Privacy Policy

12 Points (“the App”, available at 12points.science and as native iOS and Android applications) is a Eurovision Song Contest companion. Users also may opt-in to participate in a citizen science project run by the University of Southern Denmark (“SDU”). This Privacy Policy explains what personal data we collect, on what legal basis, how we use and share it, how long we keep it, and what rights you have.

Please read this Policy together with our Terms of Service and, if you are a research participant, the Informed Consent Form you accepted at onboarding.

There are two distinct data controllers, depending on the data in question:

• Operation of the App (account, login, basic service): the 12 Points team. Contact: privacy@12points.science.
• Research data (only collected if you grant research consent): the University of Southern Denmark, Campusvej 55, 5230 Odense, Denmark. The Consent Form names the principal investigator and Data Protection Officer.

Your privacy footprint depends on whether you have granted research consent. Every account is in one of three states at any given time:

• Never consented. You have not granted research consent. The App operates in local-only mode: ratings, top 10, preference rankings, and any demographic answers you provide are saved on your device only and are never uploaded to our servers. Commenting and the friend-network features are unavailable.
• Currently consenting. You have granted research consent. Your ratings, top 10, demographic answers, comments, and friend-network activity are stored on our servers and may be processed for research as described in the Consent Form.
• Withdrawn (terminal). You previously consented and have since withdrawn. New activity is stored on your device only. You cannot grant research consent again on the same account. Existing server-side data is anonymised or deleted as described in Section 9.

Users under the age of 18 are automatically placed in local-only mode regardless of any consent selection, so no research data is ever collected from accounts identified as under 18.

We rely on the following lawful bases under the GDPR:

• Contract / service performance (Article 6(1)(b)): account information, authentication and session data, push tokens (if opted in). We need this data to provide the App you are signing up for.
• Explicit consent (Article 6(1)(a)): all research data described in Section 4.2. You can withdraw this consent at any time (Section 9), with the irreversibility caveat described there.
• Legitimate interests (Article 6(1)(f)): bot-protection signals, fraud-prevention logging, and the security IP/user-agent records associated with login. Our legitimate interest is keeping the App secure and protecting users; you may object to this processing under Section 12.
• Legal obligation (Article 6(1)(c)): where we are required by law to retain or disclose specific data (for example, in response to a valid court order).

Where the data is treated as research data, the further legal basis under GDPR Article 9 (where applicable) is your explicit consent (Article 9(2)(a)) and scientific research in the public interest (Article 9(2)(j)) read together with Article 89(1).

• To provide and operate the App (display ratings, leaderboards, social features, push notifications you opted in to).
• To generate aggregated, anonymised statistics that are visible to all users (for example, country averages or community top lists).
• To communicate with you about your account — email verification, password resets, security notices, and material changes to these policies.
• If you have consented, to conduct academic research on music preferences, social influence on rating behaviour, and cultural phenomena, and to publish research findings as described in Section 7.
• To detect, prevent, and respond to abuse, fraud, or violations of our Terms of Service.

We do not use your data for advertising, profiling, or automated decision-making that has legal or similarly significant effects on you.

We do not sell your personal information. We share data only in the following limited circumstances:

• Service providers processing data on our behalf under written contracts: Convex (database), Firebase (hosting), SendGrid (email), Cloudflare (bot protection), Google and Apple (sign-in), OneSignal (push notifications). See Section 8.
• Aggregated, anonymised research outputs may be included in academic publications, presentations, and educational materials.
• Open-science dataset releases. If you have granted research consent, the SDU research team may include data attributable to you without any identifiers (name, email, account ID) in datasets published in open-access repositories such as the Open Science Framework. Once published, these datasets cannot be recalled and we are not able to identify specific users in them due to the removal of identifiers. The Consent Form describes this in detail.
• Re-identification risk in published datasets. Direct identifiers are removed before publication, but the combination of demographic information and rating patterns may, in some rare cases, allow re-identification — especially for rare demographic combinations. We classify the published dataset as pseudonymous rather than strictly anonymous under the GDPR. We will take reasonable measures (aggregation, suppression of small subgroups) to mitigate this risk before any release.
• Legal obligations: where required by law, or to protect our or others’ rights, safety, or property.

We use the following third-party services to operate the App. Each processes only the minimum data necessary for its function. Please refer to their respective privacy policies for details.

• Convex: real-time database and backend infrastructure.
• Firebase: web hosting and performance monitoring.
• Google Sign-In: optional social login. We request only the openid, email, and profile OAuth scopes — this gives us your Google email address, basic profile information (name), and profile picture URL. We do not access Gmail, Google Drive, Contacts, Calendar, or any other Google services.
• Apple Sign-In: optional social login. We receive your email address (or a private Apple relay address) and, on first sign-in only, your name.
• SendGrid: transactional emails (verification, password resets).
• Cloudflare Turnstile: bot protection during sign-up and login.
• OneSignal: push notifications, only if you opt in.

Some of these providers (notably Convex, Firebase, SendGrid, Cloudflare, and OneSignal) are based in the United States or operate global infrastructure. To the extent your personal data is transferred outside the European Economic Area, we rely on the providers’ Standard Contractual Clauses or equivalent transfer mechanisms permitted by GDPR Chapter V.

This section summarises the privacy implications of joining, staying in, or leaving the research study. The full mechanics are described in our Terms of Service (Section 7) and the Consent Form.

Server-side data is stored using Convex (database) and Firebase (hosting). We use HTTPS in transit, access controls, and authentication via BetterAuth with secure session management. The pseudonymisation cascade described in Section 9.2 is performed automatically and cannot be reversed by any administrator with database access, because no mapping between pseudonymous identifiers and real accounts is retained anywhere in our systems.

Local-only data lives in your device’s standard browser or app storage, protected by the security model of your operating system and browser. We have no visibility into it.

• Account information. Retained for as long as your account exists. If you delete your account, account data is removed in accordance with Section 13.
• Authentication and security logs. Retained for up to 90 days for abuse-prevention purposes, unless we are required to keep them longer to investigate a specific incident.
• Research data (consenting users). Retained for the duration of the study or until you withdraw, whichever comes first.
• Anonymised exposure stubs and friendship-history rows (post-withdrawal). Retained indefinitely for research purposes under Article 17(3)(d) / 89(1). They cannot be deleted because no mapping back to your account exists.
• Published dataset records. Once anonymised data has been included in a public release, it cannot be deleted from copies that have already been distributed.
• Comments. Comments remain visible until you withdraw research consent or delete your account, after which the text is replaced with “[deleted]” but the row stays in place to preserve reply chains.

You have the following rights regarding your personal data:

• Right of access. You can view much of your data directly through the App (profile, ratings, top 10, comments). You may also request a copy of all personal data we hold about you.
• Right to rectification. You can correct profile and demographic information directly in the App; for anything you cannot edit yourself, contact us.
• Right to erasure (“right to be forgotten”). You can delete your account at any time (Section 13). For research data specifically, the withdrawal flow described in Section 9.2 anonymises data rather than deleting it, in reliance on the GDPR research exception — this is what makes your withdrawal compatible with continued research integrity.
• Right to restriction of processing. You can ask us to limit how we process your data while a question about it is being resolved.
• Right to data portability. You can request your data in a machine-readable format.
• Right to object. You can object to processing based on legitimate interests (Section 5).
• Right to withdraw consent. Where processing is based on your consent, you can withdraw it at any time, subject to the one-shot rule for research consent (Section 9.2). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to lodge a complaint with your national data-protection authority. In Denmark this is the Datatilsynet (datatilsynet.dk); in other EU member states it is the equivalent national authority.

To exercise any of these rights, contact privacy@12points.science, or for any research-data questions, contact Pantelis P. Analytis (pantelis@sam.sdu.dk) the principal investigator of the project.

You can delete your account at any time from Settings → Delete Account in the App, or via our account deletion page at /delete-account. When you delete your account, we permanently remove:

• Your profile and account information (email, username, display name, avatar, bio).
• Your session data and authentication records.
• Your demographic survey responses, top 10 / scorecards, and preference rankings.
• Your comment votes, friend connections, and follows.

If research consent is active at the time of deletion, the withdrawal cascade in Section 9.2 also applies: your ratings and friendship history are converted to anonymised stubs, and your comments are scrubbed in place (“[deleted]” text, “[Withdrawn user]” displayed name) so that reply chains remain intact. Anonymised stubs and any data already released in a public dataset cannot be recalled.

The App is not intended for children under 13, and we do not knowingly collect personal information from children under 13. Research participation is restricted to users aged 18 and over — if you indicate that you are under 18 in the demographic questionnaire, the App will automatically place you in local-only mode and no research data will be collected from your account.

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates the most recent revision. We will notify users of significant changes through the App or by email. Continued use of the App after a change becomes effective constitutes acceptance of the updated Policy.

For privacy questions or to exercise your rights, or for Terms-of-Service questions, contact contact@12points.science. Research-related questions should be directed to Pantelis P. Analytis (pantelis@sam.sdu.dk). If you are not satisfied with our response, you can lodge a complaint with your national data-protection authority.

Please also review our Terms of Service and, if you participate in research, the Informed Consent Form you accepted at onboarding.