Privacy Policy
Last updated: April 2, 2026
This privacy policy describes how My Roster (hereinafter “we”, “our” or “the Application”) collects, uses and protects your personal data in accordance with the General Data Protection Regulation (GDPR — Regulation EU 2016/679).
1. Data Controller
The data controller is:
My Roster Email: [email protected]
2. Data Collected
Data We Collect
When you use the Application, we collect the following data:
- Email address: provided during registration (directly or through an OAuth provider such as Apple, Google or Discord).
- User identifier: automatically generated when your account is created.
- Followed teams: the list of sports and esports teams you choose to follow.
- Time zone: automatically detected from your device or manually selected, in order to display match times in your local time.
- Application preferences: onboarding status, theme, display settings.
- Purchase data: subscription identifier and premium status, managed through RevenueCat. We never have access to your payment information (credit card, etc.).
- Usage data: anonymized application usage events (screens viewed, actions performed) collected via PostHog for service improvement purposes.
Data We Do NOT Collect
- Geographic location: we do not collect your GPS position.
- Contacts: we do not access your address book.
- Financial data: payments are handled exclusively by Apple (App Store) and Google (Play Store). We never have access to your payment information.
- Health data: no health data is collected.
- Advertising identifiers: we do not use advertising trackers.
3. Purposes of Processing
Your data is used exclusively to:
- Provide the service: display your personalized match calendar based on the teams you follow.
- Authentication: manage your account and your session.
- Personalization: adapt match times to your time zone.
- Service improvement: understand overall application usage (aggregated and anonymized data only).
- Communication: contact you in the event of a significant change to the service or your rights.
4. Legal Basis for Processing (Article 6 of the GDPR)
| Processing | Legal Basis |
|---|---|
| Account management and authentication | Performance of a contract (Art. 6.1.b) |
| Display of personalized calendar | Performance of a contract (Art. 6.1.b) |
| Service improvement (aggregated data) | Legitimate interest (Art. 6.1.f) |
| Product analytics via PostHog (anonymized usage data) | Legitimate interest (Art. 6.1.f) |
| Subscription management via RevenueCat | Performance of a contract (Art. 6.1.b) |
| Communication about service changes | Legitimate interest (Art. 6.1.f) |
5. Data Sharing
We do not sell, rent or share your personal data with third parties for commercial or advertising purposes.
Your data may be processed by the following sub-processors, strictly within the scope of providing the service:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase Inc. | Database hosting and authentication | EU / US (depending on project configuration) |
| Apple Inc. | Authentication via Sign in with Apple | US |
| Google LLC | Authentication via Sign in with Google | US |
| Discord Inc. | Authentication via Sign in with Discord | US |
| PostHog Inc. | Product analytics (anonymized usage data) | EU (EU hosting) |
| RevenueCat Inc. | In-app subscription management | US |
| Railway Corp. | Sync service hosting (back-end) and website hosting | US |
Data transfers to the United States may occur under the EU-US Data Privacy Framework (DPF).
6. Data Retention
| Data | Retention Period |
|---|---|
| User account and associated data | As long as the account is active |
| Data after account deletion | Deleted within 30 days |
| Anonymized technical logs | 90 days maximum |
You may delete your account at any time from the “Profile” screen of the Application. Deletion results in the permanent erasure of all your personal data within 30 days.
7. Your Rights (Articles 15 to 21 of the GDPR)
In accordance with the GDPR, you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): request the deletion of your data (“right to be forgotten”).
- Right to restriction of processing (Art. 18): restrict processing under certain conditions.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest.
To exercise your rights, contact us at: [email protected]
We are committed to responding within one month of receiving your request.
If you believe your rights are not being respected, you may lodge a complaint with the Commission Nationale de l’Informatique et des Libertes (CNIL): www.cnil.fr.
8. Cookies
The mobile application does not use cookies.
The website (my-roster.com) does not use tracking cookies or advertising cookies. Only strictly necessary technical cookies may be used for the operation of the site (for example, for light/dark theme management). These cookies are exempt from consent under Article 82 of the French Data Protection Act (loi Informatique et Libertes).
9. Security
We implement appropriate security measures to protect your data:
- Encryption of data in transit (HTTPS/TLS).
- Password encryption (bcrypt hashing).
- Authentication via JWT tokens with expiration.
- Database-level security policies (Row Level Security).
- Restricted access to production data (separate access keys per service).
10. Changes to This Policy
We reserve the right to modify this privacy policy. In the event of a substantial change, we will notify you by email or by notification in the Application. The date of the last update is indicated at the top of this document.
11. Contact
For any questions regarding the protection of your personal data:
- Email: [email protected]
- General email: [email protected]