Legal · Privacy policy
Your data, under the table.
This page tells you what we collect, why, who else touches it, and how to make us stop. It is the policy required by Articles 13 and 14 of the EU General Data Protection Regulation (GDPR / Regulation 2016/679).
Last updated · 2026-05-05
Article · 01
Who we are
P4cely is operated by Francesco Romito, acting as an individual data controller (persona fisica) based in Italy. There is no legal entity behind the brand — you are dealing directly with the person who built it.
For any privacy question, request, or formal complaint, email francesco.romito01@gmail.com. We respond within thirty (30) days, sooner where the law requires.
Article · 02
What we collect
Only what we need to make the coaching product work. There is no advertising tracker on this site, no analytics pixel, no resale of data.
- Platform identity: Steam ID or Epic Online Services ID, returned by the OAuth flow you start at /login. Read-only — we never post on your behalf.
- Profile details: First name, last name, nickname, contact email — provided by you at /onboarding/profile.
- Replays: The .replay files we sync from Rocket League (via PsyNet) or that you upload manually, plus the per-frame metrics we derive.
- Account & session: Supabase auth cookies (strictly necessary), session JWT, last-seen timestamp.
- Billing: Subscription status and Stripe customer/subscription IDs. Card numbers and any payment instrument live exclusively at Stripe — we never see them.
- Technical logs: Server-side request logs (IP address, user agent, route, status code), retained for security and abuse triage.
Article · 03
Why we collect it (legal basis)
- Performance of contract (GDPR art. 6.1.b) — providing the service you signed up for: identity, replays, profile, account, and Pro subscription if you purchase one.
- Legal obligation (art. 6.1.c) — billing records and tax-relevant data we must keep for the period required by Italian/EU law.
- Legitimate interest (art. 6.1.f) — server logs for security, fraud prevention and stable operation of the queue infrastructure.
Article · 04
Who we share it with (sub-processors)
Running the service requires hosting, auth, payments, storage and an AI model. The following processors handle data on our behalf, each under a Data Processing Agreement and EU Standard Contractual Clauses where applicable:
- Supabase Inc.: Authentication, Postgres database. Region: EU (Frankfurt). DPA published.
- Stripe, Inc.: Payment processing, subscription management. Region: US, transfers under SCCs. PCI-DSS compliant.
- Cloudflare, Inc.: R2 object storage for replay files, edge networking. Region: EU/global. SCCs in place.
- Google LLC (Gemini API): Generates the natural-language coach report from match summaries. Region: US, SCCs. Inputs are not used to train Google's foundation models.
- Vercel Inc.: Frontend hosting and edge runtime for OG images. Region: EU/US.
- Fly.io, Inc.: API server, worker, internal Redis. Region: EU (CDG/AMS).
Article · 05
Transfers outside the European Economic Area
Some of our sub-processors are based in the United States. Where data leaves the EEA we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where the recipient is certified, the EU–US Data Privacy Framework. Copies of the relevant clauses are available on request.
Article · 06
How long we keep it
- Replays & derived metrics: For the lifetime of your account. Erased within thirty (30) days of account deletion.
- Profile & identity: For the lifetime of your account.
- Technical server logs: Up to thirty (30) days, then rotated.
- Billing records: Ten (10) years, as required by Italian tax law (DPR 600/1973, art. 22).
- Backups: Routine encrypted backups expire on a thirty (30) day rolling window.
Article · 07
Cookies
We use only strictly-necessary cookies — the Supabase auth session and a CSRF token. There is no analytics, no marketing tracker, and no third-party cookie. Because these cookies are essential to deliver the service, no consent banner is required under the e-Privacy Directive and Italian Provvedimento 231/2021.
Article · 08
Your rights under the GDPR
You can, at any time:
- access the data we hold about you (art. 15);
- correct anything inaccurate (art. 16);
- erase your data (art. 17) — we will purge replays, profile and identity, except billing records we must keep for tax compliance;
- receive your data in a portable format (art. 20);
- restrict or object to specific processing (arts. 18 & 21);
- withdraw any consent you previously gave, without affecting the lawfulness of processing carried out before withdrawal (art. 7).
To exercise any of these rights, email francesco.romito01@gmail.com. You also have the right to lodge a complaint with the Italian supervisory authority — the Garante per la protezione dei dati personali — garanteprivacy.it.
Article · 09
Minimum age
P4cely is not intended for children under sixteen (16). If we discover we have processed the data of a minor without verifiable parental consent, we will delete the account.
Article · 10
Changes to this policy
When we update something material — a new sub-processor, a new category of data — we will revise the date at the top of this page and, for active users, send a one-line email to the contact address on file. Continuing to use the service after the effective date counts as acknowledgement.