashed and salted, never in clear text)
• Google identifier if you sign in via Google OAuth
• Account creation date and last sign-in date

2.2 Profile

• Display name, profile picture (avatar)
• Preferred language (FR / EN)
• Favorite teams (optional)
• Date of birth (to verify the age threshold — see § 10)
• Subscription plan: Amateur, Pro or Legend

2.3 Gameplay activity

• Predictions placed (match, pick, stake in virtual points, locked odds, outcome)
• Leagues created or joined, and your role in each
• Rankings, badges, completed quests
• Balance and history of the virtual currency $BB
• Messages posted in league chats

2.4 Payments and orders

• Subscriptions (Pro, Legend): Stripe customer identifier, subscription status, dates. Credit card numbers never transit through our servers: they are entered directly on Stripe’s secure pages.
• Store orders: shipping address, phone number (optional), amount, status, tracking number.
• Issued invoices (accounting obligation).

2.5 Technical data

• IP address, user agent (browser, OS)
• Access logs
• Cookies and similar identifiers (see our Cookie policy)

3. Purposes

• Create and manage your account, authenticate you
• Provide the service: predictions, leagues, rankings, quests, store
• Process subscription payments and physical orders
• Prevent fraud, cheating, abuse and secure the service
• Respond to you when you contact us (support)
• Notify you of important service changes (transactional emails)
• Send you product or marketing communications, only with your consent (which you can withdraw at any time)
• Meet our legal obligations (accounting, taxation, judicial requests)

4. Legal bases

Each processing activity relies on one of the following legal bases (GDPR art. 6):

• Performance of the contract: account creation, service delivery, management of subscriptions and orders
• Legitimate interest: service security, fraud and cheating prevention, product improvement based on aggregate statistics
• Consent: non-essential cookies, marketing communications
• Legal obligation: retention of invoices and accounting records, responses to authorized requests

5. Processors and recipients

We never sell your data. We only share it with providers necessary to operate the service, under contract (GDPR art. 28):

6. Retention periods

• Active account: for the entire duration of service use
• Inactive account: 3 years after your last sign-in, for fraud and cheating prevention
• Payment data and invoices: 10 years from issuance (accounting obligation)
• Store orders: 10 years (accounting obligation and statutory warranty)
• Technical logs: 12 months maximum
• Cookies: durations detailed in the Cookie policy

You can request the deletion of your account at any time; however, certain data may be retained beyond that point to comply with legal obligations (e.g. invoices for 10 years).

7. Transfers outside the European Union

Your data is hosted in France (AWS Paris). Some of our processors — Stripe, Printful, Google and Cloudflare — may process data from the United States. These transfers are covered by the Standard Contractual Clauses adopted by the European Commission (decision 2021/914), supplemented where applicable by additional measures (encryption, data minimization).

8. Your rights

Under articles 15 to 22 of the GDPR, you have the following rights:

• Right of access to your data
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to restriction of processing
• Right to data portability
• Right to object, in particular to direct marketing
• Right to withdraw consent at any time
• Right to set post-mortem directives (under French law)

To exercise these rights, write to dpo@bobibets.com. We reply within one month.

If you believe your rights are not being respected, you can lodge a complaint with a supervisory authority:

• France: CNIL — cnil.fr
• Estonia: Andmekaitse Inspektsioon (AKI) — aki.ee

9. Security

• HTTPS (TLS) encryption across the entire service
• Passwords stored hashed and salted using industry-standard techniques, never in clear text
• Hosting within the European Union (AWS Paris)
• Access limited to authorized staff (principle of least privilege)
• Anti-bot protection and rate limiting on sensitive routes
• Regular encrypted backups

10. Minors

The service is open to users aged 15 and over, in line with the digital consent threshold set by French law (article 8 GDPR as transposed). The specific terms applicable to minors are detailed in the Terms and conditions.

11. Changes

This policy may evolve to reflect legal or technical changes. For any material change, we will notify you by email and/or via an in-app banner at least 15 days before it takes effect. The “last updated” date is shown at the top of this page.

12. Contact

For any question about this policy or your personal data:

dpo@bobibets.com
RedBoxStudio OÜ — Sepapaja 6, 15551 Tallinn, Estonia