Privacy Policy (App)

In this Privacy Policy, we inform you about the processing of personal data and about the access and storage of information on your device when you use OneFootball app.

In addition to this Privacy Policy for our app, we also have a Privacy Policy for the OneFootball website.

Content of this Privacy Policy:

1. Controller and Contact Person

2. Download from an App Store

3. Data Processing by Our App

4. Use of tools

5. Online Presence in Social Networks

6. Data Disclosure

7. Data Transfer to Third Countries

8. OneFootball Partner Marketing

9. Token Airdrop / Airdrop Claim

10. 1F Predict

11. Storage Duration

12. Your Rights, Particularly Withdrawal and Objection

13. Changes to the Privacy Policy

1. Controller and Contact Person

The contact person and so-called controller for the processing of your personal data when using this app within the meaning of the General Data Protection Regulation (GDPR) is

OneFootball GmbH

Donaustraße 44

12043 Berlin

Germany

If you have any questions about data protection in connection with the use of our website, our app, OneFootball support and the OneFootball TV app (hereinafter referred to as OneFootball services), you can also contact our external data protection officer at any time. This can be contacted at the above postal address and by email at privacy@onefootball.com (keyword: "Attn: Data Protection Officer"). We expressly point out that when using this e-mail address, the contents are not exclusively taken note of by our data protection officer. If you wish to exchange confidential information, we therefore ask that you first contact us directly via this e-mail address.

2. Download from an App Store

In order to download and install the OneFootball app from an app store (Google Play, Apple AppStore or another app store via your SmartTV), you may first have to register for a user account with the provider of the respective app store and conclude a corresponding user agreement. We have no influence on the content of this contract; in particular, we are not a party to such a user contract. When you download and install the app, the necessary information is transmitted to the respective provider of the app store (e.g. Google or Apple), in particular your user name, your email address and the customer number of your app store account, the time of the download and the individual device identification number. We have no influence on this data collection and we are not responsible for it. We only process the data provided to the extent necessary for downloading and installing the app on your mobile device (e.g. iPhone, iPad or Android device). We do not store this data for any other purpose.

3. Data Processing by Our App

3.1 App Access Data When Using Our App

When you use the OneFootball app, we collect the following technical data to enable the functions of the OneFootball app, which is automatically collected from your mobile device and transmitted to us when you use it.

The following app access data is automatically recorded each time the OneFootball app is used:

  • Date and time of use

  • Your device name (e.g. "Apple iPhone 14" or "Samsung Galaxy S9")

  • Operating system and version as well as information on screen resolution

  • App version and application ID to identify your app installation

  • General device data, such as language and regional settings

  • IP address of the end device

  • Details of the approximate location from which you are using our app

To improve the app, the OneFootball app also sends us error messages after a crash (i.e. after the OneFootball app was unexpectedly terminated due to a program error or it no longer responded to your inputs). The error messages do not contain any personal data, but only the aforementioned technical app access data and information about which part of the OneFootball app software code caused the error. The IP address of your end device is not transmitted.

The app access data is generally recorded in internal log files for a period of three months after the end of the respective access and then anonymized, unless otherwise specified in this privacy policy.

The data processing of this connection data is absolutely necessary to enable the use of the app, to ensure the permanent functionality and security of our systems and to maintain our app in general administrative terms. The connection data is also stored in internal log files for the purposes described above, temporarily and limited in content to what is absolutely necessary, in order to find the cause and take action in the event of repeated or criminal calls that jeopardize the stability and security of our services.

The legal basis for this processing is Art. 6 para. 1 lit. b GDPR if the app is used in the course of the initiation or performance of a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in enabling the app service and the permanent functionality and security of our systems.

3.2 Push Notification on Mobile Devices

In order to be notified of certain events and topics on mobile devices via push notifications (also called "notifications" by iOS), you must grant the OneFootball app the necessary authorization. When you open the OneFootball app for the first time and register or log in, you will be asked for this authorization. You can adjust the permissions for push notifications in the settings of your operating system or switch push notifications on or off later.

On iOS, you can switch this setting on or off under "Settings" under the menu item "Messages".

On Android, you can find this setting under "Settings" under the menu item "Apps" (or "Application Manager"). After selecting the OneFootball app, you can switch push notifications on or off here.

3.3 Contact Information

You have various options for getting in touch with us. These include the contact form and the e-mail address feedback@onefootball.com. In this context, we process your data exclusively for the purpose of communicating with you.

The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as your details are required to answer your inquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in you contacting us and us being able to answer your inquiry.

The data collected by us when you contact us will be automatically deleted after your request has been fully processed, unless we still need your request to fulfill contractual or legal obligations (see section 9 "Storage period").

3.4 Registration

You have the option of registering with an account for our login area in order to be able to use the full range of functions of our services. We have highlighted the data you are required to enter as mandatory fields. Registration is not possible without this data.

An e-mail address and password are required.

The following data may be processed as part of the registration process:

  • Salutation, Gender (optional);

  • First and Last name (optional);

  • Date of Birth (optional);

  • Profile Picture (optional)

The legal basis for processing the data required for registration (mandatory fields) is Art. 6 para. 1 lit. b GDPR. For all other data, the legal basis is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to enable you to customize, adapt and change your account, or your consent pursuant to Art. 6 para. 1 lit. a GDPR, insofar as you have given us this.

Our app offers you the option of logging in with an existing account from the social networks listed below:

  • Facebook Login: Meta Platforms Ireland Ltd, Serpentine Avenue, Block J, Dublin 4, Ireland (for persons outside the USA and Canada) or Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, USA (for persons from the USA and Canada) - Privacy Policy: https://www.facebook.com/privacy/policy/;

  • Google Sign-In for Websites: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for persons from the European Economic Area and Switzerland) or Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (for all other persons) - Privacy Policy: https://policies.google.com/privacy;

  • Register with Apple: Apple Distribution International ltd, Hollyhill Industrial Estate, Hollyhill Cork, Republic of Ireland (for persons from the European Economic Area and Switzerland) or Apple Inc, One Apple Park Way, Cupertino, CA 95014, USA (for all other persons). 

  • Firebase: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for persons from the European Economic Area and Switzerland) or Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (for all other persons) - Privacy Policy: https://policies.google.com/privacy.

Once you have logged in with one of your existing accounts, additional registration is no longer required. If you want to use the function, you will first be redirected to the relevant social network. There you will be asked to log in with your login name and password. We do not, of course, take any notice of this login data. The server to which a connection is established may be located in the USA or in other third countries.

By confirming the corresponding log-in button, the relevant social network learns that you have logged into your account on our site and links your social network account with your account in our app. The following data is also transmitted to us:

  • Facebook login: e-mail address, public profile information (in particular Facebook ID, name, profile picture), possibly other profile information such as age, date of birth, Facebook friends, gender, place of residence, like information, profile URL, locations, posts, photos, videos; cookies used in particular: "_fbsr";

  • Google Sign-In for Websites: Email address, Google ID, name, profile picture URL, gender and date of birth,

  • Sign in with Apple: E-mail address (you can also choose the e-mail address of an Apple Relay service), Apple ID

  • Firebase: e-mail address

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by Meta, Google and Apple to the USA and processed there. Meta Platforms Inc. and Google LLC have joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR. Apple is obliged by standard contractual clauses to comply with the level of data protection in the EU.

3.4.1 Use Without Registration

You can use essential functions of our platform without registering. However, the use of these basic functionalities, such as specifying a favorite team and tracking clubs, leagues, associations and players, as well as displaying soccer results and content, requires the processing of personal data.

In order to be able to use the basic functions, we generate a device-specific identification number (pseudonym) when the app is opened for the first time. Information such as the operating system, IP address and server request time is also processed for the technical display of content. The IP addresses are deleted or anonymized after processing, whereby the location is only determined up to the geographical level of the country.

The data in the technical logs are analyzed anonymously in order to improve our platform and correct possible errors. The data processing is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to show you content based on your interests (namely clubs, leagues, associations and players).

3.4.2 Settings in the User Account and Operating System

In the privacy settings of the user account, under "Personalized advertising and content, measurement of advertising and content, target group research and development of services", you can specify whether you wish to receive customized advertising.

Personalized advertising will only be displayed if you as a user have reached the required age. The required age varies depending on the country in which you are located and the legal requirements for personalized advertising that apply there.

On mobile devices, you can also deactivate the advertising ID of the respective device and thus prevent personalized advertising. On Android, the Google advertising ID can be reset or deactivated under the settings of the Google account used. On iOS, the IDFA can be reset under the Privacy menu item in the settings ("Reset Ad ID"); this creates a new ID that is not merged with the previously collected data. If you activate the "No ad tracking" option, we can only take limited measures, such as determining unique usage ("unique user") or combating fraud.

3.5 Orders

During an order process (e.g. pay-per-view), we collect the mandatory data required for contract processing:

  • Salutation;

  • First and last name;

  • Date of birth;

  • E-mail address;

  • Billing address;

  • Payment information (e.g. IBAN, credit card, etc.);

  • Phone number

The legal basis for processing is Art. 6 para. 1 lit. b GDPR.

3.6 Newsletter

You have the option of subscribing to our newsletter, in which we regularly inform you about new products and promotions.

3.6.1 Subscribing to the Newsletter

We use the so-called double opt-in procedure to subscribe to our newsletter, i.e. we will only send you newsletters by e-mail if you confirm in our notification e-mail by clicking on a link that you are the owner of the e-mail address provided. If you confirm your e-mail address, we will store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The sole purpose of this storage is to send you the newsletter and to be able to prove your registration. In addition, we measure whether our newsletter can be delivered at all.

The legal basis for processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future by unsubscribing from the newsletter. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient.

3.6.2 Newsletter Tracking

We want to share content that is as relevant as possible for our users via our newsletter and better understand what they are actually interested in. We therefore use standard market technologies in our newsletters to measure interactions with the newsletters (e.g. opening of the email, links clicked on). We use this data in pseudonymous form for general statistical evaluations and to optimize and further develop our content and user communication. On the one hand, this is done with the help of small graphics embedded in the newsletter (so-called pixels), which establish a connection to the server of the images when the email is opened. On the other hand, we use links where we first register a click on this link and only then forward it to the desired target page.

The legal basis for this is your consent in accordance with Art. 6 para. 1 lit. a GDPR. The information in the end device is then accessed on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. You can revoke your consent to the analysis of user behavior at any time with effect for the future by unsubscribing from the newsletter. You can also prevent the measurement of the opening of an email by deactivating graphics or the output of HTML content in your email program by default.

The data on the interaction with our newsletters is stored pseudonymously for 90 days and then completely anonymized.

3.7 Existing Customer Advertising via E-Mail

If you register with us or make a purchase from us, we will also use your contact details to send you further information about our products and services that is relevant to you by email ("existing customer advertising"). This may include, in particular, news, promotions and offers as well as feedback and other surveys.

The legal basis for this data processing is Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 UWG, according to which data processing is permitted to safeguard legitimate interests, insofar as this concerns the storage and further use of the data for advertising purposes. You can object to the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the contact details given above (e.g. by email or letter) without incurring any costs other than the transmission costs according to the basic rates.

3.8 Surveys

You have the opportunity to take part in one of our surveys. We use the results of these surveys to improve our service. The legal basis for data processing when participating in the survey is your consent in accordance with Art. 6 para. 1 lit. a GDPR. We base the sending of the surveys on your consent in accordance with Art. 6 para. 1 lit. a GDPR, provided you have given us this consent.

We use the information and survey responses you provide to better understand your interests and preferences. For this purpose, we analyze your responses to provide you with targeted advertisements that are tailored to your preferences and activities.

This processing of your data is carried out in accordance with the applicable data protection laws. You have the option at any time to object to receiving personalized advertising or to withdraw your consent to the processing of survey results for advertising purposes. 

In addition, you can object to the sending of a satisfaction survey and the use of your data for advertising purposes at any time by clicking on the corresponding link in the e-mails or by sending a message to the above-mentioned contact details (e.g. by e-mail or letter) or revoke your consent with effect for the future without incurring any costs other than the transmission costs according to the basic rates.

3.9 Competitions

You can take part in our competitions. In the context of competitions, we use your data for the purpose of running the competition and notifying you of the prize. Detailed information can be found in the conditions of participation for the respective competition or the data protection information. The legal basis for processing is the competition contract (sometimes also referred to as "conditions of participation") in accordance with Art. 6 para. 1 lit. b GDPR. Data processing for other or further purposes, in particular for advertising, is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.

We base the sending of the offer to participate in the competition on your consent in accordance with Art. 6 para. 1 lit. a GDPR, provided you have given us this consent.

You can object to the sending of an offer to participate in competitions and the use of your data for advertising purposes at any time by using a corresponding link in the e-mails or by sending a message to the contact details above (e.g. by e-mail or letter) or revoke your consent with effect for the future without incurring any costs other than the transmission costs according to the basic rates.

3.10 Job Applications

You can find the privacy policy for job applications here.

3.11 Fan Shop

3.11.1 Data collection and transfer to sellers

You can purchase products from third parties in our FanShop. The selection and display of products are not contextual and do not involve profiling. The seller’s information is available on the product page. We will forward your order, including the personal information collected during the order process and your email address, to the seller.

The seller will then process this data independently to fulfill your order and for commercial purposes, such as accounting and record-keeping. We will receive updates from the seller about the delivery status to ensure the contract fulfilment and, if applicable, about any cancellation. The legal basis for the data processing is the performance of the contract (Art. 6 I 1 lit. b DSGVO).

More information about the sellers and links to their privacy policies can be found at the following links:

Name: eleven teamsports GmbH, Germany

Address: https://www.11teamsports.com/de-de/11teamsports/impressum/

Privacy Information: https://www.11teamsports.com/de-de/informationen/datenschutz/

3.11.2 Data Collection by the Payment Service Provider

A payment service provider is involved in the payment process. We transmit the order information, including the personal information collected during the order process (name, address, email, phone number) to this provider as necessary for payment processing. The payment service provider then independently collects your payment data (e.g., credit card number). This data is not shared with OneFootball or the seller; we only receive confirmation of successful payment. In the case of a cancellation or other valid return, any refund will also be processed through the payment provider. The legal basis for this is contract fulfillment (Art. 6 I 1 lit. b DSGVO).

The payment service provider may offer various payment methods at checkout. Depending on the selected method, it may share certain data with the respective third-party payment service provider (e.g. Klarna AB or PayPal S.à r.l.) in order to process the payment. These third-party providers are solely responsible for any further processing of the data. 

For further information, please refer to the payment provider's privacy information:

Stripe Payments Europe Ltd., Ireland

Address: https://stripe.com/de/legal/imprint

Privacy Information: https://stripe.com/de/privacy

4. Use of tools

4.1 Technologies Used

The app uses various services and applications (collectively "tools") that are offered either by us or by third parties. These include, in particular, tools that use technologies to store or access information in the end device:

  • Cookies: Information stored on the end device, consisting in particular of a name, a value, the storing domain and an expiration date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the specified expiration date. Cookies can also be removed manually.

  • Web storage (local storage / session storage): information stored on the end device, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiration date and remains stored unless a mechanism for deletion has been set up (e.g. storage of a local storage with a time entry). Information in local and session storage can also be removed manually.

  • JavaScript: programming codes (scripts) embedded or called up in the app that, for example, set cookies and web storage or actively collect information from the end device or about the usage behavior of visitors. JavaScript may be used for "active fingerprinting" and the creation of user profiles. JavaScript can be blocked by a setting in the end device, although most services will then no longer work.

  • Pixel: tiny graphic automatically loaded by a service that can make it possible to recognize visitors by automatically transmitting the usual connection data (in particular IP address, information about the browser, operating system, language, address called up and time of the call) and, for example, to determine whether an email has been opened or a website visited. With the help of pixels, "passive fingerprinting" and the creation of user profiles can be carried out. The use of pixels can be prevented, for example, by blocking images, such as in emails, although the display is then severely restricted.

  • TC-String: For providers participating in the Transparency and Consent Framework ("TCF") of the Interactive Advertising Bureau ("IAB"), user preferences recorded in a content management platform are encoded and stored in a sequence of letters and numbers, the so-called Transparency and Consent String ("TC-String"). With the help of this TC-String, providers can display targeted advertising to users.

With the help of these technologies and also by simply establishing a connection on a page, so-called "fingerprints" can be created, i.e. usage profiles that do not require the use of cookies or web storage and can still recognize visitors. Fingerprints based on the connection setup cannot be completely prevented manually.

Most browsers are set by default to accept cookies, the execution of scripts and the display of graphics. However, you can usually adjust your browser settings so that all or certain cookies are rejected or scripts and graphics are blocked. If you completely block the storage of cookies, the display of graphics and the execution of scripts, our services may not work or may not work properly.

In the following, the tools we use are listed by category, whereby we inform you in particular about the providers of the tools, the storage duration of cookies or information in local storage and session storage as well as the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can withdraw this consent.

4.2 Legal Basis and Withdrawal

4.2.1 Legal Basis

We use tools necessary for the app on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in order to provide the basic functions of our app. In certain cases, these tools may also be required for the fulfillment of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

If personal data is transferred to third countries, we refer you to Section 7 ("Data transfer to third countries"), also with regard to any associated risks. We will inform you if an adequacy decision exists for the third country in question or if standard contractual clauses or other guarantees have been concluded for the use of certain tools. If you have given your consent to the use of certain tools and the associated transfer of your personal data to third countries, we will (also) transfer the data processed when using the tools to third countries on the basis of this consent in accordance with Art. 49 para. 1 lit. a GDPR.

4.2.2 Obtaining Your Consent

To obtain and manage your consent, we use the OneTrust tool from OneTrust, LLC, 1200 Abernathy Rd, Suite 700, Atlanta, Georgia 30328 ("OneTrust") as a consent management platform ("CMP"). This generates a banner that informs you about the data processing in our app and gives you the opportunity to consent to all, individual or no data processing using optional tools. This banner appears when you open our app and when you call up your settings again to change them or revoke your consent. The banner also appears when you open our app again if you have deactivated the storage of cookies or the cookies or information in the local storage have been deleted or have expired.

When you use the app, your consents or revocations, your IP address, information about your device and the time of your visit are transmitted to OneTrust. In addition, the necessary information is stored on your device to document the consents given and revocations ("Cookielaw by OneTrust (formerly Optanaon)".

Data processing is necessary to provide you with the legally required consent management and to fulfill our documentation obligations. The legal basis is Art. 6 para. 1 lit. f GDPR, justified by our interest in fulfilling the legal requirements for consent management. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

4.2.3 Withdrawal of your Consent or changing your selection

You can withdraw your consent for certain tools, i.e. for the storage and access to information in the end device, the processing of your personal data and the transfer of your data to third countries, at any time with effect for the future. To do this, click on "Privacy settings" under "Settings". There you can also change the selection of tools you wish to consent to the use of and obtain additional information on the tools used. Alternatively, you can assert your revocation directly with the provider for certain tools.

4.3 IAB Transparency and Consent Framework

When using OneTrust, the current version of the IAB Transparency and Consent Framework ("TCF") standard is observed, which specifies conclusive categories of processing purposes and the associated legal bases. TCF also enables your decisions made in the CMP, such as consents, revocations and objections, to be forwarded directly to the providers of the technologies in the CMP. The so-called TC string is used for this purpose. This ensures that your current request is always observed and complied with by the providers.

The following user data is transmitted to OneTrust when using the app: consents, revocations and objections, IP address, information about the browser, end device and the time of the visit.

4.4 Essential Tools

We use certain tools to enable the basic functions of our website ("essential tools"). These include, for example, tools to prepare and display website content, to manage and integrate tools, to provide payment processing services, to detect and prevent fraud and to ensure the security of our website. Without these tools, we would not be able to provide our service. Therefore, essential tools are used without consent.

The legal basis for essential tools is the necessity to fulfill our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in the provision of the respective basic functions and the operation of our app. In cases where the provision of the respective functions is necessary for the performance of a contract or for the implementation of pre-contractual measures, the legal basis for data processing is Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

4.4.1 Own Tools

We use our own necessary tools that access information in the end device or store information on the end device, in particular:

  • for login authentication,

  • for load distribution,

  • to save your language settings,

  • to note that information placed on our website has been displayed to you - so that it will not be displayed again the next time you visit the website.

4.5 Functional Tools

We also use optional tools to improve the user experience of our app and to offer you more functions ("functional tools"). Although these are not absolutely necessary for the basic functions of the app, they can offer users considerable advantages, particularly in terms of user-friendliness and the provision of additional communication, display or payment channels. This can include, in particular, the integration of external content such as maps and videos as well as logging in via an existing social network account or, for example, a comment function.

The legal basis for the functional tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. To withdraw your consent, see 4.2.3: "Withdrawing your consent or changing your selection".

In the event that personal data is transferred to third countries, we refer to Section 7 ("Data transfer to third countries") in addition to the information provided below.

4.6 Analysis Tools

In order to improve our services, we use optional tools to recognize visitors and to statistically record and analyze general usage behavior based on access data ("analysis tools"). We also use analysis services to evaluate the use of our various marketing channels. The usage information collected is processed and enables us to understand the usage habits of our users. This helps us to adapt and optimize the design of our website and app and to make the user experience more pleasant.

The legal basis for the analysis tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. To withdraw your consent, see 4.2.3: "Withdrawing your consent or changing your selection".

In the event that personal data is transferred to third countries, we refer to Section 7 ("Data transfer to third countries") in addition to the information provided below.

4.7 Marketing Tools

We also use optional tools for advertising purposes ("marketing tools"). Some of the access data collected when you use our app is used to create usage profiles, which in particular store your usage behavior, the advertisements you have viewed or clicked on and, based on this, the classification into advertising categories, interests and preferences. By analyzing and evaluating this access data, we are able to present you with personalized advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and in our app and on the websites and services of other providers. We also analyse your usage behaviour in order to recognize you on other sites and to address you in a personalized manner based on your use of our site (so-called retargeting). In addition, we evaluate the effectiveness and success of our advertising campaigns (in particular so-called conversions and leads).

Additionally, we conduct surveys to better understand your interests and preferences, allowing us to continuously improve our services and products and ensure a personalized user experience. The information collected through these surveys is used to create and enhance usage profiles, enabling personalized advertising. Before participating in a survey, you will be informed about the purpose of data processing and must provide explicit consent. Participation in these surveys is voluntary. For more information on surveys, please refer to Section 3.8 of this Privacy Policy.

The legal basis for processing is your consent pursuant to Art. 6 (1) (a) GDPR. You can withdraw your consent at any time with future effect by contacting us via the contact details provided above (e.g., by email or letter). This will incur no costs beyond the basic transmission fees

Marketing tools also include optional social network tools that are used to share posts and content via these networks ("social media plugins").

The legal basis for the marketing tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. To withdraw your consent, see 4.2.3: "Withdrawing your consent or changing your selection".

In the event that personal data is transferred to third countries, we refer to Section 7 ("Data transfer to third countries") in addition to the information provided below.

In the following section, we would like to explain the tools and the providers used in more detail and the data collected. The following tools and provider are used for these purposes:

  • “Matchmaker” Tool provided by Permutive Limited, 145 City Road, London EC1V1AW, United Kingdom, Link to Permutive’s Privacy Policy and contact information: privacy@permutive.com. Permutive Limited provides data management and audience segmentation services that enables us to analyze and activate user data in a privacy-compliant manner. Their platform uses real-time, first-party data to help us deliver targeted advertising without relying on third-party cookies.

The data collected may include in particular:

  • the IP address of the device;

  • the information of a cookie and in local or session storage;

  • the device identifier of mobile devices (e.g. device ID, advertising ID);

  • Referrer URL (previously visited page);

  • Pages accessed (date, time, URL, title, duration of visit);

  • Downloaded files;

  • Clicked links to other websites; 

  • Information from surveys, such as user preferences and interests;

  • if applicable, achievement of certain goals (conversions);

  • Technical information: Operating system; browser type, version and language; device type, make, model and resolution;

  • Approximate location (country and city if applicable).

However, the data collected is only stored under a pseudonym, so that no direct conclusions can be drawn about individuals.

4.8 Purposes, Functions and Service Providers

Processing purposes and functions, as well as the individual providers ("suppliers") can be viewed in the CMP, which can be accessed in the settings under "Data protection settings".

5. Online Presence in Social Networks

We maintain an online presence on social networks in order to communicate with customers and interested parties and to provide information about our products and services. User data is generally processed by the relevant social networks for market research and advertising purposes. This allows user profiles to be created based on the interests of users. Cookies and other identifiers are stored on the computers of the data subjects for this purpose. Based on these user profiles, advertisements are then placed within the social networks and on third-party websites, for example.

As part of the operation of our online presences, we may have access to information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may contain, in particular, demographic information (e.g. age, gender, region, country) and data on interaction with our online presence (e.g. likes, subscriptions, sharing, viewing images and videos) and the posts and content distributed via it. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information can also be used by us to adapt the design and our activities and content on the online presence and to optimize it for our audience. Please refer to the list below for details and links to the social network data that we can access as the operator of the online presence. The collection and use of these statistics is generally subject to joint responsibility. Where this applies, the relevant contract is listed below.

The legal basis for data processing is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in effective information and communication with users, or Art. 6 para. 1 lit. b GDPR, in order to stay in contact with our users and to inform them and to carry out pre-contractual measures with interested parties.

If you have an account with the social network, it is possible that we can see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This can take place, for example, via direct messages or posted contributions. The content of communication via the social network and the processing of content data is the responsibility of the social network as a messenger and platform service. As soon as we transfer personal data from you to our own systems or process it further, we are independently responsible for this and this is done to carry out pre-contractual measures and to fulfill a contract in accordance with Art. 6 Para. 1 lit. b GDPR.

The legal basis for the data processing carried out by the social networks on their own responsibility can be found in the data protection information of the respective social network. Under the links below you will also find further information on the respective data processing and the options to object.

We would like to point out that data protection requests can be made most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. You can of course also contact us with your request. In this case, we will process your request and forward it to the provider of the social network.

Below is a list with information on the social networks on which we have an online presence:

6. Data Disclosure

The data collected by us will only be passed on if there is a legal basis for this under data protection law in the specific case, in particular if:

  • you have given your express consent in accordance with Art. 6 para. 1 lit. a GDPR,

  • the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,

  • we are legally obliged to disclose data in accordance with Art. 6 para. 1 lit. c GDPR, in particular if this is necessary for legal prosecution or enforcement due to official inquiries, court orders and legal proceedings, or

  • this is legally permissible and required under Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that are carried out at your request.

Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include, in particular, data centers that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. If we pass on data to our service providers, they may only use the data to fulfill their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects and are regularly monitored by us.

7. Data Transfer to Third Countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. If this is the case and the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions under Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the fulfillment of the contract or for the implementation of pre-contractual measures.

If a transfer to a third country is planned and there is no adequacy decision or suitable guarantees, it is possible and there is a risk that authorities in the respective third country (e.g. secret services) may gain access to the transferred data in order to collect and analyze it, and that the enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the consent banner, you will also be informed of this.

8. OneFootball Partner Marketing

In the course of registering on the OneFootball platform and, if applicable, later in the course of use, you can consent to 'OneFootball Partner Marketing'. OneFootball cooperates with a large number of well-known partners, including clubs, leagues, associations or advertising and technical service providers ("OneFootball partners"). You can find a detailed list of our OneFootball partners and their contact details on our 'OneFootball Partner Website'.

If you give your consent to 'OneFootball Partner Marketing', OneFootball is authorized to pass on the following information of your user account to the OneFootball partners:

  • Name,

  • E-mail address,

  • Device-ID,

  • Salutation (if known),

  • Date of birth (if known),

  • Gender (if known),

  • Favorite club (if known),

  • IP-address (if known),

  • Streaming purchase history (if applicable).

In addition, you agree that the OneFootball partners may contact you by e-mail for the following marketing purposes: Product and event information, exclusive promotions, competitions, offers, information from advertising partners of OneFootball partners and birthday mailings.

The processing and transmission of your data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can of course withdraw your consent at any time with effect for the future. To revoke your consent, please click on "Manage consent" in the settings of your user profile and press the 'OneFootball Partner Marketing' button. Alternatively, you can also inform us of your revocation at any time in writing by e-mail to privacy@onefootball.com or via the contact form on our website or by clicking on the unsubscribe link in the relevant newsletter.

9. Token Airdrop / Airdrop Claim

If you use the Airdrop Claim feature in FanPass, we process your personal data in order to verify your eligibility for the airdrop and, if you are eligible, to enable you to claim your tokens, select a vesting option (3, 6, or 9 months), and enter into and perform the related agreement with OneFootball. We also process your data to properly administer the airdrop and to reallocate any unclaimed tokens, or tokens not contractually secured within the applicable deadline, to the treasury wallet in accordance with the applicable airdrop terms and conditions.

9.1 Categories of Personal Data Processed

In this context, we process in particular your wallet address, transaction and claim data, your email address, and your username or handle. We obtain this data either directly from you or from our internal systems. To the extent that we also consult publicly accessible blockchain data (for example, to verify on-chain eligibility criteria or transaction history), such data may not have been collected directly from you. Where required under Article 14 GDPR, we will inform you of the source and categories of such data here.

9.2 Purposes and Legal Bases

To the extent that processing is necessary to carry out the claim process, enable the selection of a vesting option, and to enter into or perform the related agreement, the legal basis is Article 6(1)(b) GDPR (performance of a contract to which you are party).

To the extent that processing is necessary to verify airdrop eligibility, prevent abusive or multiple claims, ensure the technical and organisational integrity of the airdrop, or reallocate unclaimed or forfeited allocations to the treasury wallet in compliance with the applicable rules, the legal basis is Article 6(1)(f) GDPR (legitimate interests). Our legitimate interest lies in the secure, fair, and proper administration of the airdrop. We have balanced this interest against your rights and interests and consider that this processing does not override your fundamental rights, given that the processing is limited to what is necessary to administer the airdrop securely and fairly, and that the processing is reasonably foreseeable from your participation in the airdrop.

Where processing is based on Article 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation. Please see Section 12 "Your Rights" for further details.

9.3 Recipients

Recipients of your data include the relevant internal teams as well as cloud service providers, blockchain node and RPC providers, and other blockchain infrastructure service providers engaged by us.

9.4 International transfers and blockchain

Where personal data is transferred outside the EEA in connection with off-chain processing, we use an appropriate transfer mechanism in accordance with applicable law, such as an adequacy decision or the Standard Contractual Clauses adopted by the European Commission.

Where personal data is recorded on a public blockchain, that data, in particular wallet addresses and transaction data, is accessible globally by the nature of the blockchain infrastructure. We take this into account when assessing international transfer risks and minimise the personal data written on-chain accordingly.

9.5 Automated processing, including automated reallocation

As part of the airdrop process, we use automated processing to:

  • verify your airdrop eligibility based on your wallet and participation data;

  • assess whether the required agreement has been signed within the applicable two-week deadline; and

  • automatically reallocate tokens to the treasury wallet if the required agreement is not signed within two weeks, or if allocated tokens are not claimed within one year.

The logic applied in these automated processes is as follows: 

(1) Whitelist eligibility check. At the point of first access to the 1F Predict Game, the system checks whether the wallet address connected by the User is recorded as a Whitelist Wallet in OneFootball's eligibility database. This check is binary: the wallet address either matches a verified entry in the whitelist or it does not. No further personal characteristics are assessed at this stage. A wallet that does not match is automatically denied access to the Airdrop claim flow. A wallet that matches is permitted to proceed to Contract Duration selection.

(2) Two-week TGE claim window monitoring. From the moment the Airdrop claim goes live, the system records a fixed deadline timestamp of exactly 14 days (expiring at 12:00 noon UTC on the 14th day). At that timestamp, the system automatically checks, for each Whitelist Wallet that has not yet executed an initial TGE claim, whether a confirmed Contract Duration selection and an executed initial claim transaction are recorded against that wallet address. If both are recorded, no action is taken. If either is absent, meaning the User has not selected a Contract Duration or has not executed the initial TGE claim transaction within the 14-day window, the system automatically marks the User's entire Airdrop allocation as forfeited and transfers it to the Reward Pool. No further action or human review is required before this transfer is executed.

(3) Soft Staking Requirement balance checks. At each prediction submission deadline during an Epoch, the system automatically queries the $OFC Token balance of each participating User's Wallet. If the balance recorded at a single balance check falls below the current Soft Staking Requirement (currently 1,000 $OFC), the system flags the User's account and triggers a notification to the User via the FanPass site; the User's Matchday Ratings for that occurrence are not invalidated. If the balance falls below the Soft Staking Requirement at two or more consecutive balance checks within the same Epoch, the system automatically invalidates the User's Matchday Ratings for the entire Epoch, rendering the User ineligible for 1F Predict Rewards and vesting acceleration for that Epoch.

(4) One-year unclaimed vesting token expiry. The system records the exact timestamp of the TGE. Exactly one year after that timestamp (at 12:00 noon UTC), the system automatically checks, for each User with an active vesting contract, whether any portion of their Total Eligible Airdrop Allocation has become claimable but remains unclaimed. Any such unclaimed vesting tokens are automatically transferred to the Reward Pool at that moment. This is a single fixed expiry event applied simultaneously to all unclaimed vesting amounts, regardless of when during the vesting period each individual amount became claimable.

(5) Reward Pool migration upon contract expiry. The system continuously monitors the status of each User's vesting contract. When the system determines that all vesting allocations under a User's contract have either been claimed, unlocked but not yet claimed, or forfeited through expiry or early termination, the User is automatically migrated from Reward Pool 1 (active contract holders) to Reward Pool 2 (post-Airdrop participants) for all subsequent Epochs.

The personal data used as inputs in each of these automated checks are: your wallet address; records of your Contract Duration selection and initial TGE claim transaction; your $OFC Token wallet balance at each relevant balance check timestamp; records of each monthly unlock and claim event; and the TGE timestamp. These automated processes produce decisions that directly affect your rights under this Privacy Policy, including your entitlement to Airdrop allocations, 1F Predict Game Rewards, and vesting acceleration. You have the right to request human review of any automated decision that you consider to have been applied incorrectly to your account. To exercise this right, please contact us at the OneFootball Help Center available here. You also have the right to express your point of view and to contest any such decision.

The legal basis for automated eligibility and reallocation decisions under Article 22(2) GDPR is Article 22(2)(a) (necessity for the performance of the contract between you and OneFootball).

Where an automated decision produces legal effects concerning you or similarly significantly affects you, you have the right to:

  • obtain human review of the decision by a member of OneFootball's team;

  • express your point of view; and

  • contest the decision.

To exercise these rights, please contact us at the OneFootball Support Center available here.

9.6 Retention

Where personal data is processed on a public blockchain, this may result in such data remaining permanently or long-term technically irremovable due to the characteristics of the blockchain. This applies in particular to wallet addresses and blockchain-based transaction data. Where on-chain deletion is not technically possible, we minimise the personal data written on-chain and delete or irreversibly sever the cryptographic link between off-chain identity data and on-chain records to the extent feasible and legally permitted.

Data stored off-chain, in particular information relating to eligibility verification, claim administration, communications, and contract performance, is generally retained for the duration of the airdrop programme and any applicable vesting period. Thereafter, we delete or anonymise such data after a period of three years following the end of the calendar year in which the relevant claim process was completed, unless statutory retention obligations or legitimate interests require longer retention. Where data forms part of records relevant under commercial or tax law, we retain such data for the duration of the applicable statutory retention periods (in Germany: generally six years for commercial correspondence and ten years for accounting-relevant records).

10. 1F Predict Game

If you participate in 1F Predict in FanPass, we process your personal data in order to enable your participation in the game, verify whether you hold the minimum amount of OFC tokens required for certain game features, record your predictions, calculate your performance and Matchday Score, place you in the relevant leaderboard category, and distribute tokens from the applicable reward pools. Depending on your participation and performance, this may also affect your eligibility for gameplay-related benefits, including accelerated airdrop unlocks and qualification for monthly prize pools.

10.1 Categories of personal data processed

In this context, we process in particular your wallet address, your username or handle, your prediction entries, gameplay and scoring data, and blockchain-based transaction and reward distribution data. We obtain this data either directly from you or from our internal records. To the extent that we also consult publicly accessible blockchain data (for example, to verify OFC token holdings), such data may not have been collected directly from you. Where required under Article 14 GDPR, we will inform you of the source and categories of such data here.

10.2 Purposes and legal bases

To the extent that processing is necessary to provide 1F Predict and related functionalities requested by you, the legal basis is Article 6(1)(b) GDPR (performance of a contract to which you are party).

To the extent that processing is necessary to verify eligibility, ensure the integrity of the game, prevent abuse or manipulation, operate leaderboards, and securely administer token rewards, the legal basis is Article 6(1)(f) GDPR (legitimate interests). Our legitimate interest lies in ensuring a secure, fair, and properly functioning gameplay and rewards system. We have weighed this interest against your rights and consider that this processing does not override your fundamental rights, given that the data processed is limited to what is necessary to administer the game securely and equitably.

Where processing is based on Article 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation. Please see Section 9 "Your Rights" for further details.

10.3 Recipients

Recipients of your data include the relevant internal teams as well as cloud service providers, blockchain node or RPC providers, and other blockchain infrastructure service providers engaged by us. Off-chain processing generally takes place within Europe.

10.4 International transfers and blockchain

Where personal data is transferred outside the EEA in connection with off-chain processing, we use an appropriate transfer mechanism in accordance with applicable law, such as an adequacy decision or the Standard Contractual Clauses adopted by the European Commission.

Where personal data is recorded on a public blockchain - in particular wallet addresses and transaction and reward distribution data - that data is accessible globally by the nature of the blockchain infrastructure. We minimise the personal data written on-chain accordingly.

10.4 Automated processing

As part of 1F Predict, we use automated processing to: (i) verify whether you hold the required minimum amount of OFC tokens; (ii) record your predictions and calculate your Matchday Score; (iii) assign you to the relevant leaderboard category; and (iv) trigger reward distribution from the applicable reward pools.

(i) OFC token-holding check. To verify whether you hold the required minimum amount of $OFC Tokens, the system automatically queries the on-chain balance of the wallet address you have connected to 1F Predict at each prediction submission deadline during the Epoch. The check is performed by reading the balance recorded on the relevant blockchain at the moment of each submission deadline. The data used is your wallet address and the $OFC Token balance associated with it at that point in time. If your balance meets or exceeds the current minimum threshold, the check passes and your Matchday Score for the relevant matchday is counted towards your Epoch average for leaderboard and reward purposes. If your balance falls below the threshold at two or more consecutive checks within the same Epoch, your Matchday Scores for that Epoch are automatically invalidated, meaning you will not appear in the leaderboard rankings and will not receive a reward distribution for that Epoch.

(ii) Recording of predictions and calculation of your Matchday Score. When you submit predictions for a matchday, the system records your chosen outcome (home win, draw or away win) for each match alongside a timestamp confirming that submission occurred before the first match kick-off of the relevant matchday. Late submissions are automatically rejected. Once official match results are available, the system compares your submitted predictions against those results and generates a numerical Matchday Score between 0 and 10.0. The Score reflects the accuracy of your predictions across the matches included in that matchday's fixture list: the more of your predictions match the actual results, the higher your Matchday Score. The exact weighting applied to each match when deriving the Score is determined by a scoring methodology set by OneFootball. The data used in this process is: your wallet address, your submitted predictions for each match, the submission timestamp, and the official match results.

(iii) Assignment to leaderboard category and ranking. At the end of each Epoch, the system calculates your average Matchday Score by dividing the sum of your Matchday Scores across all matchdays within the Epoch by the number of matchdays in that Epoch. This average is used to rank you against other participants. Based on your Airdrop allocation status — specifically, whether you hold an active vesting contract — the system automatically assigns you to one of two leaderboard categories: Category 1 (participants with an active vesting contract) or Category 2 (participants without an active vesting contract or whose vesting contract has fully concluded). Within each category, participants are ranked in descending order of their Epoch average Matchday Score. If two or more participants share the same average score, a tiebreaker is applied automatically. The data used is: your wallet address, your individual Matchday Scores for the Epoch, your vesting contract status, and, where a tiebreaker is required, additional data points such as total number of predictions submitted, individual matchday highs or the timestamp of your final prediction submission for the Epoch.

(iv) Reward distribution trigger. Once leaderboard rankings for a given Epoch have been confirmed, the system automatically determines your reward entitlement based on your final rank within your leaderboard category and the applicable prize distribution percentages. If your rank falls within the top 100 of your category, the system calculates the $OFC Token amount corresponding to your rank's percentage share of the relevant Reward Pool and triggers distribution of that amount to your connected wallet address. If your rank falls outside the top 100, no reward is distributed for that Epoch. Reward distributions become claimable at 12:00 noon UTC on the first day of the month following the Epoch. Any Metagame Rewards that become claimable but are not claimed within one year of the Token Generation Event are automatically transferred to the Reward Pool. The data used is: your wallet address, your final leaderboard rank, your leaderboard category, and the Reward Pool size for the relevant Epoch.

(v) The personal data used as inputs across all four automated processes are: your connected wallet address; your $OFC Token balance at each balance check point; your submitted match predictions and their submission timestamps; official match results; your individual and average Matchday Scores; your vesting contract status; and your leaderboard rank and category. These automated processes produce outcomes that directly affect your entitlement to Metagame Rewards. You have the right to request human review of any automated outcome that you believe has been applied incorrectly to your account. To exercise this right, please contact us at the OneFootball Help Center available here. You also have the right to express your point of view and to contest any such outcome.

Where an automated decision produces legal effects concerning you or similarly significantly affects you — in particular automated decisions that determine your access to airdrop unlocks or prize pool qualification — you have the right to:

  • obtain human review of the decision by a member of OneFootball's team;

  • express your point of view; and

  • contest the decision.

To exercise these rights, please contact us at the OneFootball Help Center available here.

The legal basis for automated eligibility decisions under Article 22(2) GDPR is Article 22(2)(a) necessity for the performance of the contract between you and OneFootball. 

10.5 Retention

On-chain data. Where personal data is processed on a public blockchain — in particular wallet addresses and blockchain-based gameplay, transaction, and reward distribution data — that data may remain permanently or long-term technically irremovable due to the inherent characteristics of blockchain technology. Where on-chain deletion is not technically possible, we minimise the personal data written on-chain at the point of collection and, to the extent technically feasible and legally permitted, delete or irreversibly sever the cryptographic link between any off-chain identity data held by us and the corresponding on-chain records, so that the on-chain data can no longer be attributed to an identified or identifiable natural person by us. Once that link is severed, the remaining on-chain data no longer constitutes personal data within the meaning of Art. 4(1) GDPR as far as we are concerned, in accordance with Recital 26 GDPR.

Off-chain data, active participation period. Off-chain data relating to your participation in 1F Predict, including your username or handle, internal gameplay records, prediction history, Matchday Scores, leaderboard rankings, and reward distribution records — is retained for as long as your account remains active and for as long as necessary for the operation of 1F Predict, the administration and verification of rewards, the resolution of disputes, and compliance with our legal obligations. During the active participation period, your data is retained on the basis of contract performance (Art. 6(1)(b) GDPR) and, where applicable, our legitimate interests in maintaining accurate records and preventing fraud (Art. 6(1)(f) GDPR).

Off-chain data, post-participation retention. Following the end of your active participation, meaning the later of: (i) the date on which your Metagame vesting contract concludes or expires; (ii) the date on which your OneFootball account is deleted or deactivated; or (iii) the date on which your last reward or transaction becomes final, we retain your off-chain personal data for a further period of three years, calculated from the end of the calendar year in which the relevant event occurs. This three-year period reflects the standard civil limitation period under §§ 195, 199 BGB applicable to contractual claims arising from your participation in 1F Predict, during which data may be required to establish, exercise, or defend legal claims. At the end of this three-year period, your off-chain personal data is deleted or anonymised unless one of the following statutory retention obligations requires longer storage.

Statutory retention obligations. The following statutory retention periods override the three-year period above and may require us to retain certain categories of data for longer:

  • Commercial and accounting records (including records of Admin-Fee payments and reward distributions that constitute commercial transactions): up to 10 years from the end of the calendar year in which the transaction occurred, pursuant to § 147(1) AO and § 257(1) HGB

  • Anti-money laundering records (including wallet address verification records and transaction records where AML/KYC checks were performed): up to 5 years from the end of the calendar year in which the business relationship ended, with an absolute maximum of 10 years, pursuant to § 8(4) GwG.

  • Any other retention period required by applicable law, regulatory authority, or court order.

During any statutory retention period, access to your data is restricted to the extent technically and organisationally feasible, so that it is used only to fulfil the statutory retention obligation and not for any other purpose. This approach of restricting rather than immediately deleting data where statutory obligations apply is consistent with the requirements of § 35 BDSG and Art. 18 GDPR.

Deletion and anonymisation. At the expiry of the applicable retention period, your off-chain personal data is either permanently deleted or anonymised in a manner that renders re-identification impossible, so that the anonymised data is no longer subject to GDPR. Automated account deletion or anonymisation is triggered at the end of the applicable retention period. You may also request early deletion of your data pursuant to Art. 17 GDPR at any time, subject to our statutory retention obligations and our right to retain data to establish, exercise, or defend legal claims under Art. 17(3)(e) GDPR.

Your right to information on retention. You may request confirmation of the specific retention period applicable to your data at any time by contacting us at the OneFootball Help Center available here.

11. Storage Duration

In principle, we only store personal data for as long as necessary to fulfill the purposes for which we collected the data. We then delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes for civil law claims, due to statutory retention obligations or there is another legal basis under data protection law for the continued processing of your data in the specific individual case.

For evidence purposes, we must retain contract data in particular for three years from the end of the year in which the business relationship with you ends. Any claims expire at the earliest at this time in accordance with the statutory limitation period.

Even after this, we still have to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified there for the retention of documents are two to ten years.

12. Your Rights, Particularly Withdrawal and Objection

You are entitled to the data subject rights formulated in Art. 7 para. 3, Art. 15 - 21 at any time if the respective legal requirements are met:

  • Right to withdraw your consent (Art. 7 (3) GDPR);

  • Right to object to the processing of your personal data (Art. 21 GDPR);

  • Right to information about your personal data processed by us (Art. 15 GDPR);

  • Right to rectification of your incorrect personal data stored by us (Art. 16 GDPR);

  • Right to erasure of your personal data (Art. 17 GDPR);

  • Right to restriction of processing of your personal data (Art. 18 GDPR);

  • Right to data portability of your personal data (Art. 20 GDPR).

To assert your rights described here, you can contact us at any time using the contact details above. This also applies if you wish to receive copies of guarantees to demonstrate an adequate level of data protection. If the relevant legal requirements are met, we will comply with your data protection request.

Your requests to assert data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, beyond this period if there is reason to assert, exercise or defend legal claims. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in the defense against any civil claims under Art. 82 GDPR, the avoidance of fines under Art. 83 GDPR and the fulfillment of our accountability under Art. 5 para. 2 GDPR.

You have the right to withdraw your consent at any time. As a result, we will no longer continue the data processing that was based on this consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it concerns an objection to data processing for direct marketing purposes, you have a general right of objection, which we will implement without you having to give any reasons.

If you wish to exercise your right of withdrawal or objection, simply send an informal message to the contact details above.

Finally, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR. You can assert this right, for example, with a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement. In Berlin, where we are based, the competent supervisory authority is Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.

13. Changes to the Privacy Policy

We occasionally update this privacy policy, for example if we adapt our app or if the legal or regulatory requirements change.

Version: 1/2026

Status: March 2026