Who We Are (Data Controller)
PlyrHQ is a SaaS platform for sports club management, accessible at plyrhq.com. PlyrHQ is a company registered in Romania, an EU member state, and acts as Data Controller under Regulation (EU) 2016/679 (GDPR).
As an EU-based controller, GDPR is our primary applicable framework. We also comply with applicable data protection laws in all jurisdictions where our services are used, including UK GDPR, CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and the Australian Privacy Act 1988.
- Entity: PlyrHQ
- Registered in: Romania (EU member state)
- Privacy contact: privacy@plyrhq.com
- General contact: hello@plyrhq.com
- Website: https://plyrhq.com
Data We Collect
We collect the following categories of personal data, depending on how you use PlyrHQ:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, profile photo | Registration / Google OAuth / Apple Sign-In |
| Organization data | Club name, sport type, member lists, groups | Created by administrators |
| Member & athlete data | Names, email/phone, attendance records, payment history | Added by club administrators |
| Children's data | Names, attendance, performance data (minors under 16/13) | Added by club admins with parental consent |
| Payment data | Invoice details, subscription status (card details handled by Stripe) | Subscription flow |
| Technical data | IP address, browser type, device info, session logs, error reports | Automatically collected |
| Analytics data | Page views, feature usage, session duration | PostHog (anonymized) |
| Communications | Messages, announcements, push notification content | Created by users |
Passwords are stored exclusively as bcrypt hashes — we never have access to plaintext passwords.
Legal Bases for Processing (GDPR Article 6)
We process your personal data on one or more of the following legal bases under GDPR Article 6:
| Processing Activity | Legal Basis | Details |
|---|---|---|
| Operating the platform | Art. 6(1)(b) — Contract | Necessary to provide the service you signed up for |
| Authentication | Art. 6(1)(b) — Contract | Account management and session security |
| Subscription billing | Art. 6(1)(b) — Contract | Processing payments for PRO/LEGENDARY plans |
| Analytics | Art. 6(1)(f) — Legitimate Interest | Product improvement; you can opt out at any time |
| Marketing emails | Art. 6(1)(a) — Consent | Only sent with explicit opt-in |
| Security monitoring | Art. 6(1)(f) — Legitimate Interest | Fraud prevention and system integrity |
| Legal compliance | Art. 6(1)(c) — Legal Obligation | Tax, accounting records (10-year retention) |
| Children's data | Art. 6(1)(a) + Art. 8 — Consent | Parental/guardian consent required |
How We Use Your Data
We use personal data exclusively for the following purposes:
- Service operation: Operate and improve the PlyrHQ platform
- Authentication: Authenticate users and manage accounts
- Transactional emails: Send confirmation, password reset, and payment receipt emails
- Product updates: Send feature announcements and product news (with consent)
- Payments: Process subscription payments via Stripe
- Analytics: Generate product analytics to improve the platform
- Security: Detect and prevent fraud and abuse
- Legal compliance: Comply with applicable legal obligations
We do not sell your data
We do not sell your personal data to third parties. We do not use your data for advertising or build advertising profiles of our users.
Data Processors & Third Parties
We work with the following sub-processors to deliver the service. We have signed Data Processing Agreements (DPAs) with each:
| Service | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Authentication, database, file storage | EU (Frankfurt) | GDPR compliant, DPA signed |
| Vercel | Web hosting, edge CDN | Global (EU region primary) | GDPR compliant, SCCs for US transfers |
| PostHog | Product analytics | EU (EU Cloud) | GDPR compliant, IP anonymization enabled |
| Google OAuth | Optional sign-in | USA/Global | GDPR compliant, SCCs |
| Stripe | Payment processing | USA | SCCs (2021), PCI-DSS Level 1 certified |
| Sentry | Error monitoring | EU | GDPR compliant, DPA signed |
| Resend | Transactional email | EU | GDPR compliant, DPA signed |
A complete and up-to-date list of sub-processors is available on request at privacy@plyrhq.com.
International Data Transfers
As an EU-based company, your data is primarily stored and processed within the European Union. When transfers to third countries occur (e.g., Stripe in the USA, Google OAuth), we apply one or more of the following safeguards in accordance with GDPR Chapter V:
- Standard Contractual Clauses (SCCs) — EU Commission-approved clauses under Decision (EU) 2021/914 (the 2021 version)
- Adequacy decisions — where the destination country benefits from a European Commission adequacy decision
- Other appropriate safeguards — such as binding corporate rules or approved codes of conduct where applicable
Note for UK Users
For users in the United Kingdom, international data transfers are governed by UK GDPR and, where applicable, International Data Transfer Agreements (IDTAs) issued by the UK Information Commissioner's Office (ICO).
You may request a copy of the applicable transfer mechanisms by emailing privacy@plyrhq.com.
Data Retention Schedule
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of subscription + 30 days | Service provision |
| Deleted account data | Deleted within 30 days of request | GDPR erasure right |
| Billing / invoice records | 10 years | Legal accounting obligation |
| Security / audit logs | 90 days | Security monitoring |
| Analytics data (PostHog) | 12 months | Product improvement |
| Support communications | 2 years | Dispute resolution |
| Backup data | Up to 90 days after deletion | Disaster recovery |
Upon expiry of retention periods, data is securely deleted or irreversibly anonymized. A deletion request from the user immediately triggers the erasure process, except for data subject to a legal retention obligation.
Your Rights
A. EU/EEA Rights (GDPR)
Under GDPR, you have the following rights:
- Access (Art. 15) — obtain a copy of your personal data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — “right to be forgotten”
- Restriction (Art. 18) — limit processing in certain circumstances
- Data portability (Art. 20) — receive your data in a machine-readable format (JSON/CSV)
- Object (Art. 21) — object to processing based on legitimate interests
- Automated decisions (Art. 22) — not be subject to solely automated decisions with legal effect
- Withdraw consent (Art. 7(3)) — without affecting prior processing
- Lodge a complaint — with your national supervisory authority
EU Supervisory Authorities
Primary authority (Romania): ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — www.dataprotection.ro. You may also contact the supervisory authority in your own EU member state of residence.
B. UK Rights (UK GDPR)
UK users have equivalent rights under the UK GDPR and Data Protection Act 2018. Supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk
C. California Rights (CCPA/CPRA)
California residents have the right to:
- Know what personal information is collected, used, shared or sold
- Delete personal information (with exceptions)
- Correct inaccurate personal information
- Opt-out of the “sale” or “sharing” of personal information
- Limit use of sensitive personal information
- Non-discrimination for exercising CCPA rights
Do Not Sell or Share
We do not sell or share personal information as defined by CCPA/CPRA. To exercise CCPA rights, email privacy@plyrhq.com with “CCPA Request” in the subject line.
D. Brazilian Rights (LGPD)
Brazilian users have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, anonymize, port, delete, and receive information about data sharing. Contact: privacy@plyrhq.com
E. Canadian Rights (PIPEDA)
Canadian users have rights under PIPEDA (Personal Information Protection and Electronic Documents Act), including the right to access personal information and request corrections. Contact: privacy@plyrhq.com
F. Australian Rights (Privacy Act 1988)
Australian users have rights under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), including access and correction rights. Contact: privacy@plyrhq.com
How to exercise your rights
Contact privacy@plyrhq.com — we respond within 30 calendar days. For GDPR data breach notifications, we notify the supervisory authority within 72 hours (Art. 33 GDPR) and affected users without undue delay where there is a high risk to their rights.
Children's Data
PlyrHQ is a professional platform for sports club management and is not directed at minors. However, we understand that sports activities frequently involve minors, and club administrators will manage athlete data for individuals under 18.
- EU/EEA (GDPR Art. 8): Processing of children's data (under 16) for online services requires parental or guardian consent. Club administrators are responsible for obtaining and documenting this consent before adding minors to the platform.
- USA (COPPA): We do not knowingly collect personal information from children under 13 without verifiable parental consent. Club administrators in the USA must obtain parental consent for athletes under 13.
- UK: UK GDPR applies a similar standard (under 13 in some contexts per the Age Appropriate Design Code).
- Brazil (LGPD): Processing of children's data requires specific parental or guardian consent.
PlyrHQ does not directly contact minors. All communications go through club administrators.
Report unauthorized child data
If you believe a child's data was collected without proper consent, contact privacy@plyrhq.com immediately. We will delete the data without undue delay.
Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, alteration, or disclosure:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest (Supabase / AWS)
- Row-Level Security (RLS) on all PostgreSQL database tables — each organization can only access its own data
- Multi-factor authentication available for all accounts
- Regular security audits and penetration testing
- Audit logs for all administrative and sensitive actions
- Incident response plan with 72-hour breach notification to the supervisory authority (GDPR Art. 33)
Passwords are stored exclusively as bcrypt hashes. We never store or transmit plaintext passwords.
Policy Changes
We may update this Privacy Policy periodically to reflect changes in our data processing practices, legal requirements, or service functionality.
- Material changes (new processing purposes, new data categories, new processors outside the EEA) will be communicated via email with at least 30 days' notice before taking effect.
- Minor changes (clarifications, contact updates, reformulations) will be published on this page with an updated “Last Updated” date.
- Continued use of the service after the effective date of material changes constitutes acceptance of the updated policy.
The current version is always available at plyrhq.com/privacy. Previous versions are available on request.
Contact & DPO
For any questions about this Privacy Policy, to exercise your rights, or to submit a data-related request:
- Privacy requests: privacy@plyrhq.com
- General enquiries: hello@plyrhq.com
- Response time: Within 30 calendar days
We do not currently have a formally appointed Data Protection Officer (DPO), but all privacy matters are handled by our privacy team. Enterprise customers may request a Data Processing Agreement (DPA) at privacy@plyrhq.com.
Supervisory Authority — EU
If you are not satisfied with our response, you have the right to lodge a complaint with ANSPDCP (Romania): www.dataprotection.ro, Domnești, Ilfov, 077090, Romania. UK users may contact the ICO.