Privacy Policy

Version 2026-05-28 · Applies to aixi.football

Who we are, and the two roles we play

aixi.football (the "Service") is operated by Lukas Oberhuber, trading as Blabberate (a sole trader, based in England and Wales). Contact: info@blabberate.com. We are the data controller for some of the personal data described below and a data processor for the rest — read on for which applies to you.

• We are the controller for personal data about account holders (organisers who register and log in). We decide why we collect it (to provide the Service) and how it's used.
• We are the processor for personal data about players, venues, and people who tap our bot in Telegram. Your organiser is the controller of that data — they decide why it's held and what to do with it; we only act on their instructions, by running the tool they use.

What we collect about account holders (organisers)

• Account credentials: a username and a securely hashed password you choose at registration.
• Account preferences: timezone, and any payment information you choose to display on your team's bills.
• An optional contact email, if you give us one at registration or in Settings. We use it to reach you about your account (a security issue, a data-protection request, or a notice about a change to these terms). If you don't provide one, we'll only be able to notify you in-app on your next login.
• Acceptance metadata: a record that you accepted the Terms, Privacy Policy and the Data Processing terms when you registered, and which version was in force.
• Essential cookies: a session cookie to keep you signed in and a CSRF token cookie to protect form submissions. No advertising or third-party tracking cookies.
• Operational logs generated by Cloudflare and our app (request paths, timestamps, error traces) used to keep the Service secure and to diagnose issues.

What we process on behalf of organisers (about players and others)

When you (the organiser) use the Service, you control which data goes in. Most of it you enter yourself in the app's forms; some pieces — for example a Telegram identifier we attach to a player after they tap one of the bot's messages — are captured automatically on your behalf. We store the broad categories below as your records, so you can run your game:

• Player records — profile details you keep against each player (such as their name, your performance ratings, status, any contact details you add, and any Telegram identifiers we've linked to them on your instructions), plus their attendance and team history and any payment-tracking notes.
• Telegram interaction data — when the bot posts your game's invite, line-up, bill or recap, anyone in your group can tap a button. We capture enough Telegram-published information about the tapper (their profile name, their Telegram identifier, optionally their @username) to match the tap to the right player. If we can't recognise the tapper, we keep a short-lived "pending tapper" record for you to review and link. When a tap is matched to a player automatically, we also keep a short, capped log of those automatic links (player name plus the tapper's Telegram identifiers, oldest entries evicted) so we can notify you in the app.
• Game, venue and billing data — game dates and times, scores, line-ups, venue details (including any bank details you ask us to print on a bill), invoices, and any documents you upload alongside your account.

The detailed field-level inventory lives in our internal Record of Processing Activities, which we keep up to date as the product changes.

How we use the data we control

We use account-holder data to provide the Service to you under our contract (authenticating, storing your account, sending you essential service emails) and under our legitimate interests to secure the Service, to improve the product, and to monitor for, diagnose and fix issues.

For data we hold as a processor, our purposes are limited to what's needed to run the Service for your organiser, on their documented instructions (which they give by using the app). See our Data Processing terms for the detail.

Who we share data with (sub-processors)

• Cloudflare — hosting (Workers), storage (R2 / S3 API), and content delivery. Personal data is stored as JSON files in R2 and served via Cloudflare's network.
• Telegram — when you connect a Telegram chat to your account, we send game messages (invites, line-ups, bills, score recaps) and read tap events through Telegram's Bot API. We don't send anything to Telegram if you haven't connected a chat.

We don't sell your data, and we don't share it for advertising. We may change sub-processors over time; we'll keep the list above current and notify organisers of substantive changes per the Data Processing terms.

International transfers

Cloudflare and Telegram operate global networks, so personal data may be transferred to and processed in countries outside the UK. We rely on the safeguards those providers maintain (e.g. UK adequacy regulations, standard contractual clauses, or equivalent) for any such transfers.

How long we keep data

We keep account-holder data while your account is active. If you ask us to delete your account, we remove the account-holder record and the account's stored data within a reasonable period, subject to limited retention required to comply with legal obligations or to resolve disputes. For data we process on the organiser's behalf, retention is whatever the organiser sets — they can ask us to delete a player, a game, a venue, or their whole account at any time. Unrecognised Telegram "pending tapper" records are minimised and removed once linked or after they fall out of relevance, and the automatic-link log is capped at a handful of recent entries with older ones evicted automatically.

How we protect it

We use industry-standard technical and organisational measures appropriate to the risk:

• Traffic to and from the Service is encrypted in transit.
• Stored data is encrypted at rest by our hosting provider.
• Passwords are kept as one-way hashes using a modern algorithm.
• Service secrets are held in our hosting provider's secret store.
• Access to production data is restricted to the operator.

Your rights

You have the right to:

• be told what we hold about you (this policy is part of that);
• request a copy of your personal data (right of access);
• have inaccurate data corrected (rectification);
• have your data deleted (erasure), subject to legal exceptions;
• restrict or object to certain processing;
• where we rely on consent, withdraw it at any time (this doesn't affect prior lawful processing);
• complain to the UK Information Commissioner's Office (the ICO) — https://ico.org.uk.

To exercise any of these, email info@blabberate.com. We may ask for information to confirm who you are before we respond.

If you're a player (and never signed up)

You're probably here because someone organising your weekly football game uses aixi.football to manage it. Your organiser is the data controller for your details (name, phone, attendance, payments, Telegram interactions with their group) — they decided to hold that data to run the game, and they choose how long to keep it.

To correct or delete your data, ask your organiser first — they can edit or remove a player record directly in aixi. If they're not reachable, or you want our help, email info@blabberate.com and we'll pass the request on or act on it as the organiser's processor.

Data breaches

If a personal data breach occurs that's likely to result in a risk to people's rights and freedoms, we'll report it to the ICO within 72 hours of becoming aware of it and notify affected individuals where required. For account holders, if you've given us a contact email we'll write to that address; if you haven't, we'll surface an in-app notice you'll see the next time you log in. Organisers (as controllers) will be informed without undue delay so they can meet their own obligations.

Changes to this policy

We may update this policy as the product develops. The version date at the top of this page reflects the current version; we'll keep prior acceptance metadata against the version it was accepted under, and we'll give notice in-app where reasonable.

Questions? Email info@blabberate.com. See also our Terms of Use and Data Processing terms.