Skorby Privacy Policy — surviveF5 GmbH

1. Introduction

Welcome to the privacy policy for the Skorby services provided by surviveF5 GmbH. This document explains how we collect, process, store, and protect your data when you use the Skorby website (skorby.com), the Skorby mobile app, and the Skorby Livestream app, together with their associated services. We are committed to protecting your personal data and ensuring transparency in accordance with the European Union General Data Protection Regulation (GDPR) and, for data accessed from Google accounts, the Google API Services User Data Policy, including its Limited Use requirements.

2. Data Controller

The data controller responsible for the processing of your personal data is:

surviveF5 GmbH
Lärchenweg 13, 40669 Erkrath, Germany
E-mail: info@surviveF5.com
Phone: +49 21048181032

For any questions regarding this privacy policy or our data practices, please contact us using the details above.

3. Data We Process

3.1 Skorby App - General Data

Generic Match Data and History: The Skorby app stores generic match data and its history together with an anonymized user ID. No additional personal data is collected by the app itself.

3.2 Pro Version Data

Score Data: When using the Pro version, your score data is stored on our servers hosted by Amazon Web Services (AWS). AWS acts as our data processor.
Purchase Data: When you make a purchase, your purchase history along with your user ID is stored by RevenueCat, which handles payment processing as a data processor. Purchase data in RevenueCat is retained for 6 years.

3.3 Web Board Data (Paid Plan)

If you use the web board feature on a paid plan, we additionally collect and store the following data:

Browser type and version
Operating system used
Time of the server request
IP address
Browser language (e.g., German)
Log files

This data is stored for a period of 90 days.

3.4 Skorby Livestream App – Google User Data

The Skorby Livestream Android app lets you stream your Skorby scoreboard overlay to your own YouTube channel. Streaming to YouTube requires you to sign in with your Google account and to authorize the app to manage broadcasts on your channel. This section describes, specifically and in full, how the app handles data obtained from your Google account, in line with the Google API Services User Data Policy – Limited Use requirements.

3.4.1 Data Accessed

When you sign in, the app requests the following OAuth scopes from Google:

openid, profile, email — the standard Google Sign-In identity scopes. From the resulting sign-in object, the app reads only your email address; your display name, Google user ID, and profile photo URL are not read or persisted by the app.
https://www.googleapis.com/auth/youtube — manage your YouTube account. The app uses this scope solely to read and manage live-streaming resources on the YouTube channel you are signed into. Concretely, the app calls the YouTube Data API v3 to:
- list your own upcoming and past live broadcasts (title, description, scheduled start time, thumbnail URL, privacy status, lifecycle status, made-for-kids flag, latency preference, bound stream ID) so you can pick or copy one;
- list your own live streams and read their status, health, and CDN ingestion address / stream key so the app can connect via RTMP and monitor stream health;
- create a new live stream and a new live broadcast on your channel using the title, description, privacy setting, schedule, latency, and made-for-kids flag that you entered in the app;
- bind a broadcast to a stream, transition it through its lifecycle states (ready → testing → live → complete), and update properties such as auto-start; and
- upload the thumbnail image you chose for the broadcast.

The app does not request the youtube.force-ssl or youtube.readonly scopes, and it does not access any Google data outside of the operations listed above. All operations apply exclusively to the signed-in user's own YouTube channel.

3.4.2 Data Usage

Google user data is used only to provide the live-streaming feature you explicitly initiate: showing you a list of your own broadcasts to choose from, creating the broadcast you configure, uploading the thumbnail you select, binding the broadcast to an RTMP ingest, transitioning its lifecycle while you stream, and displaying its real-time health. Your email address is used solely to label the currently signed-in account in the app's destination picker (e.g. “Signed in as you@example.com”). Google user data is never used for advertising, analytics, profiling, or to develop, improve, or train generalized or non-personalized AI / machine-learning models.

3.4.3 Data Sharing

Google user data accessed by the Skorby Livestream app is not shared, sold, transferred, or otherwise made available to any third party. All YouTube Data API calls are made directly from your Android device to Google's servers (youtube.googleapis.com and www.googleapis.com). No Google user data, OAuth token, email address, broadcast metadata, or YouTube content is sent to surviveF5's servers (AWS), to RevenueCat, or to any other processor. surviveF5's backend is used only for the unrelated Skorby scoreboard and overlay features described in sections 3.1–3.3 and never receives YouTube data.

3.4.4 Data Storage and Protection

Email address: stored locally on your device in the app's private EncryptedSharedPreferences store, which is backed by the Android Keystore using AES-256 (AES256-SIV for keys, AES256-GCM for values). It is excluded from Android Auto Backup and never leaves the device.
OAuth tokens: the app does not persist any access or refresh tokens itself. Access tokens are requested on demand from Google Play Services (GoogleAuthUtil.getToken); Google Play Services caches and silently refreshes them in its own secure storage, outside the app's own storage.
YouTube content (broadcast lists, stream keys, ingestion addresses, thumbnails, etc.): fetched on demand for the duration of the active screen and kept only in volatile in-memory state. None of it is written to disk, to logs, to cloud backup, or to any server.
Transport security: all calls to Google APIs use HTTPS / TLS.

3.4.5 Data Retention and Deletion

You are in full control of the Google user data accessed by the Skorby Livestream app:

Disconnect from inside the app: tap Disconnect on the Skorby Livestream sign-in screen to revoke the app's access to your Google account, clear the stored email address, and end the OAuth session.
Revoke from your Google account: you can alternatively revoke the app's access at any time at myaccount.google.com/permissions. This invalidates the OAuth grant and Google Play Services' cached tokens for the app.
Uninstall the Skorby Livestream app to remove the locally stored email address and all app data from your device.
Manage YouTube content directly: broadcasts, streams, and thumbnails created by the app live on your own YouTube channel and can be edited or deleted by you at any time via YouTube Studio. surviveF5 cannot delete YouTube content on your behalf because we never store it.
Deletion request: as no Google user data is held on surviveF5 servers, there is nothing for us to delete server-side. If you would like written confirmation of this or have any other deletion request, please write to info@surviveF5.com and we will respond within 30 days.

3.4.6 Limited Use Affirmation

The Skorby Livestream app's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Google user data is used only to provide and improve the user-facing features of the Skorby Livestream app described above.
Google user data is not transferred to others except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user's explicit prior consent.
Google user data is not used for serving advertisements, including retargeted, personalized, or interest-based advertising.
Humans at surviveF5 do not read Google user data. Limited exceptions, as permitted by Google's policy, apply only where the user has given explicit consent, where required for security purposes (such as investigating abuse), to comply with applicable law, or where the data has been aggregated and is used for internal operations in line with applicable privacy obligations.
Google user data is not used to develop, improve, or train generalized or non-personalized AI and/or machine learning models.

4. Purpose of Data Processing

We process your data for the following purposes:

Providing and Maintaining the App: Storing match data and history, as well as score data (in the Pro version), is necessary to offer you the full functionality of the Skorby app.
Payment Processing: Purchase data is stored to manage payment transactions via RevenueCat.
Service Improvement and Security: Log data from the web board is processed for technical administration, security, and troubleshooting.
Live Streaming to YouTube: Google user data accessed via the Skorby Livestream app (email address and YouTube live-streaming resources) is used exclusively to authenticate you, to let you pick or configure a broadcast on your own channel, to create and operate that broadcast, and to monitor stream health while you are live. Details are in section 3.4.

5. Legal Basis for Processing

Our processing of your personal data is based on the following legal grounds:

Performance of a Contract: The processing is necessary for the performance of the contract between you and surviveF5 GmbH (e.g., to provide the app and its features).
Legitimate Interests: In some cases, processing is required for our legitimate interests in ensuring the security, quality, and improvement of our services.
Consent: Where applicable, processing may be based on your explicit consent, which you can withdraw at any time (see Section 7.6).

6. Data Retention

Generic Match Data & History: Data is stored on our servers for as long as the web board exists (typically 24 hours).
Web Board Log Data: Log files and related data are stored for 90 days.
Purchase Data: Purchase data stored via RevenueCat is retained for 6 years.
Skorby Livestream – Email Address: Stored locally on your Android device until you sign out of the app, revoke access at myaccount.google.com/permissions, or uninstall the app. It is never stored on our servers.
Skorby Livestream – YouTube Content: Broadcast lists, stream keys, ingestion addresses, and thumbnails fetched from the YouTube Data API are held only in volatile in-memory state for the duration of the active screen and are not retained on the device or on our servers.
Skorby Livestream – OAuth Tokens: Not persisted by the app. Tokens are managed by Google Play Services and remain valid until you revoke the app's access via your Google Account.

7. Your Rights as a Data Subject

If your personal data is processed, you are entitled to the following rights under the GDPR:

7.1 Right to Access

You can request information about whether and which personal data we process, and you have the right to access your personal data (Art. 15 GDPR). Please note that this right may be subject to limitations in certain cases.

7.2 Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected or completed (Art. 16 GDPR).

7.3 Right to Erasure and Restriction of Processing

Subject to legal requirements, you may request the deletion (Art. 17 GDPR) or restriction of processing of your personal data (Art. 18 GDPR). Note that the right to erasure does not apply when data processing is necessary to comply with a legal obligation (Art. 17(3)(b) DSGVO).

7.4 Right to Object

You can object at any time to the processing of your personal data based on your particular situation (Art. 21 GDPR). If your objection is justified under applicable law, we will cease processing your personal data.

7.5 Right to Data Portability

If applicable (per Art. 20 GDPR), you can request that we provide you with your personal data in a structured, commonly used, and machine-readable format.

7.6 Withdrawal of Consent

If data processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal only affects future data processing; previously processed data remains lawful.

7.7 Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority. The responsible authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4, 40213 Düsseldorf, Germany
Phone: 0211/38424-0
Fax: 0211/38424-10
E-mail: poststelle@ldi.nrw.de

We recommend that you contact us first using the details in Section 2 before reaching out to the supervisory authority.

Requests to exercise your rights should be made in writing to the contact details provided above.

8. Data Sharing and Transfers

Data Processors:
- Amazon Web Services (AWS): Your score data (for the Pro version) is stored on AWS servers, which may be located worldwide, including in the United States.
- RevenueCat: Your purchase data and user ID are processed by RevenueCat, a US-based company. Data stored by RevenueCat is stored in the United States.
International Data Transfers: Because AWS and RevenueCat operate and store data in the United States, your data may be transferred outside the European Economic Area (EEA). Such transfers are made in accordance with applicable data protection regulations, and we implement appropriate safeguards (such as Standard Contractual Clauses) to ensure that your data is adequately protected.
Google (Skorby Livestream app only): When you use the Skorby Livestream app and sign in with your Google account, the app communicates directly from your device with Google's YouTube Data API on your behalf, in order to manage live broadcasts on your own channel. Google acts as an independent data controller for the data you authorize it to process; its handling of that data is governed by the Google Privacy Policy. surviveF5 does not receive, store, or relay this data.
Google User Data – Limited Use: Google user data accessed via the Skorby Livestream app is never sold, transferred to third parties for unrelated purposes, used for advertising, read by humans at surviveF5 (except in the narrow circumstances permitted by Google's policy and outlined in section 3.4.6), or used to develop or train generalized AI / ML models. See section 3.4 for the full disclosure required by the Google API Services User Data Policy.
No Additional Third-Party Transfers: We do not transfer your data to any other third parties outside of the above-mentioned processors and, for the Skorby Livestream app, the Google APIs you authorize.

9. Data Security

We implement appropriate technical and organizational measures to protect your data from unauthorized access, alteration, disclosure, or destruction. These measures are continuously evaluated and improved as necessary. For the Skorby Livestream Android app specifically, the locally stored email address is held in EncryptedSharedPreferences backed by the Android Keystore (AES-256), OAuth access tokens are managed by Google Play Services rather than stored by the app, and all communication with Google APIs uses HTTPS / TLS.

10. Changes to This Privacy Policy

We may update this privacy policy periodically to reflect changes in our practices or for legal, technical, or regulatory reasons. The current version will always be available within the app and on our website. Please review the policy regularly to stay informed about how we protect your data.

11. Contact

If you have any questions about this privacy policy or our data practices, please contact us: