Privacy Policy
Last updated: March 8, 2026
The short version: Teams own their fan data. Vonga processes it on their behalf. Fans can request deletion at any time. We don't sell data to anyone.
1. Who We Are
Vonga Inc. ("Vonga," "we," "our," or "us") operates the Vonga Fan Intelligence Platform — a SaaS platform that enables sports teams and universities to build first-party fan profiles through NFC-enabled merchandise. Our website is vonga.io and our platform dashboard is at dashboard.vonga.io.
For questions about this policy, contact us at: privacy@vonga.io
2. Data We Collect
We collect different types of data depending on your relationship with Vonga:
If you are a Team (our customer):
- Account information: name, email address, organization name, billing information
- Usage data: dashboard activity, content configurations, feature usage
- Payment data: processed by Stripe; Vonga does not store full card numbers
If you are a Fan (end user who taps NFC-enabled merchandise):
- Tap events: timestamp, approximate location (city/region), device type
- Behavioral data: which products are tapped, tap frequency, session patterns
- Identity data (only if you voluntarily provide it): name, email, social handle
If you visit vonga.io:
- Standard web analytics via Google Analytics 4: page views, referral source, approximate location, device/browser type
- Contact form submissions: name, email, organization, message
3. How We Use Data
- To operate and improve the Vonga platform
- To generate fan profiles and analytics for teams (our customers)
- To process payments and manage subscriptions
- To send service notifications, invoices, and product updates
- To respond to inquiries and support requests
- To comply with legal obligations
We do not sell fan data to third parties. We do not use fan behavioral data for advertising targeting outside the team's own platform.
4. Data Ownership
Teams are the data controllers for their fans' data. Vonga acts as a data processor on behalf of teams. This means:
- Teams decide what data is collected and how it is used
- Teams are responsible for communicating data practices to their fans
- Vonga processes data only as instructed by the team and as described in this policy
- Upon contract termination, teams may export their data; Vonga deletes it within 90 days
5. GDPR Compliance (European Users)
For users in the European Economic Area (EEA), UK, or Switzerland, Vonga processes personal data under the following legal bases:
- Contract performance: Processing necessary to deliver our services to customers
- Legitimate interests: Platform security, fraud prevention, product improvement
- Consent: Marketing communications (you can withdraw at any time)
Your rights under GDPR:
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to processing
- Right to lodge a complaint with your supervisory authority
To exercise any of these rights, email privacy@vonga.io. We respond within 30 days.
6. Fan Data Deletion
Fans can request deletion of their profile and tap history at any time. Requests can be submitted through the team's fan experience page or directly to privacy@vonga.io. We process deletion requests within 30 days.
7. Cookies and Tracking
We use:
- Essential cookies: Authentication sessions, security tokens. Required for the platform to function.
- Analytics cookies: Google Analytics 4 for web traffic measurement. You can opt out via browser settings or the Google Analytics opt-out extension.
The fan tap experience (NFC-triggered web page) does not use persistent cookies. Tap events are logged server-side.
8. Data Retention
- Account data: retained for the duration of the contract plus 90 days
- Fan tap events: retained per the team's configuration (default: 2 years)
- Web analytics: retained per Google Analytics default settings (14 months)
- Contact form submissions: retained for 12 months unless a business relationship is established
9. Data Security
Vonga uses industry-standard security measures:
- TLS encryption for all data in transit
- Data at rest encrypted via Supabase (PostgreSQL with AES-256)
- Role-based access controls — each team's data is isolated from other teams
- Regular security reviews
10. Third-Party Services
Vonga uses the following third-party processors:
- Supabase — Database and authentication (US-West-2, AWS)
- Vercel — Hosting and edge delivery
- Stripe — Payment processing (PCI DSS compliant)
- Resend — Transactional email delivery
- Google Analytics — Website analytics
11. Children's Privacy
The Vonga platform is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@vonga.io and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be notified to active customers via email. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
For privacy questions, data requests, or concerns:
- Email: privacy@vonga.io
- Mailing address: Vonga Inc., [Address on file]