Privacy Policy
Last updated: April 2026
1. Data Controller
Wombi Enterprises Ltd, a private limited company incorporated in Cyprus (registration number HE437408), with registered address at Efesou 9, 5280 Paralimni, Cyprus, is the data controller responsible for your personal data. Contact: hello@puntazofantasy.com
2. Data We Collect
We collect the following personal data: (a) Account and authentication data: email address, username, password stored as a bcrypt hash (never in plain text), display name (optional), avatar URL (optional), email verification status. (b) Preferences: preferred language (es/en) and email notification preferences (predictions open, deadline reminders, tournament finished, predictions paused). (c) Game data: bracket predictions, Pick 5 selections, scores, tournament history, and group memberships. (d) Groups: groups you create or belong to, invitations sent or received. (e) Notification log: internal history of emails sent to your account for audit and duplicate prevention. (f) Transient data: your IP address is processed in real time to validate the contact form CAPTCHA and to protect the Platform against abuse, but is not stored in a persistent log.
3. Data We Do NOT Collect
We do not collect: date of birth, physical location or GPS data, gender, nationality, payment or financial data of any kind, phone numbers, or social media profiles. We do not maintain a persistent log of your IP address or browsing activity.
4. Publicly Visible Information
Please note that some information associated with your account may be visible to other users or to visitors of the Platform: (a) your username and, if you provide them, your display name and avatar appear on your public profile and in the rankings of any group you belong to; (b) your aggregated game statistics (total points, positions, tournaments played) are viewable on your public profile; (c) your individual predictions for each tournament may be accessible via the corresponding public endpoints once the tournament's prediction deadline has closed; (d) public groups you belong to are visible to any visitor of the Platform, together with their rankings; private groups are only visible to their members.
5. Legal Bases for Processing
We process your data under the following legal bases pursuant to Article 6 GDPR: (a) Contract execution (Art. 6(1)(b)): processing of account data, preferences, game data, groups and functional notifications is necessary to provide you with the Service and is based on your acceptance of the Terms of Use at registration; (b) Legitimate interest (Art. 6(1)(f)): transient processing of IP addresses, CAPTCHA validation and security measures respond to our legitimate interest in maintaining Platform security and preventing abuse.
6. Specific Processing Operations
(a) Contact form and account registration: when you submit a message via the contact form or complete the CAPTCHA during account registration, your IP address is transmitted to Cloudflare Turnstile to validate the CAPTCHA and prevent automated abuse. For the contact form, the message content together with your email are additionally transmitted to our team via our transactional email provider. (b) Email notifications: we send functional notifications (account verification, password reset) and game notifications according to your preferences (predictions open, deadline reminders, tournament finished, predictions paused). You can manage your preferences or unsubscribe from your account or via the link included in each email. (c) Group invitations: when another user invites you to a group or you invite someone else, the minimum data necessary to deliver the invitation is processed (recipient, sender identity and associated group).
7. Data Retention
Your account data and associated game data are retained while the account is active. When you request account deletion from the Platform, your personal data (account data, predictions, group memberships, password reset tokens) are deleted permanently and immediately, without any grace period or recoverable personal backup. Internal notification log records (NotificationLog) may be retained, associated with an internal identifier, for as long as reasonably necessary for audit and duplicate prevention purposes. Email verification tokens have a logical validity of 24 hours, and password reset tokens of 1 hour; after those periods they cease to be valid. We do not maintain a persistent log of IP addresses.
8. International Transfers and Sub-processors
To provide the Service we rely on the following sub-processors, some of which may process data outside the European Economic Area: (a) Postmark, a transactional email provider based in the United States, which processes your email address and the content of emails sent from the Platform; (b) Cloudflare, used for Turnstile CAPTCHA on the contact form and on the account registration form, and, where applicable, as a network infrastructure provider, with global presence including the United States, processing your IP address and technical metadata for security purposes; (c) Umami Analytics, when enabled, running on our own or European infrastructure. Where these sub-processors involve international transfers outside the EEA, such transfers are carried out on the basis of the safeguards provided in Chapter V GDPR, in particular the Standard Contractual Clauses (SCC) approved by the European Commission. You may request additional information about these safeguards at hello@puntazofantasy.com.
9. Your Rights
Under the GDPR, you have the following rights: Right of access (Art. 15): request a copy of your personal data; Right to rectification (Art. 16): correct inaccurate data; Right to erasure (Art. 17): request deletion of your data, which you can also exercise directly from the account section of the Platform; Right to data portability (Art. 20): receive your data in a machine-readable format; Right to object (Art. 21): object to processing based on legitimate interest, including the right to object to email notifications by managing your preferences or using the unsubscribe link included in each email. To exercise any of these rights, contact us at hello@puntazofantasy.com. We will respond within one month of receiving your request, as required by law.
10. Children's Privacy
The Platform is not directed at individuals under 16 years of age. By accepting the Terms of Use at registration, you confirm that you are at least 16 years old. We do not knowingly collect personal data from children under 16. If we become aware that personal data of a child under 16 has been collected, we will delete that data promptly.
11. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. The competent authority for our Company is: Office of the Commissioner for Personal Data Protection, Kypranoros 15, 1061 Nicosia, Cyprus, commissioner@dataprotection.gov.cy, +357 22 818 456. If you reside in another EU/EEA member state, you may also contact your local data protection authority (e.g., AEPD in Spain, Garante per la protezione dei dati personali in Italy, CNIL in France).
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Platform and/or by email. The date at the top of this page indicates when this policy was last updated.