ScrimX

PRIVACY POLICY

Last updated: February 26, 2026

1. Introduction

Welcome to ScrimX ("Platform", "Service", "we", "us", or "our"). ScrimX is a Software-as-a-Service (SaaS) platform operated by Starcode Tech vl. Karlo Starčević, a sole proprietorship (obrt) registered in the Republic of Croatia.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Platform, in compliance with the General Data Protection Regulation (GDPR) (EU Regulation 2016/679), the Croatian Data Protection Act, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

By using ScrimX, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

  • Business name: Starcode Tech vl. Karlo Starčević
  • Business type: Sole Proprietorship (obrt), Republic of Croatia
  • Website: scrimx.com
  • Contact email: info@starcode.tech

You can look up our business registration through the official Croatian Court Register (Sudski registar) or the Croatian Chamber of Trades and Crafts (Hrvatska obrtnička komora).

3. Personal Data We Collect

3.1 Data You Provide Directly

  • Account information: email address, nickname (gaming alias), first name, last name, password (stored as a bcrypt hash — we never store plaintext passwords)
  • Profile information: avatar/profile picture URL, bio, user role (coach/player)
  • Team & organization data: team name, tag, logo, description, game preference, region
  • Linked game accounts: in-game name, tag line, platform, game type (e.g., League of Legends, Valorant, CS2, Rocket League)
  • Content you create: scrim data, strategies, scouting reports, tasks, calendar events, match results, player statistics
  • Payment information: processed securely through Stripe — we do not store your full credit card details on our servers. We store only Stripe customer IDs and subscription metadata.

3.2 Data Collected Automatically

  • Usage data: pages visited, features used, timestamps, interaction patterns
  • Device & browser data: IP address, browser type and version, operating system, device identifiers
  • Cookies & analytics: we use Google Analytics and essential cookies (see our Cookie Policy)

4. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the ScrimX service you signed up for — account management, team features, scrim scheduling, etc.
  • Consent (Art. 6(1)(a)): analytics cookies and marketing communications (you can withdraw consent at any time)
  • Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, service improvement, and aggregate analytics
  • Legal obligation (Art. 6(1)(c)): tax and accounting requirements under Croatian law

5. How We Use Your Data

  • To create and manage your account, authenticate sessions, and verify your email
  • To provide core platform features: team management, scrim scheduling, matchmaking, strategy boards, scouting, leaderboards, and calendars
  • To process payments and manage subscriptions through Stripe
  • To send transactional emails (verification codes, account notifications)
  • To monitor platform security, prevent abuse, and maintain system integrity
  • To analyze usage patterns (with consent) to improve the Service
  • To comply with legal obligations

6. Data Sharing & Third-Party Services

We do not sell your personal data. We share data only with:

  • Stripe, Inc. — payment processing (PCI-DSS compliant). See Stripe's Privacy Policy
  • Google LLC (Google Analytics) — website analytics (with your consent). See Google's Privacy Policy
  • Riot Games API / Game APIs — to verify and link your in-game accounts (only data you explicitly choose to link)
  • Cloud infrastructure providers — hosting and database services with appropriate data processing agreements in place

All third-party processors are bound by data processing agreements (DPAs) and are required to process your data in accordance with GDPR and applicable laws.

7. International Data Transfers

Some of our third-party service providers (e.g., Stripe, Google) may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:

  • EU-U.S. Data Privacy Framework adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable

8. Data Retention

  • Account data: retained for as long as your account is active. Upon account deletion, personal data is erased within 30 days, except where retention is required by law.
  • Email verification codes: automatically expire after 15 minutes and are purged periodically.
  • Payment records: retained as required by Croatian tax law (up to 11 years for financial records).
  • Analytics data: Google Analytics data retention is set to 14 months.
  • Anonymized/aggregated data: may be retained indefinitely for statistical purposes.

9. Your Rights

9.1 Under GDPR (EU/EEA Residents)

  • Right of access (Art. 15): request a copy of your personal data
  • Right to rectification (Art. 16): correct inaccurate or incomplete data
  • Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing (Art. 18): limit how we use your data
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format
  • Right to object (Art. 21): object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3)): withdraw consent for analytics/marketing at any time
  • Right to lodge a complaint: with the Croatian Personal Data Protection Agency (AZOP) or your local supervisory authority

9.2 Under CCPA (California Residents)

  • Right to know what personal information is collected and how it is used
  • Right to delete personal information
  • Right to opt-out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at info@starcode.tech. We will respond within 30 days (GDPR) or 45 days (CCPA).

10. Data Security

We implement appropriate technical and organizational measures, including:

  • Passwords hashed with bcrypt (cost factor 12)
  • JWT-based authentication with short-lived access tokens (15 min) and rotating refresh tokens (7 days)
  • HTTPS/TLS encryption for all data in transit
  • Database encryption at rest
  • Role-based access controls
  • Regular security updates and dependency audits

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

11. Children's Privacy

ScrimX is not intended for children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Cookies & Tracking Technologies

We use cookies and similar technologies. For detailed information about the types of cookies we use and how to manage your preferences, please see our Cookie Policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email. Your continued use of ScrimX after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

  • Email: info@starcode.tech
  • Website: scrimx.com
  • Business: Starcode Tech vl. Karlo Starčević, Republic of Croatia

Supervisory authority: Agencija za zaštitu osobnih podataka (AZOP) — azop.hr