Legal
Privacy Policy
Last updated: 17 June 2026
This Privacy Policy explains how XD Labs ("we", "us", "our") collects, uses, and protects personal data when you use Serie A 38-0 — both the website at serie-a-38-0.com (the "Site") and the Serie A 38-0 mobile app for Android and iOS (the "App"). Together we call them the "Service".
Serie A 38-0 is an unofficial football squad-building game and is not affiliated with, endorsed by, or connected to Lega Serie A or any football club. It is a fan-made project.
1. Who we are (Data Controller)
The data controller for the Service is XD Labs. For any privacy question, data request, or complaint, contact us at support@xdlabs.dev.
2. Data we collect
What we collect depends on how you use the Service.
2.1 If you play as a guest
- On-device game data only. Your chosen club name, language, settings, draft progress, daily streak, achievements, and cosmetics are stored locally on your device (browser localStorage on the Site; on-device storage in the App). This data does not leave your device and is not linked to an identity on our servers.
2.2 If you create an account (mobile App)
Accounts are optional and used to sync progress and enable leaderboards and friend challenges.
| Data | Purpose |
|---|---|
| Email address | Sign-in via one-time email code; account identity |
| Account identifier | Links your saved data to your account and enforces access control |
| Display name (club name), language | Shown on leaderboards and to friends you challenge |
| Game results (wins/draws/losses, points, rating, picks, achievements, cosmetics) | Cloud save, leaderboards, friend challenges |
| Friend code & friend relationships | Adding friends and head-to-head challenges |
2.3 Advertising & analytics data
- Mobile ads (Google AdMob). When ads are enabled, Google may process a mobile advertising identifier and standard device/ad-request information to serve and measure ads. Whether ads are personalized depends on the consent you provide (see Advertising & consent).
- Web ads (Google AdSense). The Site shows ads via Google AdSense, which may use cookies and similar technologies, subject to the consent shown on the Site.
- Web analytics (PostHog). The Site uses PostHog only if you opt in via the cookie banner, to understand which game modes are used. The App does not include an analytics SDK.
2.4 Support
- If you email us or use a contact/deletion form, we receive the information you provide (e.g. your email and message) to handle your request.
3. Why we use your data & legal bases (GDPR)
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Provide the game and save progress locally | Performance of a contract / legitimate interests |
| Account sign-in, cloud sync, leaderboards, friends | Performance of a contract |
| Personalized advertising and non-essential cookies/analytics | Consent |
| Non-personalized advertising to keep the game free | Legitimate interests |
| Security, fraud/score-tampering prevention | Legitimate interests |
| Responding to your requests | Legitimate interests / legal obligation |
4. Advertising & consent
The Service is free and supported by ads. In the mobile App, ads are provided by Google AdMob and are on by default, but:
- In the European Economic Area, the United Kingdom, and Switzerland, we use Google's certified consent flow (UMP) to ask for your consent before personalized ads are shown. You can reopen these choices at any time from Settings → Ad privacy settings.
- On iOS, we ask for App Tracking Transparency permission; you can decline and still play.
- You can choose non-personalized ads (and turn the personalization preference off) during first launch and in Settings. Declining personalization does not remove ads; it makes them non-personalized.
Learn how Google uses data from sites and apps that use its services: policies.google.com/technologies/partner-sites.
5. Service providers (processors) & third parties
We share data only with providers that help us run the Service, under appropriate agreements:
| Provider | Role |
|---|---|
| Clerk | Authentication / sign-in (email, account identity) — mobile App |
| Supabase | Database & backend for cloud save, leaderboards, friends |
| Google AdMob / AdSense | Advertising (App / Site) |
| PostHog | Opt-in web analytics (Site only) |
| Netlify | Website hosting and form delivery |
We do not sell your personal data, and we do not share it for cross-context behavioral advertising beyond the ad consent described above.
6. International transfers
Some providers may process data on servers outside your country, including in the European Union and the United States. Where data leaves the EEA/UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
7. Data retention
- Local (guest) data stays on your device until you clear it or uninstall the App.
- Account data is kept while your account is active. When you request deletion, we remove your account and associated data from our database, and ask our providers to do the same, without undue delay.
- Support emails are kept only as long as needed to handle your request and for reasonable record-keeping.
8. Your rights & deletion
Under the GDPR (and similar laws such as the UK GDPR and California's CCPA/CPRA) you may have the right to:
- access the personal data we hold about you;
- correct or update inaccurate data;
- delete your data ("right to be forgotten");
- export a copy of your data (portability);
- object to or restrict certain processing, and withdraw consent at any time;
- lodge a complaint with your data protection authority (in Italy, the Garante per la protezione dei dati personali).
To delete your account and data: in the App, open Settings → Delete account / data, or use our account & data deletion request page, or email support@xdlabs.dev. Guests can erase all local data instantly from Settings.
9. Children
The Service is not directed to children under the age required for data consent in their country (16 in much of the EU; 13 elsewhere). We do not knowingly collect personal data from children below that age. If you believe a child has provided us data, contact us and we will delete it.
10. Security
We use industry-standard measures to protect your data, including encryption in transit, access controls, and row-level security so that accounts can only access their own data. No method of transmission or storage is completely secure, but we work to protect your information.
11. Changes to this policy
We may update this policy from time to time. We will change the "Last updated" date above and, for material changes, provide a more prominent notice. Continued use of the Service after an update means you accept the revised policy.
12. Contact
XD Labs — support@xdlabs.dev