Privacy Policy

Effective Date: 4 June 2026  |  Version 1.5  |  doublepik.com/privacy

Introduction

We built DoublePik for football fans — a place to predict scores, compete with friends, and see how your instincts hold up against the world. We take your privacy as seriously as you take your predictions.

This Privacy Policy explains what personal data we collect when you use DoublePik, why we collect it, how we use it, how long we keep it, and what rights you have over your data.

DoublePik is operated by Ruba Odeh, trading as DoublePik (‘we’, ‘us’, ‘our’), an individual based in the United Arab Emirates. You can contact our Data Protection Officer at [email protected].

This policy applies to all users of the DoublePik mobile application (iOS and Android), the DoublePik web application, and any related services. By creating an account and using DoublePik you agree to the collection and use of your data as described in this policy.

1. Data We Collect

We collect the following categories of personal data:

1.1 Account Data

When you create a DoublePik account we collect:

  • Email address — used to identify your account, send notifications, and process data requests
  • Username — your public display name on leaderboards, pools, and the Lounge
  • Date of birth — used to verify minimum age requirements
  • Nationality — used to personalise your experience and display your flag on leaderboards
  • Password — stored as a one-way cryptographic hash; we never store your password in plain text

1.2 Profile Data

Data you choose to add to your profile:

  • Status chant — optional short message shown on your public profile
  • Favourite team — selected per tournament, shown beside your name on leaderboards
  • Profile icon, border, and background — cosmetic choices purchased or selected in the Shop

1.3 Gameplay Data

Data generated by your use of DoublePik’s core features:

  • Match predictions — the scores you submit for each match
  • Tournament picks — your predicted Winner, Runner-up, and Third Place for each tournament
  • DoublePik selections — which matches you chose to double your points on
  • Prediction outcomes — ACE, STRIKE, HIT, or BUST results for each prediction
  • Points and rankings — your total points and leaderboard position per tournament and pool
  • Pool memberships — which pools you have created or joined and your role within them

1.4 Communications Data

  • Pool chat messages — messages you send within pool chat. Retained for 12 months after the pool's tournament closes, then permanently deleted.
  • Showdown emoji reactions — real-time reactions sent in 1v1 Showdown battles. These are transmitted between users in real time and are not stored permanently on our servers.

1.5 Payment and Transaction Data

DoublePik uses a token-based virtual currency system. Real-money in-app purchases (IAP) are not available in the current version — tokens are earned through daily login rewards only. This section describes our planned data practices for when IAP is introduced in a future version. When you make in-app purchases we collect:

  • Token purchase history — what you purchased and when
  • In-app purchase receipts — verified by Apple App Store or Google Play
  • Token wallet balance and transaction ledger

We do not collect, store, or process your payment card details. All payment processing is handled directly by Apple App Store and Google Play. We only receive a confirmation of successful purchase.

1.6 Technical Data

  • Device push tokens — used to send push notifications to your device via Expo's push notification service (which uses Apple APNs for iOS and Google FCM for Android). Deleted on logout or when the token expires.
  • Push notification logs — a record of notifications sent to your device. Retained for 90 days then deleted.
  • Server access logs — standard server logs for security monitoring. Retained for 90 days then deleted.
  • Error logs — anonymised application error reports via Sentry. Retained for 90 days.

1.7 Data We Do Not Collect

DoublePik does not collect or store:

  • Payment card numbers, bank account details, or financial credentials
  • Precise location data or GPS coordinates
  • Biometric data
  • Contacts or address book data
  • Camera or microphone data
  • Browsing history outside of DoublePik — note: third-party advertising pixels on doublepik.com (Meta, TikTok, X) may correlate your activity across other sites that use the same pixels. We do not receive that browsing data ourselves. See Sections 1.8 and 8 for details.

1.8 Advertising and Analytics Data

When you use DoublePik’s web application (doublepik.com) and consent to marketing cookies, we share certain data with our advertising platforms (Meta, TikTok, X) so that we can measure ad campaign performance and improve our marketing. The data shared with each platform may include:

  • Pages visited on doublepik.com
  • Buttons clicked (such as App Store and Google Play download buttons)
  • Pool invite link engagement (when you arrive via a /pools/join invite link)
  • Technical context: IP address, browser user agent, screen size, language, timezone
  • Advertising identifiers set by each platform's cookies

No personal account data is shared with advertising platforms. Specifically, we do not share your email address, username, date of birth, predictions, points, or pool memberships with Meta, TikTok, or X.

Each platform processes this data under its own privacy policy. See Section 5 for service provider details and Section 8 for opt-out instructions.

2. How We Use Your Data

We use the data we collect for the following purposes, under the following legal bases:

Purpose | Data Used | Legal Basis
Provide the DoublePik service — predictions, leaderboards, pools, Lounge | Account data, gameplay data, pool data | Contract performance
Display your profile and scores to other users | Username, favourite team, profile cosmetics, points, outcomes | Contract performance
Send you match reminders, result notifications, and pool alerts | Email address, device token, notification preferences | Contract performance / Legitimate interest
Process token purchases and maintain your wallet balance | Transaction ledger, purchase receipts | Contract performance / Legal obligation
Maintain competitive integrity — leaderboards, rankings, prediction history | Gameplay data, points, outcomes | Legitimate interest
Moderate pool chat messages, chants, and user reports — handled by the DoublePik moderation team via internal tools | Pool chat messages flagged by other users, chant text flagged by other users, user reports | Legitimate interest
Security monitoring and fraud prevention | Server access logs, device tokens | Legitimate interest
Comply with financial record-keeping obligations | Transaction ledger, purchase receipts | Legal obligation
Respond to your data access, portability, or deletion requests | Account data, all data categories | Legal obligation
Improve and debug the app | Anonymised error logs and analytics | Legitimate interest
Measure advertising campaign performance and optimise marketing on Meta, TikTok, and X | Advertising and analytics data (Section 1.8) | Consent (via cookie banner)

3. How Long We Keep Your Data

We retain your data only as long as it is needed for the purposes described in this policy.

Data Category | Retention Period | Reason
Active account data | While your account is active | Core product data
Prediction history, points, rankings | While your account is active | Competitive integrity
Tournament picks | While your account is active | Part of competitive record
Pool membership history | While your account is active | Competitive record
Pool chat messages | 12 months after pool's tournament closes | Limited purpose after tournament ends — then permanently deleted
Wallet transaction ledger and purchase receipts | 7 years from transaction date | Financial record-keeping — UAE Commercial Transactions Law
Push notification logs | 90 days | Operational monitoring only
Device push tokens | Deleted on logout or token expiry | No purpose in retaining stale tokens
Server access logs | 90 days | Security monitoring — automatic purge
Error logs (Sentry) | 90 days | Debugging — no personal data after this
Anonymised analytics | Indefinite | No personal data — fully anonymised
Deleted account data | Deleted immediately on account deletion — personal identifiers removed, competitive records anonymised | Allows recovery of accidental deletions — see Section 4.3
Deletion request records | 3 years after completion | Legal compliance audit trail
Data export request records | 1 year after completion | Compliance audit trail

4. Your Rights

Depending on where you are located, you have the following rights over your personal data. We will respond to all requests within 30 days. You can exercise most rights directly within the app. For other requests, contact our Data Protection Officer at [email protected].

4.1 Right to Access

You have the right to request a copy of all personal data we hold about you. To request your data, contact us at [email protected]. We will respond within 30 days and provide your data in JSON format via a secure download link that expires 48 hours after generation.

4.2 Right to Rectification

If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. You can update most data directly within the app from Settings → Edit Profile.

4.3 Right to Erasure (Right to Be Forgotten)

You have the right to request deletion of your account and personal data at any time. You can do this directly within the app from Settings → Delete Account.

What happens when you delete your account:

  • Account deletion is immediate and permanent. Once you confirm deletion in Settings → Delete Account, your account is deleted instantly — there is no grace period or cancellation window.
  • Your personal identifiers (email, username, date of birth, nationality, chant, cosmetics) are removed immediately. Your prediction history and competitive record are anonymised and attributed to 'Deleted User' to preserve leaderboard integrity.
  • Pool chat messages are deleted permanently.
  • Financial transaction records are retained in anonymised form for 7 years as required by UAE Commercial Transactions Law.

Note: We retain anonymised prediction and leaderboard records after account deletion to preserve the integrity of tournaments and pools that other users depend on. Personal identifiers are fully removed — only the competitive record is retained in anonymised form. This retention is based on our legitimate interest in maintaining fair and accurate competitive records (GDPR Article 17(3)(b)). If you have concerns about this approach, please contact us at [email protected].

4.4 Right to Data Portability

You have the right to receive a copy of your personal data in a structured, machine-readable format (JSON). Your export will include: account information, complete prediction history, tournament picks, pool memberships, wallet transaction history, and notification preferences.

To request an export, contact us at [email protected]. We will provide a secure download link within 30 days. The link expires 48 hours after generation.

4.5 Right to Object and Restrict Processing

You have the right to object to processing of your personal data where we rely on legitimate interest as our legal basis. You also have the right to request that we restrict processing of your data in certain circumstances. To exercise these rights, contact us at [email protected].

4.6 Right to Opt Out of Marketing

We may send you promotional push notifications if you have opted in to promotional offers in your notification settings. You can opt out at any time from Settings → Notification Settings → Promotional Offers.

For the DoublePik web application, EU/UK users can opt out of advertising tracking via the cookie consent banner displayed on first visit. You can manage your cookie preferences at any time by clicking ‘Customize’ in the banner or by clearing your browser cookies for doublepik.com. Choosing ‘Reject all’ or unchecking the Marketing category prevents Meta, TikTok, and X pixels from loading.

4.7 How to Exercise Your Rights

  • Email: [email protected] (Data Protection Officer)
  • Response time: within 30 days of receipt
  • Identity verification: we may ask you to verify your identity before processing your request

5. Who We Share Your Data With

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share data only with the following service providers who process it on our behalf, under strict contractual obligations:

Service Provider | Purpose | Data Shared | Location
Supabase | Database hosting (PostgreSQL) | All user and gameplay data | EU — Frankfurt
Hetzner | Server infrastructure | Server access logs | EU
Firebase / FCM (Google) | Push notifications | Device tokens, notification content | EU
Sentry | Error monitoring | Anonymised error logs and performance metrics only — no user IDs or personal identifiers are sent to Sentry | EU
Apple App Store / Google Play | In-app purchase processing | Purchase confirmation only — we never receive payment card data | Apple / Google infrastructure
Resend | Transactional email delivery (account verification, support responses) | Email address only | EU (Ireland)
Cloudflare R2 | Asset storage and CDN delivery for user cosmetic items (avatars, borders, backgrounds, stickers) | Public cosmetic asset files only — no personal data | EU (Eastern Europe)
Meta Platforms, Inc. (Meta Pixel) | Advertising campaign attribution and measurement on the doublepik.com website (when marketing cookies are consented to) | Web page views, button clicks, technical context (IP, user agent, etc.). No account data. | Global (US primary)
TikTok / ByteDance Ltd. (TikTok Pixel) | Advertising campaign attribution and measurement on the doublepik.com website (when marketing cookies are consented to) | Web page views, button clicks, technical context. No account data. | Global (Singapore / US / EU mix)
X Corp. (X Universal Website Tag) | Advertising campaign attribution and measurement on the doublepik.com website (when marketing cookies are consented to) | Web page views, button clicks, technical context. No account data. | Global (US primary)

We may also disclose your data if required to do so by law, court order, or regulatory authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of DoublePik, its users, or others.

6. International Data Transfers

DoublePik is operated from the UAE. Your data is stored on servers located in the EU (Supabase on Hetzner). Data transfers between the UAE and the EU are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, which satisfy both UAE PDPL and GDPR cross-border transfer requirements.

All service providers are contractually bound by Data Processing Agreements that require them to protect your data to at least the standard required by GDPR.

In addition, when you consent to marketing cookies on doublepik.com, advertising and analytics data (Section 1.8) is transferred to the global infrastructure of Meta, TikTok, and X. These providers operate Data Processing Agreements and Standard Contractual Clauses that satisfy GDPR and UAE PDPL cross-border transfer requirements.

7. Minimum Age

DoublePik requires users to be at least 13 years old to create an account. DoublePik is a general audience sports prediction platform — not a service directed at children. The social features within the app (pool chat, Showdown) are secondary to its primary purpose of football prediction and competition.

Local age requirements — important note for users in certain countries:

While DoublePik’s global minimum age is 13, some countries require a higher minimum age for digital services:

  • Germany, Netherlands, Hungary, Lithuania, Luxembourg, Slovakia — minimum age 16
  • France — minimum age 15
  • Canada — minimum age 14
  • Austria, Bulgaria — minimum age 14

If you are located in one of these countries, you must comply with your local minimum age requirement. By creating an account you confirm that you meet the minimum age requirement applicable in your country.

Users under 16 are strongly advised to seek parental guidance before making any in-app purchases including token purchases and Premium upgrades. In-app purchases involve real money and parents or guardians should be involved in any spending decisions made by users under 16.

If we become aware that a user under the minimum age applicable in their country has created an account, we will delete the account and all associated personal data promptly. If you believe a minor has created an account on DoublePik, please contact us at [email protected].

⚠️  Brazil — Important notice for users in Brazil

Brazilian law (effective March 2026) requires parental consent for app downloads by users under 18. DoublePik’s availability in Brazil is subject to legal review prior to launch in that market to ensure compliance with this requirement. If you are based in Brazil, please check doublepik.com for the latest information on availability in your country.

8. Cookies and Tracking

The DoublePik web application uses cookies and similar technologies to maintain your logged-in session. For EU users, cookie consent is obtained before any non-essential tracking is activated.

DoublePik uses Meta Pixel, TikTok Pixel, and X Pixel on the doublepik.com website to measure advertising campaign performance and improve our marketing. These pixels load only after you grant consent via the cookie banner on first visit. You can withdraw consent at any time — see Section 4.6 for instructions.

Cookie Type | Purpose | Essential?
Session cookie | Keeps you logged in during your session | Yes — cannot be disabled
Authentication token | Persistent login (if 'Stay signed in' is enabled) | Yes — required for Stay signed in feature
Meta Pixel | Measures campaign performance and attributes app installs to Meta advertising | No — requires marketing consent
TikTok Pixel | Measures campaign performance and attributes app installs to TikTok advertising | No — requires marketing consent
X Pixel | Measures campaign performance and attributes app installs to X advertising | No — requires marketing consent

9. Data Security

We take the security of your personal data seriously. We implement the following technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS / HTTPS
  • All data at rest is encrypted at the database level (Supabase / PostgreSQL)
  • Passwords are stored as cryptographic hashes — we cannot retrieve your password
  • Device tokens are deleted immediately on logout
  • Access to production systems is restricted to authorised team members only
  • Error monitoring (Sentry) processes only anonymised data — no personal identifiers

9.1 Data Breach Response

In the event of a confirmed data breach involving personal data, DoublePik will:

  • Contain the breach immediately and isolate affected systems
  • Notify the UAE Data Office within 72 hours of discovery (UAE PDPL requirement)
  • Notify affected EU users within 72 hours if the breach poses a high risk to their rights (GDPR requirement)
  • Notify all affected users by email within 72 hours regardless of jurisdiction
  • Document the breach and our response in an internal incident report retained for 3 years

10. Regulatory Compliance

DoublePik’s data practices are designed to comply with the following regulations:

UAE Personal Data Protection Law (PDPL)

DoublePik is operated from the UAE and is subject to the UAE PDPL. Our lawful basis for processing is contractual performance (providing the service) and legitimate interest (security and product improvement). Data breaches are reportable to the UAE Data Office within 72 hours.

EU General Data Protection Regulation (GDPR)

GDPR applies to all EU users regardless of where DoublePik operates from. We comply with GDPR as our primary design standard. If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with your local EU supervisory authority. A list of EU data protection authorities can be found at edpb.europa.eu.

UK GDPR

UK GDPR applies to all UK users. You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom
Phone: +44 303 123 1113
Website: ico.org.uk/make-a-complaint

California Consumer Privacy Act (CCPA)

CCPA applies to California users. DoublePik does not sell your personal data. You have the right to know what data we collect, the right to request deletion, and the right to opt out of sale (which does not apply as we do not sell data). To exercise CCPA rights contact [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our data practices, new features, or changes in applicable law. When we make material changes we will notify you by:

  • Sending a push notification to your device
  • Displaying an in-app notice on your next login
  • Updating the Effective Date at the top of this policy

Continued use of DoublePik after a change to this policy constitutes your acceptance of the updated terms. If you do not agree to a material change you should stop using DoublePik and delete your account.

12. Contact Us

If you have any questions about this Privacy Policy, want to exercise your rights, or wish to make a complaint, please contact our Data Protection Officer:

DoublePik — Data Protection Officer

Email: [email protected]

Individual: Ruba Odeh (trading as DoublePik)

Address: United Arab Emirates

Website: doublepik.com/privacy

We will respond to all privacy-related requests within 30 days of receipt.
