Privacy Policy

Last updated: May 2, 2026

1. Introduction

12 Points ("the App", available at 12points.science and as native iOS and Android applications) is a Eurovision Song Contest rating and citizen-science platform. Some users also choose to participate in an academic research study run by the University of Southern Denmark ("SDU"). This Privacy Policy explains what personal data we collect, on what legal basis, how we use and share it, how long we keep it, and what rights you have.

Please read this Policy together with our Terms of Service and, if you are a research participant, the Informed Consent Form you accepted at onboarding.

2. Who We Are — Data Controllers

There are two distinct data controllers, depending on the data in question:

Operation of the App (account, login, basic service): the 12 Points team. Contact: privacy@12points.science.
Research data (only collected if you grant research consent): the University of Southern Denmark, Campusvej 55, 5230 Odense, Denmark. The Consent Form names the principal investigator and Data Protection Officer.

3. The Three Research States

Your privacy footprint depends on whether you have granted research consent. Every account is in one of three states at any given time:

Never consented. You have not granted research consent. The App operates in local-only mode: ratings, top 12, preference rankings, and any demographic answers you provide are saved on your device only and are never uploaded to our servers. Commenting and the friend-network features are unavailable.
Currently consenting. You have granted research consent. Your ratings, top 12, demographic answers, comments, and friend-network activity are stored on our servers and may be processed for research as described in the Consent Form.
Withdrawn (terminal). You previously consented and have since withdrawn. New activity is stored on your device only. You cannot grant research consent again on the same account. Existing server-side data is anonymised or deleted as described in Section 9.

Users under the age of 18 are automatically placed in local-only mode regardless of any consent selection, so no research data is ever collected from accounts identified as under 18.

4. Information We Collect

4.1 Always (all users)

For all users with an account, regardless of research consent, we store the following on our servers because it is necessary to provide the service:

Account information: email address, username, hashed password (or a reference to your Google or Apple sign-in identity), display name, optional profile picture and bio.
Authentication and session data: session tokens, login timestamps, IP address at login (for security and abuse prevention), email-verification status.
Bot-protection signals: Cloudflare Turnstile tokens collected during sign-up and login.
Device push token (if you opt in to notifications), via OneSignal.

4.2 Only if you grant research consent

If — and only if — you grant research consent, we additionally collect on our servers:

Song ratings and preferences: numerical ratings on a 1–10 scale, top 12 / scorecard ordering, preference ranking across rated songs, written feedback if any.
Comments: public comments you post on songs, including replies to other users' comments, and your votes on comments.
Friend-network activity: friend connections, including which other participants you send and accept friend requests from.
Demographic information: any of the following you choose to provide — age range, country of residence, gender, national identity, first language, music-genre preferences, education level, creative experience, and other demographic variables specific to a competition.
Technical research metadata: timestamps of ratings and comments, the competition each rating belongs to, basic device-type information used by the platform.

4.3 Local-only data (never uploaded)

For non-consenting users (including users under 18 and users who have withdrawn), the categories listed in 4.2 are stored only on the device you are using, in the App's local storage. We do not transmit, receive, or store this data on our servers. We have no access to it. You can clear it at any time by uninstalling the App or clearing site data in your browser.

About local storage. Local-only data can be lost without warning if you uninstall the App, clear browser data, switch browsers or devices, use a private browsing window, or if your operating system reclaims storage from inactive sites (Safari may clear site data after about a week of inactivity). Local-only data also does not synchronise between your devices.

5. Legal Basis for Processing (GDPR Article 6)

We rely on the following lawful bases under the GDPR:

Contract / service performance (Article 6(1)(b)): account information, authentication and session data, push tokens (if opted in). We need this data to provide the App you are signing up for.
Explicit consent (Article 6(1)(a)): all research data described in Section 4.2. You can withdraw this consent at any time (Section 9), with the irreversibility caveat described there.
Legitimate interests (Article 6(1)(f)): bot-protection signals, fraud-prevention logging, and the security IP/user-agent records associated with login. Our legitimate interest is keeping the App secure and protecting users; you may object to this processing under Section 11.
Legal obligation (Article 6(1)(c)): where we are required by law to retain or disclose specific data (for example, in response to a valid court order).

Where the data is treated as research data, the further legal basis under GDPR Article 9 (where applicable) is your explicit consent (Article 9(2)(a)) and scientific research in the public interest (Article 9(2)(j)) read together with Article 89(1).

6. How We Use Your Information

To provide and operate the App (display ratings, leaderboards, social features, push notifications you opted in to).
To generate aggregated, anonymised statistics that are visible to all users (for example, country averages or community top lists).
To communicate with you about your account — email verification, password resets, security notices, and material changes to these policies.
If you have consented, to conduct academic research on music preferences, social influence on rating behaviour, and cultural phenomena, and to publish research findings as described in Section 7.
To detect, prevent, and respond to abuse, fraud, or violations of our Terms of Service.

We do not use your data for advertising, profiling, or automated decision-making that has legal or similarly significant effects on you.

7. Data Sharing and Open Science

We do not sell your personal information. We share data only in the following limited circumstances:

Service providers processing data on our behalf under written contracts: Convex (database), Firebase (hosting), SendGrid (email), Cloudflare (bot protection), Google and Apple (sign-in), OneSignal (push notifications). See Section 10.
Aggregated, anonymised research outputs may be included in academic publications, presentations, and educational materials.
Open-science dataset releases. If you have granted research consent, the SDU research team may include data attributable to you — with direct identifiers (name, email, account ID) removed — in datasets published in open-access repositories such as the Open Science Framework or Zenodo. Once published, these datasets cannot be recalled. The Consent Form describes this in detail.
Re-identification risk in published datasets. Direct identifiers are removed before publication, but the combination of demographic information and rating patterns may, in some cases, allow re-identification — especially for rare demographic combinations. We classify the published dataset as pseudonymous rather than strictly anonymous under the GDPR. We will take reasonable measures (aggregation, suppression of small subgroups) to mitigate this risk before any release.
Legal obligations: where required by law, or to protect our or others' rights, safety, or property.

8. Third-Party Services and International Transfers

We use the following third-party services to operate the App. Each processes only the minimum data necessary for its function. Please refer to their respective privacy policies for details.

Convex: real-time database and backend infrastructure.
Firebase: web hosting and performance monitoring.
Google Sign-In: optional social login. We request only the openid, email, and profile OAuth scopes — this gives us your Google email address, basic profile information (name), and profile picture URL. We do not access Gmail, Google Drive, Contacts, Calendar, or any other Google services.
Apple Sign-In: optional social login. We receive your email address (or a private Apple relay address) and, on first sign-in only, your name.
SendGrid: transactional emails (verification, password resets).
Cloudflare Turnstile: bot protection during sign-up and login.
OneSignal: push notifications, only if you opt in.

Some of these providers (notably Convex, Firebase, SendGrid, Cloudflare, and OneSignal) are based in the United States or operate global infrastructure. To the extent your personal data is transferred outside the European Economic Area, we rely on the providers' Standard Contractual Clauses or equivalent transfer mechanisms permitted by GDPR Chapter V.

9. Research Participation and Withdrawal

This section summarises the privacy implications of joining, staying in, or leaving the research study. The full mechanics are described in our Terms of Service (Section 7) and the Consent Form.

9.1 Granting consent

You can grant consent during onboarding or later from your profile settings, provided you are not in the withdrawn state. When you grant consent later, any locally-stored ratings, top 12, preference ranking, and demographic answers from the device you are using are uploaded to our servers in a single transaction.

9.2 Withdrawing consent — one-shot and permanent

You can withdraw research consent at any time, from your profile settings or by emailing the contact in the Consent Form. Withdrawal is irreversible — once you withdraw, you cannot grant consent again on the same account. This protects the integrity of the research dataset against repeated cycling. You will be asked to confirm your understanding of this irreversibility before withdrawal is processed.

When you withdraw, the following happens on our servers, in a single transaction:

Demographic answers, top 12 / scorecards, and preference rankings are permanently deleted.
Ratings and friendship history are anonymised: a fresh pseudonymous identifier replaces your account reference, the rating scores are discarded, and only the timestamps and items you rated are retained as exposure stubs (used to study the timing of social influence). The mapping between this pseudonymous identifier and your account is destroyed at the moment of withdrawal — we keep no copy of it in our database, application code, or backups, so re-linking is internally impossible.
Comments are scrubbed in place: text replaced with "[deleted]", displayed name replaced with "[Withdrawn user]"; reply chains stay intact. Comment votes and follows are deleted.
Profile is anonymised: display name becomes "[Withdrawn user]", avatar and bio are cleared, and you are removed from user search.
Your account itself is preserved (email and login still work), so you can keep using the App in local-only mode.

The legal basis for retaining anonymised exposure stubs and friendship-history rows after withdrawal is the GDPR research exception (Article 17(3)(d) read with Article 89(1)). Anonymised data that has already been included in a public dataset release cannot be recalled.

9.3 Withdrawing research vs. deleting your account

These are two distinct actions. Withdrawing research consent ends your participation in the study but keeps your account in local-only mode. Deleting your account terminates your relationship with the App entirely (Section 13).

10. Data Storage and Security

Server-side data is stored using Convex (database) and Firebase (hosting). We use HTTPS in transit, access controls, and authentication via BetterAuth with secure session management. The pseudonymisation cascade described in Section 9.2 is performed automatically and cannot be reversed by any administrator with database access, because no mapping between pseudonymous identifiers and real accounts is retained anywhere in our systems.

Local-only data lives in your device's standard browser or app storage, protected by the security model of your operating system and browser. We have no visibility into it.

11. Data Retention

Account information. Retained for as long as your account exists. If you delete your account, account data is removed in accordance with Section 13.
Authentication and security logs. Retained for up to 90 days for abuse-prevention purposes, unless we are required to keep them longer to investigate a specific incident.
Research data (consenting users). Retained for the duration of the study or until you withdraw, whichever comes first.
Anonymised exposure stubs and friendship-history rows (post-withdrawal). Retained indefinitely for research purposes under Article 17(3)(d) / 89(1). They cannot be deleted because no mapping back to your account exists.
Published dataset records. Once anonymised data has been included in a public release, it cannot be deleted from copies that have already been distributed.
Comments. Comments remain visible until you withdraw research consent or delete your account, after which the text is replaced with "[deleted]" but the row stays in place to preserve reply chains.

12. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of access. You can view much of your data directly through the App (profile, ratings, top 12, comments). You may also request a copy of all personal data we hold about you.
Right to rectification. You can correct profile and demographic information directly in the App; for anything you cannot edit yourself, contact us.
Right to erasure ("right to be forgotten"). You can delete your account at any time (Section 13). For research data specifically, the withdrawal flow described in Section 9.2 anonymises data rather than deleting it, in reliance on the GDPR research exception — this is what makes your withdrawal compatible with continued research integrity.
Right to restriction of processing. You can ask us to limit how we process your data while a question about it is being resolved.
Right to data portability. You can request your data in a machine-readable format.
Right to object. You can object to processing based on legitimate interests (Section 5).
Right to withdraw consent. Where processing is based on your consent, you can withdraw it at any time, subject to the one-shot rule for research consent (Section 9.2). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to lodge a complaint with your national data-protection authority. In Denmark this is the Datatilsynet (datatilsynet.dk); in other EU member states it is the equivalent national authority.

To exercise any of these rights, contact privacy@12points.science. For research-data questions specifically, contact the principal investigator named in the Consent Form.

13. Account Deletion

You can delete your account at any time from Settings → Delete Account in the App, or via our account deletion page. When you delete your account, we permanently remove:

Your profile and account information (email, username, display name, avatar, bio).
Your session data and authentication records.
Your demographic survey responses, top 12 / scorecards, and preference rankings.
Your comment votes, friend connections, and follows.

If research consent is active at the time of deletion, the withdrawal cascade in Section 9.2 also applies: your ratings and friendship history are converted to anonymised stubs, and your comments are scrubbed in place ("[deleted]" text, "[Withdrawn user]" displayed name) so that reply chains remain intact. Anonymised stubs and any data already released in a public dataset cannot be recalled.

14. Children's Privacy

The App is not intended for children under 13, and we do not knowingly collect personal information from children under 13. Research participation is restricted to users aged 18 and over — if you indicate that you are under 18 in the demographic questionnaire, the App will automatically place you in local-only mode and no research data will be collected from your account.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates the most recent revision. We will notify users of significant changes through the App or by email. Continued use of the App after a change becomes effective constitutes acceptance of the updated Policy.

16. Contact Us

For privacy questions or to exercise your rights, contact privacy@12points.science. For Terms-of-Service questions, contact contact@12points.science. Research-related questions should be directed to the principal investigator named in the Consent Form. If you are not satisfied with our response, you can lodge a complaint with your national data-protection authority.

17. Related Policies

Please also review our Terms of Service and, if you participate in research, the Informed Consent Form you accepted at onboarding.