Privacy Policy

Last updated: March 2026

1. Introduction

Player Portal ("we", "us", "our") is a UK-based SaaS platform that provides management tools for sports academies. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using Player Portal, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.

2. Data We Collect

We collect the following categories of personal data:

  • Account information: name, email address, phone number, and password (hashed).
  • Player information: child's name, date of birth, medical conditions, allergies, emergency contact details, and development records.
  • Payment information: billing address and payment method details (processed and stored securely by Stripe; we do not store full card numbers).
  • Usage data: IP address, browser type, device information, pages visited, and interaction data collected through cookies and analytics.
  • Communication data: messages sent through the platform, email correspondence, and notification preferences.
  • Media: photographs uploaded to the gallery by academy staff or coaches.

3. How We Use Your Data

We process your personal data for the following purposes:

  • To create and manage your account and provide access to the platform.
  • To facilitate player registration, scheduling, attendance tracking, and progress reviews.
  • To process payments, subscriptions, and invoicing.
  • To send transactional emails (e.g. payment confirmations, session reminders, progress reports).
  • To improve our platform through anonymised usage analytics.
  • To respond to your enquiries and provide customer support.
  • To comply with legal obligations and enforce our Terms & Conditions.

4. Legal Basis for Processing

We process your data under the following lawful bases:

  • Contract: processing is necessary to perform our contract with you (e.g. providing the Service, processing payments).
  • Consent: where you have given explicit consent (e.g. marketing communications, photography consent).
  • Legitimate interests: to improve our platform, prevent fraud, and ensure security.
  • Legal obligation: to comply with applicable laws and regulations.

5. Cookies

We use the following types of cookies and similar technologies:

  • Essential cookies: maintain your session, authentication state, and security tokens. These are strictly necessary for the platform to function.
  • Analytics cookies: understand how users interact with the platform so we can improve the experience. These are anonymised where possible.
  • Preference cookies: remember your settings and preferences (e.g. notification preferences, theme).

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the platform.

6. Data Storage & Security

Your data is stored securely using Supabase, with databases hosted in the European Union (EU). All data is encrypted in transit (TLS 1.2+) and at rest. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • Row-level security policies on all database tables.
  • Hashed and salted password storage.
  • Regular security audits and vulnerability assessments.
  • Access controls limiting data access to authorised personnel only.

7. Third-Party Services

We share your data with the following trusted third parties, solely for the purposes described:

  • Stripe (stripe.com) — payment processing. Stripe is PCI DSS Level 1 certified. We share billing details necessary to process your payments. Stripe's privacy policy governs their handling of your payment data.
  • Resend (resend.com) — transactional email delivery. We share your email address and name to send account notifications, payment receipts, and session reminders.
  • Supabase (supabase.com) — database hosting and authentication infrastructure, hosted within the EU.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

8. Children's Data (GDPR Article 8)

Player Portal processes data relating to children as part of academy player management. We take the protection of children's data extremely seriously.

  • All player accounts for children under 18 must be created by a parent or legal guardian.
  • In accordance with GDPR Article 8 and the UK Age Appropriate Design Code, we require verifiable parental consent before processing any child's personal data.
  • Children's data is limited to what is strictly necessary for academy operations: name, date of birth, medical information, attendance, and progress records.
  • We do not serve targeted advertising to children or use children's data for profiling purposes.
  • Parents and guardians may request access to, correction of, or deletion of their child's data at any time.
  • Photographs of children are only shared within the secure, authenticated academy gallery and are not publicly accessible.

9. Your Data Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data (subject to legal retention requirements).
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV).
  • Right to restrict processing: request that we limit how we use your data.
  • Right to object: object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us using the details in Section 12 below. We will respond to your request within 30 days.

10. Data Retention

  • Active account data is retained for as long as your account remains active.
  • Upon account closure, we retain your data for 12 months to allow for account recovery and to comply with legal obligations (e.g. financial record-keeping requirements).
  • Payment records are retained for 7 years in accordance with HMRC requirements.
  • After the retention period, your data is securely deleted or irreversibly anonymised.
  • You may request early deletion of your data at any time, subject to legal retention obligations.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice on the platform. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or need to raise a concern about how your data is being handled, please contact us:

  • Via the Player Portal messaging system within your academy dashboard.
  • Via email at the address provided on your academy's booking page.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.