Last updated: 2026-06-02
This policy explains what Touchline Labs (the operator of OURVAR.AI) collects, why, and what you can do about it. If anything is unclear, email hello@ourvar.ai.
Touchline Labs (터치라인 랩스), a Korean sole proprietorship (개인사업자), is the data controller for personal data processed via ourvar.ai.
Account data — username, email, hashed password, preferred theme and language, favourite team, premium status, age-confirmation timestamp.
Content you submit — video clips (or URLs to clips), incident type, match context (teams, referee, competition, date), your feedback rating on each verdict, comments, and votes.
Usage data — which pages you viewed, monthly analysis count, search count, login attempts (for brute-force protection), IP address of the request (logged by nginx for operational purposes), and rough timestamps.
Anonymous interaction tracking (votes cast without an account). When you cast a vote on a verdict before creating an account, we record a non-reversible device fingerprint to enforce one-vote-per-device and to optionally merge those votes into your account if you later sign up. The fingerprint is the SHA-256 hash of:
- localStorage on first vote attempt (the primary uniqueness signal — resilient to IP changes from mobile carriers and routers),
- 203.0.x.x) — not the full address,
- chrome_android, safari_ios) — not your full User-Agent string,

The output is a 64-character opaque hash. We do not store the raw inputs alongside it, and the hash cannot be reversed to recover your IP or User-Agent. Salt rotation makes the hash unrecoverable after the 90-day window. You can erase your anonymous voting history at any time by clearing your browser's localStorage for ourvar.ai (Browser → Settings → Privacy → Clear site data). After that, your next vote starts a fresh fingerprint with no link to the prior one.
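A sketch of the fingerprint construction described above, added here as an illustration and not OURVAR.AI's own code. It assumes the localStorage value is a random device token, the IP is cut to its first two IPv4 octets, and the rotating salt is a server-side secret fed into the hash; the field encoding, the `browser_family` mapping and all sample values are constructed for the example.

```python
import hashlib
import ipaddress
import secrets

def truncate_ip(ip: str) -> str:
    """Keep the first two IPv4 octets only, e.g. 203.0.x.x (assumed truncation)."""
    a, b, _, _ = str(ipaddress.IPv4Address(ip)).split(".")
    return f"{a}.{b}.x.x"

def browser_family(user_agent: str) -> str:
    """Collapse a User-Agent into a coarse label; this mapping is hypothetical."""
    ua = user_agent.lower()
    if "android" in ua and "chrome" in ua:
        return "chrome_android"
    if "iphone" in ua and "safari" in ua:
        return "safari_ios"
    return "other"

def fingerprint(device_token: str, ip: str, user_agent: str, salt: bytes) -> str:
    """SHA-256 over the salt and length-prefixed coarse fields (hex, 64 chars)."""
    h = hashlib.sha256(salt)
    for field in (device_token, truncate_ip(ip), browser_family(user_agent)):
        data = field.encode()
        # Length prefix keeps ("ab", "c") and ("a", "bc") from hashing alike.
        h.update(len(data).to_bytes(2, "big") + data)
    return h.hexdigest()

# Constructed sample inputs, not real user data.
UA = ("Mozilla/5.0 (Linux; Android 14) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/125.0 Mobile Safari/537.36")
TOKEN = secrets.token_hex(16)        # random value the browser keeps in localStorage
SALT_NOW = secrets.token_bytes(32)   # assumed server-side salt for the current 90-day window
SALT_NEXT = secrets.token_bytes(32)  # salt after rotation; the old one is discarded

def demo() -> dict:
    base = fingerprint(TOKEN, "203.0.113.7", UA, SALT_NOW)
    return {
        "hex_length": len(base),
        # Same device, new address inside the same two-octet prefix: unchanged.
        "stable_in_prefix": base == fingerprint(TOKEN, "203.0.55.200", UA, SALT_NOW),
        # Site data cleared, so the browser generates a new token: no link.
        "linked_after_clear": base == fingerprint(secrets.token_hex(16), "203.0.113.7", UA, SALT_NOW),
        # Salt rotated: old and new hashes of the same device no longer match.
        "linked_after_rotation": base == fingerprint(TOKEN, "203.0.113.7", UA, SALT_NEXT),
    }

if __name__ == "__main__":
    print(demo())
```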
Anonymous votes are display-only. They count toward the public vote tally shown on each case page, but they do not count toward the threshold that promotes a case verdict into our precedent library, the Hall of Fame, or any AI training signal. Only verified signed-in votes feed those downstream systems.
Anonymous votes stay anonymous. We do not automatically associate your anonymous votes with an account you later create. Creating an account starts a fresh, verified voting history. Your earlier anonymous votes continue to count in the public tally exactly as they did before you signed up, with no link back to your account.
Payment data — if you subscribe, Lemon Squeezy (our Merchant of Record) collects your card and billing details directly. Lemon Squeezy is the legal seller of record for your purchase and is responsible for tax compliance globally; OURVAR.AI receives only the wholesale revenue and metadata necessary to grant your subscription. We store your Lemon Squeezy customer ID, subscription ID, plan code, and the fact that you're premium — never your card number.
We do not collect: card numbers, location beyond what IP implies, contacts, microphone or camera data outside the video you explicitly upload.
EU / UK residents (GDPR / UK GDPR).
- Performance of contract — running your account, analysing your clips, processing payments, providing premium features.
- Legitimate interests — preventing abuse (rate limits, brute-force protection), moderating content, improving model prompts from confirmed verdicts.
- Legal obligation — tax records on payments, responding to valid takedown or law-enforcement requests.
- Consent — only where required (non-essential cookies, future marketing emails if any). You can withdraw consent any time.

Korean residents (PIPA, 개인정보보호법).
- Consent (Art. 15(1)(1)) — for the core processing of your account and submitted content; given when you create the account.
- Necessary for performance of a contract you are a party to (Art. 15(1)(4)) — for billing, premium-feature delivery, and the precedent library that is part of the service description.
- Legitimate interests of the controller (Art. 15(1)(6)) — for abuse prevention, rate-limiting, security logs, and the anonymous vote fingerprint described in §2 above, where the clear, narrow purpose (one-vote-per-device enforcement on a public engagement feature) and the limited fingerprint composition (no raw IP, no raw UA, 90-day salt rotation) outweigh the limited privacy impact. An explicit notice is presented before your first anonymous vote so you can decline by not voting; merging into an account is a separate opt-in step.
- Legal obligation (Art. 15(1)(2)) — for tax records and lawful government requests.
When you submit a clip we: (a) extract still frames for AI analysis, (b) run a lightweight AI pre-screening pass to detect non-football or explicit content, (c) send the frames and your context to our analysis AI for the verdict, (d) store a small thumbnail (< 50 KB JPEG) in the database alongside the verdict.
The raw video file or stream is deleted from our servers within 24 hours of successful analysis (or immediately on failed pre-screening). Only the thumbnail and metadata persist.
| Recipient | Country | Purpose |
|---|---|---|
| Anthropic, Inc. | United States | AI inference (frame analysis, content pre-screening). No training on your content. |
| Lemon Squeezy (Lemon Squeezy LLC) | United States | Payment processing as Merchant of Record — LS is the seller of record for your subscription, handles global tax compliance (VAT/GST/sales tax), and is the controller for payment data. |
| Hetzner Online GmbH | Germany (Nuremberg) | Web hosting and database. |
| [EMAIL_PROVIDER] | [EMAIL_REGION] | Transactional email (welcome, password reset, billing). |
We do not sell personal data. We do not share it with advertisers. An up-to-date subprocessor list is available on request.
See the separate Cookie Policy for detail. In short: we use strictly necessary cookies for login sessions and CSRF protection. We do not use advertising or cross-site-tracking cookies.
EU / UK residents (GDPR / UK GDPR). You have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing based on legitimate interests. Email hello@ourvar.ai — we aim to respond within 30 days. You may also complain to the UK Information Commissioner's Office (ico.org.uk) or to your local EU supervisory authority.
Korean residents (PIPA). You have the right to:
- request access to your personal information (Art. 35)
- request correction or deletion (Art. 36)
- request suspension of processing (Art. 37)
- withdraw consent at any time (Art. 22)
Email hello@ourvar.ai to exercise any of these. We respond within 10 days under PIPA.
You may also lodge a complaint with the Personal Information Protection Commission (개인정보보호위원회 / PIPC) at pipc.go.kr, call the KISA privacy hotline at 118, or use the privacy dispute mediation committee (개인정보분쟁조정위원회) at kopico.go.kr.
We process your data primarily in the Republic of Korea (or the region of our hosting provider). Some processing happens outside Korea.
Cross-border transfer notice (PIPA Art. 28-8) — for Korean residents:
| Recipient | Country | Items transferred | Purpose | Retention | Method |
|---|---|---|---|---|---|
| Anthropic, Inc. | United States | Video frames (base64), incident context, account user ID | AI inference for verdict generation | Per Anthropic policy: not used for foundation-model training; standard logs ≤ 30 days | TLS 1.3, API key auth |
| Lemon Squeezy LLC | United States | Email, billing address, transaction metadata, subscription state | Payment processing (Merchant of Record) — LS is the seller; we receive wholesale settlement + webhooks. Tax data filed by LS, not us. | Per Lemon Squeezy policy | TLS 1.3, API key auth |
You may refuse this transfer by closing your account; the service cannot operate without it.
For EU / UK residents the same transfers are covered by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.
Passwords are hashed with PBKDF2-HMAC-SHA256 (600,000 iterations, NIST 2023 recommendation). Sessions are short-lived tokens (24 hours) carried in URL parameters for shareable links and rotated server-side. TLS is enforced in transit. Payment pages are hosted by Lemon Squeezy (Merchant of Record) — no card data ever touches our servers. Brute-force lockouts and SSRF guards on URL ingest are in place. No security is absolute — if you notice a vulnerability, please report it responsibly by emailing hello@ourvar.ai.
OURVAR is not intended for children under 14, in line with PIPA Article 22-2 (parental consent threshold for processing children's personal data) and above the US COPPA threshold of 13. We do not knowingly collect data from children under 14. Contact hello@ourvar.ai if you believe a minor has registered and we will delete the account.
Material changes will be notified by email or in-app banner at least 14 days before the effective date.