The data controller for personal data is IKKI, a French simplified joint-stock company (SASU) registered with the Paris Trade and Companies Register under number 979 951 340, whose registered office is located at 117 rue Lamarck, 75018 Paris, France, reachable by email at contact@footfoot.co. For any question regarding the protection of your personal data or to exercise your rights, you can use this contact or the in-app contact form.
Account data: email address, username, hashed password (bcrypt), date of birth (age verification). Profile data: avatar, favourite team, language, time zone. Game data: predictions, leaderboards, contests joined, FootCoins, achievements, activity history. Technical data: IP address, device type, browser, session identifier, security logs. Payment data: no card data is stored by footfoot; payments are processed directly by Stripe. We retain only the transaction reference and payment status.
Performance of the contract (article 6.1.b GDPR): delivering the Service, managing the account, processing purchases. Legitimate interest (article 6.1.f GDPR): Service security, fraud prevention, anti-multi-accounting, aggregated statistics. Consent (article 6.1.a GDPR): push notifications, marketing emails, non-essential analytics cookies. Legal obligation (article 6.1.c GDPR): retention of payment records (10 years), responses to judicial requests.
Your data is accessible only to authorised footfoot personnel and to the following processors, bound by contractual clauses: Stripe Payments Europe Ltd (Ireland) — payment processing; Vercel Inc. (USA) — frontend hosting, covered by Standard Contractual Clauses (SCC); Hetzner Online GmbH (Germany) — backend and database hosting; Football-Data.org — sports data provision (no personal data transmitted); Resend (USA) — transactional emails; PostHog (USA) — product analytics, IP anonymisation enabled; Sentry (USA) — technical error monitoring. No data is sold to third parties.
Some processors are located in the United States. These transfers are governed by Standard Contractual Clauses adopted by the European Commission (decision 2021/914) and additional safeguards (encryption, pseudonymisation). A copy of these guarantees is available on request.
Active account: your data is retained as long as your account exists. Inactive account: automatic deletion after 24 months without login. Account deleted on request: erasure within 30 days. Payment and billing data: 10 years (French accounting and tax obligation). Security and connection logs: 12 months. Anonymised data (aggregated statistics): retained indefinitely.
Under the GDPR, you have the following rights: right of access, right of rectification, right to erasure ("right to be forgotten"), right to restriction of processing, right to data portability, right to object, right to withdraw consent at any time, right to set post-mortem instructions. To exercise these rights, contact contact@footfoot.co. A response will be provided within one month. You also have the right to lodge a complaint with the CNIL (www.cnil.fr) or your local supervisory authority.
Footfoot uses cookies that are strictly necessary for the operation of the Service (session, authentication, language preferences); these do not require consent. Analytics cookies (PostHog) and technical cookies (Sentry) are only activated after your explicit consent via the cookie banner. You can change your preferences at any time from your settings. No third-party advertising tracking cookie is set without your consent.
Footfoot implements appropriate technical and organisational measures to protect your data: TLS 1.3 encryption in transit, bcrypt password hashing, JWT with rotation, restricted and audited database access, encrypted backups, 24/7 incident monitoring. In the event of a data breach likely to affect your rights, you will be notified promptly and the CNIL will be informed within 72 hours in accordance with article 33 GDPR.
The Service is open to users aged 16 and over. Paid purchases require legal age (18) or a guardian's consent. Minors' data benefits from enhanced protections: no personalised analytics, no direct marketing, reinforced moderation of social features.
Footfoot reserves the right to modify this Privacy Policy. Substantial changes will be notified by email or in-app at least 15 days before they take effect. The last update date is shown at the top of this document.
Last updated: May 2026.