Last revised: 2026-06-10 (version 2026-06-10-v4 — added credits wallet data to data collection and fiscal retention).
This Privacy Policy explains how MeetPlayNow ("we", "us", "the platform") collects, uses, and protects personal data of players, organizers, and visitors. It is issued in compliance with the EU General Data Protection Regulation (GDPR) and the Thai Personal Data Protection Act B.E. 2562 (PDPA).
1. Data Controller
The data controller for personal data processed through MeetPlayNow is:
GiBSeS OÜ
Juhkentali 8, 10132 Tallinn, Estonia
Email for privacy matters: privacy@meetplaynow.com
GiBSeS OÜ is registered in Estonia (EU). For PDPA-related contacts from Thai users, the same address applies; we have no separate Thai establishment at this time.
2. Data We Collect
We collect only data needed to operate the platform:
- Account data: email address (required for account creation), hashed password, locked/disabled status, audit timestamps.
- Profile data: display name, optional public handle (slug), optional biography, optional avatar URL, sport ratings (computed from match results).
- Optional contact data: phone number (used only for tournament-related warnings if you opt in).
- Operational data: IP address and user agent at login, signup, and consent events (for security audit and fraud prevention).
- Tournament data: registrations, payment receipts, match results, ranking history.
- Billing data (only if you choose to provide it): legal name, VAT number, billing address — collected exclusively for invoice issuance under Estonian fiscal law.
- Credits wallet data: your credit balance and an append-only ledger of credit movements (grants, purchases, spends, refunds) with amounts, reasons, and timestamps — used to operate the wallet and as accounting records of credit purchases.
- Chatbot data (only if you opt in): conversation transcripts with Khun Somtum and the locale you used. See section 9 below.
We do not collect special categories of data (health, biometrics, political opinions, religion, etc.).
3. Legal Basis for Processing (GDPR Art. 6)
We rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): account creation, tournament participation, payment processing, match scoring.
- Legitimate interest (Art. 6(1)(f)): security audit logs, fraud prevention, abuse moderation, platform integrity.
- Legal obligation (Art. 6(1)(c)): retention of payment and invoicing records under Estonian fiscal law.
- Consent (Art. 6(1)(a)): non-essential cookies, marketing communications, public profile visibility, optional phone-number contact, and chatbot interactions (see section 9).
You may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
4. Retention
- Account data: kept while your account is active. On deletion or purge request, we anonymize personal identifiers and disable login.
- Payment and invoicing records: retained for 7 years in line with Estonian fiscal obligations.
- Credit purchase records: the ledger of purchased-credit transactions is retained for 7 years as part of our accounting and invoicing records under Estonian fiscal law.
- Audit and security logs: retained for 12 months and then aggregated or deleted.
- Consents ledger: retained as long as required to evidence the lawfulness of processing (typically the lifetime of the account plus the statutory limitation period).
- Chatbot conversation transcripts: retained for 30 days for quality assurance and abuse-prevention review, then automatically purged.
5. Your Rights (GDPR Art. 15-22)
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate or incomplete data (Art. 16).
- Erasure ("right to be forgotten") subject to legal retention obligations (Art. 17).
- Restriction of processing in specific cases (Art. 18).
- Data portability in a structured, machine-readable format (Art. 20). When you download your data, IP addresses in the audit history are masked to /24 (IPv4) or /64 (IPv6) for data minimization — only the network prefix is retained, not the full host address.
- Objection to processing based on legitimate interest (Art. 21).
- Not to be subject to automated decisions with legal or similarly significant effect (Art. 22). We do not perform such automated decisions on the platform.
6. How to Exercise Your Rights
You can exercise any of the rights above by:
- Sending an email to privacy@meetplaynow.com, or
- Using the privacy controls available in /dashboard/privacy when logged in.
We will reply within 30 days. If we cannot honor a request (e.g. erasure conflicts with fiscal retention), we will explain the reason in writing.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with your local supervisory authority.
7. PDPA Thailand
The same rights described in section 5 apply to users resident in Thailand under the PDPA (B.E. 2562). The platform is intended for users aged 18 or above; users under 20 in Thailand may be required to provide parental consent in accordance with Thai law.
8. Cookies
We use cookies and similar technologies. Details are in our Cookie Policy. Strictly necessary cookies are always active; preference, analytics, and marketing cookies, as well as the chatbot toggle, are loaded only with your consent.
9. Chatbot Service (Khun Somtum)
MeetPlayNow offers an optional AI chatbot named Khun Somtum to help you navigate the platform and to answer questions about tournaments, sports, rules, and onboarding. You can use it in any language (with first-class support for English and Thai).
Activation. The chatbot is opt-in. It is loaded only after you grant the "Khun Somtum chatbot" consent in our cookie banner or in your /dashboard/privacy settings. If consent is withheld or revoked, the widget is not loaded and no conversation data is sent to our chatbot infrastructure.
Data we process for the chatbot.
- The text of messages you send and receive.
- The locale you use during the conversation.
- A non-persistent session identifier (random UUID) for anonymous visitors, or your account user ID if you are logged in. We use this only to apply rate limits and to associate a transcript with you on request.
Where the chatbot runs. Conversations are processed by our self-hosted automation pipeline (n8n) running on EU infrastructure. The pipeline forwards messages to a third-party large-language-model (LLM) provider for response generation. Message content is sent to the LLM provider for the sole purpose of generating a reply. We do not allow the provider to train its models on your messages.
Retention. Conversation transcripts are retained for 30 days for quality assurance, abuse review, and to debug problems you may report. After 30 days they are automatically purged. You can request earlier deletion of your transcripts at any time at privacy@meetplaynow.com.
Rate limits. Anonymous visitors are limited to 5 messages per browser session; logged-in users have higher limits. These limits help us prevent abuse and control costs; they are not a profiling mechanism.
No automated decisions. The chatbot does not take any decision that has legal or similarly significant effects on you (no account suspensions, no payments, no eligibility decisions). If a chatbot suggestion conflicts with the official tournament rules or the platform terms, the official rules and terms prevail.
Withdrawal of consent. You can revoke chatbot consent at any time from the cookie banner or /dashboard/privacy. Revocation hides the widget on next page load and stops new data collection. Existing transcripts will be purged within the standard 30-day window or, on request, immediately.
Legal basis. GDPR Art. 6(1)(a) consent for EU/EEA users; PDPA Section 24(1) consent for users in Thailand.
10. International Data Transfers
Personal data is hosted in the European Union (Estonia). We do not transfer data outside the EU/EEA except for:
- Stripe, Inc. (United States), our payment processor. Transfers are covered by Standard Contractual Clauses (SCC) and the EU-U.S. Data Privacy Framework (DPF).
- Chatbot LLM provider (see section 9) when chatbot consent is granted. Where the provider is located outside the EU/EEA, transfers are covered by appropriate safeguards (Standard Contractual Clauses or equivalent).
11. Security
We apply industry-standard safeguards: TLS in transit, hashed passwords, principle of least privilege, audit logging, and regular review of access rights.
12. Updates to This Policy
We may update this Privacy Policy. Material changes will be notified by email or in-app notice; the current version is always available at /privacy. Previous versions remain accessible on request via privacy@meetplaynow.com.
13. Contact
For any privacy-related question or request: privacy@meetplaynow.com.