Soccer Club

Privacy Policy

Last updated: May 27, 2026

We built Soccer Club to be the calm, trustworthy alternative to the bloated incumbents — and that means we have to be boringly careful with your data. This policy explains what we collect, what we don't, where it lives, how long it stays, and exactly how you control it.

1. What we collect

We collect only what is needed to run a soccer club. For account holders (coaches, admins, parents), we collect the name and email you give us, the password hash you create, and the events your browser or app generates as you use the Service — sign-ins, the page you opened, the message you sent. For players added to a club, the club collects name, date of birth, team, jersey number, optional photo, and an emergency contact. If your club uses our payment features, we receive payment metadata from Stripe — the amount, the status, the last four digits of the card, the brand — but never the card number itself.

2. What we don't collect

We do not see card numbers, CVVs, or full bank-account numbers. Those are entered into Stripe-hosted fields and never reach our servers. We do not read the contents of your team chats or direct messages for any advertising or profiling purpose; we never have, and we never will. We do not track you across other websites with third-party advertising cookies. We do not sell, rent, or barter your data — there is no “data partner” in our architecture because there is no business model that would ever let us add one.

3. How we store it

Account and roster data live in a Neon Postgres database hosted in the United States, encrypted at rest and in transit. Every row is tagged with a club identifier, and every query is filtered by it at the database layer — not just in application code. Photos, uploaded documents, and other binary attachments are stored in Amazon S3 with server-side encryption using AWS KMS-managed keys (SSE-KMS). S3 objects are private by default and only accessible through signed URLs that expire quickly.

4. How long we keep it

We retain your club's data for as long as your account is active. If you cancel, we keep the data available for a ninety (90) day grace period so an admin can export anything they need or change their mind. After that, the data is deleted from active systems and purged from backups within a further sixty (60) days. Payment records that we are required by law to retain (typically seven years for accounting purposes) are retained for that period and only that period.

5. Third parties

We use a small number of vendors to run the Service. Payments are processed by Stripe (Stripe, Inc., United States). Files are stored by Amazon Web Services (AWS S3 and KMS). Sign-in can optionally use Google OAuth for authentication; we receive your name, email, and profile photo from Google when you choose that path, and nothing else. We do not share data with any other third party for their own marketing purposes. Each vendor is bound by a data-processing agreement that obligates them to use your data only to provide their service to us.

6. Children's data

Many players using Soccer Club are under thirteen. We treat their profiles as parent-managed and follow our COPPA policy. We never advertise to children, never profile them, and never share their data with any third party except as required to provide the Service (for example, a coach on their team can see their roster entry).

7. Your rights

You can access and edit your account information from your profile settings. You can export your club's rosters, schedules, messages, and financial records as CSV or JSON from the admin console at any time, at no charge. You can delete your account from settings; deletion is honored within thirty (30) days, subject to retention obligations described in Section 4. If you are a resident of the European Economic Area, the United Kingdom, or California, you also have rights of access, rectification, erasure, portability, restriction, and objection under GDPR or CCPA; we honor those rights regardless of where you live, because the same controls are baked into the product.

8. International transfers

Our servers are in the United States. If you are accessing the Service from outside the U.S., your information will be transferred to and processed in the U.S. We rely on the European Commission's standard contractual clauses for transfers from the EEA and U.K. to the U.S., and our sub-processors do the same.

9. Security

Read the security page for the operational details. The short version: PCI-DSS SAQ-A via Stripe, HTTPS-only with HSTS, KMS-encrypted storage, least-privilege access for engineers, and a written secret-rotation policy.

10. Changes

If we change this policy in a way that materially affects you, we'll email account owners and post a notice in the app at least thirty (30) days before the change takes effect.

11. Contact

Privacy questions, access requests, and deletion requests can be sent through our contact form. We respond in plain English, usually within one business day.