Privacy Policy

1. Scope and controller

1. This Policy applies to personal information processed in connection with the Service, including pre-launch waitlist registration, Founding Member checkout, authentication, and in-product activity once accounts are available.
2. For purposes of the EU/UK General Data Protection Regulation ("GDPR") and similar laws, Blitzly is the data controller (or co-controller, where applicable) for personal information described herein, unless we act strictly as a processor on behalf of another party in a specific engagement (which we will disclose where relevant).

2. Information we collect

We collect information that you provide directly, information generated when you use the Service, and limited information from our service providers as described below.

1. Contact and account identifiers. We collect email addresses and related identifiers when you submit our waitlist forms, authenticate, or communicate with us. Account profiles (for example, display names, titles, or preferences) may be stored in our application database hosted on Supabase (PostgreSQL, authentication, and related Supabase products). We use Supabase to operate secure sign-in and to persist user and waitlist records subject to our configuration and access controls.
2. Payment and transaction metadata. Founding Member and other paid offerings are processed through Stripe. We do notstore full payment card numbers, card verification values, or magnetic stripe data on our servers. Stripe collects and processes payment details in accordance with Stripe's privacy policy and industry standards (including PCI-DSS). We may receive and retain limited payment-related metadata from Stripe (for example, transaction identifiers, payment status, customer identifiers, billing email, and amounts) as necessary to confirm purchases, prevent fraud, and maintain records of entitlements.
3. Technical and usage data. We may collect device, browser, log, diagnostic, and security information (including IP address, approximate location derived from IP, timestamps, and error logs) as needed to operate, secure, and improve the Service and to detect abuse.
4. Communications. If you contact support or respond to surveys, we process the contents of those communications and associated metadata.

3. How we use information

1. To provide, maintain, secure, and improve the Service, including real-time trivia features.
2. To process waitlist signups, Founding Member purchases, receipts, entitlements, and customer support.
3. To authenticate users, enforce our Terms of Service, and detect fraud, abuse, or cheating.
4. To comply with legal obligations and defend our legal rights.
5. With appropriate legal bases where required (including consent where we rely on consent), to send operational or promotional communications; you may opt out of promotional messages where applicable using the mechanism provided in the message or by contacting us.

4. GDPR / UK GDPR and CCPA / CPRA rights and compliance

Depending on your location, you may have statutory rights regarding personal information. We honor applicable requests in line with verifying your identity and the scope of the law.

1. Access and portability. You may request a copy of the personal information we hold about you, subject to exceptions provided by law.
2. Correction. You may request correction of inaccurate or incomplete personal information.
3. Deletion and the "Right to be Forgotten." You may request deletion of your personal information where applicable law requires or permits erasure. We will delete or anonymize information in accordance with law, except where retention is necessary to complete transactions, comply with legal obligations, resolve disputes, enforce our agreements, or pursue legitimate interests that are not overridden by your rights (for example, fraud prevention or security logs retained for a limited period).
4. Restriction and objection. Where applicable, you may request restriction of processing or object to certain processing, including processing based on legitimate interests or direct marketing.
5. Withdrawal of consent. Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
6. Non-discrimination (CCPA/CPRA). We will not discriminate against you for exercising privacy rights granted under the California Consumer Privacy Act (as amended by the CPRA) or similar state laws, subject to permitted incentives disclosed in compliance with law.
7. Authorized agents. You may designate an authorized agent to submit requests where permitted by law; we may require proof of authorization and verify your identity directly with you.
8. How to submit requests. Submit privacy requests using the contact details in Section 10. We will respond within the timeframe required by applicable law (for example, without undue delay under GDPR, or within 45 days for many U.S. state requests, subject to extension where permitted).

5. Cookies and similar technologies

1. We use cookies and similar technologies that are strictly necessary to operate the Service, including for authentication, session integrity, security (for example, CSRF protection where applicable), load balancing, and fraud prevention.
2. We do not use non-essential advertising or behavioral tracking cookies as part of this Policy's baseline description of the Service; if we introduce optional analytics or marketing cookies in the future, we will update this Policy and, where required, obtain consent before activation in jurisdictions that mandate it.
3. You may control cookies through your browser settings; disabling strictly necessary cookies may impair sign-in or security features.

6. Third-party sharing and sub-processors

We share personal information with third parties only as described in this Policy or with your direction or consent. Our material sub-processors for the Service currently include:

1. Stripe, Inc.(payments, fraud signals, receipts, and related payment infrastructure). Information you provide at checkout is processed by Stripe according to Stripe's terms and privacy policy.
2. Supabase, Inc. (hosted database, authentication, storage, and related backend services). Customer content and account data stored in Supabase is processed under our agreements with Supabase and subject to our security configuration.
3. We may also use additional infrastructure, email delivery, analytics, or support vendors from time to time; where those vendors process personal information on our behalf, we impose contractual obligations consistent with this Policy and applicable law.

7. International transfers

1. We may process information in the United States and other countries where we or our service providers operate. Those countries may have data protection laws that differ from your country of residence.
2. Where required, we implement appropriate safeguards (such as Standard Contractual Clauses or equivalent mechanisms) for transfers of personal information from the EEA, UK, or Switzerland.

8. Retention

1. We retain personal information for as long as necessary to fulfill the purposes described in this Policy, including legal, accounting, and dispute-resolution requirements.
2. Payment records and entitlement metadata may be retained for periods consistent with tax, accounting, and anti-fraud obligations.

9. Security

1. We implement administrative, technical, and organizational measures designed to protect personal information against unauthorized access, loss, or alteration. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

10. Children

1. The Service is not directed to children under the age where parental consent is required in their jurisdiction (for example, under 13 in the United States, or 16 where higher thresholds apply under local law). We do not knowingly collect personal information from children in violation of applicable law. If you believe we have collected information from a child unlawfully, contact us and we will take appropriate steps to delete it.

11. Changes to this Policy

1. We may update this Policy from time to time. We will post the updated version on the Service and revise the "Last Updated" date. Where required by law, we will provide additional notice or obtain consent.

12. Contact

1. For privacy inquiries or to exercise rights described in this Policy, contact us at privacy@blitzly.com, or through any additional contact method we publish on the Service.