Rotat8
Sign inGet started

Privacy Policy

Last updated: March 2026

1. Introduction & Controller

This Privacy Policy explains how Rotat8 ("we", "us") collects, uses, and protects your personal data. Rotat8 is the data controller for information processed through this Service.

2. Data We Collect

We collect the following information:

  • Email address (provided at registration)
  • Password (stored as a bcrypt hash — we never store your plaintext password)
  • Game data: match scores, player names, substitution records, goal logs
  • Player names and position information you enter
  • IP address (used for rate limiting only, not stored long-term)
  • Authentication cookie (httpOnly JWT, session management only)
  • Basic usage telemetry such as page path, referrer domain, campaign parameters, browser language, and user agent to understand how the site is used and diagnose issues

3. How We Use Your Data

  • To provide and operate the Service
  • To authenticate you and maintain your session
  • To send password reset emails when requested
  • To protect the Service from abuse (rate limiting)
  • To understand which pages and campaigns are being used
  • To monitor errors and trace requests when diagnosing problems

We do not use your data for advertising, profiling, or any purpose beyond operating the Service.

4. Data Storage

Your data is stored in a PostgreSQL database. We take reasonable technical measures to protect it. The Service is currently in private beta and hosted in a controlled environment.

5. Cookies

We use a single httpOnly cookie named token to manage your authenticated session. This cookie is not accessible to JavaScript and is not used for tracking. We do not use third-party analytics cookies. We do use self-hosted, cookieless analytics and observability telemetry to understand page usage, referrers, and request behaviour.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties for commercial purposes. Password reset emails are delivered via a transactional email provider, who processes your email address solely to deliver that message.

7. Data Retention

We retain your data for as long as your account is active. If you request deletion of your account, we will remove your personal data within 30 days, subject to any legal retention requirements.

8. Your Rights

Under GDPR and UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, contact us.

9. Security

Passwords are hashed with bcrypt. Authentication cookies are httpOnly and SameSite=Strict. The Service uses HTTPS in production. We take reasonable steps to protect your data against unauthorised access.

10. Changes to Policy

We may update this Privacy Policy from time to time. We will notify active users of material changes. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

Questions about this policy? Contact us.