Legal · Privacy policy

Your data, under the table.

This page tells you what we collect, why, who else touches it, and how to make us stop. It is the policy required by Articles 13 and 14 of the EU General Data Protection Regulation (GDPR / Regulation 2016/679).

Last updated · 2026-05-14

Article · 01

Who we are

P4cely is operated by Francesco Romito, acting as an individual data controller (persona fisica) based in Italy. There is no legal entity behind the brand — you are dealing directly with the person who built it.

For any privacy question, request, or formal complaint, email francesco.romito01@gmail.com. We respond within thirty (30) days, sooner where the law requires.

Article · 02

What we collect

Only what we need to make the coaching product work. There is no advertising tracker on this site, no resale of data. If you allow optional analytics, we use Google Analytics 4 only for aggregate traffic and product-funnel measurement.

Platform identity
Steam ID or Epic Online Services ID, returned by the OAuth flow you start at /login. Read-only — we never post on your behalf.
Profile details
First name, last name, nickname, contact email — provided by you at /onboarding/profile.
Replays
The .replay files we sync from Rocket League (via PsyNet) or that you upload manually, plus the per-frame metrics we derive.
Account & session
Supabase auth cookies (strictly necessary), session JWT, last-seen timestamp.
Billing
Subscription status and Polar.sh customer/subscription IDs. Card numbers and any payment instrument live exclusively at Polar (and its underlying acquirer) — we never see them.
Technical logs
Server-side request logs (IP address, user agent, route, status code), retained for security and abuse triage.
Optional analytics
If you consent, Google Analytics 4 receives page-view and referrer metadata so we can understand aggregate acquisition and activation. No advertising features are enabled.

Article · 03

Why we collect it (legal basis)

  • Performance of contract (GDPR art. 6.1.b) — providing the service you signed up for: identity, replays, profile, account, and Pro subscription if you purchase one.
  • Legal obligation (art. 6.1.c) — billing records and tax-relevant data we must keep for the period required by Italian/EU law.
  • Legitimate interest (art. 6.1.f) — server logs for security, fraud prevention and stable operation of the queue infrastructure.
  • Consent (art. 6.1.a) — optional analytics, only after you choose to allow it in the cookie/analytics prompt. You can withdraw consent by clearing the site data in your browser.

Article · 04

Who we share it with (sub-processors)

Running the service requires hosting, auth, payments, storage and an AI model. The following processors handle data on our behalf, each under a Data Processing Agreement and EU Standard Contractual Clauses where applicable:

Supabase Inc.
Authentication, Postgres database. Region: EU (Frankfurt). DPA published.
Polar Software, Inc.
Merchant of Record for Pro subscriptions: checkout, payment processing, invoicing and VAT remittance. Region: US, transfers under SCCs. PCI-DSS compliant.
Cloudflare, Inc.
R2 object storage for replay files, edge networking. Region: EU/global. SCCs in place.
Google LLC (Gemini API + Google Analytics 4)
Generates coach reports from match summaries and, only if you consent, processes aggregate site analytics. Region: US, SCCs. Gemini inputs are not used to train Google's foundation models.
Vercel Inc.
Frontend hosting and edge runtime for OG images. Region: EU/US.
Fly.io, Inc.
API server, worker, internal Redis. Region: EU (CDG/AMS).

Article · 05

Transfers outside the European Economic Area

Some of our sub-processors are based in the United States. Where data leaves the EEA we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where the recipient is certified, the EU–US Data Privacy Framework. Copies of the relevant clauses are available on request.

Article · 06

How long we keep it

Replays & derived metrics
For the lifetime of your account. Erased within thirty (30) days of account deletion.
Profile & identity
For the lifetime of your account.
Technical server logs
Up to thirty (30) days, then rotated.
Billing records
Ten (10) years, as required by Italian tax law (DPR 600/1973, art. 22).
Backups
Routine encrypted backups expire on a thirty (30) day rolling window.

Article · 07

Cookies

We use strictly-necessary cookies for the Supabase auth session and CSRF protection. The Google Analytics tag is not loaded until you allow analytics in the prompt; even after you allow it, Google's Consent Mode v2 keeps all advertising signals (ad_storage, ad_user_data, ad_personalization) denied. We do not use advertising cookies or third-party marketing trackers.

Your choice is stored locally under p4cely:analytics-consent. You can revisit or withdraw it at any time.

Article · 08

Your rights under the GDPR

You can, at any time:

  • access the data we hold about you (art. 15);
  • correct anything inaccurate (art. 16);
  • erase your data (art. 17) — we will purge replays, profile and identity, except billing records we must keep for tax compliance;
  • receive your data in a portable format (art. 20);
  • restrict or object to specific processing (arts. 18 & 21);
  • withdraw any consent you previously gave, without affecting the lawfulness of processing carried out before withdrawal (art. 7).

To exercise any of these rights, email francesco.romito01@gmail.com. You also have the right to lodge a complaint with the Italian supervisory authority — the Garante per la protezione dei dati personali — garanteprivacy.it.

Article · 09

Minimum age

P4cely is not intended for children under sixteen (16). If we discover we have processed the data of a minor without verifiable parental consent, we will delete the account.

Article · 10

Changes to this policy

When we update something material — a new sub-processor, a new category of data — we will revise the date at the top of this page and, for active users, send a one-line email to the contact address on file. Continuing to use the service after the effective date counts as acknowledgement.