Tournament Organizers: Plus is free until October 1st! Learn more →

Privacy Policy

Last updated: March 27, 2026

1. Data Controller

The data controller for the personal data processed on getpaird.io is:

  • Entity: TimeVault TCG
  • Contact: [email protected]
  • Hosting: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (European Union).

2. Data Collected

2.1 User-Provided Data

  • Account data: Email address, name, first name, last name, username, password (stored as a bcrypt hash — the actual password is never stored).
  • Optional profile data: Avatar, biography, city, geographic coordinates, social handles (Discord, Twitch, Instagram, Twitter/X, YouTube, Facebook, LinkedIn, TikTok).
  • Player profiles: First name, last name.
  • Social authentication: Google, Discord, and/or Apple provider identifiers, used to link accounts for OAuth sign-in.

2.2 Tournament Data

  • Registrations: Status, barcode, check-in status, custom fields defined by the Organizer.
  • Decklists: Name, archetype, card lists, notes. Decklists are the creative content of the player.
  • Penalties: Category, name, level, notes, judge identifier.
  • Results: Scores, match status, reporter identity.

2.3 Payment Data

No credit card data is stored by the Platform.

  • Stripe transaction identifiers, amounts paid and refunded, payment method and status.
  • Subscription data: Stripe customer identifier.
  • Stripe Connect: encrypted Stripe account identifiers and API keys.

2.4 Technical Data

  • Push notifications: Device push tokens (Expo/Apple/Google).
  • Sessions: Stored in Redis with a lifetime of 3 days (4320 minutes).
  • Analytics: IP address and navigation data collected via Google Analytics 4 (ID: G-CNF4TMEDY8), only after user consent, with anonymize_ip: true enabled.

3. Purposes and Legal Basis

3.1 Contract Execution

Processing necessary to provide the services: account management, tournament participation, payment processing, transactional notifications.

3.2 Legitimate Interest

Platform improvement, fraud prevention, anonymous statistics for service enhancement.

3.3 Consent

  • Analytics cookies (Google Analytics 4), collected only after explicit user consent.
  • Push notifications, activated via the native OS prompt.
  • Refund protection (optional opt-in at registration).

3.4 Legal Obligation

Retention of transaction data for fiscal and accounting obligations under French law.

4. Data Recipients

4.1 Organizers

Tournament Organizers and staff have access to: display names, email addresses, decklists, results, and penalties of registered players. Organizers must not use this data for purposes other than tournament management.

4.2 Sub-processors

  • Stripe (USA): Payment processing. PCI DSS Level 1 certified.
  • HelloAsso (France): Alternative payment processing.
  • Brevo (France): Transactional email delivery.
  • Mailjet (France): Transactional email delivery.
  • AWS SES (EU-West-3): Transactional email delivery.
  • Expo / Apple / Google (USA): Push notification delivery.
  • Google Analytics 4 (USA): Web analytics, only after user consent.
  • Scryfall / Moxfield (USA): Card data APIs only. No personal data is transmitted to these services.

4.3 Transfers Outside the EU

Services based in the USA are covered by EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, ensuring an adequate level of data protection.

5. Data Retention

  • Active accounts: Data retained for the duration of the account activity.
  • Unverified accounts: Deleted daily via automated cleanup.
  • Abandoned registrations: Cleaned every 5 minutes via automated process.
  • Transaction data: Retained for 7 years in compliance with French fiscal obligations.
  • Account deletion: Personal data is hard-deleted. Tournament results may be retained in anonymized form for historical and competitive integrity purposes.

6. Your Rights (GDPR)

In accordance with the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Art. 15): Obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction (Art. 18): Request limitation of how we process your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

You also have the right to file a complaint with the French data protection authority: CNIL — www.cnil.fr.

7. Security

We implement appropriate technical and organizational measures to protect your data:

  • All data is transmitted over HTTPS/TLS.
  • Passwords are hashed using bcrypt (10 rounds).
  • Stripe API keys are encrypted at rest.
  • Hosting within the European Union (Hetzner, Germany).
  • Access to production systems is restricted and controlled.

8. Minors

  • Users aged 16 and over may use the Platform freely.
  • Users aged 13 to 15 may use the Platform with verifiable parental consent.
  • Users under the age of 13 are not permitted to use the Platform.

If we become aware that personal data has been collected from a child without appropriate consent, we will delete that data promptly.

9. Modifications

This Privacy Policy may be updated at any time. Significant changes will be communicated to users by email. The date of the last update is indicated at the top of this page.

10. Contact

For any questions regarding this Privacy Policy or to exercise your data rights:

GetPaird

GetPaird.io

Free · Tournaments on the go

GET
We use cookies to analyze traffic and improve your experience. Cookie Policy