Privacy Policy

1. Introduction

SportAgenda ("we," "us," "our," or "Company") operates a club management, scheduling, and family communication platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service. If you have questions, contact us at privacy@sportagenda.com.

2. Information We Collect

a) Information You Provide Directly

• Registration & account data: First name, last name, email, password, gender, date of birth, nationality, avatar.
• Profile information: Address, family relationships (parent/child links), team memberships, roles.
• Communications: Messages, feedback, support requests you send us.
• Payment information: Stripe handles billing; we store subscription plan choices, invoice history (not card details).
• Third-party integrations: Fitness app OAuth metadata (provider, athlete ID; not raw credentials).
• Event & training data: Event attendance, RSVP, training stats, media uploads.

b) Information Collected Automatically

• Device & browser: IP address, user-agent, device type, OS (via standard HTTP headers).
• Usage data: Pages visited, time spent, features used (via application logs).
• Cookies & identifiers: Session authentication (HttpOnly), layout preferences, analytics (if opted in).

3. Legal Basis for Processing (GDPR)

4. How We Use Your Information

• Service delivery: Manage accounts, process subscriptions, send transactional emails (confirmations, invitations).
• Product improvement: Analyze usage patterns, identify bugs, enhance features.
• Communication: Respond to inquiries, send service updates (only transactional unless you opt in to marketing).
• Compliance: Fulfill legal obligations, respond to requests from authorities.
• Error reporting: Optional Sentry integration logs errors to improve reliability (detailed in §6).

5. Data Retention

• Active accounts: Retained as long as your account is active.
• After deletion: Profile data is deleted within 30 days of approval. Historical event records and child account links may be retained for billing/legal compliance as determined by club admins and applicable law.
• Backups: Encrypted database backups may retain deleted data for up to 30 days for disaster recovery.
• Logs: Application and security logs are retained for 90 days.

6. Subprocessors & Third Parties

• Stripe: Payment processing; subject to Stripe's privacy policy.
• Email provider: Transactional email delivery (SendGrid or similar); no marketing data without explicit consent.
• Mapbox: Maps API (if location features enabled); subject to Mapbox's privacy policy.
• Hosting & infrastructure: Cloud VPS provider; infrastructure-level encryption and security measures.
• Sentry (optional): Error monitoring; only enabled if NUXT_PUBLIC_SENTRY_DSN is configured. See §6a for details.
• Fitness API integrations: Strava, Garmin (if connected); we store only aggregated metadata, not raw OAuth tokens.

§6a. Sentry Error Reporting (Optional)

If your administrator has enabled Sentry error monitoring, we collect crash reports and performance data. This is considered a legitimate interest for debugging production issues. You can opt out by disabling browser error reporting in your browser settings, or we will support an account-level preference to disable Sentry reporting for your sessions.

7. Your Rights (GDPR, CCPA-equivalent)

• Access (Article 15): Request a copy of your personal data at any time via your account's "Download my data" feature or by contacting us.
• Correction: Update your profile information directly in account settings.
• Deletion (Article 17): Request account deletion via "Request account deletion" in privacy settings. We review requests within 30 days.
• Portability (Article 20): Export your data in JSON format via "Download my data."
• Withdraw consent: You may withdraw consent to receive marketing emails by clicking "Unsubscribe" on any email.
• Lodge a complaint: Contact your local data protection authority (e.g., CNIL in France, ICO in the UK, EDPB in EU).

8. International Data Transfers

Your data is processed and stored in the region(s) where our infrastructure is hosted. If we transfer data outside the EU/EEA, we ensure appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions). Contact us for details on specific transfer mechanisms.

9. Children's Privacy

SportAgenda supports family accounts with parent-managed child profiles (no email required). Parents are responsible for child accounts and consent. We do not knowingly collect personal data from children without explicit parental or legal guardian consent. If you believe we have collected data from a child without consent, contact us immediately.

10. Security

We implement industry-standard security measures:

• HTTPS / TLS encryption in transit (mandatory)
• Role-based access control (RBAC) within the application
• HttpOnly, Secure authentication cookies
• Encrypted backups
• Regular security monitoring and patching

No system is 100% secure. We cannot guarantee absolute security of data, though we strive to protect it to the best of our ability.

11. Cookies

See our Cookies Policy for details on essential and optional cookies.

12. Contact & Privacy Inquiries

If you have questions about this Privacy Policy or your data:

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to you via email or a prominent notice on our website. Your continued use of the Service after changes constitutes acceptance of the updated policy.