Legal · GDPR

Data controller · GDPR / EU 2016/679 · Last updated 2026-04-25

Publisher
RedBuffed is an independent, non-commercial beta project. The data controller is the project operator, contactable at [email protected]. Hosting infrastructure: production hosting provider (to be specified at launch).
Data we process
  • Riot identifiers: PUUID, summoner name, tag line, region, profile icon, level.
  • Match data: public ranked / normal match results retrieved from Riot API.
  • Cycle phase dates: only the start/end dates of cycle phases you submit. We do not collect mood, symptoms, intimacy, or any other tracker field.
  • Session token: an opaque session identifier (HttpOnly cookie or bearer token).
  • Anonymous research ID: a UUID unlinked from your identity in any exported dataset.
Legal basis (Art. 6 & 9 GDPR)
Cycle phase data is health data within Art. 9 GDPR. Processing is based on your explicit consent given at onboarding. Riot match data and account identifiers are processed under contract (Art. 6.1.b, performance of the Service you requested).
Storage & encryption
Cycle phase dates are encrypted at rest with AES-128-CBC + HMAC-SHA256 (Fernet) using a per-user key derived via HKDF-SHA256 from a server master secret and your anonymous user ID. The master secret is stored in a separate environment configuration. Match data and Riot identifiers are stored in the application database, not encrypted at column level (they are public-facing identifiers).
Retention
Account data is retained as long as your account is active. On deletion, all account data, cycle entries, match data, and sessions are erased from the production database immediately. Backups, if any, are rotated and overwritten within 30 days.
Your rights (Art. 15–22 GDPR)
You have the right to access, rectify, port, and erase your data, and to withdraw consent at any time. The user menu offers one-click full account deletion (right to erasure). For access or portability requests, email [email protected]. You may also lodge a complaint with your national data-protection authority (e.g. CNIL in France).
Cookies & tracking
We use one strictly-necessary HttpOnly session cookie. We do not use advertising, analytics, or third-party tracking cookies.
Sub-processors
Riot Games (public Match-V5 / Account-V1 API) is queried server-side to retrieve match history. No personal cycle data is ever sent to Riot. Hosting and database providers (to be named at production launch) act as processors under DPA.
Trademarks
League of Legends, Riot Games and all associated marks are property of Riot Games, Inc. RedBuffed isn't endorsed by Riot Games and doesn't reflect the views or opinions of Riot Games or anyone officially involved in producing or managing League of Legends.
← Back home