Privacy Policy

This notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

1. Data Controller

The Data Controller is:

Obsidian Technologies di Fabio Dadone
VAT No.: IT02864680414
Address: Via Campania 4, 61032 Fano (PU), Italy
Email: info@bravo6.app

The Controller has not appointed a Data Protection Officer (DPO), as this is not required under Art. 37 of the GDPR. For any request regarding the processing of personal data, the Data Subject may contact the Controller directly at info@bravo6.app.

2. Personal Data Collected

2.1 Data provided by the User

Registration data (mandatory):

email address
password (stored in encrypted form — hash)
first and last name
date of birth (required to verify the minimum age requirement)
username (unique identifier of the User on the Platform)
callsign (in-game nickname chosen by the User, e.g. "Ghost", "Viper")

Profile data (optional):

avatar (profile image, uploaded to servers and publicly accessible via direct URL)
bio (text description, max 200 characters)
telephone number
preferred tactical role (e.g. Sniper, Assault, Support, Medic, Recon)
primary weapon
preferred camo (camouflage)
language and measurement unit preferences

Venue data (for business accounts):

venue and field names
full address (street, postcode, city, province) and geographic coordinates of the venue
telephone number, email address and website
description and images of the venue and fields (uploaded to servers and publicly accessible via direct URL)
opening hours, pricing, field characteristics

Payment data (for business accounts with paid subscription):

billing data (name, billing address, VAT number/tax ID) — collected directly by Stripe through its checkout page, not stored by Bravo6
payment method data (card number, CVV, etc.) is managed exclusively by Stripe and is never stored by Bravo6
Bravo6 stores in its own database the technical subscription identifiers (Stripe customer ID, subscription ID, plan, billing cycle, current period) necessary for service management

User-generated content:

messages sent in Event chats
titles, descriptions and details of created Events (including notes, game modes, requirements)
votes cast regarding other players
reports concerning other Users
reviews with comments and ratings
blocks of other Users
venues saved as favourites
friend requests and friendship relationships with other Users

2.2 Automatically generated data

Usage data:

events the User registered for and actual participation (attendance and absences recorded by the hosting Venue)
Rank (skill level), experience points (XP) and attendance rate
notification preferences configured by the User
weekly availability and event-specific availability (dates and time slots in which the User declares themselves available to participate), used by the matchmaking system to find the optimal time for Events
in-app notifications received by the User

Technical data:

IP address
browser type and version
operating system and device type
pages visited and actions performed on the Platform (only if the User has consented to analytics cookies)

Geolocation data:

device GPS position, requested with the User's explicit consent, used exclusively on the client side (in the User's browser) to calculate the distance to available fields. GPS position is never transmitted to Bravo6's servers nor stored in the database. It is temporarily saved in the browser's local storage (localStorage) with an automatic expiry of 30 minutes.

2.3 Data received from third parties

When the User registers through the Google authentication service ("Sign in with Google"), Bravo6 receives from Google the following information associated with the User's Google account:

email address
full name
profile picture (avatar)

Such data is used exclusively for the creation and pre-population of the User's profile on the Platform. The User may modify or remove such information at any time from the Profile section.

This notice is also provided pursuant to Art. 14 of the GDPR with reference to personal data not collected directly from the Data Subject. The source of the data is Google LLC, within the scope of the Google OAuth 2.0 service, voluntarily activated by the User at the time of registration.

3. Purposes and Legal Bases for Processing

Purpose	Data processed	Legal basis (Art. 6 GDPR)
Registration and account management	Email, password, name, date of birth, username, callsign	Performance of contract (Art. 6(1)(b))
Service provision (profile, events, chat, rank)	Profile data, content, usage data	Performance of contract (Art. 6(1)(b))
Venue payment and subscription management	Billing data, subscription history	Performance of contract (Art. 6(1)(b))
Compliance with tax and accounting obligations	Billing data and payment history	Legal obligation (Art. 6(1)(c)) — Italian Presidential Decree 600/73 and 633/72
Service communications (confirmations, event notifications, payment notices)	Email	Performance of contract (Art. 6(1)(b))
Searching fields by proximity	GPS position (client-side only)	Consent (Art. 6(1)(a))
Statistical analysis of site usage (Google Analytics)	Anonymous technical and browsing data	Consent (Art. 6(1)(a))
Moderation and Platform security	Reports, content, IP address	Legitimate interest of the Controller (Art. 6(1)(f))
Marketing communications	Email	Explicit and separate consent (Art. 6(1)(a))
Minimum age verification (14 years)	Date of birth	Legal obligation (Art. 6(1)(c)) — Art. 2-quinquies Italian Legislative Decree 196/2003

4. Public Data

The User acknowledges that the following information is visible to other registered users on the Platform:

callsign
username
avatar and bio
full name (if provided)
selected sport
tactical role, primary weapon, preferred camo
Rank, experience points (XP) and attendance rate

This information is necessary for the matchmaking service to function and to allow participants to evaluate who they will be playing with.

Not visible to other users: email address, date of birth, telephone number, payment data.

When a Player registers for an Event, the hosting Venue may view their callsign, username, name, avatar and individual attendance rate for the purposes of Event management and attendance recording.

5. Recipients and Data Processors

Personal data may be shared with the following third parties, acting as Data Processors pursuant to Art. 28 of the GDPR:

Provider	Location	Data processed	Purpose	Extra-EU transfer
Supabase Inc.	USA — servers in EU (Stockholm, eu-north-1)	Full database, authentication, file storage	Database hosting, user authentication, file storage	No — data resides on AWS servers within the European Union
Resend Inc.	EU (Ireland)	Recipient email address, transactional email content (including: venue and field names, booking dates and times, aggregate participation data)	Sending service emails (confirmations, notices)	No
Stripe Technology Europe, Ltd.	Ireland (EU entity) — group headquartered in USA	Email, user identifiers (in metadata), payment method data. Stripe also collects billing address and VAT number/tax ID directly from the User through its checkout page	Processing Venue subscription payments	Partial — Stripe is based in Ireland but transfers some data to its US parent company under the EU-US Data Privacy Framework
Google LLC (Google Analytics 4)	USA	Browsing data (pages visited, session duration), technical data (IP, browser, device)	Statistical analysis of site usage	Yes — Google is certified under the EU-US Data Privacy Framework. Activated only with User consent
Google LLC (Google Maps API)	USA	Address search queries, geographic coordinates of Venues	Map display and Venue location calculation	Yes — Google is certified under the EU-US Data Privacy Framework
Vercel Inc.	USA	Access logs, IP addresses, build artefacts	Hosting and distribution of the web application	Yes — infrastructure data only, no User personal data intentionally transmitted. Vercel is certified under the EU-US Data Privacy Framework

5.1 Extra-EU transfers

Transfers of personal data to the United States are based on the following safeguards:

EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023): Google LLC, Stripe Inc. and Vercel Inc. are certified under the Data Privacy Framework;
Standard Contractual Clauses (SCCs): where applicable, contracts with providers include the SCCs adopted by the European Commission.

The Controller has entered into Data Processing Agreements (DPAs) with each Data Processor, as required by Art. 28 of the GDPR.

6. Cookies and Tracking Technologies

6.1 Technical cookies (necessary)

The Platform uses strictly necessary technical cookies for the service to function. These cookies do not require User consent:

Cookie	Provider	Purpose	Duration
Session cookie	Supabase	Authentication and session maintenance	Session

6.2 Analytics cookies (subject to consent)

The Platform uses Google Analytics 4 to analyse site usage and improve the service. Google Analytics cookies are activated only after explicit User consent via the cookie banner on the site.

Cookie	Provider	Purpose	Duration
_ga	Google Analytics	Unique user identification	2 years
_ga_[ID]	Google Analytics	Session state maintenance	2 years
_gid	Google Analytics	Unique user identification (short-term)	24 hours

6.3 Data in localStorage and sessionStorage

The Platform uses the browser's local storage (localStorage and sessionStorage) to save information that is not transmitted to external servers. The main categories of data stored are:

Key	Content	Expiry
GPS position	Latitude, longitude, timestamp	30 minutes (automatic deletion)
Cookie preferences	User's choice (acceptance/rejection of analytics)	6 months
Notification preferences	Notification settings by category	None (persistent until changed)
Profile privacy preferences	Profile visibility, statistics and activity display (client-side cosmetic preferences)	None (persistent until changed)
User profile cache	Local copy of profile data (name, email, bio, sport, etc.) to reduce server requests	Browsing session
Search filters	Filters applied to event and field searches (distance, price, dates, participants)	None (persistent until changed)
Interface preferences	Theme (light/dark), measurement unit, language, calendar views, selected sport	None (persistent until changed)

The Platform also uses sessionStorage (session memory, cleared when the browser is closed) to temporarily store search results and navigation state.

6.4 Managing cookie preferences

The User may change their preferences at any time via the "Manage cookies" link in the site footer and in the Settings section of the app. Revoking consent to analytics cookies results in the immediate deactivation of Google Analytics and the removal of associated cookies.

7. Data Retention Period

Data category	Retention period
Registration and profile data	For the duration of the account. Deleted or anonymised upon account deletion
Usage data (events, rank, statistics)	For the duration of the account. Deleted upon account deletion
User-generated content (reviews, favourites, friendships, blocks, reports)	For the duration of the account. Deleted or anonymised upon account deletion
Uploaded files (avatars, venue and field images)	For the duration of the account. Deleted from storage servers upon account deletion
Chat messages	For the duration of the account. Upon account deletion: messages are anonymised (content replaced, author made anonymous) to preserve conversation continuity for other participants
Billing and payment data (Venue)	7 years from the date of the last transaction, in compliance with tax obligations (Italian Presidential Decree 600/73 and 633/72 — assessment limitation periods)
Browsing and analytics data	Per Google Analytics policies (up to 26 months, configurable)
Cookie consent registry	6 years from the date of consent (statute of limitations for Data Protection Authority sanctions). The registry includes: user identifier, choice expressed (acceptance/rejection), date and time of consent, browser and device type (user agent)
GPS position (localStorage)	30 minutes (automatic client-side deletion)
Reports	For the time necessary to manage the report and for an additional period necessary for the protection of rights in the event of disputes

8. Data Subject Rights

Pursuant to Articles 15-22 of the GDPR, the Data Subject has the right to:

Access (Art. 15): obtain confirmation of whether personal data is being processed and access such data;
Rectification (Art. 16): obtain correction of inaccurate data or completion of incomplete data, directly through the Profile section of the Platform or by request to the Controller;
Erasure (Art. 17): obtain the deletion of personal data, via the "Delete account" function in the Settings section of the Platform or by request to the Controller. Erasure is subject to the exceptions provided by law (e.g. tax obligations);
Restriction (Art. 18): obtain restriction of processing in the cases provided by law;
Portability (Art. 20): receive personal data in a structured, commonly used and machine-readable format;
Objection (Art. 21): object to the processing of personal data on legitimate grounds;
Withdrawal of consent (Art. 7): withdraw consent at any time for geolocation, analytics cookies or marketing communications, without affecting the lawfulness of processing based on consent given prior to withdrawal.

8.1 How to exercise your rights

The Data Subject may exercise their rights:

for access, rectification and erasure: directly through the Platform's features (Profile and Settings sections);
for all rights: by sending a request to info@bravo6.app, specifying the right they wish to exercise. The Controller will respond within 30 days of receiving the request, extendable by a further 60 days in cases of complexity, subject to notice to the Data Subject.

8.2 Right to lodge a complaint

The Data Subject has the right to lodge a complaint with the relevant supervisory authority.

For users in the EU — Italian Data Protection Authority (Garante per la protezione dei dati personali):
Piazza Venezia, 11 — 00187 Rome, Italy
www.garanteprivacy.it
Email: protocollo@gpdp.it

For users in the United Kingdom — Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
www.ico.org.uk
Email: icocasework@ico.org.uk

9. Processing of Minors' Data

The Platform is intended for Users aged 14 years or over, in accordance with Art. 2-quinquies of Italian Legislative Decree 196/2003 (which sets the minimum age for consent to the processing of personal data in relation to information society services in Italy at 14 years) and Art. 8 of the GDPR.

Registration of persons under 14 years of age is technically prevented by the Platform. The Controller does not knowingly collect personal data from persons under 14 years of age. Should the Controller become aware that data has been collected from a person under 14, the data will be promptly deleted.

For Users aged between 14 and 17, processing takes place on the basis of the declaration made by the User at registration that they have obtained the consent of a parent or legal guardian.

10. Information for United Kingdom Residents

If you are resident in the United Kingdom, the processing of your personal data is also carried out in compliance with the UK General Data Protection Regulation (UK GDPR) as incorporated into UK law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018.

Your rights under the UK GDPR are substantially identical to those described in Section 8 above. You may exercise your rights by contacting the Controller at info@bravo6.app or by lodging a complaint with the Information Commissioner's Office (ICO) as indicated in Section 8.2.

Transfers of personal data from the UK to the European Economic Area are covered by the UK adequacy regulations. Transfers to the United States are based on the UK Extension to the EU-US Data Privacy Framework.

The Controller does not currently have a UK Representative appointed under Art. 27 of the UK GDPR. Should the Controller's activities require such appointment, this section will be updated accordingly.

11. Data Security

The Controller implements appropriate technical and organisational measures to protect personal data from unauthorised access, loss, alteration or destruction, including:

password encryption (hashing);
encrypted communications via HTTPS protocol;
database-level access control policies (Row Level Security);
authentication via JWT tokens with limited expiry;
database hosting in an EU region (Stockholm) on AWS infrastructure with encryption at rest and in transit;
access limitation according to the principle of least privilege.

12. Changes to this Policy

The Controller reserves the right to amend this policy at any time by publishing the updated version on the Platform at https://bravo6.app/privacy. In the event of substantial changes, the User will be notified by email and/or in-app notice. The date of the last update is indicated at the top of this document.

13. Contact

For any enquiries regarding the processing of personal data:

Email: info@bravo6.app
Controller: Obsidian Technologies di Fabio Dadone — VAT No. IT02864680414
Address: Via Campania 4, 61032 Fano (PU), Italy

This policy is provided pursuant to Regulation (EU) 2016/679 (GDPR), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, and applicable Italian data protection law. For United Kingdom residents, this policy also satisfies the requirements of the UK GDPR. In the event of any discrepancy between the Italian and English versions, the Italian version shall prevail.