Privacy Policy
Pursuant to the UK General Data Protection Regulation (UK GDPR, as retained by the Data Protection Act 2018) and the EU General Data Protection Regulation (Regulation EU 2016/679 — GDPR).
General Principle
Joute collects the strict minimum necessary to operate the site. No advertising tracking cookies, no sale of data to third parties, no behavioural profiling beyond anonymous audience measurement.
Data Controller
Klymax LTD, United Kingdom.
Contact: hello@joute.io
Data Collected
Newsletter
If you subscribe to the Joute newsletter, your email address is stored with our processor Resend (Resend Inc., Delaware, US; data hosted EU-West Frankfurt). Sole purpose: sending the weekly Friday edition. Legal basis: consent (GDPR Art. 6(1)(a)). One-click unsubscribe in every email; deletion effective within 7 days.
Arena Votes
On the arena page, votes are recorded server-side via Upstash Redis (Frankfurt, eu-west). We store an anonymous hash (truncated SHA-256) of IP + user-agent to prevent spam (1 vote per duel per 30 days). No cookie, no persistent identifier, no raw personally identifiable information. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) in preventing vote manipulation.
Analytics
The site uses Vercel Analytics and Google Analytics 4 in IP-anonymised mode. No advertising tracking cookies, no data resale. Data collected (page views, traffic source, session duration) is aggregated and anonymous. Legal basis: consent for GA4 cookies; legitimate interest for Vercel's server-side aggregation.
Cookies
Joute does not use advertising tracking cookies. The cookies present are functional (language preference, consent choice) and analytics (GA4, Vercel) deposited only after explicit consent. See the Cookie Policy for the full breakdown.
Sub-processors and Recipients
The only third parties with access to your data are:
- Vercel Inc. (United States): site hosting and CDN. DPA executed, Standard Contractual Clauses (SCCs) in place for EU transfers.
- Resend Inc. (United States, EU-West hosting): newsletter email delivery only.
- Upstash Inc. (United States, EU-West Frankfurt hosting): anonymous arena vote storage.
- Google LLC (United States): Google Analytics 4 in IP-anonymised mode + Google Search Console for SEO monitoring. SCCs in place.
No other recipients. No resale, no advertising data sharing.
Retention Periods
- Newsletter email address: retained until unsubscribe. Deletion effective within 7 days of unsubscribe request.
- Arena votes: anonymised IP+UA hash retained for 30 days (anti-spam), then automatically deleted.
- Analytics data: 14 months maximum (GA4 configuration).
International Transfers
Some sub-processors are based in the United States. Transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), which also satisfy UK GDPR requirements via the UK International Data Transfer Agreement (IDTA) or Addendum where applicable.
Your Rights
Under GDPR and UK GDPR, you have the following rights regarding your personal data:
- Access: obtain a copy of the data held about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data.
- Objection: object to processing (e.g. opt out of the newsletter).
- Portability: receive your data in a structured format for transfer.
- Restriction: suspend processing while a query is being resolved.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise these rights, write to hello@joute.io. Response within 30 days (usually within 7 days).
UK users may lodge a complaint with the Information Commissioner's Office (ICO).
EU users may lodge a complaint with their national supervisory authority (e.g. CNIL in France, BfDI in Germany, AEPD in Spain).
Security
Data is stored with GDPR-compliant processors, with TLS 1.3 encryption in transit and encryption at rest. Admin access is protected by multi-factor authentication (MFA). No security incidents declared to date.
Affiliate Disclosure
Joute uses affiliate links. No personal data is shared with affiliate partners. Commissions are tracked anonymously by the affiliate platforms via cookies deposited on their own domains when you click a partner link. Joute does not receive any personally identifiable information from these affiliate platforms, only aggregated commission data.
Changes to This Policy
This policy may be updated when a new sub-processor is added or regulations change. Newsletter subscribers will be notified by email in the event of a material change. The last-updated date is displayed at the bottom of the page.
Privacy policy last updated: 24 May 2026. See also the Legal Notice for other legal information.
