Tippa

Privacy Policy

Last updated: 21 May 2026

Tippa ("we", "us") operates this prediction-market app for friends. This policy explains what personal data we process about you, why, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Data controller

The data controller is the operator of this Tippa instance. You can reach us by email at privacy@tippa.app.

2. Data we process

  • Account data: email address, password hash (handled by our auth provider).
  • Profile data: display name and (optional) avatar image you upload.
  • Social graph: friendships you create and friend requests you send or receive.
  • App content: markets you create, options you add, bets you place.
  • Technical data: standard server logs (IP, timestamp, user agent) for security and abuse prevention.

3. Purpose and legal basis

  • Providing the service — Art. 6(1)(b) GDPR (performance of contract).
  • Security, abuse prevention, server logs — Art. 6(1)(f) (legitimate interest).
  • Legal compliance (e.g. responding to lawful requests) — Art. 6(1)(c).

4. Sub-processors

We use the following sub-processors who process data on our behalf:

  • Lovable Cloud (managed Supabase, EU region) — database, authentication, storage.
  • Cloudflare — hosting and DDoS protection.

5. International transfers

Your data is stored in the European Union. If a sub-processor needs to transfer it outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission.

6. Retention

We keep your data for as long as your account is active. Inactive accounts are deleted after 24 months. You can delete your account at any time from your profile page.

7. Your rights

Under GDPR you have the right to:

  • Access your personal data (use "Download my data" on your profile).
  • Rectify inaccurate data (edit your profile).
  • Erase your data ("Delete my account" on your profile).
  • Restrict or object to processing.
  • Receive your data in a portable, machine-readable format (JSON export).
  • Lodge a complaint with your local data-protection authority.

8. Visibility of your content

Markets you create are visible only to the audience you choose (public, friends, or selected friends). Your display name and avatar are visible to other authenticated users who share a market with you. Your email address is never shown to other users; friend requests by email match exactly and do not reveal whether an account exists with a given email beyond what is needed to send a request.

9. Cookies

We use strictly necessary cookies/local storage to keep you signed in. We do not use third-party tracking or advertising cookies.

10. Breach notification

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where required, notify affected users without undue delay.

11. Children

Tippa is not directed at children under 16. Do not create an account if you are under 16.

12. Changes to this policy

We will post material updates here and update the "Last updated" date above.