Privacy Policy

1. About this policy

This policy describes how Validate and Innovate Pty Ltd (“we”, “us”, “our”) handles personal information when you use Armchair Pro, available at armchairpro.com.

We operate under Australian law, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you’re outside Australia, you can still use the app on the same terms.

2. What we collect

We collect personal information directly from you when you interact with the app:

• Email address — when you sign up, request access during the pre-launch gate, or submit any of our enquiry forms
• Display name and handle — when you create your account or update your profile
• Marketing consent preference — captured at signup and adjustable in your settings
• Predictions, picks, and tipping selections — every prediction you make
• League content — leagues you create or join, including the league name, description, prize structure, payment details, and other content you enter
• Enquiry content — anything you submit through our contact, founding partner, or business enquiry forms

We also collect technical information automatically:

• Authentication metadata — timestamps, IP address at sign-in, browser and device type. Used to operate the service and maintain security.
• Usage analytics via Vercel Web Analytics — aggregate page-view information. Vercel Web Analytics is cookieless and doesn’t track users across websites or use persistent identifiers.
• Server logs and error reports — standard operational data for diagnostics and security monitoring.

Cookies we set

• Session cookies required to keep you signed in (set by our authentication provider, Supabase). These expire when your session expires.
• Pre-launch access cookie (armchairpro_gate_v1) — used only during the pre-launch period to remember you’ve entered the access password. This will be removed when the tournament starts.

We don’t set advertising cookies, third-party tracking cookies, or marketing cookies.

3. How we use personal information

We use personal information to:

• Operate the app and provide the service you’ve signed up for
• Authenticate you and keep your account secure
• Score predictions, run league leaderboards, and surface results
• Send transactional emails (magic-link sign-in, account-related notifications)
• Send marketing emails — but only if you’ve consented to them
• Respond to enquiries and support requests
• Improve the app and develop new features
• Protect the service, our users, and our business from misuse, fraud, or security threats
• Comply with our legal and regulatory obligations

We may also use personal information for purposes related to those above that you would reasonably expect, consistent with the Australian Privacy Principles.

4. Aggregated and de-identified data

We may aggregate and de-identify personal information so that it no longer identifies any individual. Once data is de-identified in accordance with applicable guidance, it ceases to be personal information and is not subject to the protections in this policy.

We may use, retain, share, license, or commercialise aggregated and de-identified data indefinitely and for any purpose, including:

• Analytics and reporting
• Trend insights and benchmarking
• Product development and research
• Public or private statistical publications
• Licensing to third parties for commercial purposes

For example, we might publish or sell statistics like “27% of Australian users picked Argentina to win” without that information identifying any specific user.

5. Who we share personal information with

We share personal information only as described below:

Third-party service providers

We use the following third parties to operate the app. Each acts as a processor on our behalf, under contract, and only for the specific purpose listed:

• Supabase — database and authentication. Stores your account, predictions, league memberships, and related data. Hosted in Sydney, Australia.
• Vercel — hosting and Web Analytics. Vercel may store technical logs and aggregate analytics in the United States and other countries.
• Resend — email delivery for transactional and marketing emails.
• API-Football — tournament data provider. No personal information is sent to API-Football; data flows inbound only.

We may add, change, or remove service providers at our discretion as the app evolves.

Within sponsored leagues

If you join a sponsored league:

• The sponsor can see your display name and how your predictions are performing within their league
• The sponsor cannot see your email address, your predictions in other leagues, or any other information about you outside that league

Within private leagues

Other members of any league you join can see your display name, predictions in that league, and league standings. League creators can see the same information for all members of leagues they’ve created. Predictions and content you submit within a league are visible to that league’s members.

Required disclosures

We’ll disclose personal information if required by law, in response to a valid legal process (subpoena, court order, warrant), if we believe disclosure is necessary to prevent serious harm, or to protect our rights or property.

Business transfers

If we sell, transfer, restructure, merge, or otherwise change the ownership of the business or its assets (in whole or in part), personal information held by us may be transferred as part of that transaction. Any acquirer or successor will be bound by this policy or a substantially equivalent one. We’ll provide notice of any such transfer where required by law.

6. Marketing emails

We send marketing emails only to users who’ve consented to receive them. Every marketing email includes an unsubscribe link.

To stop receiving marketing emails:

• Use the unsubscribe link in any marketing email
• Email us at michael@validateinnovate.com.au with the subject “Unsubscribe”

Transactional emails (sign-in links, account notifications, important service messages) aren’t marketing and you can’t opt out of these while you have an account.

7. Retention

We retain personal information for as long as we have a legitimate operational, legal, or business reason to do so. This varies by data type:

• Account data — for as long as your account is active, and for a reasonable period after deletion for backup, fraud prevention, and legal compliance purposes
• Pre-launch landing-page signups — retained until the launch communication cycle completes
• Enquiry submissions — retained for up to 2 years for follow-up purposes
• Server logs and analytics — retained per our providers’ standard schedules
• Aggregated and de-identified data — retained indefinitely (see clause 4)

We may retain personal information longer where required by law, where we have a legitimate business interest in doing so (for example, defending legal claims, audit purposes, or to enforce our terms), or where deletion is not technically feasible.

8. Your rights

Under the Australian Privacy Principles, you have the right to:

• Access personal information we hold about you
• Correct personal information that’s inaccurate, incomplete, or out of date
• Request deletion of your account and associated personal information
• Withdraw consent for marketing emails at any time
• Complain about how we handle your personal information

To exercise any of these rights, email michael@validateinnovate.com.au. We’ll respond within 30 days. We may require you to verify your identity before processing your request. We may charge a reasonable cost for fulfilling access requests that are unusually broad or that require substantial effort.

If we can’t fulfil your request (for example, where we’re legally required to retain certain information), we’ll explain why.

If you’re not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner: https://www.oaic.gov.au/

If you’re in the EU or UK, you may have additional rights under GDPR or UK GDPR. We’ll consider those requests in good faith.

9. Account deletion

We don’t currently offer a self-serve account deletion button in the app. To delete your account:

• Email michael@validateinnovate.com.au from the email address associated with your account
• Include “Delete my account” in the subject line
• We’ll confirm the request and remove your account and associated data within 30 days

Once deleted, your data can’t be recovered. Leagues you created will continue to exist (so other members can keep playing), but your participation, display name, and predictions will be removed from those leagues. Aggregated and de-identified data derived from your activity may be retained per clause 4.

10. Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure:

• HTTPS encryption for all connections to the app
• Authentication handled by Supabase using industry-standard practices (magic links, no plaintext passwords)
• Production data access limited to authorised personnel
• Database hosted by Supabase in Sydney

No system is perfectly secure. We don’t guarantee absolute protection against unauthorised access, breach, or loss.

If we become aware of a data breach that creates a risk of serious harm to users, we’ll notify affected users and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme.

11. Children

Armchair Pro is not directed at children under 16. We don’t knowingly collect personal information from children under 16. If you’re a parent or guardian and believe your child has created an account, contact us at michael@validateinnovate.com.au.

12. International users and data location

The app uses infrastructure that may store and process data outside Australia, notably in the United States where Vercel and Resend operate. By using the app, you consent to your personal information being processed in those locations, subject to local laws that may give authorities access through their own legal processes.

13. Changes to this policy

We may update this policy at any time. When we do, we’ll update the “Last updated” date at the top. For material changes that materially reduce your privacy protections, we’ll provide notice through the app or by email, where reasonably practicable, before they take effect.

Your continued use of the app after changes take effect constitutes acceptance of the updated policy.

14. Contact

Operator: Validate and Innovate Pty Ltd (acting through Michael Di Natale)

Email: michael@validateinnovate.com.au

For any privacy-related questions, data access or correction requests, account deletion, or to update your contact preferences, email us using the address above.