Back to home

Privacy Policy

Last updated: March 17, 2026

1. Data Controller

osocios.club ("we", "us", "the Platform") is operated by Osocios S.R.L, with registered address in Barcelona, Spain. For privacy inquiries, contact us at privacy@osocios.club.

2. What Data We Collect

2.1 Club Visitors (Invite Requests)

When you request an invite to a club, we collect:

  • Your name
  • Your contact information (email or phone, as you provide)
  • Optional message
  • Timestamp of your consent to this policy

2.2 Club Members

When a club creates your member account, the following is stored:

  • Member code (your unique identifier)
  • Full name (if provided by the club)
  • PIN hash (for staff accounts only — we never store your PIN in plain text)
  • Membership status and expiry date
  • Activity data: spin history, quest completions, event RSVPs and check-ins, badge achievements

2.3 Club Owners (Administrators)

  • Email address
  • Password (stored as a secure hash, never in plain text)

2.4 Cookies

We use the following cookies:

  • clubos-member-token — Authentication session (7 days, essential)
  • clubos-staff-token — Staff authentication session (12 hours, essential)
  • clubos-owner-token — Admin authentication session (24 hours, essential)
  • clubos-lang — Language preference (30 days, functional)

All cookies are HttpOnly, Secure, and SameSite=Lax. We do not use tracking or advertising cookies.

2.5 Uploaded Content

Club administrators may upload images (logos, event photos, gallery images). Members may upload proof images for quest completion when required by the club.

3. Legal Basis for Processing

  • Consent — For invite requests and voluntary data submissions
  • Legitimate interest — For member account management by club administrators
  • Contract performance — For club owner accounts and platform services

4. How We Use Your Data

  • To authenticate you and manage your sessions
  • To enable club features (events, quests, rewards, badges)
  • To process invite requests on behalf of clubs
  • To send password reset emails (club owners only)
  • To maintain audit logs of administrative actions

5. Data Processors (Third Parties)

ProcessorPurposeLocation
SupabaseDatabase and file storageEU (eu-west-1)
VercelWeb hosting and deploymentEU
ResendTransactional email (password resets)US
TelegramStaff notifications (only if configured by club)Global

6. Data Retention

  • Member accounts are kept while the club is active. Deletion available upon request.
  • Invite requests are kept until reviewed by the club administrator.
  • Password reset tokens expire after 1 hour.
  • Activity logs and spin history are retained for the lifetime of the club.
  • Authentication cookies expire as noted above.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate data
  • Erasure — Request deletion of your data ("right to be forgotten")
  • Data portability — Receive your data in a structured format
  • Object — Object to processing based on legitimate interest
  • Withdraw consent — Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at privacy@osocios.club.

8. Supervisory Authority

You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

9. Changes to This Policy

We may update this privacy policy from time to time. The "last updated" date at the top reflects the most recent revision. Continued use of the platform after changes constitutes acceptance.