Privacy Policy
Last updated: February 25, 2026
1. Introduction
This Privacy Policy describes how Omby ("the App", "we", "us", "our") collects, uses, stores, shares, and protects personal data when you use our mobile application and related services. We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR) and applicable Portuguese data protection laws.
By creating an account and using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the App.
2. Data Controller
Omby is the data controller responsible for the processing of your personal data. For any questions or requests regarding your data, you can contact us at:
Email: omby.general@gmail.com
3. Data We Collect
We collect the following categories of personal data:
Account Information
Data you provide when creating and managing your account:
- Full name (first name and last name)
- Email address
- Date of birth
- City of residence
- Profile photo (optional)
- Player position preference (optional)
Authentication Data
Data collected through the sign-in process:
- Firebase Authentication identifier (unique user ID)
- Authentication provider information (Google Sign-In, Apple Sign-In, or email/password)
- Authentication tokens (for session management)
Financial & Payment Data
Data related to payments and financial transactions within the App:
- Wallet balance and transaction history (deposits, payments, refunds, withdrawals)
- Omby Gems balance and reward history
- Bank account details (IBAN) when requesting withdrawals
- Payment method type (card, Google Pay, Apple Pay) — Omby does not store card numbers; these are processed exclusively by Stripe
Event & Activity Data
Data generated through your use of the App:
- Events created, joined, or cancelled
- Attendance and participation history
- Chat messages within event and group conversations
- Votes, ratings, and feedback given to other players
- Penalty and reliability history (Yellow/Red cards)
- Trophies, titles, and achievement data
Social & Connection Data
- Friend/connection list
- Group memberships and roles
- Referral codes and referral history
Device & Technical Data
Data collected automatically when you use the App:
- Device model, operating system, and version
- App version
- Push notification token (Expo Push)
- IP address (collected by infrastructure providers)
- Usage analytics (screens visited, features used, session duration)
4. How We Collect Your Data
We collect personal data through the following means:
- Directly from you: when you create an account, fill in your profile, create or join events, send chat messages, or make payments.
- Automatically: through Firebase Analytics, device information, and push notification services when you use the App.
- From third parties: authentication data from Google or Apple when you use social sign-in; payment confirmation from Stripe when you make transactions.
5. Legal Basis for Processing
Under the GDPR, we process your personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the App's services — account management, event organization, payments, wallet operations, and communication features.
- Legitimate Interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, including fraud prevention, platform security, abuse detection, analytics to improve our services, and maintaining the reliability and trust of the community (penalty system, reputation data).
- Consent (Art. 6(1)(a)): Processing based on your explicit consent, such as push notifications, marketing communications, and optional profile information. You may withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including financial record-keeping obligations.
6. How We Use Your Data
We use your personal data for the following purposes:
- Providing and operating the App's core services: account management, event creation and participation, payments, wallet operations, and chat.
- Processing payments and managing your Wallet balance, including deposits, event payments, refunds, penalty deductions, and bank withdrawals.
- Facilitating communication between users through event chat and group chat.
- Sending push notifications related to your events, groups, and account activity.
- Operating the gamification system: trophies, leaderboards, Omby Gems, quests, streaks, and titles.
- Maintaining platform trust and safety: penalty system, reliability indicators, fraud detection, and abuse prevention.
- Analyzing usage patterns to improve the App's features, performance, and user experience.
- Enforcing our Terms and Conditions, including investigating violations and applying account restrictions.
- Complying with legal obligations, including financial record-keeping.
7. Data Sharing & Third Parties
We do not sell your personal data to third parties. We do not share your data with advertisers for targeted advertising purposes.
We share your personal data with the following categories of third parties, only to the extent necessary for the purposes described in this Privacy Policy:
Service Providers
- Firebase (Google Cloud): Authentication, database (Firestore), file storage (profile photos), analytics, and push notification infrastructure. Data is processed in the EU and US under Google's data processing terms.
- Stripe: Payment processing for wallet deposits, event payments, and bank withdrawals. Stripe processes payment card data directly — Omby never receives or stores full card numbers. Stripe's privacy policy applies to payment data processing.
- Expo (React Native): Push notification delivery service. Receives device push tokens to deliver notifications.
- Vercel: Hosting for the Omby website (omby.app). Does not process App user data directly.
Other Users
Certain data is visible to other App users as part of the platform's functionality:
- Your profile name, photo, city, player position, trophies, titles, and penalty status are visible to other users.
- Your participation in events is visible to other participants of the same event.
- Chat messages are visible to members of the same event or group chat.
- Leaderboard rankings are publicly visible within the App.
Legal & Safety Disclosures
We may disclose your personal data if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
8. International Data Transfers
Some of our service providers (Firebase/Google Cloud, Stripe) may process data outside the European Economic Area (EEA), including in the United States. When this occurs, we ensure that appropriate safeguards are in place, including:
- EU-US Data Privacy Framework certifications
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all service providers
These safeguards ensure that your data receives a level of protection equivalent to that provided under EU data protection law.
9. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, subject to the following guidelines:
- Account data: Retained for as long as your account is active. If you request account deletion, we will remove your personal data within a reasonable timeframe, except where retention is required by law. To request deletion, contact us at omby.general@gmail.com.
- Financial transaction data: Retained for 7 years to comply with Portuguese financial record-keeping obligations.
- Chat messages: Retained for as long as the associated event or group exists. We may periodically delete messages from completed events to manage storage.
- Analytics data: Aggregated and anonymized analytics data may be retained indefinitely. Individual-level analytics data is retained for 14 months (Firebase Analytics default).
- Penalty and reputation data: Retained for the duration specified in the penalty rules (up to 30 days or a set number of games), then automatically deleted.
When data is no longer needed, it is securely deleted or anonymized using industry-standard methods.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Firebase Authentication for secure access control
- Stripe PCI DSS Level 1 compliance for payment data
- Access controls limiting data access to authorized personnel
- Regular security reviews of our infrastructure and codebase
While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest practical standards.
11. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data. You can update most of your profile information directly in the App.
- Right to Erasure (Art. 17): You have the right to request deletion of your personal data, subject to legal retention obligations (e.g., financial records). Account deletion can be requested by contacting us.
- Right to Restriction (Art. 18): You have the right to request restriction of processing of your personal data in certain circumstances.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): You have the right to object to processing based on legitimate interest, including profiling.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact us at omby.general@gmail.com. We will respond to your request within 30 days, as required by the GDPR.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados — CNPD) at www.cnpd.pt.
12. Children's Privacy
The App is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided personal data to us, please contact us at omby.general@gmail.com.
13. Cookies & Local Storage
The Omby mobile application does not use cookies. The App uses local device storage (AsyncStorage) to store your preferences, session data, and cached information on your device. This data remains on your device and is not transmitted to our servers unless necessary for the App's functionality.
We use Firebase Analytics to collect usage data (see Section 3: Device & Technical Data). Firebase Analytics uses device identifiers to associate usage data with your account.
The Omby website (omby.app) may use essential cookies for functionality purposes. No third-party advertising or tracking cookies are used.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will notify you through the App or by other appropriate means before the changes take effect.
The "Last updated" date at the top of this page indicates when the Privacy Policy was last revised. We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have any questions about this Privacy Policy, the data we hold about you, or if you would like to exercise any of your data protection rights, please contact us at:
Email: omby.general@gmail.com