Privacy Policy

1. Data controller

The data controller within the meaning of EU Regulation 2016/679 (GDPR) is:

Given the scope of processing, the Controller has no legal obligation to appoint a Data Protection Officer (DPO) under Art. 37 GDPR.

2. Role: controller vs. processor

GameStatiq is a tool for managing sports statistics. It acts in two different roles:

• Controller — for data about its own customers (registered users, contact persons of clubs and federations).
• Processor (Art. 28 GDPR) — for player data uploaded by club administrators (Users). In this role, the Provider processes data on behalf of and per instructions of the User.

3. What data we process

3.1 Registered users

• Email (required)
• First and last name (optional)
• Password (stored hashed; we never see the plaintext)
• Role in club/league (admin / staff / viewer)
• IP address and login metadata (logs)

3.2 Players uploaded by Users (club/league)

• First name, last name, jersey number, position
• Player photo (if uploaded by the club)
• Sports statistics from matches (TD, yards, INT, etc.)

These data are uploaded by the club/league administrator who is responsible for ensuring a lawful basis (typically player consent or club membership) — the Provider acts only as a processor here.

3.3 Website visitors

• Anonymous visit statistics (optional — see cookies below)
• IP address in server log (technical necessity, max 30 days)

4. Purpose and legal basis

5. Sub-processors

We use the following third-party providers to operate the Service. All meet GDPR requirements and are bound by data processing agreements (DPA):

Data transfer to third countries (outside EU/EEA) applies only to Vercel and Stripe (partially USA). For this transfer we use Standard Contractual Clauses (SCC) under Commission Decision (EU) 2021/914, or the EU-US Data Privacy Framework.

6. Retention period

• Account and content — for the contract term + 30 days after termination (export window).
• Accounting documents (invoices) — 10 years under Czech accounting law.
• Server logs — 30 days (technical and security purposes).
• Marketing database — until consent withdrawal.

7. Your rights

As a data subject under GDPR you have the right to:

• Access your data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erasure ("right to be forgotten", Art. 17)
• Restrict processing (Art. 18)
• Data portability in machine-readable format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time, where consent is the basis
• Lodge a complaint with the supervisory authority — in the Czech Republic the Office for Personal Data Protection

Send rights requests to hello@gamestatiq.com. We will respond within 30 days.

8. Cookies and similar technologies

gamestatiq.com uses cookies in two categories:

• Essential — technical cookies for login, team selection, language choice. No consent required, needed for the Service to function.
• Analytics — anonymous visit statistics (Plausible Analytics — no profiling, no cross-site tracking). Only with consent.

You can change consent at any time via "Cookie settings" in the website footer.

9. Security

Data is transferred over HTTPS with current TLS versions. Passwords are stored hashed (bcrypt). Database access is restricted by Row-Level Security and service-role keys. Regular daily backups are performed.

10. Changes to this policy

Changes will be notified by email to registered users at least 30 days before the effective date. The current version is always available on this page.

Questions and requests: hello@gamestatiq.com