Effective: 2026-06-04
Last updated: 2026-06-04
This Privacy Policy explains how MITH UG (haftungsbeschränkt) (“MITH”, “we”, “us”, “our”) collects, uses, and protects personal data when you use Rodeo (the “Service”), accessible at rodeo.ad. We process your data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
The controller responsible for data processing is:
MITH UG (haftungsbeschränkt)
Brüderstraße 14
10178 Berlin
Germany
Email: hello@rodeo.ad
Impressum: https://rodeo.ad/impressum
For privacy-related inquiries, contact: privacy@rodeo.ad
We have not appointed a Data Protection Officer because we are not required to do so under Art. 37 GDPR (we are below the relevant thresholds and do not process special categories of data on a large scale). For all data protection inquiries, please contact us at the address above.
When you create a Rodeo account and use the Service, we collect:
Account data (provided by you at signup)
Usage data (collected automatically as you play)
Technical data (collected automatically by our infrastructure)
Communication data (if you contact us)
We do NOT collect: precise location, biometric data, health data, political opinions, religious beliefs, ethnic origin, sexual orientation, criminal records, or any other Article 9 GDPR special category data.
We process your personal data on the following legal bases:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service (account, betting, leaderboards, items) | 6(1)(b) — performance of contract |
| Sending account emails (verification, password reset) | 6(1)(b) — performance of contract |
| Securing the Service (rate-limiting, abuse prevention) | 6(1)(f) — legitimate interest |
| Processing payments (B2B seat purchases) | 6(1)(b) + 6(1)(c) — contract + legal obligation |
| Responding to support requests | 6(1)(b) or 6(1)(f) |
| Complying with legal obligations (tax, accounting) | 6(1)(c) — legal obligation |
| Sending product updates (only if you opt in) | 6(1)(a) — consent |
For processing based on consent (6(1)(a)), you may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
For processing based on legitimate interest (6(1)(f)), you have a right to object under Art. 21 GDPR. We will assess your objection and discontinue processing unless we can demonstrate compelling legitimate grounds that override your interests.
We use the following third-party services to operate Rodeo. Each has signed a Data Processing Agreement (DPA) with us as required by Art. 28 GDPR. Each is responsible only for the data we entrust to them for the specified purpose, and may not use it for any other purpose.
| Subprocessor | Purpose | Data shared | Location | Transfer safeguard |
|---|---|---|---|---|
| Vercel Inc. | Hosting + edge network | All Service traffic | USA / EU edge | EU Standard Contractual Clauses (SCCs) + DPA |
| Supabase, Inc. | Database, authentication, file storage | Account data, usage data | EU (Frankfurt) | DPA; data stored in EU |
| Resend Inc. | Transactional email delivery | Email address, email contents | USA | EU Standard Contractual Clauses + DPA |
| Upstash Inc. | Redis cache layer | Short-lived session and rate-limit keys | EU | DPA; data stored in EU |
| Stripe Payments Europe Ltd. | Payment processing (B2B seat purchases) | Billing contact, payment data | Ireland (EU) / USA | Stripe’s own GDPR-compliant processing; EU SCCs |
For non-EU transfers (Vercel, Resend, Stripe), we rely on the EU Standard Contractual Clauses (Modules 2 and 3) as the transfer safeguard under Chapter V GDPR, supplemented by the providers’ own technical and organizational measures.
We do NOT sell or rent your personal data to any third party.
We retain your personal data only as long as necessary for the purposes described above. Specifically:
Under the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, email privacy@rodeo.ad. We will respond within one month per Art. 12(3) GDPR.
You can request account deletion at any time by emailing privacy@rodeo.ad or via Settings → Account → Delete account. Deletion is processed within 30 days (a 14-day grace period during which you can cancel the deletion, followed by a hard delete). After the hard delete, only legally required records (billing, accounting) are retained per § 147 AO.
Rodeo uses the minimum cookies necessary to operate. Specifically:
We do not use Google Analytics, Meta Pixel, or any other behavioral tracking. We do not load third-party advertising. Rodeo Products are ad-free.
We protect your data with industry-standard technical and organizational measures:
In the event of a data breach affecting your personal data, we will notify the supervisory authority within 72 hours per Art. 33 GDPR and notify you without undue delay per Art. 34 GDPR.
We do NOT use your personal data for automated decision-making within the meaning of Art. 22 GDPR (no scoring, no profiling, no automated rejections).
Match settlement and leaderboard calculations are deterministic game mechanics (parimutuel math defined in the Game Rules), not automated decisions about you as a person.
Rodeo is intended for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@rodeo.ad and we will delete the account.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the email address on your account at least 14 days before the changes take effect. The current version is always available at https://rodeo.ad/privacy.
For any questions about this Privacy Policy or how we handle your personal data, contact:
MITH UG (haftungsbeschränkt)
Brüderstraße 14
10178 Berlin
Germany
Email: privacy@rodeo.ad
General contact: hello@rodeo.ad