Privacy Policy – Spherun.com
Last updated: 2026-07-05
1. Data controller
The controller is Paweł Pilichowski, operating a sole proprietorship in Poland. Privacy contact: contact@spherun.com.
2. Scope and legal grounds for processing
We process personal data under GDPR as follows:
- Account registration: Email, nickname, password hash — Art. 6 (1) (b) GDPR (contract). Authentication via Zitadel.
- Payments and tax: Billing data, country, Stripe transaction IDs (VAT-OSS, export of services) — Art. 6 (1) (c) GDPR (legal obligation).
- Analytics and telemetry: Session identifiers, in-game events, cookies via PostHog (EU hosting: eu.i.posthog.com) — Art. 6 (1) (f) GDPR (legitimate interest: product improvement).
- Anti-cheat: IP address, browser/device fingerprints — Art. 6 (1) (f) GDPR (security and fair play).
- Real-time chat: Message content, timestamps, sender ID — Art. 6 (1) (b) GDPR (social features) and (f) GDPR (moderation, spam, safety). Logs retained only as long as needed for moderation or legal defense.
3. Third-party processors
3.1. Zitadel
Zitadel AG (identity provider) processes authentication data: email address, nickname, password hash, account identifier (sub), email verification status, and login metadata. Zitadel infrastructure is hosted in the European Union. Zitadel privacy policy: https://zitadel.com/privacy-policy.
3.2. Stripe
Stripe Payments Europe, Ltd. / Stripe Inc. process payment data submitted at checkout:
- email address (customer identification and receipts),
- payment card details (entered directly in Stripe's form — we do not store card numbers or CVV),
- billing country, VAT/tax ID (when provided), transaction and subscription identifiers,
- data required by Stripe Tax (VAT-OSS, export of services).
Stripe privacy policy: https://stripe.com/privacy.
3.3. PostHog
PostHog, Inc. (EU instance: eu.i.posthog.com) — product analytics, in-game events, and session telemetry. Cookie details in section 7.
3.4. OVH Cloud
OVH Groupe SA (OVH Cloud) — hosting of the entire production infrastructure in data centers within the European Union, including:
- real-time game and chat servers (WebSocket),
- PostgreSQL database (accounts, profiles, statistics, billing records),
- Dragonfly cache (Redis-compatible) — arena state, live match sessions,
- RabbitMQ message queue (statistics sync, background jobs),
- Next.js frontend (spherun.com web application).
Data processed on OVH servers covers all categories listed in section 2, to the extent necessary to operate the Service.
3.5. IFIRMA
IFIRMA S.A. (ifirma.pl) — accounting and VAT-OSS filings based on billing documents provided by the controller.
4. Cross-border transfers
Because the Service is global and uses Stripe and PostHog, data may be processed outside the EEA, including the United States. We rely on Standard Contractual Clauses (SCCs) and transport encryption.
5. Your rights
You may request access, rectification, erasure, restriction, portability, and object to processing based on legitimate interest. You may lodge a complaint with your supervisory authority (in Poland: PUODO).
6. Data retention
| Category | Retention period |
|---|---|
| User account (email, nickname, profile, skill build) | Until account deletion on request; backup copies up to 90 days after deletion |
| Statistics and matches (leaderboards, match history, XP) | For the lifetime of the account; after deletion — anonymization or removal within 30 days |
| Payments, Stripe, accounting | Transaction IDs and accounting documents — 5 years from the end of the tax year (legal obligation); Stripe data per Stripe's policy |
| Server and security logs (IP, anti-cheat, application errors) | Up to 90 days; logs related to a security incident — until the investigation is closed |
| Chat logs (moderation) | Until moderation is complete or the limitation period for claims expires |
| PostHog analytics | Up to 12 months from the event; session identifiers per PostHog EU project settings |
After these periods, data is deleted or anonymized unless further retention is required by law.
7. Cookies and similar technologies
The Service uses cookies and localStorage/sessionStorage for the following purposes:
| Name / source | Purpose | Duration | Required |
|---|---|---|---|
Auth.js session (authjs.session-token / __Secure-authjs.session-token) | Maintains signed-in user session (JWT) | Up to 30 days or until sign-out | Yes (account) |
PostHog (ph_*, eu.i.posthog.com) | Product analytics, visitor identifier, in-game events | Up to 12 months (cookie) / session | No |
| NEXT_LOCALE | Remembers selected interface language | 365 days | No |
spherun_pending_nick (pendingNick) | Temporary nickname storage during registration/login | 10 minutes (cookie) / until tab close (sessionStorage) | No |
Opting out of analytics: You may block PostHog via browser settings (third-party cookie blocking / eu.i.posthog.com), tracking-protection extensions, or a "Do Not Track" signal where honored. Essential login cookies (Auth.js) cannot be declined without losing account access.
8. Exercising your GDPR rights
Requests regarding the rights in section 5 (access, rectification, erasure, portability, objection) should be sent to contact@spherun.com.
- We respond within 30 days of receiving a valid request.
- To verify identity, we may ask you to confirm the email address linked to your account or provide additional information to uniquely identify you.
- Account deletion: After successful verification, we delete your Zitadel account, profile data, and statistics linked to your identity (subject to retention periods in section 6 for accounting records and legal obligations). Active Premium subscriptions should be cancelled before or during the deletion process — see the Terms of Service for details.