Back to homeTerms of Service

Privacy Policy – Spherun.com

Last updated: 2026-07-05

1. Data controller

The controller is Paweł Pilichowski, operating a sole proprietorship in Poland. Privacy contact: contact@spherun.com.

2. Scope and legal grounds for processing

We process personal data under GDPR as follows:

  • Account registration: Email, nickname, password hash — Art. 6 (1) (b) GDPR (contract). Authentication via Zitadel.
  • Payments and tax: Billing data, country, Stripe transaction IDs (VAT-OSS, export of services) — Art. 6 (1) (c) GDPR (legal obligation).
  • Analytics and telemetry: Session identifiers, in-game events, cookies via PostHog (EU hosting: eu.i.posthog.com) — Art. 6 (1) (f) GDPR (legitimate interest: product improvement).
  • Anti-cheat: IP address, browser/device fingerprints — Art. 6 (1) (f) GDPR (security and fair play).
  • Real-time chat: Message content, timestamps, sender ID — Art. 6 (1) (b) GDPR (social features) and (f) GDPR (moderation, spam, safety). Logs retained only as long as needed for moderation or legal defense.

3. Third-party processors

3.1. Zitadel

Zitadel AG (identity provider) processes authentication data: email address, nickname, password hash, account identifier (sub), email verification status, and login metadata. Zitadel infrastructure is hosted in the European Union. Zitadel privacy policy: https://zitadel.com/privacy-policy.

3.2. Stripe

Stripe Payments Europe, Ltd. / Stripe Inc. process payment data submitted at checkout:

  • email address (customer identification and receipts),
  • payment card details (entered directly in Stripe's form — we do not store card numbers or CVV),
  • billing country, VAT/tax ID (when provided), transaction and subscription identifiers,
  • data required by Stripe Tax (VAT-OSS, export of services).

Stripe privacy policy: https://stripe.com/privacy.

3.3. PostHog

PostHog, Inc. (EU instance: eu.i.posthog.com) — product analytics, in-game events, and session telemetry. Cookie details in section 7.

3.4. OVH Cloud

OVH Groupe SA (OVH Cloud) — hosting of the entire production infrastructure in data centers within the European Union, including:

  • real-time game and chat servers (WebSocket),
  • PostgreSQL database (accounts, profiles, statistics, billing records),
  • Dragonfly cache (Redis-compatible) — arena state, live match sessions,
  • RabbitMQ message queue (statistics sync, background jobs),
  • Next.js frontend (spherun.com web application).

Data processed on OVH servers covers all categories listed in section 2, to the extent necessary to operate the Service.

3.5. IFIRMA

IFIRMA S.A. (ifirma.pl) — accounting and VAT-OSS filings based on billing documents provided by the controller.

4. Cross-border transfers

Because the Service is global and uses Stripe and PostHog, data may be processed outside the EEA, including the United States. We rely on Standard Contractual Clauses (SCCs) and transport encryption.

5. Your rights

You may request access, rectification, erasure, restriction, portability, and object to processing based on legitimate interest. You may lodge a complaint with your supervisory authority (in Poland: PUODO).

6. Data retention

CategoryRetention period
User account (email, nickname, profile, skill build)Until account deletion on request; backup copies up to 90 days after deletion
Statistics and matches (leaderboards, match history, XP)For the lifetime of the account; after deletion — anonymization or removal within 30 days
Payments, Stripe, accountingTransaction IDs and accounting documents — 5 years from the end of the tax year (legal obligation); Stripe data per Stripe's policy
Server and security logs (IP, anti-cheat, application errors)Up to 90 days; logs related to a security incident — until the investigation is closed
Chat logs (moderation)Until moderation is complete or the limitation period for claims expires
PostHog analyticsUp to 12 months from the event; session identifiers per PostHog EU project settings

After these periods, data is deleted or anonymized unless further retention is required by law.

7. Cookies and similar technologies

The Service uses cookies and localStorage/sessionStorage for the following purposes:

Name / sourcePurposeDurationRequired
Auth.js session (authjs.session-token / __Secure-authjs.session-token)Maintains signed-in user session (JWT)Up to 30 days or until sign-outYes (account)
PostHog (ph_*, eu.i.posthog.com)Product analytics, visitor identifier, in-game eventsUp to 12 months (cookie) / sessionNo
NEXT_LOCALERemembers selected interface language365 daysNo
spherun_pending_nick (pendingNick)Temporary nickname storage during registration/login10 minutes (cookie) / until tab close (sessionStorage)No

Opting out of analytics: You may block PostHog via browser settings (third-party cookie blocking / eu.i.posthog.com), tracking-protection extensions, or a "Do Not Track" signal where honored. Essential login cookies (Auth.js) cannot be declined without losing account access.

8. Exercising your GDPR rights

Requests regarding the rights in section 5 (access, rectification, erasure, portability, objection) should be sent to contact@spherun.com.

  1. We respond within 30 days of receiving a valid request.
  2. To verify identity, we may ask you to confirm the email address linked to your account or provide additional information to uniquely identify you.
  3. Account deletion: After successful verification, we delete your Zitadel account, profile data, and statistics linked to your identity (subject to retention periods in section 6 for accounting records and legal obligations). Active Premium subscriptions should be cancelled before or during the deletion process — see the Terms of Service for details.
v0.1.68