PRIVACY POLICY — PODIUM
Effective date: June 1, 2026
Last updated: June 1, 2026
Version: 1.0
Preamble
This Privacy Policy (hereinafter the "Policy") describes how your personal data is collected, used, stored and protected when you use the Podium mobile application and website (hereinafter the "Service"), accessible in particular via the domain podium.fan.
Podium is a social network entirely dedicated to sports, allowing its users to share publications, make predictions, interact within sports communities, and follow sports entities (clubs, athletes, competitions).
We attach fundamental importance to the protection of your privacy and undertake to process your data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 ("GDPR") and the French Data Protection Act no. 78-17 of January 6, 1978 as amended.
1. Data controller
The controller of your personal data is:
Théophile Roques
Sole trader operating under the name "Podium"
16 rue des Moines, 75017 Paris, France
SIRET: 105 172 076 00017
Dedicated data protection contact: admin@podium.fan
The data controller also acts as Data Protection Officer (DPO) within the meaning of Article 37 of the GDPR, without this designation being legally required given the nature and scale of the processing carried out.
Important notice: Podium is currently operated under sole trader status. A migration to a corporate structure (SAS) is planned. In the event of a transfer of business, this Policy will be updated and users will be informed in accordance with Article 11 below.
2. Scope
This Policy applies to all personal data collected in connection with your use of the Service, whether through the mobile application (iOS) or the website. It does not apply to third-party websites to which the Service may redirect, which have their own privacy policies.
3. Age requirements
The Service is open to persons aged 15 or over, in accordance with the threshold of autonomous digital consent set by Article 7-1 of the French Data Protection Act.
When you register, you must provide your date of birth, which is used exclusively to verify compliance with this age condition. Any registration made by a person who has not reached the required age will result in the immediate deletion of the account as soon as we become aware of it.
Additionally, the Podium application is listed on the App Store with a 17+ classification (Apple's own policy). This classification may result in additional access restrictions on the App Store side that are independent of our contractual threshold of 15 years.
4. Data collected
We collect the following categories of data.
4.1 Registration and profile data
- Email address
- Password (stored in hashed form, never in plain text)
- Username
- Date of birth (age verification)
- Favorite sports, clubs and athletes (provided during onboarding)
- Profile picture (optional)
- Third-party authentication identifiers if you choose to log in via Sign in with Apple or Google Sign-In
4.2 Data generated by your use of the Service
- Publications of any format: Posts, Takes (articles), Scenas (short vertical videos)
- Comments on publications
- Predictions made on upcoming matches
- Votes cast on interactive widgets and polls
- Club affiliations, subscriptions (follows), blocks, reports
- Messages exchanged in conversations (Discord-style threads)
- Mentions, shares and interactions with other users
4.3 Technical data automatically collected
- IP address
- Device identifiers (IDFA on iOS, subject to your consent via App Tracking Transparency)
- Device model, operating system and version
- Installed version of the Podium application
- Connection logs (date, time, session duration)
- Language and region settings on the device
4.4 Behavioral data (analytics)
Subject to your prior consent, we collect data relating to your interaction with the Service via the PostHog tool: pages viewed, actions performed, navigation paths within the application, session duration, features used. These data are collected for product improvement and audience analysis purposes. This collection includes session recording (session replay) capturing your navigation within the application; input fields and images are automatically masked before transmission.
4.5 Data processed for moderation purposes
The content you publish (text, images, video frames) may be automatically analyzed for moderation purposes via the OpenAI Moderation API, in order to detect any inappropriate content (violence, hate, sexual content, etc.).
4.6 Data NOT collected
For transparency, we specify that Podium does not collect:
- Your banking details (no payments within the Service to date)
- Your phone contacts
- Your precise geolocation
- Health data or so-called "sensitive" data within the meaning of Article 9 of the GDPR
In addition, no data is transmitted to API-Sports (our sports data provider): the communication is unidirectional (we retrieve public data on athletes and competitions, without sending any user data).
5. Purposes and legal bases of processing
In accordance with Article 6 of the GDPR, each processing of your data is based on an identified legal basis.
| Purpose | Legal basis | Details |
|---|---|---|
| Creation and management of your account | Performance of the contract (Terms of Use) | Registration, authentication, profile management |
| Publication of content and social interactions | Performance of the contract | Posts, comments, predictions, votes, conversations |
| Personalization of the feed (Forum) | Performance of the contract | Algorithm based on your favorite sports/clubs/athletes |
| Badge system, credibility score and predictions | Performance of the contract | Profiling intrinsic to the Service. Public display of badges is entirely at your discretion (toggle on/off on your profile) |
| Content moderation | Legitimate interest | Automatic detection of inappropriate content via OpenAI Moderation |
| Platform security and fraud prevention | Legitimate interest | Detection of abnormal behavior, fight against bots and spam |
| Product analytics (PostHog) | Consent | Service improvement, audience measurement |
| Push notifications | Consent | Match alerts, key events, network activity |
| Non-essential cookies and trackers | Consent | See section 9 |
| Retention of connection logs | Legal obligation | Article 6-II of the LCEN (Law No. 2004-575) |
| Response to judicial requisitions | Legal obligation | Cooperation with competent authorities upon legal request |
Profiling and automated decisions: The Forum recommendation algorithm and the calculation of your credibility score constitute profiling within the meaning of Article 22 of the GDPR. These processing operations do not have a legal or similarly significant effect on you: they only determine which content is offered to you within the Service. You retain at any time the possibility of publicly hiding your badges and your score.
6. Recipients of your data and subprocessors
Your data may be communicated to the following recipients, strictly to the extent necessary for the performance of their missions.
6.1 Technical subprocessors
| Subprocessor | Purpose | Data location | Safeguards |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database hosting, authentication, edge functions | Dublin (Ireland) — EU region | Supabase DPA + hosting entirely within the European Union |
| Cloudflare Stream (Cloudflare, Inc.) | Hosting and delivery of Scenas videos | European Union | Cloudflare DPA + Standard Contractual Clauses (SCCs) of the European Commission |
| Apple (Apple Inc.) | Distribution via the App Store, push notifications (APNs), Sign in with Apple | European Union / United States | SCCs + Data Privacy Framework (DPF) |
| Google (Google LLC) | Google Sign-In (if you choose this authentication method) | European Union / United States | SCCs + Data Privacy Framework (DPF) |
| OpenAI (OpenAI, L.L.C.) | Automated content moderation (Moderation API) | United States | SCCs + Data Privacy Framework (DPF) |
| PostHog (PostHog Inc.) | Product analytics | European Union (EU cloud) | PostHog DPA + EU hosting |
| Resend (Resend, Inc.) | Sending transactional emails (email verification, password reset, notifications) | European Union | Resend DPA |
6.2 Public authorities
Your data may be communicated to competent public authorities (judicial authority, police services, CNIL) upon legally founded request.
6.3 Transfers outside the European Union
Some of our subprocessors (Apple, Google, OpenAI) may process data from the United States. These transfers are governed by:
- The Standard Contractual Clauses adopted by the European Commission (Decision 2021/914);
- The Data Privacy Framework (DPF) adopted by the European Commission's adequacy decision of July 10, 2023, to which these subprocessors are certified.
These safeguards ensure a level of protection equivalent to that required by the GDPR.
7. Retention periods
We retain your data for the following periods:
| Data category | Retention period |
|---|---|
| Account data (active account) | As long as your account is active |
| Account data (inactive account) | Automatic deletion after 3 years of inactivity (CNIL recommendation), preceded by a warning email |
| Connection logs | 1 year from connection (Article 6-II LCEN) |
| Publications and comments | As long as your account is active; full deletion upon account deletion |
| Data after account deletion | 30-day soft delete (recovery possible upon request) then full deletion, including public publications |
| Moderation data (reports, sanctions) | 3 years after the last moderation action, for evidentiary purposes |
| Analytics data (PostHog) | 12 months from collection |
| Billing data (when applicable in the future) | 10 years (accounting obligation) |
Account deletion: Upon deletion of your account, all of your public publications (Posts, Takes, Scenas, comments) will be deleted. This deletion may affect the coherence of discussion threads in which you have participated. This policy reflects our commitment to the right to erasure enshrined in Article 17 of the GDPR.
8. Your rights
In accordance with the GDPR, you have the following rights over your personal data.
8.1 List of your rights
- Right of access (Article 15 GDPR): obtain confirmation that your data is being processed and receive a copy thereof.
- Right to rectification (Article 16 GDPR): have inaccurate or incomplete data corrected.
- Right to erasure (Article 17 GDPR): obtain the deletion of your data in the cases provided for by the GDPR.
- Right to restriction of processing (Article 18 GDPR): request the suspension of processing in certain situations.
- Right to portability (Article 20 GDPR): receive your data in a structured, commonly used and machine-readable format.
- Right to object (Article 21 GDPR): object to the processing of your data based on legitimate interest.
- Right to withdraw your consent (Article 7 GDPR): withdraw at any time your consent to processing that depends on it (analytics, push notifications, non-essential cookies).
- Right to define post-mortem directives (Article 85 of the French Data Protection Act): give instructions regarding the fate of your data after your death.
- Right to lodge a complaint with the CNIL (Article 77 GDPR): Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 — www.cnil.fr.
8.2 How to exercise your rights
- Account deletion: you can delete your account directly from the application, in the Settings section of your profile. The deletion takes effect immediately (30-day soft delete then final deletion).
- Export of your data (portability): you can exercise this right by writing to admin@podium.fan. An export of your data will be sent to you in a structured format (JSON).
- Other rights: by email to admin@podium.fan, accompanied by proof of identity if necessary to verify your status.
We undertake to respond to any request within one month of receipt, in accordance with Article 12 of the GDPR. This period may be extended by two months in the case of a complex request; you will then be informed within the initial period.
9. Cookies, trackers and SDKs
9.1 Mobile application
The Podium mobile application does not use cookies in the strict sense of the term. However, it integrates third-party SDKs which collect technical and behavioral identifiers subject to the same consent requirements as cookies, in accordance with CNIL doctrine.
The following SDKs are integrated into the application:
| SDK | Purpose | Subject to consent? |
|---|---|---|
| Supabase | Authentication, operation of the Service | No (strictly necessary) |
| Cloudflare Stream | Playback of Scenas videos | No (strictly necessary) |
| Apple APNs | Push notifications | Yes |
| PostHog | Product analytics and session recording (images masked) | Yes |
9.2 Website
The Podium website uses cookies, the detailed list and purposes of which are set out in our consent management banner, accessible during your first visit and modifiable at any time from the footer.
9.3 App Tracking Transparency (iOS)
In accordance with Apple's requirements, you will be asked at the first launch of the application to authorize or refuse tracking via the advertising identifier (IDFA). Your refusal does not in any way affect your ability to use the Service.
9.4 Managing your preferences
You can change your consent preferences at any time in the Settings section of your profile. Withdrawal of consent does not affect the lawfulness of processing carried out before that withdrawal.
10. Data security
We implement appropriate technical and organizational measures to ensure the security of your data:
- Encryption in transit: all communications between the application/website and our servers are encrypted via TLS 1.2 or higher.
- Encryption at rest: data stored in Supabase is encrypted at the storage level.
- Password hashing: passwords are stored via a secure hash function (bcrypt/argon2).
- Access compartmentalization: only authorized administrators have access to user data, on the basis of a least-privilege principle.
- Regular backups of databases.
- Automated content moderation to prevent the dissemination of illegal content.
In the event of a data breach likely to result in a high risk to your rights and freedoms, we undertake to inform you as soon as possible and to notify the CNIL within 72 hours, in accordance with Articles 33 and 34 of the GDPR.
11. Host status (LCEN)
Podium acts as a passive host within the meaning of Article 6-I-2 of French Law No. 2004-575 of June 21, 2004 on confidence in the digital economy (LCEN). As such, Podium has no general obligation to monitor content published by its users, but acts promptly to remove any manifestly illegal content brought to its attention.
Reporting illegal content: admin@podium.fan
12. Important clarifications
12.1 No money betting
Podium offers a free prediction system for gamification and community engagement purposes. No financial stake is required and no monetary winnings are paid out. Podium is in no way a sports betting platform within the meaning of the French Internal Security Code, and is therefore not subject to regulation by the French National Gaming Authority (ANJ).
12.2 Future advertising
To date, the Service does not display any advertising. However, it is possible that advertising spaces may be introduced in a future version of the Service. Any such development will be subject to an update of this Policy and, where applicable, to obtaining your consent.
12.3 Advertising profiling
No advertising profiling is carried out to date. No data is shared with advertising networks or third-party platforms for targeting purposes.
13. Changes to the Policy
We reserve the right to modify this Policy at any time, in particular to reflect changes in the Service, applicable legislation, or our practices.
In the event of substantial modification, you will be informed by notification in the application and/or by email at least 30 days before the modifications take effect. Continued use of the Service after this date will constitute acceptance of the new version.
The version history is archived and can be consulted on request at admin@podium.fan.
14. Applicable law and jurisdiction
This Policy is governed by French law. Any dispute relating to its interpretation or execution shall fall within the exclusive jurisdiction of the French courts, subject to mandatory provisions applicable to consumers allowing them to bring the matter before the court of their domicile.
15. Contact
For any question relating to this Policy or to your personal data:
Email: admin@podium.fan
Postal mail: Théophile Roques — Podium — 16 rue des Moines, 75017 Paris, France
Podium Privacy Policy — Version 1.0 — In force as of June 1, 2026