Privacy Policy
Last updated: 16 April 2026
Statty ("we", "us", "our") is a grassroots sports team management platform operated from the United Kingdom. We take your privacy seriously and are committed to protecting the personal data of our users — including the young players whose clubs use this platform.
This policy explains what data we collect, why we collect it, how we protect it, and what rights you have. It applies to all Statty services: the web app, mobile apps, and this website (statty.club).
1. Who is responsible for your data?
The data controller is Statty, contactable at [email protected]. We are based in the United Kingdom and subject to the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR).
2. What data we collect
Account data
| Data | Why |
|---|---|
| Name | Display in the app & team roster |
| Email address | Login, password resets, optional email notifications |
| Password | Stored as a one-way bcrypt hash — we never see or store your actual password |
| Phone number (optional) | Only if you choose to add it to your profile |
| Profile photo (optional) | Displayed on your profile within the team |
Team & squad data
| Data | Why |
|---|---|
| Team membership & role | Access control (admin, staff, player, parent) |
| Player position & shirt number | Lineups and squad display |
| Parent-child links | Parents see only their linked child's profile |
| Player statistics | Goals, assists, appearances, MOTM, cards — displayed in player profiles |
Activity data
| Data | Why |
|---|---|
| RSVP responses | Attendance planning for matches & training |
| Chat messages & DMs | Team communication |
| Feed posts, comments & reactions | Team news and social features |
| Photos & captions | Team photo gallery |
| Lineup assignments | Match preparation |
| Match events (goals, cards, subs) | Live match tracking |
| Fundraising contributions | Tracking team fundraiser progress |
Technical data
| Data | Why |
|---|---|
| IP address | Processed by Cloudflare for security & DDoS protection — not logged by us |
| Notification preferences | Respecting your choice of how to be notified |
What we do NOT collect
- We do not use analytics or tracking tools (no Google Analytics, no tracking pixels)
- We do not set any first-party cookies — authentication uses tokens stored in your browser's local storage
- We do not collect device fingerprints, advertising IDs, or location data
- We do not monitor your browsing behaviour outside of Statty
3. Children's data
Statty is used by youth football clubs, which means some data relates to children (typically aged 10–16). We take this responsibility seriously:
- Children do not create their own accounts. Player accounts are created and managed by club administrators (coaches, managers).
- Parents see only their own linked child's data. The parent-child link is set by an admin, and parents cannot browse other children's profiles.
- Player statistics are visible only within the team — they are not public or indexed by search engines.
- Photos uploaded to the gallery are visible only to authenticated team members. They are not publicly accessible.
- We collect the minimum data needed: name, position, shirt number, and match statistics. No date of birth, home address, school, or other sensitive data is collected.
If you are a parent and wish to have your child's data reviewed or removed, contact us at [email protected].
4. Legal basis for processing
Under UK GDPR, we process personal data on the following bases:
| Basis | Applies to |
|---|---|
| Legitimate interest | Running the platform: account management, team features, match tracking, squad stats. Our legitimate interest is providing the service your club signed up for. |
| Consent | Optional features: email notifications, push notifications, photo uploads. You can withdraw consent at any time via your notification preferences or by contacting us. |
| Contract performance | Providing the service as described when you create an account and join a team. |
5. Who has access to your data
Within your club
- Admins (coaches, managers) can see all team data: squad, stats, lineups, RSVPs, chat, gallery.
- Staff can create events, post to the feed, and manage lineups.
- Players can see team data, their own stats, and participate in chat.
- Parents can see their linked child's stats, RSVP to events, and participate in chat.
Third-party processors
We use a small number of trusted services to operate the platform:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Hetzner | Server hosting | All platform data (encrypted in transit) | Germany (EU) |
| Cloudflare | DNS, SSL, DDoS protection | IP addresses, request metadata | Global edge network |
| Resend | Transactional email delivery | Email address, notification content | USA |
| Hetzner Storage Box | Encrypted file backup | Uploaded photos and attachments | Germany (EU) |
We do not share, sell, or provide your data to any advertisers, data brokers, social media platforms, or AI training services.
6. Cookies
Statty does not set any first-party cookies. We use token-based authentication stored in your browser's local storage (not cookies), which is not subject to cookie consent regulations.
Cloudflare may set strictly necessary cookies (`__cf_bm`) for bot protection. These are classified as essential under PECR and do not require consent.
We do not use any analytics, marketing, or preference cookies. No cookie consent banner is needed because there are no optional cookies to consent to.
7. Data security
- Encryption in transit: All connections use TLS/HTTPS. No unencrypted access is possible.
- Password hashing: bcrypt with automatic salting. We cannot see or recover your password.
- Authentication tokens: JWT with 24-hour expiry, signed with a server-side secret.
- QR login tokens: Cryptographically random, single-use, expire after 5 minutes.
- File uploads: Stored with UUID filenames (unguessable). Type and size validated server-side.
- Access control: Role-based permissions enforced on every API request. Membership checks prevent cross-team data access.
- Rate limiting: API requests are rate-limited to prevent abuse.
8. Data retention
- Account data is kept for as long as your account is active.
- Chat messages are soft-deleted (hidden but recoverable) when deleted by users, and permanently purged when a team is deleted.
- Photos are deleted from both primary storage and backups when removed by an admin.
- If you or your club admin requests account deletion, we will remove all personal data within 30 days.
- We do not retain data "just in case" — when it's no longer needed, it's deleted.
9. Your rights
Under UK GDPR, you have the right to:
- Access — Request a copy of all personal data we hold about you.
- Rectification — Correct any inaccurate data (or ask an admin to update it).
- Erasure — Request deletion of your account and all associated data.
- Portability — Receive your data in a machine-readable format.
- Restrict processing — Ask us to limit how we use your data.
- Object — Object to processing based on legitimate interest.
- Withdraw consent — For optional features, at any time, without affecting prior processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data correctly.
10. International transfers
Your data is primarily stored on servers in Germany (EU), which has equivalent data protection standards to the UK under the UK adequacy decision.
Cloudflare processes request metadata at global edge locations. Resend processes email delivery from the USA. Both operate under appropriate safeguards (Standard Contractual Clauses).
11. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify active users via the platform. The "last updated" date at the top will always reflect the current version.
12. Contact
Email: [email protected]
Website: statty.club