Privacy Policy

1. Who this Policy applies to

This Policy explains how the individual operator of EliteScore (the "controller" for GDPR purposes) collects and uses personal data when you use the EliteScore website, application, and related services (together, the "Service"), or when you contact us.

This Policy also applies to accountability buddies — third parties whose email addresses are provided by users of the Service. If you have received an accountability buddy invitation email, this Policy explains what data we hold about you, why, and what rights you have. Your rights are set out in Section 8.

This Policy is prepared in accordance with:

• Regulation (EU) 2016/679 (GDPR);
• The Dutch Uitvoeringswet AVG (UAVG) and other applicable Dutch implementing legislation;
• The ePrivacy Directive as transposed in the Netherlands (Telecommunicatiewet).

Please read this Policy alongside the Terms of Service.

2. Who is the data controller

The controller is the individual developer who operates EliteScore, based in the Netherlands. We are currently unregistered as a legal entity. Our registration details (KvK number, legal name, address) will be added here once registration is complete.

Contact for privacy matters: elitescore0@gmail.com — please include "GDPR / Privacy" in the subject line.

We are not currently required to appoint a Data Protection Officer (DPO). If this requirement changes, DPO contact details will be published here.

3. What personal data we collect

We may collect and process the following categories of personal data depending on how you use the Service:

Account data: email address, display name or username, password (stored using appropriate hashing; never in plain text), and any authentication tokens from third-party sign-in providers.

Service and activity data: challenges you join, tasks you complete, proof submissions, scores, streaks, ranks, and any content you submit as part of a challenge.

Leaderboard display preference: your choice of whether your leaderboard entry shows your nickname (the default) or your real name. This preference can be changed at any time in your account settings.

Communications data: messages and emails you send us, for example for support requests.

Integration data: if you sign in using a third-party provider (such as Google), we receive only the information that provider makes available to us.

Accountability buddy data: if you choose to use the accountability buddy feature, we collect your full name (as provided at registration) and the email address you supply for your buddy. Your full name may be included in notification emails sent to your buddy so they can identify who has added them. The buddy's email address is used solely to send challenge-related notifications and an initial opt-out notice (see Section 4 below for the legal basis).

Technical and usage data: IP address, browser type, device type, operating system, language settings, timestamps of Service interactions, and security-related events.

We do not intentionally collect special categories of personal data as defined in Article 9 GDPR (such as health data, religious beliefs, or biometric data). Please do not include such information in free-text fields or submissions. If you do, we may delete it if it is not necessary for the Service.

4. Why we process your data and our legal basis

We process personal data only where we have a lawful basis under Article 6 GDPR. The bases we rely on are:

Performance of a contract (Art. 6(1)(b) GDPR): We process account data and activity data to provide the Service as described in the Terms of Service — running your account, processing challenge entries, maintaining leaderboards, and delivering the features you use.

Legitimate interests (Art. 6(1)(f) GDPR): We process technical and usage data to keep the Service secure, detect and prevent abuse and fraud, fix bugs, and improve the Service. Our legitimate interests in running a functioning and secure service are balanced against your rights and interests. You may object to this processing at any time (see Section 8).

Accountability buddy notifications (Art. 6(1)(f) GDPR — Legitimate interests): When you activate the accountability buddy feature, we process your full name and your buddy's email address to send the buddy notifications about your challenge progress. This processing is based on our legitimate interest in operating a feature you have explicitly activated. The buddy's legitimate interests and rights are protected by: (a) receiving a first-contact notification that explains the processing in accordance with Articles 13–14 GDPR, sets out their rights, includes a link to these Terms and this Privacy Policy, and provides a clear opt-out mechanism; and (b) the deletion of their data when the challenge ends, when you delete your account, or when the buddy opts out — whichever occurs first. If you are an accountability buddy reading this, you can opt out at any time by clicking the unsubscribe link in any email you receive from us, or by contacting elitescore0@gmail.com.

Legal obligation (Art. 6(1)(c) GDPR): We may process data where we are required to do so by applicable law, for example in response to a lawful request from a competent authority.

Consent (Art. 6(1)(a) GDPR): Where we ask for your consent — for example for non-essential cookies — we will request it clearly and separately. You can withdraw consent at any time without affecting the lawfulness of any processing carried out before withdrawal.

Marketing communications: We do not send marketing communications on the basis of legitimate interests. Any marketing or promotional communications will only be sent where you have given separate, explicit consent by ticking an opt-in checkbox at the relevant point of collection. You can withdraw that consent at any time.

5. Who we share data with

We do not sell your personal data.

We may share data with the following categories of recipients:

Service providers (processors): We use third-party providers for hosting, email delivery, and analytics. These providers act on our instructions and are bound by data processing agreements in accordance with Article 28 GDPR. A list of current sub-processors is available on request.

Authorities: We may disclose data to law enforcement, courts, or regulators where we are legally required to do so, or where necessary to establish or defend legal claims.

International transfers: If any of our processors are located outside the EEA, we rely on an adequacy decision by the European Commission, Standard Contractual Clauses (SCCs), or another approved transfer mechanism. Supplementary measures are applied where required by applicable guidance (including post-Schrems II requirements).

Course publishers: We do not share your personal data with any of the third-party educational institutions or course publishers whose content is referenced on this Service. EliteScore has no data-sharing agreements, affiliate arrangements, or commercial relationships with these organisations.

6. Third-party courses and no affiliation

EliteScore is an independent gamification and accountability platform. We are not affiliated with, endorsed by, sponsored by, or in any commercial or legal partnership with any of the educational institutions or organisations whose courses appear on this Service, including but not limited to Harvard University, Google LLC, Massachusetts Institute of Technology (MIT), and Microsoft Corporation. All course names, trademarks, service marks, and logos referenced on this Service belong exclusively to their respective owners.

7. How long we keep your data

We keep your personal data only for as long as necessary for the purposes described above, or as required by law.

As a general guide:

• Account data is kept for as long as your account is active.
• Activity and challenge data is kept for the duration of the relevant challenge, plus a reasonable period for dispute resolution.
• Accountability buddy data is deleted when the associated challenge ends, when you delete your account, or when the buddy opts out — whichever occurs first.
• Leaderboard entries are anonymised or removed upon account deletion.
• Security and technical logs are kept for a short period (typically weeks to a few months) for incident response purposes.
• Support correspondence is kept as long as reasonably necessary to resolve the matter and comply with any legal obligations.

When the retention period ends, we delete or irreversibly anonymise your data unless a longer period is required by law (for example, a legal hold).

8. Your rights under GDPR (Articles 12–22)

As a data subject — including if you are an accountability buddy — you have the following rights, subject to the conditions and limitations set out in the GDPR:

• Right of access (Art. 15): You can request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17): You can ask us to delete your data where the conditions under Art. 17 are met.
• Right to restriction of processing (Art. 18): You can ask us to limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): Where processing is based on contract or consent and carried out by automated means, you can ask for your data in a structured, machine-readable format.
• Right to object (Art. 21): You can object at any time to processing based on legitimate interests, including profiling. You also have an unconditional right to object to processing for direct marketing.
• Right to withdraw consent: Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
• Rights related to automated decision-making (Art. 22): We do not currently make decisions about you solely by automated means that produce legal or similarly significant effects. If this changes, we will inform you and provide the applicable rights.

To exercise any of these rights, contact us at elitescore0@gmail.com (subject line: "GDPR / Privacy"). We will respond within one month, extendable by up to two further months in complex cases as permitted by the GDPR. We may need to verify your identity before fulfilling a request.

9. Complaints and supervisory authority

If you are unhappy with how we handle your data, please contact us first. If your concern is not resolved, you have the right to lodge a complaint with a data protection supervisory authority.

Netherlands: Autoriteit Persoonsgegevens (AP)
Website: https://www.autoriteitpersoonsgegevens.nl
Post: Postbus 93374, 2509 AJ Den Haag, Netherlands

If you are located in another EEA Member State, you may also contact your local supervisory authority.

10. Cookies and similar technologies

We may use cookies and similar technologies for the following purposes:

• Strictly necessary: These are required for the Service to function (for example, to keep you logged in). They do not require your consent.
• Analytics: We may use analytics tools to understand how the Service is used. Where this involves setting cookies or accessing information on your device, we will ask for your consent before doing so, in accordance with Dutch ePrivacy rules (Telecommunicatiewet) and the GDPR.
• Personalisation: Where features personalise your experience beyond what is strictly necessary, we will ask for consent where required.

You can control or delete cookies through your browser settings. Disabling strictly necessary cookies may prevent parts of the Service from working.

A more detailed cookie list will be added to this Policy as the Service develops.

11. Security and data breaches

We apply appropriate technical and organisational measures to protect your personal data, as required by Article 32 GDPR. During the beta phase, these measures include password hashing, encrypted data transmission (HTTPS), and access controls. We keep our security practices under review.

In the event of a personal data breach, we will act in accordance with our obligations under Articles 33 and 34 GDPR. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours. Where the risk is assessed as high, we will also notify you directly by email without undue delay, describing the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address it. We maintain an internal record of all data breaches in accordance with Article 33(5) GDPR.

No system is completely secure. Please use a strong and unique password and notify us immediately if you suspect any unauthorised access to your account.

12. Children

The Service is not directed at anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has registered or provided us with data, please contact us at elitescore0@gmail.com and we will take steps to delete the relevant data promptly.

13. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. If we make a material change to how we process your data, we will notify you by email or through the Service before the change takes effect. Where a change requires a new legal basis (for example, a new use of your data that requires consent), we will request that consent separately.

14. Contact

Privacy and data protection questions: elitescore0@gmail.com

Please include "GDPR / Privacy" in the subject line.