PRIVACY POLICY

We collect what we need to run 1v1 battles, score them with AI, process payments, and keep the platform safe. We don't sell your data, don't track you across the internet, and don't store your live video.

The data controller is Rares (sole operator of go-rizzy.online), based in Romania. Contact: gorizzysupport@gmail.com.

From your account:

• Email address (via Google sign-in)
• Your chosen username
• The avatar image you upload, if any
• The country your IP geolocates to

During matches:

• Live video and audio — streamed peer-to-peer via LiveKit so your opponent can see and hear you. We do not record or store these streams on our servers.
• One video framefrom the start of each match — analyzed by OpenAI's moderation API to block nudity. Logged with the scores (not the image itself) for audit purposes.
• Audio transcriptof what you said during your turn — generated client-side (Web Speech API) or server-side (OpenAI Whisper), then sent to OpenAI GPT-4o-mini to score the round. The transcript is stored briefly as part of the match's verdict payload (max ~1 KB per match).
• Match metadata: opponent ID, scores, who won, timestamps.

From payments:

• Stripe processes all card transactions. We see only the transaction ID, amount, and which coin pack you bought. We never see your card number, CVV, or billing address.

Automatically:

• Your IP address — for fraud / VPN detection (we send it to ip-api.com for geolocation + proxy lookup) and abuse prevention. Stored in moderation logs.
• Browser type and OS — sent in standard HTTP headers.
• Local storage flags — like whether you've seen the rules popup or finished the liveness check. Stored on your device.

• Run the matchmaking and battle system
• Score battles with AI
• Show your username + avatar + score on the leaderboard
• Process coin purchases via Stripe
• Detect and prevent abuse (VPN bans, NSFW screening, harassment reports)
• Send essential service emails (not marketing)

Legal basis (GDPR): performing our contract with you (running the app you signed up for), our legitimate interest in keeping the platform safe, and your consent where required (e.g. camera/microphone access via your browser).

We use these third-party services to run the app. Each one processes your data on our behalf under their own privacy terms:

• Supabase (database + auth) — stores your account data, match history, ratings. EU hosting.
• LiveKit— handles the peer-to-peer video/audio streams. Doesn't persist the streams.
• OpenAI (USA) — receives your moderation frame, your audio for transcription, and the round transcripts for scoring. OpenAI does not use API inputs to train their models (per their API data policy).
• Stripe — handles payment processing.
• ip-api.com — receives your IP for proxy/VPN lookup.
• Google — handles your sign-in via OAuth.
• Vercel — hosts the website and runs the API routes.

We do not sell your data, run third-party ad trackers, or share it with anyone for marketing.

OpenAI, Stripe, and ip-api are based outside the EU. Data sent to them is transferred to the US (OpenAI, Stripe) or the EU (ip-api.com Pro). These transfers rely on Standard Contractual Clauses approved by the European Commission.

• Account data — until you delete your account. Account deletion is permanent and immediate.
• Match history + scores + transcripts — kept for as long as your account exists, then deleted along with it.
• Moderation logs (NSFW scans, VPN blocks, reports against you) — kept up to 12 months after the event for safety review, then deleted.
• Payment records — kept for 10 years as required by Romanian accounting law, even after account deletion.

You can ask us to:

• Tell you exactly what data we hold about you
• Correct anything that's wrong
• Delete your account and data
• Export your data in a portable format
• Restrict or object to certain processing

Email gorizzysupport@gmail.com for any of these. We respond within 30 days. You also have the right to lodge a complaint with the Romanian data protection authority (ANSPDCP) at dataprotection.ro.

go-rizzy is for adults 18 and over. We don't knowingly collect data from anyone under 18. If you find out a minor is using the platform, email us and we'll close the account.

We use:

• Auth cookies from Supabase to keep you logged in.
• Mobile-detection cookie (gz-mobile) set by our middleware to route you to the correct layout.
• Local storage flags for UX state: rules popup seen, current phone-skin streak, etc.

We don't use third-party analytics, advertising, or tracking cookies.

We use HTTPS everywhere, hash all secrets, lock down access with server-side authorization, and host on managed providers with their own security programs. That said: no system is bulletproof. If you spot a vulnerability, please report it to gorizzysupport@gmail.com before disclosing publicly.

We may update this policy. The "last updated" date at the top shows when. Material changes get an in-app notice. Continued use after a change means you accept it.

Privacy questions, data requests, or anything else: gorizzysupport@gmail.com.