Politique de confidentialité

Date d'entrée en vigueur 2026-07-06 · Dernière mise à jour 2026-07-06

1. Who we are

Scorvo ("the Service") is operated by Osii (business registration number 247-70-00655), represented by LEE JAE WON, located at Q139, B1, 8-126 Yongmun-dong, Yongsan-gu, Seoul, Republic of Korea. For any privacy question or to exercise your rights, contact us at support@scorvo.io. The operator also serves as the person responsible for personal data protection.

The English version of this policy is the governing text. Translations are provided for convenience; if there is any conflict, the English version prevails.

2. Controller and processor roles

Account, billing, and operational log data are processed by Osii as the data controller. For member data that a club operator enters about their players and teams (names, contacts, notes, photos, records), the club operator is the controller and Scorvo acts as a processor that stores and processes that data on the operator's instructions. The Data Processing Addendum governs that relationship.

3. What we collect and why

  • Account and authentication: your email address and name, managed through our authentication provider (Clerk); your interface language; sign-in sessions. Legal basis: performance of the service contract.
  • Club and competition data you create: clubs, teams, players, tournaments, matches, scores, statistics, venues, and notes. Legal basis: performance of the service contract.
  • Member (player) data entered by club operators: player name, optional contact, notes, jersey number, position, role, status, and optional photo. Legal basis: the operator's legitimate interest in running their club; the operator is the controller for this data (see Section 8 on the source of this data).
  • Billing data: your plan, subscription status, and AI credit ledger. Card and payment details are handled by Paddle, our Merchant of Record — we never receive or store your card number (see Section 7).
  • AI import content: files you upload for AI analysis (images, PDFs, spreadsheet text) and the necessary context (see Section 6).
  • Diagnostic data: server logs for reliability and abuse prevention. We do not write your email address or names into application logs.

4. Cookies and local storage

Scorvo uses only strictly necessary cookies and functional local storage. We run no advertising, analytics, or tracking scripts, so there is no cookie banner.

  • Authentication cookies set by Clerk to keep you signed in. These load on all pages, including the public landing and share pages, so the app can tell whether you are signed in.
  • A NEXT_LOCALE cookie that remembers your chosen language.
  • Paddle sets cookies only when you open the payment checkout.
  • Google Maps loads only when you explicitly activate place search, and only then may set its cookies (see Section 9).
  • Functional browser storage keeps a few values: local storage holds which notifications you have read and whether a one-time guide has been shown; session storage temporarily holds an in-progress import draft, which is cleared when the tab closes.

5. Who receives your data (subprocessors and third parties)

We use the infrastructure providers below to run the Service. They process data on our behalf as subprocessors. Because this infrastructure is operated outside Korea, the transfers below are disclosed under Article 28-8 of the Personal Information Protection Act (PIPA). These providers process personal data in the United States; Cloudflare additionally operates a global network, and OpenAI processes EEA/Switzerland customer data through OpenAI Ireland. The current subprocessor list is published on our Subprocessors page.

RecipientPurposeDataLocationRetention
ConvexApplication database and backendAll app records you createUnited StatesUntil account deletion
ClerkAuthentication and accountsEmail, name, sessionsUnited StatesUntil account deletion
Cloudflare R2File and photo storageUploaded photos and AI import filesUnited States (global network)Until deletion / 30 days for AI files
OpenAIAI import analysisUploaded file content, player namesUnited StatesNot stored by us; see Section 6
ResendTransactional email deliveryEmail address, message contentUnited StatesAs needed to deliver
VercelWeb application hostingRequest dataUnited StatesOperational logs

Paddle (payments), Google Maps (place search), and OpenWeather (venue weather) are independent third-party services rather than subprocessors. Paddle is an independent controller of your payment data. You can review each provider's own privacy terms on our Subprocessors page.

6. AI features

When you use AI import, the files you upload (images, PDFs, or extracted spreadsheet text) and your club's player names are sent to the OpenAI API to extract records. Player contact details are not sent. We set the request so that OpenAI does not store the content for reuse (store disabled); OpenAI may retain inputs briefly for abuse monitoring, up to 30 days, and does not use API data to train its models. Uploaded source files are stored in our own storage for up to 30 days and then deleted automatically.

If you connect Scorvo to an external AI client through MCP, that client can, on your instruction, read a minimized set of your club's records (identifiers, names, and roster fields) to help you import or edit data. Player contacts and free-text notes are not shared over MCP. What is transferred is driven by your own commands in that client.

7. Payments

Payments are processed by Paddle.com as our Merchant of Record. Paddle collects and processes your payment details as an independent controller and handles tax, invoicing, refunds, and disputes. Scorvo stores only your plan, subscription identifiers, and credit balance — never your card number.

8. Data we receive from club operators (source notice)

If you are a player whose data was entered by a club operator, we did not collect it from you directly. We received it from the operator, who is the controller and is responsible for having a lawful basis (including any guardian consent for minors) to enter it. The categories are your name and any contact, notes, and photo the operator added. You may exercise your rights by contacting us at support@scorvo.io or through the club that entered your data.

9. Maps and place search

Venue place search uses Google Maps, which loads only after you explicitly activate it. When you activate it, your search text is sent to Google to return suggestions. If you do not activate it, no data is sent to Google and you can enter venue details manually.

10. Retention and deletion

  • Account and app data: kept until you delete your account, then removed across our database, file storage, and authentication provider.
  • AI import source files: automatically deleted 30 days after upload.
  • Player photos and team/club images: the stored original is destroyed when you remove or replace it, and when the related record or account is deleted.
  • When you delete your account, we also immediately cancel any active subscription with Paddle.

11. Your rights

You may request access to, correction of, deletion of, or restriction of processing of your personal data, and you may object to processing based on legitimate interests. Registered users can edit and delete their own data in the app and delete their account from account settings. Players whose data was entered by an operator can contact support@scorvo.io directly or reach out through their club. For data portability, we will provide a machine-readable copy of your data on request.

12. Security

Access to your data is gated by authentication and a single-owner model, so records and files are reachable only by their owner. Photos and files have no public URL; they are served only through short-lived, signed links to the owner. We restrict access to production data and monitor for abuse.

13. Share pages

When an operator creates a share link for a tournament or match, anyone with that link — including players and non-registered visitors — can view the shared names and results. Share links use unguessable tokens and are excluded from search engine indexing. Operators control whether and what to share.

14. Children

Account creation is available only to people aged 14 or older. Where a club operator records data about youth players, the operator is responsible for obtaining any legally required guardian consent.

15. Data breaches

If a personal data breach occurs, we will notify the relevant supervisory authority and affected individuals as required by applicable law, including Article 33 of the GDPR (within 72 hours where feasible) and Article 34 of PIPA.

16. Changes to this policy

We may update this policy. Material changes will be reflected by updating the effective date shown at the top, and, where appropriate, by additional notice within the Service.