Introduction
This page outlines how Squadora complies with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), United Kingdom, and Switzerland.
Squadora acts as both a data controller (for data we collect directly) and a data processor (for data managed on behalf of sports clubs). We are committed to protecting the rights and freedoms of data subjects as defined by the GDPR.
For GDPR-related inquiries, contact our Data Protection team at support@squadora.com.
Lawful Basis for Processing
We process personal data under the following lawful bases as defined by Article 6 of the GDPR:
Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for a specific purpose, such as marketing communications or analytics cookies.
Contract Performance (Article 6(1)(b)): Processing necessary for the performance of a contract with you, including account creation, service delivery, and payment processing.
Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including service improvement, security, and fraud prevention, provided these interests do not override your fundamental rights.
Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, such as financial record keeping and responding to law enforcement requests.
For each type of data we collect, the specific lawful basis is documented in our Privacy Policy.
Data Subject Rights
Under the GDPR, you have the following rights:
Right of Access (Article 15): You can request a copy of all personal data we hold about you. We will provide this in a commonly used electronic format within 30 days.
Right to Rectification (Article 16): You can request correction of inaccurate personal data. Most data can be updated directly through your account settings.
Right to Erasure (Article 17): You can request deletion of your personal data ("right to be forgotten"). We will comply unless we have a legal obligation to retain the data.
Right to Restrict Processing (Article 18): You can request that we limit how we process your data while a complaint or dispute is being resolved.
Right to Data Portability (Article 20): You can request your data in a structured, machine-readable format (JSON or CSV) and transfer it to another service.
Right to Object (Article 21): You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.
Rights Related to Automated Decision-Making (Article 22): We do not currently use automated decision-making that produces legal effects. If this changes, we will update this policy.
To exercise any of these rights, email support@squadora.com with the subject line "GDPR Request". We will verify your identity and respond within 30 days.
Data Processing Activities
We maintain a Record of Processing Activities (ROPA) as required by Article 30 of the GDPR. Key processing activities include:
Account Management
- Data: Name, email, phone, date of birth, profile photo
- Purpose: User authentication and profile management
- Lawful basis: Contract performance
- Retention: Duration of account + 30 days
Club Operations
- Data: Team rosters, match results, player statistics, schedules
- Purpose: Core service delivery for sports club management
- Lawful basis: Contract performance
- Retention: Duration of club account + 90 days
Payment Processing
- Data: Transaction amounts, payment method identifiers (tokenized)
- Purpose: Processing club membership fees and event payments
- Lawful basis: Contract performance
- Retention: 7 years (financial regulations)
Communications
- Data: Messages, notifications, chat history
- Purpose: Facilitating club communications
- Lawful basis: Contract performance / Legitimate interest
- Retention: Duration of account
Analytics
- Data: Anonymized usage patterns, feature adoption metrics
- Purpose: Service improvement
- Lawful basis: Legitimate interest
- Retention: Aggregated indefinitely (no personal data)
International Data Transfers
Squadora's infrastructure is hosted on Google Cloud Platform with primary data centers in the United States. For users in the EEA, UK, and Switzerland, this constitutes an international data transfer.
We ensure adequate protection for international transfers through:
Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our data processors, including Google (Firebase) and Stripe.
Data Processing Agreements: We maintain GDPR-compliant Data Processing Agreements with all sub-processors.
Supplementary Measures: In addition to SCCs, we implement supplementary technical measures including:
- Encryption in transit and at rest
- Access controls and audit logging
- Regular security assessments
- Data minimization practices
Sub-processors who access personal data from EEA users:
- Google LLC (Firebase) - United States - Cloud infrastructure, authentication, database
- Stripe Inc - United States - Payment processing
- Cloud messaging providers - Various - Push notification delivery
We will notify users of any changes to our sub-processor list and provide an opportunity to object.
Data Protection Contact
For all GDPR-related inquiries, data subject requests, or complaints:
Data Protection Contact
Email: support@squadora.com
Subject line: "GDPR Inquiry"
Response times:
- Data subject access requests: Within 30 days
- Data deletion requests: Within 30 days
- General inquiries: Within 5 business days
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at the European Data Protection Board website.
Data Breach Notification
In accordance with Articles 33 and 34 of the GDPR, we have procedures in place to handle personal data breaches:
Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Data Subject Notification: If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay.
Our breach response procedures include:
- Immediate containment and assessment
- Documentation of the breach and its effects
- Notification to relevant authorities and affected individuals
- Implementation of remedial measures
- Post-incident review and process improvement
We maintain detailed logs of all security incidents and breach responses.
Processing of Minors Data
Sports clubs frequently include minor participants. We take additional care when processing data of children under 16 (or the applicable age in your member state):
- Parental consent is required for processing personal data of children under 16
- Club administrators act as authorized agents for the limited purpose of managing sports activities
- We collect only the minimum data necessary for participation
- Children's data is subject to the same security measures as all personal data
- Parents and guardians can exercise data subject rights on behalf of their children at any time
For clubs operating in jurisdictions with different age thresholds (e.g., UK uses 13), we respect the local requirement.
Changes to This Policy
We review this GDPR compliance page regularly and update it to reflect changes in our practices, technology, or applicable law.
Material changes will be communicated through the Service and via email to affected users at least 30 days before they take effect.
Last review date: April 1, 2026
Next scheduled review: October 1, 2026
For questions about this policy, contact support@squadora.com.