PRIVACY POLICY
Effective Date: 12 May 2026
1. Introduction
This Privacy Policy explains how FUTGenie ("we," "our," or "us") collects, uses, stores, and protects personal data when you use our website at futgenie.gg, our browser extension, our mobile application, and any related services (together, the "Service").
We are committed to handling your personal data lawfully, fairly, and transparently in accordance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation where it applies, and the Privacy and Electronic Communications Regulations 2003 (PECR).
By using the Service you confirm that you have read and understood this Privacy Policy. If you do not agree with it, please do not use the Service.
2. Who We Are
The Service is operated by FUTGENIE LTD, a company registered in England and Wales.
- Company number: 16929230
- Registered address: 71-75 Shelton Street, London, England, WC2H 9JQ
- Email: [email protected]
FUTGENIE LTD is the "data controller" responsible for your personal data under UK GDPR. We are not required to appoint a Data Protection Officer; for any data protection enquiries, please email [email protected].
3. Information We Collect
We collect the following categories of personal data:
- Account & profile data: name, email address, hashed password (if you sign up with email), authentication identifiers from third-party login providers (e.g. Google, Apple), and your account preferences.
- Subscription & billing data: subscription tier, billing status, billing country, and limited card metadata (the last four digits and expiry date). Full payment-card details are entered directly into Stripe and are never stored on our servers.
- EA / game-platform identifiers: the EA account identifier(s) (such as persona ID) associated with your use of the Service, so we can scope your data to the correct account. We do not collect or store your EA password or other EA login credentials.
- Usage data from the extension and app: SBC solves and completions, pack opening reward outcomes, auction and transfer market activity initiated through the Service, in-app settings, and feature usage.
- Technical and device data: IP address, user-agent string (browser, operating system, device type), a randomly generated visitor identifier we set on first visit, country derived from your IP address, and the type of client used (web, extension, or mobile).
- Activity logs: a record of significant events (such as logins, key actions, and referral-link clicks) together with the technical data above. These are stored in our internal activity-log database for security, abuse-prevention, and product-analytics purposes.
- Anti-abuse retention record: when you delete your account we keep a one-way SHA-256 hash of your normalised email address and your EA account identifier(s) for up to 30 days (see section 7).
- Communications: any messages, support tickets, or feedback you send us, and our replies.
- Referral data: if you arrive via a referral link, we log the referral code together with the technical data above so we can attribute the referral if you subsequently sign up.
We do not knowingly collect any "special category" personal data (such as health, ethnicity, political opinions, or sexual orientation). Please do not send us such information.
4. How We Use Your Data and Our Lawful Bases
Under UK GDPR we must have a lawful basis for each purpose for which we process your data. The bases we rely on are:
- To provide and operate the Service — Article 6(1)(b) UK GDPR: performance of a contract with you.
- To process payments and manage subscriptions — Article 6(1)(b) (contract) and Article 6(1)(c) (compliance with legal obligations, such as tax and accounting record-keeping).
- To detect and prevent fraud, abuse, and security incidents (using activity logs, technical data, and the anti-abuse retention record) — Article 6(1)(f): our legitimate interests in protecting the Service and our users.
- To enforce free-tier limits and prevent re-registration abuse (using the anti-abuse retention record) — Article 6(1)(f): our legitimate interests in the commercial sustainability of our free tier.
- For product analytics and service improvement (using usage and technical data, aggregated wherever possible) — Article 6(1)(f): our legitimate interests in improving the Service.
- To communicate with you about your account (support, important service announcements, and billing notices) — Article 6(1)(b): contract.
- To send you marketing emails about new features or offers — Article 6(1)(a): your consent. You can withdraw consent at any time using the unsubscribe link in every marketing email.
- To comply with legal and regulatory obligations — Article 6(1)(c).
Where we rely on legitimate interests, we have carried out a legitimate-interests assessment balancing our interests against your rights and freedoms. You can object to such processing at any time — see section 10.
5. Sharing Your Data
We share personal data only with the following categories of recipient. Where they act as our processors, they are bound by written agreements meeting the requirements of UK GDPR Article 28.
- Stripe (Stripe Payments Europe Ltd / Stripe Inc.) — payment processing and subscription management.
- Railway (Railway Corp.) — application hosting and managed database hosting.
- Resend (Resend, Inc.) — delivery of account, billing, and support emails.
- Google Analytics (Google LLC / Google Ireland Ltd) — aggregated product analytics.
- Professional advisers (accountants, lawyers, auditors) acting under a duty of confidentiality.
- Law-enforcement bodies and regulators where we are required by law to disclose data, or to establish, exercise, or defend legal claims.
- A successor entity in the event of a merger, acquisition, or restructuring of FUTGENIE LTD, subject to equivalent protections.
We do not sell, rent, or trade your personal data, and we do not share it for third-party advertising.
6. International Data Transfers
Some of the processors listed in section 5 (notably Stripe, Railway, Resend, and Google Analytics) operate or store data outside the United Kingdom, including in the United States and the European Economic Area.
Where we transfer personal data outside the UK, we rely on one or more of the safeguards permitted under UK GDPR Article 46, including:
- UK adequacy regulations covering the destination country;
- the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses;
- the EU–US Data Privacy Framework together with the UK Extension, where the recipient is certified.
You can request a copy of the safeguards in place for any particular transfer by emailing [email protected].
7. Data Retention
We keep personal data only for as long as is necessary for the purposes set out in this Privacy Policy. Specific retention periods are as follows:
- Account data: retained for the lifetime of your account, plus up to 30 days after deletion to allow account recovery.
- Subscription and billing records: retained for 6 years after the end of the financial year in which the transaction occurred, to comply with UK tax and accounting law.
- Activity logs: retained for up to 24 months, then deleted or fully anonymised.
- Last-login IP address and visitor identifier on your user record: overwritten on each subsequent login, and deleted when your account is deleted.
- Anti-abuse retention record: a one-way SHA-256 hash of your normalised email and EA account identifier(s) only, with no name, password, payment details, or other personal information. Retained for up to 30 days after account deletion, then automatically purged. We use it solely to prevent bypass of free-tier daily limits. You may request earlier erasure at any time by emailing [email protected].
- Support correspondence: retained for up to 24 months after the matter is resolved.
- Marketing consent records: retained while you remain subscribed, plus 2 years after you unsubscribe so we can demonstrate compliance.
Where deletion is not immediately feasible (for example, data held in encrypted backups), we will isolate the data, ensure it is not used for any other purpose, and delete it as soon as backups are rotated out of retention.
8. Cookies and Similar Technologies
We use a small number of cookies and similar storage technologies (such as localStorage and sessionStorage) on our website and extension. We group them as follows:
- Strictly necessary: session and authentication cookies, security tokens, and load-balancing cookies. These are essential to deliver the Service you have requested and are set without consent, as permitted under PECR.
- Functional: a randomly generated visitor identifier used to link pre-signup and post-signup activity for fraud prevention and to ensure features such as referral attribution work correctly.
- Analytics: Google Analytics, which sets cookies (typically _ga, _ga_*) to measure aggregated page views and feature use so we can understand how the Service is used and improve it. We use IP-anonymisation features where available and do not link analytics data with advertising identifiers.
Where cookies or storage are not strictly necessary (including the Google Analytics cookies above), we ask for your consent through a cookie banner the first time you visit, and we do not set those cookies until you have given consent. You can change or withdraw your consent at any time through the cookie-settings link in the website footer, or by clearing your browser storage. We do not use third-party advertising cookies.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include:
- encryption of data in transit using HTTPS/TLS;
- encryption of sensitive data at rest, including password hashes using modern algorithms (such as bcrypt or argon2) and tokenisation of payment details by Stripe;
- access controls based on the principle of least privilege for staff and infrastructure;
- secure software-development practices and monitoring of third-party dependencies for vulnerabilities;
- regular backups and recovery testing.
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected users without undue delay.
10. Your Rights
Under UK GDPR you have the following rights in respect of the personal data we hold about you:
- Right of access — ask for a copy of your personal data.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure (the "right to be forgotten") — ask us to delete your personal data in certain circumstances.
- Right to restriction — ask us to limit how we process your data while a query is resolved.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller, where processing is based on consent or contract.
- Right to object — object to processing based on our legitimate interests, and to direct marketing at any time.
- Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
- Rights relating to automated decision-making — we do not carry out solely automated decisions that produce legal or similarly significant effects on you.
To exercise any of these rights, email [email protected]. We will respond within one calendar month of receiving your request. We may extend that period by up to two further months for complex or numerous requests, and will tell you within the first month if we do so.
We may need to verify your identity before acting on a request. Exercising your rights is free of charge, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on it.
11. Complaints
If you have a complaint about how we handle your personal data, please contact us first at [email protected] so we can try to resolve it.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
If you live in the EU or EEA, you can also contact your local data-protection supervisory authority.
12. Children
The Service is not intended for, and is not directed at, children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact [email protected] and we will delete that data without delay.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Effective Date" at the top of the policy shows when it was last updated. For material changes that affect your rights, we will give you reasonable advance notice by email or through the Service before the changes take effect. Your continued use of the Service after the new Effective Date constitutes acceptance of the updated policy.
14. Contact
For any questions about this Privacy Policy or how we handle your personal data, please contact us:
- Email: [email protected]
- Post: FUTGENIE LTD, 71-75 Shelton Street, London, England, WC2H 9JQ