Privacy Policy
1. Introduction
This Privacy Policy explains how The Buzzer Lab collects, uses, and protects your personal data. We've written it to be as clear as possible — not as legal smoke, but as a plain account of what we do with your information and what rights you have.
This Policy applies to everyone who visits thebuzzerlab.com, subscribes to our newsletter, creates an account, or becomes a member.
If you have any questions about this Policy or how we handle your data, contact us.
2. Who We Are (Data Controller)
The Buzzer Lab was built by one person, out of a love for EuroLeague basketball and a frustration at not being able to find this kind of analysis anywhere else. It's an independent project, not a company.
The person responsible for your data is:
Yiannis Konstantakopoulos
Operating as an individual business (sole trader)
Kyrillou & Methodiou 19, 55132, Thessaloniki, Greece
Greek Tax ID (ΑΦΜ): 061461788
Email: hello@thebuzzerlab.com
3. The Short Version
Before the details, here's the essence:
- We collect only the data we need to operate the service — account information, billing details (but never your actual card number), newsletter subscription, and limited analytics. The full list is in Section 4.
- We don't sell your data. Ever.
- To run the service, we work with specific service providers: Stripe for payments, Beehiiv for the newsletter, Resend for transactional emails, and our hosting provider. The exact data each one receives is shown in the table in Section 5.
- Our analytics is self-hosted and doesn't use cookies or track you across sessions.
- You have full rights under EU GDPR — access, correction, deletion, portability, and more. Section 8 explains how to exercise each one.
- We keep data only as long as we need it. Specific retention periods for each type of data are listed in Section 7.
4. What Data We Collect and Why
We collect different categories of data depending on how you use the service.
Account data
When you create an account or become a member, we collect:
- Your name
- Your email address
- Your chosen password — but see the explanation below
- Information you create within your account: players and teams you've favourited, comparisons you've saved for later, and display preferences you've chosen
Why: We need this information to provide you with an account, authenticate you, send you account-related communications, and personalise the service for you. We also analyse this data in aggregate — for example, looking at which players and teams are most followed overall, or which comparisons are most frequently created — to inform editorial decisions and improve the service. These aggregated analyses do not identify individual members.
Legal basis: Performance of a contract (the membership or account agreement between us) for the personal account features; legitimate interest for the aggregated analysis.
About passwords
When you create an account, we don't store your actual password. Instead, we store a transformed version of it called a "hash" — a one-way scrambled form. We can check whether the password you type matches the one you set, but we cannot reverse the process to see what your actual password is.
This means that even if our database were ever compromised, your password would not be readable. It also means that if you forget your password, we can't tell you what it was — we can only let you reset it.
Payment information
When you become a member or purchase a one-off product, payments are processed by Stripe. Your full card details — including the card number, expiration date, and security code — are entered directly into a Stripe-hosted form and go straight to Stripe's secure servers. We never see or store your card information.
What we do see and store is:
- Your billing name
- Your billing email
- Your country (for VAT purposes)
- The last 4 digits of your card and the card type (so we can display, for example, "Visa ending in 4242" in your account)
- References from Stripe identifying your customer record and subscription on their side
- Transaction records: the amount, date, and product purchased
Why: To process your payment, issue invoices, comply with tax law, and maintain billing records.
Legal basis: Performance of a contract, and compliance with our legal obligations (Greek tax law).
Newsletter subscription data
If you subscribe to our newsletter, we collect:
- Your email address
- The date you subscribed and confirmed your subscription (we use double opt-in)
- Engagement data: which newsletter emails you open and which links you click
Why: To deliver the newsletter, understand what content resonates, and improve future issues.
Legal basis: Your consent (which you give when subscribing and can withdraw at any time).
Transactional email data
When we send you account-related emails (welcome messages, payment confirmations, password resets, and similar), our email service provider receives:
- Your email address
- The content of the email being sent
- Delivery status (sent, delivered, bounced)
Why: To deliver service-related communications you need in order to use your account.
Legal basis: Performance of a contract.
Website usage data (analytics)
We use a self-hosted, privacy-respecting analytics tool (Matomo) configured to minimise personal data collection. Specifically, we collect:
- Aggregated page views and the pages you visit
- Referrer information (which site or search engine sent you to us)
- Your country (derived from your IP address, which is then anonymised)
- Device type, browser, and operating system (in aggregate)
- Session-level interaction with the site (within a 30-minute window)
Important: Our analytics setup does not use cookies, does not store persistent identifiers on your device, and does not track you across sessions. Your IP address is truncated (anonymised) before being processed, so we cannot identify individual visitors. This data does not leave our infrastructure — we do not share it with any third party.
Why: To understand how the website is used in aggregate, identify what content is popular, and improve the service.
Legal basis: Our legitimate interest in operating and improving the service. Because the data is anonymised and aggregate, this processing does not require your consent under EU law.
Member interaction data
When you use member features — running comparisons, saving favourites, and similar actions — we log those interactions against a pseudonymous identifier stored in your account. We don't use this to monitor individuals in normal operation.
We may consult it in two specific situations: if you request a refund (to verify whether member features were accessed during the refund window), and if we investigate a report of abuse or account sharing.
Why: To protect the integrity of the service and ensure fair use for all members.
Legal basis: Our legitimate interest in operating a fair and sustainable service.
You can view your own interaction log at any time via the data export on your account page.
Support communications
If you email us with a question, complaint, or feedback, we keep a record of that correspondence:
- Your email address
- Your name
- The content of your message and our reply
Why: To respond to you, keep context for any follow-up, and improve the service.
Legal basis: Our legitimate interest in providing support, performance of a contract where you're a member, and the consent of the person reaching out — by contacting us, you're choosing to share that information with us.
5. Service Providers We Work With
To deliver The Buzzer Lab, we work with several specialised service providers. Each one handles a specific part of how the service operates — accepting payments, delivering emails, hosting the website. They act on our instructions and on our behalf, not for their own purposes, and each is bound by a Data Processing Agreement that limits how they can handle your data.
| Provider | What they do | Where they're based | Legal safeguards |
|---|---|---|---|
| Stripe | Process payments and manage subscription billing | United States | DPA signed; certified under the EU-US Data Privacy Framework; Standard Contractual Clauses |
| Beehiiv | Deliver our newsletter and manage subscriber lists | United States | DPA signed; Standard Contractual Clauses |
| Resend | Deliver our transactional emails | United States | DPA signed; Standard Contractual Clauses |
| Fusioned Ltd. | Host our website and database | United Kingdom (company); servers located in Greece, EU | DPA signed; data remains within the EU |
| Matomo (self-hosted) | Provide website analytics on our own infrastructure | Our own server (Greece, EU) | Self-hosted — no third party receives this data |
Beyond this list, your data does not go anywhere else. We don't share it with advertisers, marketing partners, data brokers, social media platforms, or any other third party.
There are only two exceptions:
- Legal obligation. If we're required by law to disclose data (for example, in response to a valid court order or tax authority request), we will comply, while challenging requests we believe to be improper.
- Business transfer. If the service is ever transferred to a new operator, that operator assumes the same rights and obligations as the current one and is bound by the same privacy rules established for this project.
6. Where Your Data Lives Geographically
Some of the service providers we use are based outside the European Union — specifically in the United States (Stripe, Beehiiv, Resend). Our hosting provider, Fusioned Ltd., is a UK-registered company, but its servers are located in Greece. This means your data is physically stored within the EU and never leaves it.
When personal data crosses the EU's borders to reach US-based providers, EU law requires us to ensure that your data remains protected at a level equivalent to what it would have inside the EU.
For our US-based providers
Each one has signed legally binding contracts (called Standard Contractual Clauses) that commit them to handle your data with the same protections you would have under EU law. Stripe is additionally certified under the EU-US Data Privacy Framework, which is a formal programme recognised by the European Commission as providing adequate protection.
For our hosting provider
Fusioned Ltd. is incorporated in the United Kingdom, but the servers that run The Buzzer Lab are physically located in Greece. Your data — the website database, your account details, your usage — resides on hardware inside the EU and is subject to EU data protection law. No cross-border data transfer occurs in connection with hosting.
If you'd like more detail on the specific safeguards in place for any of these transfers — including copies of the actual contracts — contact us.
7. How Long We Keep Your Data
We keep your personal data only as long as needed for the purposes for which it was collected, or as required by law.
| Type of Data | How Long We Keep It |
|---|---|
| Active account data (name, email, preferences, etc.) | For as long as your account is active |
| Account data after cancellation | 30 days after account closure, then deleted |
| Billing records (transactions, invoices) | 7 years, as required by Greek tax law |
| Newsletter subscription data (active subscribers) | Until you unsubscribe |
| Newsletter data (after unsubscribe) | 12 months, then deleted |
| Information you've created (favourites, saved comparisons) | As long as your account is active; deleted with the account |
| Website analytics data | 14 months for detailed records; aggregate reports retained longer |
| Support email correspondence | 2 years from your last interaction with us |
| Transactional email logs (Resend) | Approximately 90 days, per the provider's standard retention |
When the retention period ends, we either delete the data or anonymise it so it can no longer be linked to you.
8. Your Rights Under GDPR
Under the EU General Data Protection Regulation, you have the following rights regarding your personal data. We honour all of them.
Right of access. You can request a copy of the personal data we hold about you. We'll provide it within 30 days, free of charge.
Right to rectification. If any of your data is inaccurate or incomplete, you can ask us to correct it.
Right to erasure ("right to be forgotten"). You can request that we delete your personal data. We'll comply unless we're legally required to retain certain data (for example, billing records under tax law). In that case, we'll explain what we must keep and for how long.
Right to restrict processing. You can ask us to limit how we use your data in certain situations, such as while a dispute about accuracy is being resolved.
Right to data portability. You can request your data in a structured, commonly used format (such as JSON or CSV) so you can move it elsewhere.
Right to object. You can object to processing based on our legitimate interests. We'll stop unless we have compelling legitimate grounds that override your rights, or we need the data for legal claims.
Right to withdraw consent. Where we process data based on your consent (such as newsletter subscription), you can withdraw that consent at any time. This doesn't affect the lawfulness of processing before withdrawal.
Right to lodge a complaint. You have the right to file a complaint with a data protection authority. In Greece, this is the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα): www.dpa.gr. If you live in another EU country, you may also file a complaint with your local authority.
To exercise any of these rights, reach us via our contact page. We'll respond within 30 days. We may need to verify your identity before acting on certain requests, to protect your data.
9. Cookies and Tracking Technologies
We use only the bare minimum of cookies and tracking technologies needed to operate the service.
Strictly necessary cookies
These cookies are essential for the service to function and don't require your consent under EU law:
- Session cookies that keep you logged in while you use the site.
- Security cookies that protect against common web attacks (such as CSRF).
- Payment cookies set by Stripe during checkout, necessary to complete your purchase.
Analytics
Our analytics setup (Matomo, self-hosted, configured for privacy) does not use cookies. Visitor measurement is done in aggregate, without persistent identifiers or cross-session tracking. Because no personal data is processed and no information is stored on your device, no consent banner is required.
No advertising or marketing cookies
We don't use advertising cookies, marketing trackers, social media pixels, or third-party tracking of any kind. There are no Facebook pixels, Google Analytics tags, or similar technologies on our site.
10. Security
We take the security of your data seriously and use appropriate technical and organisational measures to protect it:
- All connections to the site use HTTPS encryption.
- Passwords are stored as one-way hashes (see Section 4 for what this means); we never have access to your plain-text password.
- Access to systems containing personal data is restricted to the operator and is protected by strong authentication.
- Our service providers (Stripe, Beehiiv, Resend, our hosting provider) maintain industry-standard security certifications and practices.
No system is perfectly secure, but we work to maintain a high standard. If we become aware of a security breach that affects your personal data, we will notify you and the relevant authorities as required by law.
11. Children
The Buzzer Lab is not directed at children under 18. We don't knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we'll delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, new features, legal requirements, or feedback from users.
When we make material changes, we'll notify you by email (to the address associated with your account or newsletter subscription), by a prominent notice on the website, or both. The notice will explain what's changing and when it takes effect, giving you time to review.
For minor changes (corrections, clarifications, minor wording), we'll update the document and revise the effective date without separate notice.
13. Contact
Questions, requests, or concerns about your data or this Privacy Policy?
Use our contact page to get in touch.
Postal address:
Yiannis Konstantakopoulos
Κυρίλλου & Μεθοδίου 19
55132, Thessaloniki, Greece
We aim to respond within 30 days. For urgent matters (such as a request to immediately stop processing), please indicate so in the subject line.
Last updated: May 2026