Privacy Policy
Version 1.0 · Effective June 1, 2026
This document is provided in English as the authoritative version.
1. Who We Are
Trumfo is a free, non-commercial sports prediction platform available at trumfo.com. We provide a tournament prediction game for entertainment purposes, with no monetary exchange of any kind.
For all privacy matters, you can contact us at: legal@trumfo.com.
2. What We Collect
We collect the following categories of personal data:
- (a) Account data: Your display name, email address, and password (stored as a bcrypt hash — your plain-text password is never stored or seen by us). If you sign in via Google, we also receive your Google profile name, email address, and profile picture URL, as provided by Google. Your favourite team is optional and only stored if you choose to set it.
- (b) Activity data: Your match predictions (scores), accumulated points, group memberships, chat messages, emoji reactions, and tournament special picks (champion, top scorer, bracket).
- (c) Technical data: Your IP address (used for security monitoring and rate-limiting only), browser and device type, pages visited, and error logs. This data is collected automatically when you use the platform.
- (d) What we do NOT collect: We do not collect payment or financial information of any kind. We do not collect precise geolocation data. We do not knowingly collect data from individuals under the age of 13 (or under 16 in the EU/EEA).
3. Why We Collect It (Legal Basis)
We process your personal data for the following purposes and on the following legal grounds under the GDPR and equivalent laws:
- Account data — processed on the basis of contractual necessity: we need your email and name to provide you with an account and the service.
- Activity data — processed on the basis of contractual necessity (to record and score your predictions) and legitimate interest (to operate leaderboards and group features).
- Technical data — processed on the basis of legitimate interest (security, debugging, and platform stability).
We do not use any of your data for advertising purposes. We do not sell, rent, or trade your personal data to anyone, ever.
4. Third Parties
We share data only with the following service providers, strictly for the purposes of running the platform:
- Railway — hosts our PostgreSQL database. Your data is stored on Railway's infrastructure.
- Vercel — hosts the Trumfo web application. All web requests pass through Vercel's infrastructure.
- Google (Sign-In only) — if you choose “Sign in with Google”, Google provides your name, email address, and profile picture to us. We do not send any data back to Google beyond the OAuth authentication flow.
- Pusher — provides real-time delivery of chat messages and live match updates. Pusher relays messages in transit but does not persistently store your personal data.
- football-data.org — provides match fixtures, live scores, and player statistics. We send only query parameters (team IDs, match IDs) to this API; no user personal data is shared with them.
We do not use any other third-party services that receive personal data. There are no analytics providers, advertising networks, or data brokers involved.
5. International Transfers
Our service providers (Railway, Vercel, Pusher) may process data in data centres located outside your country of residence, including in the United States.
- EU/EEA users: Transfers to the United States are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, or other appropriate safeguards as required by Chapter V of the GDPR.
- Brazilian users: Transfers comply with Chapter V of the LGPD and applicable ANPD guidance.
By using Trumfo, you acknowledge that your data may be transferred internationally. If you have concerns about specific transfers, contact us at legal@trumfo.com.
6. Retention
We retain different categories of data for different periods:
- Account data — retained until you delete your account.
- Prediction and game data — retained until account deletion or 2 years after your last activity, whichever comes first.
- Chat messages — automatically deleted 12 months after creation.
- Technical logs — retained for a maximum of 30 days.
- After account deletion: all personal data is permanently and irreversibly removed from all systems within 30 days of the deletion request.
7. Your Rights
All users of Trumfo have the following rights, regardless of jurisdiction:
- Access: Request a copy of the personal data we hold about you.
- Deletion: Request permanent deletion of your account and all associated data (available directly in Profile Settings).
- Correction: Request correction of inaccurate personal data.
- Portability: Request an export of your data in JSON format.
EU/EEA users (GDPR): In addition to the above, you have the right to object to processing, the right to restrict processing, and the right to lodge a complaint with your national data protection supervisory authority. We will respond within 30 days.
Brazilian users (LGPD): In addition to the above, you have the right to information about third-party sharing and the right to petition the Autoridade Nacional de Proteção de Dados (ANPD). We will respond within 15 days.
US users (CCPA): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of sale. We do not sell personal information.
To exercise any of these rights, contact us at legal@trumfo.com.
8. Cookies
Trumfo uses only essential cookies. We do not use advertising cookies or tracking pixels of any kind. No cookie consent banner is required because we do not process cookies beyond what is strictly necessary for the service to function.
- Session cookie (NextAuth): A secure, HTTP-only cookie used to keep you signed in. It contains an encrypted JWT. This cookie is deleted when you sign out.
- Locale cookie: A small cookie storing your preferred language (en, es, or pt). This is not linked to your identity.
9. Children's Privacy
Trumfo is not directed at children. Users must be at least 13 years old to register. Users in the EU/EEA must be at least 16 years old.
If we discover that an account belongs to a user below the applicable minimum age, we will permanently delete the account and all associated data without notice.
If you are a parent or guardian and believe your child has registered on Trumfo, please contact us immediately at legal@trumfo.com.
10. Security
We take security seriously and implement industry-standard measures to protect your data:
- Passwords are hashed using bcrypt with 12 rounds. We never store or have access to your plain-text password.
- All data is transmitted exclusively over HTTPS (TLS). No data is transmitted in plain text.
- Database access is restricted to application servers only, with appropriate network firewall rules.
- We conduct periodic security reviews of our infrastructure and dependencies.
Despite these measures, no system is perfectly secure. In the event of a data breach that affects you, we will notify you in accordance with applicable law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or via an in-app notification. For minor changes, we will update the effective date at the top of this page.
We store the version of this Policy you accepted. If a material change requires re-acceptance under applicable law, we will ask for your consent before you continue using the platform.
12. Contact
For all privacy-related inquiries, requests to exercise your rights, or complaints, please contact us at: legal@trumfo.com.
We aim to respond to all requests within 30 days. Brazilian users will receive a response within 15 days as required by the LGPD.