Privacy Policy
Last updated: 29 April 2026
1. Data Controller
The data controller of personal data processed through Footy Finder ("the Platform") is Football & More ("the Operator", "we", "us"). The Operator's full legal name, registered office, VAT number and contact details will be added in the definitive version.
For any privacy-related question or to exercise your rights, contact: privacy@footyfinder.app (placeholder).
2. What data we collect
We collect and process the following categories of personal data:
a) Account data (you provide it at registration and in settings)
- Username, password (stored only as a SHA-256 hash, never in clear).
- Role (agent, club, independent player), tier (free / base / pro / paid).
- Company / agency / club name, country, league, website, phone number, email address.
- Optional logo (image file).
- Language preference.
b) Player data (uploaded by agents / clubs, or by independent players themselves)
- Name, year of birth, nationality, height, foot, EU status, position, secondary positions, level, technical and physical tags, salary and fee indications, agent contact, links to public profiles (Transfermarkt, YouTube), city / province.
- Uploaded PDF documents — which may include sensitive data such as medical certificates, passport copies, contracts and scouting reports.
Important — sensitive data and minors. Some uploaded documents (e.g. medical certificates) qualify as special-category data under Art. 9 GDPR. Some players may be minors (e.g. youth-league players). If you are an agent or club uploading such data, you confirm you have a valid legal basis (Art. 6 GDPR) and, where applicable, an Art. 9 derogation, plus any consent required from the player and — for minors — from a parent or legal guardian. You remain responsible for the lawfulness of the uploads you perform.
c) Activity data (generated by your use of the Platform)
- Requests, proposals, proposal notes, shortlists, claims, notifications.
- Login timestamps, IP address (for security and abuse prevention), basic usage logs.
- Session cookie (essential, no tracking — see Section 8).
d) Billing data (only when paid plans are activated)
- Subscription status, tier, plan, customer reference returned by the payment provider.
- We do not store card numbers, CVC or banking credentials. Payments are handled directly by Stripe, which acts as autonomous data controller for those data — see Stripe's privacy policy at stripe.com/privacy.
3. Why we process your data and on what legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and manage your account, give you access to the Platform. | Art. 6(1)(b) — performance of a contract. |
| Display your player / request data to other authorised users in line with the role-based access rules of the Platform. | Art. 6(1)(b) — performance of a contract. |
| Send service emails (notifications, password reset, billing). | Art. 6(1)(b) — performance of a contract. |
| Security, anti-fraud, abuse prevention, log retention. | Art. 6(1)(f) — legitimate interest of the Operator in keeping the Service safe. |
| Comply with legal, fiscal and accounting obligations (when paid plans are active). | Art. 6(1)(c) — legal obligation. |
| Marketing and product news (only if you opt in). | Art. 6(1)(a) — consent (you can withdraw at any time). |
| Process special-category data uploaded in player documents (e.g. medical PDFs). | Art. 9(2) GDPR derogation invoked by the uploader (typically Art. 9(2)(a) — explicit consent of the player). The uploader is the data controller of those documents; we act as processor for hosting them. |
4. Who can see your data
Access to your data is strictly governed by the role-based architecture of the Platform:
- Other users — see only what the Platform's role logic exposes. For example: club requests are visible to all agents; player profiles are visible to a club only when an agent has actively proposed that player to one of the club's requests; documents shared with a proposal are visible to the receiving club until the proposal is closed.
- The Operator — limited support and administration personnel, bound by confidentiality.
- Sub-processors we rely on to operate the Service:
- Replit, Inc. — application hosting and managed PostgreSQL database (United States).
- Stripe, Inc. — payment processing (when paid plans are active).
- SendGrid / Twilio — transactional email delivery (when configured).
- OpenAI — automated assistance features (when configured).
- Public authorities — only when we are legally required to disclose data.
We do not sell your personal data and we do not use it for third-party advertising.
5. International data transfers
Some sub-processors (in particular Replit, Stripe and OpenAI) are based in the United States. Where personal data is transferred outside the European Economic Area, the transfer is protected by adequate safeguards under Art. 46 GDPR — typically the European Commission's Standard Contractual Clauses together with supplementary measures where required. A copy of the safeguards used can be requested from the contact email above.
6. How long we keep your data
- Account data: for as long as your account is active, plus up to 24 months after closure for security, dispute resolution and audit reasons (or longer if mandated by tax / accounting law for billing data — typically 10 years in Italy).
- Player data and documents: kept while the account that owns them is active, deleted when the owner deletes the player or closes the account (subject to backup retention windows).
- Activity logs: typically up to 12 months.
- Billing records: retention periods imposed by applicable tax law.
Exact retention periods will be finalised in the definitive version.
7. Your rights
Under the GDPR you have the right to:
- Access your data and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") — subject to legal retention obligations.
- Restrict or object to processing based on legitimate interest.
- Data portability — receive a structured, machine-readable copy of the data you provided. A self-service "Download my data" function is being built and will be available in your settings shortly.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with the competent supervisory authority — in Italy, the Garante per la protezione dei dati personali (garanteprivacy.it).
To exercise these rights, write to privacy@footyfinder.app. We respond within one month (extendable by two further months for complex requests).
8. Cookies
We use a single essential session cookie ("session") to keep you logged in. It is HTTP-only, marked Secure and SameSite=Lax, and expires after 24 hours of issuance. We do not use analytics, advertising or third-party tracking cookies. No prior consent is required for essential cookies under Italian and EU law.
9. Security
We apply technical and organisational measures appropriate to the risk:
- Encryption of traffic in transit (HTTPS/TLS).
- Hashed password storage (no plaintext).
- Role-based access control inside the Platform.
- Limited number of administrators with access to production data.
- Regular software updates of the underlying stack.
External off-site backup of the database and a formal incident-response procedure are part of our short-term roadmap and will be documented in the definitive version.
10. Data of minors
The Platform is intended for use by adult professionals (agents, club staff and adult players). Independent player accounts may not be created by anyone under 16 years old. Player profiles uploaded by agents and clubs may relate to minors (e.g. youth-league players); the uploading user is responsible for having obtained any consent required from a parent or legal guardian and for the lawfulness of the upload.
11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email or in-app notice with reasonable advance notice.
© 2026 Football & More. All rights reserved.