Privacy Policy
Last updated: May 2026
This policy explains how Tofiko collects, uses and protects your personal data. We process your data lawfully and transparently under the EU General Data Protection Regulation (GDPR).
1. Who we are
Tofiko is an AI-powered football analytics platform operated at tofiko.com. Tofiko is the data controller for the personal data described here. For any privacy question or request, contact us at privacy@tofiko.com.
2. What data we collect
- Account data — your email address, and (if you sign in with Google) the basic profile your provider returns. Authentication is handled by our processor Supabase.
- Subscription data — your plan tier and subscription status. Payments are handled by Stripe; we store a Stripe customer reference and status, but we never see or store your card details.
- Product data — items you save (e.g. your watchlist) and basic preferences.
- Technical data — essential cookies and limited server logs (e.g. IP address) used to keep you signed in and to protect the service.
We do not knowingly collect data from anyone under 18, and we do not collect special-category (sensitive) personal data.
3. How we use your data
- To create and operate your account and authenticate you;
- To provide the tier of service you are entitled to;
- To manage subscriptions and process payments (via Stripe);
- To send essential service messages (e.g. sign-in links, account or billing notices);
- To secure the service and prevent abuse.
We do not sell your data, we do not use it for advertising, and we do not carry out automated decision-making or profiling that produces legal effects for you.
4. Legal basis for processing
We rely on performance of a contract (to provide your account and subscription), our legitimate interests (to secure and improve the service), legal obligations (e.g. tax/accounting once payments are enabled), and your consent where it is required (e.g. any future marketing emails).
5. Processors and sub-processors
We share data only with the providers we need to run the service, under appropriate data-processing terms:
- Supabase — authentication and database;
- Stripe — payment processing and subscription billing;
- Vercel — hosting of the web application;
- Our hosting provider — the server running our API and database, located in the European Union;
- Email provider — used to deliver transactional emails.
Where a provider processes data outside the EU/EEA, that transfer is covered by appropriate safeguards (such as the EU Standard Contractual Clauses). We do not sell, rent or share your personal data with any other third party.
6. Data retention
We keep your account data for as long as your account is active. If you delete your account or ask us to erase your data, we remove it from our systems within 30 days, except where we must keep certain records (e.g. invoices) to meet legal obligations.
7. Your rights under the GDPR
- Access — get a copy of the data we hold about you;
- Rectification — correct inaccurate data;
- Erasure — delete your account and data (“right to be forgotten”);
- Portability — receive your data in a portable format;
- Restriction / objection — limit or object to certain processing;
- Withdraw consent — at any time, where processing is based on consent;
- Complain — to your national data protection authority (in Italy, the Garante per la protezione dei dati personali).
To exercise any of these rights, email privacy@tofiko.com.
8. Cookies
We use only essential and functional cookies. See our Cookie Policy for the full list.
9. Changes to this policy
We may update this policy from time to time. The “last updated” date above reflects the latest revision; we will notify you of material changes where required.
10. Contact
For any privacy question or request, contact privacy@tofiko.com.