Last updated: 26 October 2025
This Privacy Policy explains how SquadTracker ("we", "us", "our") collects, uses, discloses, and protects your information when you use our web and mobile applications (iOS/Android via Capacitor) and related services (collectively, the "Service"). We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK data protection laws.
By using the Service, you agree to this Policy and our Terms of Use.
1. Who We Are and How to Contact Us
Controller: HitQuill (provider of SquadTracker)
Privacy contact email: privacy@squadtracker.co.uk
We do not list a postal address in this Policy. Please contact us via email for privacy matters.
2. Scope
This Policy applies to all users, including coaches, team administrators, players, and invited participants who access or use the Service.
3. Categories of Personal Data We Process
Account/User Data:
- First name, last name
- Email address
- Password (hashed/salted)
- Email verification status
- Password reset tokens (time‑limited)
- Authentication/session tokens (e.g., NextAuth sessions)
Team & Role Data:
- Team name, colours, description, founded date
- Role assignments (Head Coach, Assistant Coach, Admin)
- Team invitations (invited email, status)
- Feature flags (e.g., cards tracking, minutes tracking)
Player Data:
- First/last name
- Jersey number, position
- Active/inactive status
Match & Training Data:
- Match date, venue, referee
- Home/away teams and scores
- Player participation and minutes played
- Goals (minute, assists, clean sheets)
- Yellow/red cards (if enabled)
- Player of the Game awards (coach & player voting)
- Match notes
- Training date, venue, description
- Attendance records
- Trainer of the Week awards
Technical/Usage Data:
- Device and browser information
- Log data (timestamps, IP address, actions) for security/troubleshooting
- Cookies/local storage for authentication and session continuity
Special category data: We do not intentionally collect special category data under UK GDPR (e.g., health, biometric, political opinions). Please do not input such data.
Children's data: If minors' data is added, coaches must ensure a lawful basis (e.g., appropriate authority or parental consent where required). See Lawful Bases.
4. Lawful Bases for Processing (UK GDPR Art. 6)
- Contract: To provide the Service and core features (accounts, team/player management, scheduling, stats/analytics).
- Legitimate Interests: To secure the Service, prevent abuse, improve features, and perform aggregated analytics, balanced against your rights.
- Consent: For optional features, non‑essential cookies, or marketing communications. You may withdraw consent at any time.
- Legal Obligation: To comply with applicable laws and regulatory requirements.
For minors' data, coaches/admins are responsible for ensuring a valid basis (including parental consent where required by law).
5. How We Use Your Information
- Operate and deliver the Service (authentication, roles, team/player management, scheduling, analytics).
- Maintain security and integrity (fraud prevention, access controls, auditing).
- Improve the Service (bug fixes, performance tuning, feature development).
- Communicate with you (account notices, service updates, invitations).
- Comply with legal obligations and enforce our terms.
We do not sell personal data.
6. Where We Store and Process Data
Hosting: Railway infrastructure with primary data storage in the Netherlands (EU/EEA).
International transfers: If limited transfers occur (e.g., support tools, content delivery), we use safeguards recognised under UK GDPR (e.g., UK International Data Transfer Agreement or UK Addendum to EU SCCs), or rely on UK adequacy regulations where applicable.
7. Data Sharing and Disclosure
- Service Providers/Processors: Hosting (Railway), authentication (e.g., NextAuth), storage, logging/monitoring, email delivery, subscription/billing syncing (Adapty). These providers act under data processing agreements and only per our instructions.
- Team visibility: Coaches/admins can see team-related data according to role-based permissions.
- Legal/Compliance: Where required by law or to protect rights, safety, and security.
- Business transfers: In a merger/acquisition, data may be transferred with appropriate safeguards and notice.
We do not allow third parties to use personal data for their own marketing.
8. Retention
- General: We retain personal data only as long as necessary for the purposes described.
- Inactive accounts: Accounts and associated personal data are deleted after 6 months of inactivity or following your deletion request, subject to legal obligations and backup cycles.
- Team and player records: Retained for active seasons and legitimate interests (e.g., historical stats) where allowed. Admins can delete specific records via in-product controls.
- Logs/security data: Retained for a limited period, then deleted or anonymised.
Backup copies may persist temporarily and are purged on a rolling basis.
9. Your Rights (UK GDPR)
Subject to conditions and exceptions, you have the right to:
- Access your data
- Rectify inaccurate data
- Erase data ("right to be forgotten")
- Restrict processing
- Object to processing based on legitimate interests
- Data portability (structured, commonly used, machine‑readable format)
- Withdraw consent (where processing relies on consent)
- Lodge a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk
Contact us at privacy@squadtracker.co.uk to exercise your rights if in‑app tools are not sufficient.
10. Self‑Serve Data Export and Deletion Options
- Self‑serve export: Export your data directly in‑app.
- Account deletion: Delete your account in‑app; we delete or anonymise associated data per the Retention section.
- Player and team records: Coaches/admins can delete player profiles, attendance, match/training entries, notes, and teams.
- Emails: Unsubscribe links are provided for non‑essential emails.
For assistance, email privacy@squadtracker.co.uk.
11. Security
We implement appropriate technical and organisational measures, including:
- HTTPS/TLS encryption in transit
- Password hashing (never plaintext)
- Role-based access and session controls
- Environment hardening, monitoring, and least‑privilege access
Incident response and breach notification: Our preferred contact method is email. We aim to notify the ICO (where legally required) without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach, and to notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
12. Cookies and Similar Technologies
We use cookies/local storage for:
- Authentication and session continuity
- Security (e.g., CSRF)
- Basic analytics to improve the Service (used only with consent where required)
You can manage cookies via your browser settings. Non‑essential cookies are used only with consent where required.
13. Player Statistics, Awards, and Tracking Features
- Feature flags: Certain tracking (e.g., cards) can be toggled at the team level.
- Purpose: Provide team management insights and season analytics.
- Transparency: Team admins should inform players (and parents/guardians for minors) about the nature and purpose of tracking.
- Minimisation: Only enter data relevant to team management and performance.
14. Adapty and Subscription Data
We use Adapty to manage and synchronise subscription status across our apps and website. Adapty receives limited identifiers and purchase metadata necessary to validate entitlements and renewals. For purchases via app stores, Apple and Google may process your payment information under their own terms and privacy policies.
We do not store your full payment card details on our systems for in‑app purchases; payment data is handled by the relevant platform/store or payment processor.
15. Third‑Party Links
The Service may link to third‑party websites or services. Their privacy practices are their own; please review their policies.
16. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated via the Service or by email. Continued use after changes indicates acceptance.
17. Contact Us
Privacy email: privacy@squadtracker.co.uk
This Privacy Policy is aligned with our Terms of Use, including:
- Use of Adapty for subscription/billing synchronisation
- Monthly "cancel anytime" approach and yearly refund window policy (handled by the relevant stores/processors)
- No postal address listed in this Policy
- Incident response timelines consistent with UK GDPR breach notification expectations