This Privacy Policy describes how Go Shoot! collects, uses, shares and protects the personal data of users who use the Go Shoot! website, web app and mobile app (collectively, the "Service"). The Policy is drafted in accordance with EU Regulation 2016/679 ("GDPR") and applicable data-protection law.
The goal is to provide clear, transparent and proportionate information about the processing activities actually carried out through the Service.
For any privacy-related enquiry or to exercise the rights set out in the GDPR, please contact: [email protected].
1. Data Controller
The Data Controller is:
- Name: David Gargaro
- Contact email (also for privacy requests): [email protected]
- Certified email (PEC): [email protected]
- VAT number: 14471740960
Where a Data Protection Officer (DPO) has been appointed, the relevant contact details are as follows:
- DPO: Not applicable
- DPO contact: Not applicable
2. Scope of Application
This Policy applies to personal-data processing carried out through:
- the Go Shoot! website at goshootapp.com;
- the Go Shoot! web app at goshootapp.com/app;
- the Go Shoot! mobile app for Android and iOS;
- any contact forms, informational pages, registration, login, tournament management, maps, support, in-app purchases and related Service communications.
Where specific sections of the site or app are governed by dedicated or supplementary policies, those policies will prevail for the processing described therein.
3. Categories of Data Processed
Depending on the features used, the Service may process the following categories of personal data.
3.1 Data provided directly by the user
The Controller may process data voluntarily submitted by the user during registration, use of the Service or contact with support, such as:
- email address;
- nickname / username;
- any content submitted through contact forms or support requests;
- any information provided when entering tournaments, creating events or using Service features.
Unless otherwise specified, the Service does not require submission of a real name, surname, phone number or payment data directly to the Controller.
3.2 Service usage data
During use of the Service, data required to deliver its core features may be processed, for example:
- tournaments created or joined by the user;
- results, statistics and match history;
- decks, combos, preferences or virtual collections saved by the user;
- profile settings and in-Service preferences.
Some of this data may be visible to other users of the Service to the extent strictly necessary for the social, competitive or organizational features of the product, as described within the app.
3.3 Geolocation data Mobile appWeb app
Where the user uses the map feature or nearby-event search, the Service may access the device's geographic location, with the user's prior consent, solely to display tournaments or content relevant to their location.
Unless expressly stated otherwise in the Service:
- location is not collected in the background;
- location is not used for incompatible additional purposes;
- denying geolocation permission does not prevent use of other essential Service features, except those strictly dependent on location.
3.4 Camera / QR scan data Mobile app
If the Service provides QR scanning or similar features, the device may request camera access solely to enable scanning of codes required to use those features.
Unless otherwise specified:
- no photos or video recordings are saved as a result of scanning;
- no visual content is processed for purposes beyond the scan itself;
- denying camera permission only prevents use of the feature that requires it.
3.5 Technical and log data
The Controller and the technology providers used to deliver the Service may process technical and operational data, such as:
- IP address or equivalent technical identifiers;
- device and operating system data;
- technical logs, application events, errors and diagnostic information;
- Service performance data and app crash information.
Such data may be processed to ensure security, stability, maintenance, abuse prevention and the correction of malfunctions.
3.6 Advertising and monetisation data WebsiteMobile app
If the Service displays advertisements or includes monetisation features, data such as the following may be processed:
- device advertising identifiers, where applicable;
- data on ad impressions, interactions or performance;
- device and contextual technical data required to serve personalised or non-personalised ads, in line with the user's expressed preferences and applicable law.
For details on advertising preferences and applicable legal bases, see Section 7 of this Policy.
3.7 In-app purchase and subscription data Mobile app
Where the Service includes in-app purchases, subscriptions or paid content, payments are handled by the respective store providers or third-party payment platforms. Unless otherwise stated, the Controller does not directly process the user's complete payment data (e.g. card number or bank details), but may receive limited information strictly necessary to verify the status of a purchase, subscription or premium feature activation.
4. Purposes of Processing and Legal Bases
Personal data is processed only where a valid legal basis exists, as required by the GDPR.
| Purpose | Data processed | Legal basis |
|---|---|---|
| Creating and managing user accounts | Email, nickname, credentials or account identifiers | Performance of a contract or pre-contractual measures — Art. 6(1)(b) GDPR |
| Delivering the core Service features, including tournaments, decks, results and user functionality | Service usage data, account content, functional data | Performance of a contract — Art. 6(1)(b) GDPR |
| Geolocation to show nearby events or content | Location data | Consent — Art. 6(1)(a) GDPR |
| Camera access for QR scanning | Camera access, related technical data | Consent / device permission; where applicable, performance of the service requested by the user |
| Security, abuse prevention, maintenance, technical logging and operational continuity | Technical data, logs, technical identifiers | Legitimate interest of the Controller — Art. 6(1)(f) GDPR |
| Crash analysis, diagnostics and stability improvement | Technical data, error logs, crash reports | Legitimate interest of the Controller — Art. 6(1)(f) GDPR |
| Displaying non-personalised advertisements | Minimal technical data, contextual information | Legitimate interest of the Controller — Art. 6(1)(f) GDPR |
| Displaying personalised advertisements and related measurement | Advertising ID, preferences, ad interactions, relevant technical data | Consent — Art. 6(1)(a) GDPR |
| Handling support requests and enquiries | Data in the request, email, message content | Pre-contractual measures, contract or legitimate interest, depending on the nature of the request |
| Compliance with legal, tax, accounting or regulatory obligations | Data required for compliance | Legal obligation — Art. 6(1)(c) GDPR |
Providing data required for the delivery of essential Service features is necessary; failure to do so may prevent registration or use of certain features. Providing data processed on a consent basis is optional and withholding consent does not, except to the extent required, affect access to the remaining Service features.
5. Processing Methods
Personal data is processed using electronic tools and, where necessary, organisational procedures designed to ensure a level of security appropriate to the risk, in accordance with the GDPR principles of lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation and integrity and confidentiality.
Processing is carried out by persons authorised by the Controller and, where necessary, by third-party providers appointed as data processors or acting as independent data controllers, according to their respective applicable legal roles.
6. Source of Data
Personal data may be collected:
- directly from the user;
- automatically during use of the Service;
- through technology providers or platforms for authentication, payment, hosting, mapping, crash reporting, analytics or advertising, to the extent necessary for Service delivery.
7. Consent, Advertising, Cookies and Similar Technologies
Where the Service uses advertising tools, SDKs, cookies, device identifiers or similar technologies subject to consent, the user will receive, where required by law, a choice mechanism or a consent management platform (CMP/UMP) allowing them to accept, refuse or modify preferences relating to optional processing activities.
In particular, for users located in the European Economic Area, the United Kingdom or Switzerland, preferences relating to personalised advertising, where applicable, must be collected in accordance with the rules and frameworks adopted by the providers involved.
If the website uses cookies or similar tools beyond those that are strictly technically necessary, a dedicated cookie policy or supplementary notice should be published with detail on cookie categories, purposes, duration and how to manage preferences.
Current Service configuration:
- CMP / UMP used (mobile app): Google User Messaging Platform (UMP), integrated with Google AdMob, compliant with the IAB TCF framework and Google guidelines for the European Economic Area.
- CMP used (website): Google "Privacy & messaging" (CMP integrated in Google AdSense), compliant with the IAB TCF v2.2 framework and Google guidelines for the EEA, UK and Switzerland. The panel is shown on first visit; choices can be modified at any time via the "Manage cookie preferences" link in the footer.
- Advertising on the website: the site uses Google AdSense with Auto-ads to display advertisements on marketing pages only (landing, pricing, informational). The page hosting the web app (goshootapp.com/app) is excluded from the advertising network. Ads may be personalised or non-personalised depending on preferences expressed through the CMP panel. For more information: policies.google.com/technologies/ads.
- Advertising on the mobile app: both personalised and non-personalised ads via Google AdMob. Personalised ads are shown exclusively to adult users who have given consent through the UMP panel at first app launch. Users who are minors or have not given consent are shown non-personalised ads only.
- Modifying preferences: on the mobile app, at first launch or from Settings → Privacy in a future version of the Service. On the website, from the initial CMP panel or the "Manage cookie preferences" link in the footer.
- Analytics on the website: Google Analytics 4 with anonymised IP, compliant retention periods and Google Consent Mode v2 (
ad_storage,analytics_storage,ad_user_data,ad_personalizationsignals) coordinated with the CMP. - Dedicated cookie policy: for details of the cookies used by the website, their respective providers, durations and purposes, see the Cookie Policy.
8. Recipients of Data and Categories of Third Parties
Data may be communicated or made accessible, to the extent strictly necessary, to the following categories of recipients:
- authorised staff or collaborators of the Controller;
- cloud infrastructure, hosting, database and authentication providers;
- stability, security, support and maintenance tool providers;
- map, notification, social or federated authentication providers;
- store providers and payment platforms for in-app purchase management;
- advertising partners and their technology providers, within the limits of the user's expressed preferences;
- legal, tax or administrative advisors, where necessary;
- public authorities or entities legally entitled to receive data.
By way of example, the Service may use the following providers or categories of providers:
| Provider / Category | Purpose / Service | Privacy role (to be verified in the specific case) |
|---|---|---|
| Google / Firebase | authentication, database, hosting, messaging, crash reporting, analytics and related services | Data Processor (under Google's standard Data Processing Addendum) |
| Google Maps / mapping services | maps, geolocation, event search | Independent Controller |
| Google AdMob | ad delivery and measurement on the mobile app | Independent Controller |
| Google AdSense | ad delivery and measurement on the website's marketing pages (excluding the web app) | Independent Controller |
| Google Analytics 4 | anonymised statistical analysis of web traffic, integrated with Google Consent Mode v2 | Data Processor (under Google's Data Processing Addendum) |
| Google Sign-In / Apple Sign-In | federated authentication | Independent Controllers |
| Apple / Google Play | app distribution, in-app purchases, subscriptions | Independent Controllers |
For up-to-date information on the processing carried out by third parties, please also consult their respective privacy policies.
9. International Data Transfers
Where some Service providers process personal data outside the European Economic Area or allow access from third countries, the transfer will comply with Articles 44 et seq. of the GDPR, using one of the guarantee mechanisms provided by applicable law, such as adequacy decisions, Standard Contractual Clauses (SCCs) or other permitted instruments.
Transfer details:
- Providers involved in extra-EEA transfers: Google LLC and Apple Inc. (United States of America), in connection with the services listed above (Firebase, Google Maps, AdMob, Google Analytics, Google/Apple Sign-In, Google Play and the App Store).
- Transfer mechanism used: EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) for certified providers, supplemented, where applicable, by Standard Contractual Clauses (SCCs) approved by the Commission as an additional safeguard.
- Provider policies:
- Google — policies.google.com/privacy
- Firebase — firebase.google.com/support/privacy
- Google AdMob — support.google.com/admob/answer/6128543
- Google AdSense — policies.google.com/technologies/ads
- Apple — apple.com/legal/privacy
10. Data Retention
Personal data is retained for no longer than necessary to achieve the purposes for which it was collected, subject to legal retention obligations or the need to defend claims in legal proceedings.
| Data category | Criterion / retention period |
|---|---|
| Account data (email, nickname, profile) | For the duration of the account and for the time strictly necessary to handle any requests after account closure |
| Tournament data, results, decks, user content | For the duration of the account or in accordance with Service settings and declared operational requirements |
| Geolocation data | Only for the time strictly necessary to deliver the feature, unless otherwise specified |
| QR scan / camera data | Not retained, unless expressly stated otherwise in the Service |
| Crash reports and technical logs | 90 days (Firebase Crashlytics default retention) |
| Purchase, subscription and administrative compliance data | For the period required by applicable accounting, tax or contractual law |
| Support and assistance data | For the time necessary to handle the request and any defence needs |
| Advertising / monetisation data | According to the provider's settings, user preferences and the technology partner's documentation |
Upon termination of the relationship with the user or account deletion, data will be deleted or anonymised within a reasonable time, subject to retention obligations or legal defence requirements.
11. Data Subject Rights
The user, as a data subject, may exercise at any time the rights recognised by Articles 15–22 of the GDPR, within the limits and under the conditions provided by applicable law.
In particular, the user may request:
- access to personal data;
- rectification of inaccurate data or completion of incomplete data;
- erasure of personal data;
- restriction of processing in the cases provided for;
- data portability, where applicable;
- objection to processing based on legitimate interest;
- withdrawal of consent at any time, without affecting the lawfulness of processing based on consent given before withdrawal.
To exercise these rights, please write to: [email protected].
To request deletion of your account and your data, use the dedicated function within the app (Profile → Delete Account) or send an email to [email protected].
The data subject also has the right to lodge a complaint with the competent supervisory authority. In Italy, the relevant authority is the Italian Data Protection Authority (Garante per la protezione dei dati personali): garanteprivacy.it.
12. Minors
The Service is intended for users aged 14 or over. Where processing is based on consent in relation to information society services offered directly to minors, the rules of Article 8 GDPR and applicable national law apply.
Service configuration regarding minors:
- Declared minimum age: 14 years, consistent with the digital consent threshold under Italian law (Art. 2-quinquies of Legislative Decree 196/2003 as amended, in conjunction with Art. 8 GDPR).
- Parental consent: not applicable. The Service is not intended for users under 14 and does not knowingly collect personal data relating to children below this threshold. Should a minor under 14 create an account, the Controller will delete the data as soon as it becomes aware of this.
- Personalised advertising restrictions for minors: personalised advertising is never shown to users under 18. Google AdMob is configured with the
tagForUnderAgeOfConsentparameter (and, where applicable,tagForChildDirectedTreatment), preventing the use of device advertising identifiers for profiling purposes when the user is a minor.
If the Controller becomes aware that personal data has been collected in violation of rules applicable to minors, it will take reasonable steps to delete the data or restrict processing, within technically and legally applicable limits.
13. Security
The Controller implements appropriate technical and organisational measures to protect personal data from unauthorised access, loss, destruction, unlawful disclosure or use, taking into account the state of the art, implementation costs, the nature of the data and the risks to the rights and freedoms of data subjects.
Such measures may include, depending on the context:
- encryption of communications via HTTPS/TLS;
- access controls;
- data segregation rules;
- secure authentication systems;
- technical monitoring and incident management;
- backup and recovery procedures.
In the event of a personal data breach, the Controller will manage the incident in accordance with Articles 33 and 34 GDPR, including, where required, notifications to the competent authority and to data subjects.
14. Nature of Data Provision
Providing data marked as required or mandatory is necessary for registration and for the delivery of essential Service features. Failure to provide it may make it impossible to access the Service or use certain features.
Providing data processed for optional purposes, such as geolocation, personalised advertising, optional analytics tools or consent-based processing, is optional. Withholding or refusing consent does not affect use of the remaining essential features, except to the extent strictly dependent on the data requested.
15. Automated Decision-Making and Profiling
Unless otherwise specified in this Policy or in dedicated notices, the Controller does not carry out solely automated decision-making processes that produce legal or similarly significant effects on the user within the meaning of Article 22 GDPR.
Where forms of advertising personalisation, ranking or preference-based suggestions are used, such processing will be described specifically in the relevant sections or dedicated notices.
16. Links to Third-Party Sites or Services
The Service may contain links to third-party websites, stores, social networks or services. The Controller is not responsible for the privacy practices of such parties, which are governed by their respective policies.
17. Changes to This Policy
The Controller reserves the right to update or amend this Policy at any time, including as a result of regulatory changes, technical developments of the Service or changes in processing activities.
In the event of material changes, users will be informed through appropriate means given the Service context, for example via a notice on the website, an in-app notification, email or another suitable channel.
The updated version of this Policy will always be available at: goshootapp.com/privacy-en.
18. Contact
For questions relating to this Policy or to exercise the rights provided under privacy law, please contact:
- Email (privacy and support): [email protected]
- Certified email (PEC): [email protected]