⚐ PRIVACY ⚐

Privacy Policy

Last updated: June 11, 2026
ℹ Fan project notice — Dirty Whistle is a private, non-commercial fan project run by a team of individuals. This Privacy Policy is written in good faith and in plain language; it has not been reviewed by legal counsel.

The Dirty Whistle team — a team of individuals running this non-commercial fan project — ("we", "us", "Dirty Whistle") operates the dirtywhistle.com website and related mobile experiences ("Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have over your data.

This Policy applies globally and is written to comply with the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA). If you're in a jurisdiction with stricter rules, those rules apply on top of this Policy.

1. Data we collect

1.1 Data you give us

  • Account info: email, password (hashed), display alias, country of residence, age confirmation.
  • OAuth provider data: if you sign in with Google / Apple / Facebook, we receive your basic profile (name, email, profile picture URL). We do not see your provider password.
  • Communications: messages you send to support, bug reports, feedback.
  • Optional profile data: profile picture, preferred language.

1.2 Data collected automatically

  • Gameplay data: your in-game money balance, credibility, picks, bets, match assignments, and the full audit log of money/credibility changes. This is the game itself — without it, there is no game.
  • Device & technical data: IP address (truncated for storage), browser type and version, operating system, screen size, timezone, referring URL.
  • Usage data: pages viewed, buttons clicked, time on page, conversion events — measured with Google Analytics 4 (see our Cookie Policy). We use this to improve the product, not to track you across the web.
  • Cookies: see our Cookie Policy for details.

1.3 Data we do NOT collect

  • Payment information (we don't process payments — the game is free).
  • Government-issued IDs.
  • Biometric data.
  • Children's data (we don't allow under-18 accounts).
  • Precise location data (beyond country at registration).

2. Why we use it (legal bases under GDPR)

PurposeLegal Basis
Operating your account & the gamePerformance of contract (Art. 6(1)(b))
Security, fraud prevention, age verificationLegitimate interest (Art. 6(1)(f))
Service emails (verify code, account changes)Performance of contract
Marketing emails / push notificationsConsent — opt-in only, opt-out anytime
Analytics & product improvementLegitimate interest (anonymized) or consent (cookie-based)
Legal obligations (responding to authorities)Legal obligation (Art. 6(1)(c))

3. Who we share data with

We never sell your personal data. We share it only with:

  • Service providers who help us run the Service:
    • Hosting & backend: Supabase (authentication and data sync) plus a managed cloud hosting provider for the web app
    • Email delivery: none — we don't send newsletters or marketing email
    • Analytics: Google Analytics 4 (Google LLC) — aggregate usage measurement; processes data including in the United States. Disabled while the game runs in pre-launch simulation mode
    • Error monitoring: none currently in use
  • Identity providers if you use OAuth (Google, Apple, Facebook) — these operate under their own privacy policies.
  • Law enforcement and courts when required by valid legal process. We will challenge requests that we believe are over-broad or improper.
  • Successor entities if Dirty Whistle is acquired, merged, or transferred — with notice to you, and your same rights apply to the new operator.

4. Where your data lives

Primary data storage: our backend provider's (Supabase) cloud infrastructure. Some service providers — notably Google Analytics — process data in the United States. For transfers outside the EEA/UK, we use Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR.

5. How long we keep data

  • Active accounts: as long as your account is active.
  • Closed accounts: we delete personal data within 90 days of account closure, except where retention is required by law.
  • Backups: retained up to 30 days after primary deletion, then purged.
  • Aggregated & anonymized data: retained indefinitely (cannot identify you).
  • Logs: server logs retained 90 days; security incident logs up to 2 years.

6. Your rights

You can exercise these rights anytime by emailing privacy@dirtywhistle.com:

6.1 GDPR rights (EU/UK)

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") — delete your data
  • Restriction — pause processing while a dispute is resolved
  • Portability — receive your data in a machine-readable format (JSON)
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — for any processing based on consent
  • Lodge a complaint with your local supervisory authority

6.2 CCPA rights (California)

  • Right to know — what personal info we collect, use, and disclose
  • Right to delete — request deletion of personal info
  • Right to correct — fix inaccurate personal info
  • Right to opt out of "sale" — we don't sell data, but you can confirm this anytime
  • Right to non-discrimination — exercising rights doesn't degrade your service

6.3 Deleting your account

You can request account deletion at any time. Your account is closed within 24 hours of request. Personal data is then purged within 90 days; backup purge follows within 30 more days. Anonymous aggregated game stats may remain (e.g. "X picks made in Group MD3 across all players") — these don't identify you.

7. Security

We protect your data with industry-standard measures: encrypted connections (HTTPS/TLS), encrypted passwords (bcrypt), strict access controls, regular security audits. No system is 100% secure — but we treat your data seriously and notify you within 72 hours if a breach affecting your data occurs, as required by GDPR Article 33.

8. Children

Dirty Whistle is not for users under 18. We do not knowingly collect data from under-18s. If you believe a minor has registered, contact us at privacy@dirtywhistle.com and we'll remove the account.

9. Changes to this Policy

We may update this Privacy Policy. Material changes will be announced via email or in-app notice at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

10. Contact

Privacy questions: privacy@dirtywhistle.com
Data Protection Officer: dpo@dirtywhistle.com
Postal address: see Contact.