Privacy Policy — BZZR
Version: 1.1 Last updated: May 13, 2026 Application: BZZR — iOS and Android mobile application
1. Publisher identity
BZZR is published by SCALE ME UP:
- Legal name: SCALE ME UP
- Legal status: French Société par actions simplifiée unipersonnelle (SASU)
- Share capital: 1 500 €
- Registered office: 20 rue du 22 septembre, 92400 Courbevoie
- Business registration number (SIRET): 88237079400027
- Trade register (RCS): 882 370 794 R.C.S. Nanterre
- EU VAT number: FR48882370794
- General contact email: contact@scalemeup.studio
- GDPR contact email: privacy@scalemeup.studio
- Data Controller: Matthieu Herdhuin
For any question relating to this Privacy Policy or to exercise your rights, please write to the email address above.
2. Data we collect
BZZR is an editorial NBA statistical analysis application. We collect the following categories of data:
2.1 Data provided directly by the user
- Account: email address and password (hashed) at registration
- Profile: nickname (optional), favorite NBA teams, time zone
- Preferences: anti-spoiler blur option state, language
- Uploaded image: the screenshot you submit via the "Decode my ticket" feature is processed to produce a statistical reading. The image is transmitted to our AI provider (Anthropic) and is not retained durably on our side (see §4).
2.2 Data collected automatically
- Technical data: device model, OS version, app version, advertising identifier (IDFA on iOS / AAID on Android)
- Usage data: in-app screens viewed, usage events (for product improvement)
- Diagnostic data: crash reports, technical traces in case of error (via a monitoring tool such as Sentry, integration planned)
2.3 Payment data
BZZR does not collect or store any payment data. In-app transactions are processed exclusively through Apple (App Store) and Google (Google Play) payment systems. Our provider RevenueCat receives only the subscription confirmation (status, expiration date), not your banking information.
3. Purposes of processing
Your data is used for:
| Purpose | Legal basis |
|---|---|
| Creating and managing your user account | Performance of contract |
| Providing app features (scores, analyses) | Performance of contract |
| Personalizing the experience (favorite teams, preferences) | Legitimate interest |
| Analyzing your ticket via AI ("Decode my ticket") | Performance of contract |
| Managing the Premium subscription | Performance of contract |
| Displaying advertising (Free users) | Legitimate interest / consent (per ATT iOS and Google UMP) |
| Audience measurement and product improvement | Legitimate interest |
| Bug detection and technical stability | Legitimate interest |
| Legal obligations | Legal obligation |
4. Subprocessors and data recipients
We rely on third-party providers (subprocessors under GDPR) that may process your data on our behalf:
| Subprocessor | Role | Data location |
|---|---|---|
| Supabase (Supabase Inc.) | Database hosting, user authentication, technical storage | EU region (eu-north-1) |
| RevenueCat (RevenueCat Inc.) | Technical management of in-app subscriptions | United States |
| Google AdMob (Google LLC) | Ad serving for Free users | United States and EU |
| Anthropic (Anthropic PBC) | AI analysis of images submitted via "Decode my ticket" and generation of NBA statistical analyses | United States |
| Sentry (Functional Software Inc.) — integration planned | Crash reporting and technical monitoring | EU (Frankfurt) |
| Apple / Google | App distribution, in-app payments, push notifications | International |
For data transfers to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, on the EU-US Data Privacy Framework when the subprocessor is certified.
5. Image submitted via "Decode my ticket"
When you use the "Decode my ticket" feature:
- The image is base64-encoded on your device
- It is transmitted via an encrypted connection (HTTPS) to our
infrastructure (Supabase Edge Function
analyze-ticket) - It is immediately transmitted to Anthropic for analysis by the Claude Sonnet 4.5 model
- The JSON response is returned to your device
- No persistent copy of the image is retained by BZZR. Anthropic may retain images according to their own retention rules (see their policy: https://www.anthropic.com/privacy)
We advise you not to send images containing personal information that is not necessary for the statistical analysis of the ticket.
6. Retention periods
| Data | Retention period |
|---|---|
| Active user account | As long as you keep your account |
| Account deletion requested | Deleted within 30 days, subject to legal obligations |
| Technical usage data | 13 months maximum |
| Crash reports | 90 days |
| Server logs | 90 days |
| Billing data (via Apple/Google) | As required by law (10 years in France) |
7. Your rights
Under GDPR (EU) and CCPA (California), you have the following rights:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure ("right to be forgotten"): request the deletion of your data. This right can be exercised directly from the app (Profile → Account → Delete my account) or by email
- Right to data portability: receive your data in a machine-readable format
- Right to object: refuse certain processing (e.g., advertising)
- Right to restriction: temporarily freeze processing
- Right to withdraw consent: at any time, without affecting the lawfulness of prior processing
To exercise these rights, write to privacy@scalemeup.studio. We respond within 30 days.
If you believe we are not complying with your rights, you can lodge a complaint with the CNIL (French data protection authority): https://www.cnil.fr/en/plaints, or your local supervisory authority.
California residents have additional rights under the CCPA, including the right to opt out of the sale of personal information. We do not sell personal information.
8. Account deletion
Per App Store requirements (since June 2022), you can delete your account directly from the application:
Profile → Account → Delete my account
Deletion is irreversible. It triggers:
- erasure of your user profile (
user_profiles); - erasure of your preferences;
- erasure of your analyzed tickets history;
- automatic stop of your Premium subscription (also manage on Apple/Google side to stop renewal).
Some data may be retained beyond for legal purposes (billing: 10 years; anti-fraud logs: 1 year).
9. Minors and adult audience
BZZR is designed for adult audiences (18+). The Insights tab features a permanent "+18 — editorial statistical analysis" banner displayed at the bottom of the screen.
We explicitly clarify:
- no market odds, lines, spreads, or totals are displayed on the surface of the app;
- the Insights reads are editorial statistical content (matchups, x-factor, team signals), not betting recommendations;
- the published content does not in any way encourage betting or wagering.
We do not knowingly collect data concerning children under 13. If you are a parent or guardian and you believe your child has provided us data, please contact us: we will delete it immediately.
10. Advertising and tracking
For Free users, the app displays advertising via Google AdMob.
On iOS
When you open the app, iOS asks for your tracking authorization through the App Tracking Transparency (ATT) mechanism. You may decline: ads will still display but will not be personalized.
On Android and iOS (EU)
During your first session, Google asks for your consent via the User Messaging Platform (UMP) for the use of advertising cookies. You can refuse or accept per category.
You can change these preferences at any time:
- iOS: Settings → Privacy & Security → Tracking
- Android: Google Settings → Ads → Reset advertising ID
11. Security
We implement reasonable technical and organizational measures to protect your data:
- TLS encryption for all network communications;
- hashed passwords (bcrypt) — we never store your password in clear;
- Row Level Security (RLS) policies on Supabase to compartmentalize data access;
- restricted access to data on a need-to-know basis;
- encrypted database backups.
No system being infallible, we cannot guarantee absolute security. In case of a data breach, we will notify the CNIL within 72 hours and affected users without undue delay, in accordance with GDPR.
12. Policy changes
We may modify this policy to reflect legal, technical, or product changes. The "Last updated" date at the top of the document indicates the version in effect.
For substantial changes, we will notify you via:
- a banner in the application;
- an email (if you have an account).
13. Contact
For any question:
- Email: contact@scalemeup.studio
- Postal address: 20 rue du 22 septembre, 92400 Courbevoie
To exercise your GDPR rights: privacy@scalemeup.studio