Last updated: 24 May 2026
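This page is provided for reference only. The legally binding official document is the English version, and in the event of a dispute the English provisions may prevail.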
Data controller and company information
Top500People is operated by Tayoo s.r.o., a company registered in the Czech Republic. Tayoo s.r.o. is the data controller for personal data processed through the Service, unless stated otherwise.
- Legal name: Tayoo s.r.o.
- Registered address: Táboritská 880/14, 13000 Praha 3, Czech Republic
- Company ID: 24152889
- VAT ID: CZ24152889
- Website: https://top500people.com
- Contact: info@top500people.com
1. Introduction
This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Top500People website and related services (the “Service”).
The data controller is the entity operating the Service as identified in the imprint or contact section of the website. For EU/EEA data subjects, you may exercise your rights under the General Data Protection Regulation (GDPR) as described below.
2. Data we collect
Depending on how you use the Service, we may process:
- Account data: email address, name, profile image (if you use social login or upload one), hashed password if you register with email/password, and role (e.g. user or administrator).
- Usage data: pages viewed, interactions (such as likes, duels, league context), IP address, browser type, device identifiers, approximate location derived from IP, timestamps, and security-related logs.
- Referral and affiliate data: affiliate code, referral relationships, click counts, commission and payout records.
- Payment data: purchases of virtual credits are processed by Stripe; we receive payment status, transaction identifiers, amounts, and related metadata—not your full card number on our servers. When you start a credit purchase, we record the version of our Terms you accepted, the time of that step, your IP address, and browser information as proof of consent and for fraud prevention.
- Stripe Connect: if you participate in affiliate payouts, Stripe collects and processes identity and bank details required for payouts under their terms.
- Content you submit: suggested profiles, descriptions, images, links, reports, and other content you upload or send.
- Communications: messages you send to us (e.g. support requests).
3. Purposes and legal bases (GDPR)
We process personal data for the following purposes, relying on applicable legal bases under Article 6 GDPR:
- Performance of a contract: providing accounts, credits, rankings, duels, and affiliate features you request (Art. 6(1)(b)).
- Legitimate interests: security, fraud prevention, abuse detection, analytics to improve the Service, and enforcing our Terms (Art. 6(1)(f)), balanced against your rights.
- Legal obligation: compliance with tax, accounting, or law-enforcement requests where required (Art. 6(1)(c)).
- Consent: where we ask for consent (e.g. certain cookies or marketing emails), you may withdraw at any time (Art. 6(1)(a)).
4. Cookies and similar technologies
We use cookies and similar technologies for authentication (session), language/locale preferences, security, and (where applicable) analytics. You can control cookies through your browser settings; blocking essential cookies may affect functionality.
5. Recipients and processors
We use trusted service providers who process data on our instructions:
- Hosting and infrastructure: our application and database are hosted with providers appropriate to the deployment (e.g. cloud hosting).
- Stripe: payment processing and Connect payouts.
- Authentication providers: e.g. Google OAuth when you choose “Sign in with Google”.
- Caching and rate limiting: Redis may store transient technical data (e.g. rate-limit counters, cached ranking data).
- Object storage: profile images may be stored on compatible object storage (e.g. S3-compatible) in production environments.
6. International transfers
Some providers may process data outside your country (including the United States). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions, or we ensure your consent where applicable.
7. Retention
We retain personal data only as long as necessary for the purposes above: for example, account data while your account is active; transaction and tax records for periods required by law; security logs for a limited period; and cached data for short TTLs. When data is no longer needed, we delete or anonymise it in line with our internal policies.
8. Security
We implement technical and organisational measures appropriate to the risk (e.g. encryption in transit, access controls, least privilege). No method of transmission over the Internet is 100% secure.
9. Your rights
Depending on applicable law, you may have the right to access, rectify, or erase your personal data, to restrict processing, to data portability, to object to processing based on legitimate interests, and to withdraw consent where processing is consent-based.
You may lodge a complaint with a supervisory authority in your country of residence (for EU/EEA data subjects, a list of authorities is available at https://edpb.europa.eu/sme_main_en).
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children below the applicable minimum age. If you believe we have collected such data, contact us and we will delete it.
11. Automated decision-making
Rankings and statistics are generated automatically from community activity and algorithms. We do not use solely automated decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22 in a way that would require specific consent beyond what is described here.
12. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the new version on the Service and update the “Last updated” date. Material changes may be communicated via the Service or email where appropriate.
13. Contact
For privacy requests or questions, contact us using the contact details published on the Service (e.g. footer or About page). You may also contact the data protection officer if one is designated there.