What we collect.
What we don't.
The short version is on the cards. The full, binding policy follows. Rivala is operated by Maina Labs S.A.S. (Colombia), and we treat your data the way we'd want ours treated.
What we collect.
Your email, language, country, device and your picks — plus your Rivalacoins balance. Nothing else by default.
What we use it for.
Running your account, ranking your picks, syncing across devices and sending match notifications.
What we never do.
Sell your data. Share it with sportsbooks. Track you across other sites for our own profit.
Your rights.
Export everything as JSON, correct it, or delete it in one click. GDPR, CCPA, LGPD and Colombia's Ley 1581 all apply.
Cookies & ads.
One session cookie keeps you signed in. Analytics and ads load only with your consent, through Google's certified consent platform.
Who we are
Maina Labs S.A.S., NIT 902.054.153-2, with registered offices in Cajicá, Cundinamarca, Colombia ("Rivala", "we", "us"), is the data controller responsible for processing the personal data described in this policy. For any privacy matter you can reach us at privacy@rivala.io.
Scope
This policy explains how we collect, use, share and protect personal data when you use the Rivala website, mobile apps and related services. It applies to all users, wherever they are, and is layered on top of the rights granted by your local law.
Data we collect
We collect only what we need to run the game:
- Account data: email address, username and an encrypted password (handled by our authentication provider).
- Profile and preferences: language, country, time zone and notification settings.
- Gameplay data: your predictions and picks, points, Rivalacoins balance and league membership.
- Technical data: device type, app version, approximate country derived from your IP, and diagnostic or crash logs.
- Communications: messages you send us, e.g. support or data requests.
How we use your data and our legal bases
We process your data to: (a) provide and operate the service and your account — performance of our contract with you; (b) send match notifications and service messages — contract or your consent; (c) keep the platform secure and prevent fraud or abuse — our legitimate interest and legal obligations; (d) measure traffic through analytics — your consent; (e) show advertising — your consent; and (f) comply with the law and respond to lawful requests — legal obligation. Where we rely on the GDPR, these correspond to Article 6(1)(a), (b), (c) and (f).
Consent and Google's CMP
Where the law requires it (the EEA, the UK, California and other regulated regions), analytics and advertising load only after you give consent through Google's certified Consent Management Platform (Funding Choices), which complies with the IAB Transparency & Consent Framework v2.2 and applicable US privacy signals. You can review or change your choices at any time. If you decline, the app keeps working: analytics do not load and ads, if any, are served without personalization.
Advertising
Rivala plans to show rewarded advertising through Google AdMob. With your consent, ads may be personalized. Without consent, ads are served in non-personalized mode (npa) or not at all. We never share your predictions, account identifiers or Rivalacoins activity with advertisers for targeting.
Who we share data with
We use a small set of trusted service providers (processors) who act on our instructions:
- Supabase — authentication, database and storage.
- Vercel — website hosting and privacy-respecting traffic analytics.
- Google — AdMob advertising and the consent platform (subject to your consent).
- Email and push-notification providers — to deliver account and match messages.
International data transfers
We operate from Colombia, and some of our providers process data in the United States and the European Union. When data leaves your country, we rely on appropriate safeguards — such as the EU Standard Contractual Clauses, adequacy decisions, and the cross-border transfer rules of Colombia's Ley 1581 of 2012 — to protect it.
How long we keep it
We keep your personal data while your account is active and for a limited period afterwards. When you delete your account, we delete or irreversibly anonymize your data, except where we must retain certain records to comply with a legal obligation or to resolve disputes.
Your rights
Depending on where you live, you have the right to access, correct, delete, port, object to or restrict the processing of your data, and to withdraw consent at any time. Under the CCPA/CPRA you can also opt out of any "sale" or "sharing" of personal information — note that Rivala does not sell your data. You can exercise these rights in three ways: the self-service export and delete tools inside the app, the /data-request page, or by emailing privacy@rivala.io. You also have the right to lodge a complaint with your data protection authority — the Superintendencia de Industria y Comercio (SIC) in Colombia, your local supervisory authority in the EU/UK, or the ANPD in Brazil.
Security
We protect your data with encryption in transit, hashed passwords and strict access controls. No system is perfectly secure, but we work to keep your data safe and will notify you and the relevant authority if a breach legally requires it.
Children
Rivala is intended for users aged 18 and over and we do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact privacy@rivala.io and we will delete it.
Changes to this policy
If we make a material change to this policy, we will notify you in-app and by email at least 30 days before it takes effect. The "last updated" date above always reflects the current version.
Contact
Maina Labs S.A.S. — Cajicá, Cundinamarca, Colombia. Privacy enquiries and rights requests: privacy@rivala.io. General contact: contact@rivala.io.