Last updated: 12 March 2026 · Beta version — subject to change
Rivals is a competitive gaming platform where players create and enter tournaments, compete for prizes, and build teams with other players around the world. We are currently in Beta — the platform is live and tournament entry fees and prize payouts are active, but some features are still being refined.
This Privacy Policy explains what personal information we collect about you, why we collect it, how we use and protect it, and what rights you have over it. It applies whenever you use Rivals — through our app, website, or any related services.
We’ve written it in plain English. If something isn’t clear, email us at privacy@rivalsapp.com.
Rivals Group Ltd is a company registered in England and Wales, with offices at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ.
We are the data controller of your personal information — meaning we are responsible for deciding how it is collected, stored, used, and protected. If you are based in the UK or European Economic Area, we operate under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For privacy questions or to exercise your rights, contact us at privacy@rivalsapp.com.
Before we get into the detail:
We don’t sell your personal information. We never have, and we never will.
We only collect what we need. We ask for the minimum required to run the platform, process transactions, and keep competitions fair.
You’re in control. You can access, correct, and request deletion of your data. We explain how in the Your Privacy Rights section.
We take security seriously. Sensitive data is encrypted in transit and at rest. Access to your information is restricted to those who need it.
We’re transparent about changes. If this policy changes in a way that meaningfully affects you, we will notify you before the change takes effect.
Rivals is intended for users aged 18 and over. Because Rivals involves tournament entry fees and prize payouts, we require all users to be at least 18 years old to register.
We do not currently collect date of birth at registration. We are actively developing age verification features and working to align our practices with age-related legal requirements in all jurisdictions we operate in. We are committed to introducing formal age gating before full commercial launch.
If you are under 18, you are not permitted to use Rivals. If we discover that a user under 18 has registered, we will close the account, ensure any balance is returned, and delete all associated personal data promptly.
If you believe a person under 18 has registered for an account, please contact us at privacy@rivalsapp.com.
We collect information in three ways: information you give us directly, information we collect automatically when you use the platform, and information we receive from third-party services you connect.
Account registration. When you register, we collect your username, email address, and password (stored securely using industry-standard hashing). First name, last name, and region are optional and may be collected during onboarding.
Connected gaming accounts. You may optionally link your Steam or Discord account using OAuth. When you do, we receive your Steam ID or Discord user ID and basic profile information from those platforms.
Profile information. You may optionally add a profile picture, bio, social media links, and team information. This information is visible to other users according to your privacy settings.
Bank details for prize withdrawals. If you request a bank transfer payout, we collect your account holder name, account number, and bank routing information (such as an IFSC code for INR transfers). These details are shared with our payment partner to execute the transfer and are deleted from our systems immediately after your withdrawal is processed. Only a masked reference is retained for audit purposes.
KYC information. For certain withdrawal methods, our payment partner may require identity verification. KYC documents are submitted directly to our payment partner — they are not stored by Rivals after submission. We retain only a verification status flag.
Dispute messages. If you raise a dispute about a match result, we collect and store the text you submit as part of our dispute resolution process.
Support communications. If you contact us for support, we collect and store those communications.
Security metadata. We capture IP address and device type at specific security-critical events — password reset, email verification, and account recovery. This is not collected on every page visit.
Fraud prevention signals. We use Google reCAPTCHA to protect the platform against automated abuse. reCAPTCHA collects browser signals, page context, and behavioural data on our behalf. See Section 5 for more detail.
Server logs. We retain basic request logs (request paths, response codes, timestamps) for 90 days for security and debugging purposes.
Authentication tokens. Your login session is maintained using an authentication token stored locally on your device.
Steam: if you link your Steam account, we receive your Steam ID and basic profile information.
Discord: if you link your Discord account, we receive your Discord user ID and basic profile information.
Dota 2 game data: we use third-party gaming APIs to retrieve your Dota 2 match history, statistics, and ranking data, linked via your Steam account.
Twitch and YouTube: if you connect these accounts, we retrieve channel information and audience metrics to support platform features.
Google reCAPTCHA: we receive a risk score from Google’s bot-detection system to protect accounts during registration and security-sensitive actions.
We process your personal data only for specific purposes and only where we have a valid legal basis. Here is a breakdown by purpose.
When you register for Rivals, you enter into an agreement with us. We process your information to deliver on that agreement:
Create and manage your account
Run tournaments, record match results, and maintain leaderboards and rankings
Process entry fees and pay out competition prizes
Send account-related communications — including email verification, password reset, match notifications, and prize confirmations
Enable connected services you choose to link, such as Steam and Discord
We process certain data where we have a legitimate business interest, provided that interest is not overridden by your rights:
Security and fraud prevention: we monitor for suspicious activity, protect account integrity, and prevent cheating to maintain fair competitions.
Platform improvement: we analyse how the platform is used to develop better features and fix issues.
Referral programme: we track and reward successful referrals as part of our growth programme.
Dispute resolution: we retain dispute messages to investigate and resolve match disputes fairly.
Maintain financial records as required by applicable law (we retain financial data for 7 years)
Comply with KYC and anti-money laundering requirements for certain withdrawal methods
Respond to lawful requests from regulatory authorities or law enforcement
Where we rely on consent, we will ask for it explicitly. Currently this applies to:
Marketing communications: if you opt in, we may send you updates about new features, tournaments, or promotions. You can withdraw consent at any time by emailing privacy@rivalsapp.com or using the unsubscribe link in any marketing email.
We share personal data only as necessary to provide the platform. We never sell your data. The table below sets out our key service providers, what data they receive, and why.
Provider
What they receive
Purpose
Stripe
Checkout session details; card data handled directly by Stripe (Rivals never sees card numbers, expiry, or CVV)
Entry fee deposits and payment processing
OnMeta
Account holder name, account number, routing code (IFSC / QRPH), KYC documents for eligible withdrawals
Bank transfer prize payouts (INR and PHP)
Digital wallet custody provider
Wallet creation and transfer instructions; private keys managed by the provider
Secure management of your Rivals balance
Amazon Web Services (SES)
Your email address and the content of each email sent
Account email delivery (verification, password reset, notifications)
Amazon Web Services (S3)
User-uploaded files (e.g. profile pictures)
Secure file storage
Steam
Steam ID, basic profile info (when you link your account)
Account authentication and game data
Discord
Discord user ID, basic profile info (when you link your account)
Account authentication
OpenDota API
Steam account ID (used to retrieve match data)
Dota 2 match and statistics enrichment
Twitch / YouTube
Channel info, audience metrics (when you connect these accounts)
Platform connection verification
Google reCAPTCHA
Browser signals, IP address, behavioural data (collected by Google’s script)
Bot and fraud detection
We may update this list as the platform evolves, particularly as we are currently in Beta. Providers are selected for their security standards and, where applicable, regulatory compliance.
We may disclose your information if required to do so by law, court order, or regulatory authority. Where legally permitted, we will try to notify you before complying with such a request.
In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred as part of that transaction. We will notify you if this happens and any successor will be bound to honour this Privacy Policy.
Rivals is based in the UK. When we work with third-party service providers, your data may be transferred to and processed in countries outside the UK, including the United States.
We take steps to ensure that all international transfers comply with UK data protection law. Where we transfer data to countries not covered by a UK adequacy decision, we rely on UK Standard Contractual Clauses or other legally recognised transfer mechanisms.
Key transfers outside the UK include:
Stripe, Google (reCAPTCHA), Amazon Web Services, Steam, Discord, Twitch, and YouTube: data processed in the United States
Our digital wallet custody provider: operates across multiple jurisdictions under applicable financial regulation
OnMeta: processes INR and PHP bank transfer withdrawals, primarily in India
We are in the process of establishing formal Data Processing Agreements (DPAs) with all service providers who handle personal data on our behalf. These will be in place before full commercial launch. For questions about our transfer safeguards, contact us at privacy@rivalsapp.com.
We keep your data only as long as necessary. The table below sets out our retention schedule by data type.
Data type
Retention period
Server and security logs
90 days
Financial records (transactions, balances, ledger entries)
7 years (UK legal minimum)
Dispute messages
3 years
Match and gameplay data
Retained while account is active; anonymised within 30 days of account deletion
Profile and account data (non-financial)
Deleted or anonymised within 30 days of account deletion
Bank account details
Deleted immediately after withdrawal is processed; masked reference retained for audit
Unverified / incomplete registrations
Deleted after 90 days of inactivity
When you close your account, we anonymise your non-financial data within 30 days. Financial records are retained for 7 years as required by law but are not linked to your active profile after anonymisation.
You have rights over your personal data. We have set these out below based on where you are based. To exercise any right, email us at privacy@rivalsapp.com. We will respond within 30 days and may ask you to verify your identity before processing your request.
If you are based in the UK, you have the following rights:
Right to access: request a copy of the personal data we hold about you.
Right to rectification: ask us to correct inaccurate or incomplete data.
Right to erasure: ask us to delete your data. Note that we may need to retain certain data to comply with legal obligations, such as financial records.
Right to restriction: ask us to limit how we process your data in certain circumstances.
Right to data portability: request a copy of data you have provided to us in a portable, machine-readable format.
Right to object: object to processing based on our legitimate interests. We will stop unless we have compelling grounds to continue.
Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Right to complain: you can lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
If you are based in India, you have the following rights under the DPDP Act 2023:
Right to access information: request a summary of the personal data we hold and how it is being processed.
Right to correction and erasure: request correction of inaccurate data or deletion of data that is no longer necessary.
Right to grievance redressal: contact us at privacy@rivalsapp.com. We will acknowledge your grievance within 48 hours and aim to resolve it within 30 days.
Right to nominate: you may nominate another person to exercise your rights on your behalf in the event of your death or incapacity.
Regardless of where you are based, you can contact us at privacy@rivalsapp.com to access, correct, or request deletion of your personal data. We will respond within 30 days.
We take the security of your personal information seriously. Here is what we do:
Data in transit is encrypted using industry-standard TLS encryption.
Passwords are stored using a secure one-way hashing algorithm — we never store your password in plain text.
Sensitive financial data is handled by regulated, certified third-party processors. Rivals never stores your card number, expiry, or CVV.
Bank account details provided for prize withdrawals are deleted immediately after your withdrawal is processed.
Access to personal data within our team is restricted on a need-to-know basis.
Security-sensitive events such as password resets are logged to support fraud detection and account protection.
No system is completely secure. If you believe your account has been compromised or you have identified a security issue, please contact us immediately at privacy@rivalsapp.com.
Rivals is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18.
We are actively developing age verification features and working to meet applicable age-related legal requirements in our key markets. We are committed to ensuring Rivals is not accessible to minors.
If you believe a person under 18 has created an account on Rivals, please contact us at privacy@rivalsapp.com. We will investigate promptly and, where confirmed, close the account, arrange return of any balance, and delete all associated personal data.
We may update this Privacy Policy as the platform evolves. The date at the top of this document shows when it was last updated.
When we make changes that meaningfully affect how we handle your personal data, we will notify you by email or through the app before the change takes effect. For minor updates such as clarifications or corrections, we may update the policy without prior notice.
Your continued use of Rivals after a policy update takes effect constitutes acceptance of the updated policy. If you do not agree with a change, you can close your account at any time.
For privacy-related questions, rights requests, or concerns:
Email: privacy@rivalsapp.com
Post: Rivals Group Ltd, 71–75 Shelton Street, Covent Garden, London WC2H 9JQ
We aim to respond to all privacy requests within 30 days.
If you are based in the UK and are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.