Privacy Policy

SquadHub ("SquadHub," "we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains:

• What personal data we collect
• How we use your data
• Who we share your data with
• Your rights under UAE PDPL and GDPR
• How we protect children's data

This Policy applies to:

• Our website (squadhub.me)
• Our mobile applications (iOS and Android)
• Our web platform (academy portals and parent portals)

Regulatory Compliance: This Privacy Policy complies with:

• UAE Personal Data Protection Law (PDPL) - Federal Decree-Law No. 45 of 2021
• EU General Data Protection Regulation (GDPR) - for EU users
• Apple App Store privacy requirements
• Google Play Store privacy requirements

2.1 Academy Admin Data

When an Academy Admin creates an account, we collect:

• Account information: Name, email address, phone number, job title
• Academy information: Academy name, address, logo, branding colours
• Payment information: Billing address, payment method (processed by Stripe)
• Login credentials: Email and hashed password

2.2 Player Data (Children)

With parental consent, Academy Admins provide:

• Basic information: Full name, date of birth, gender
• Contact information: Email (optional), phone (optional)
• Performance data: Attendance records, skill assessments, progress notes
• Photos/videos: Training photos, match videos (with parental consent)
• Health information: Medical conditions, allergies (optional, with consent)

2.3 Parent Data

We collect from Parents:

• Account information: Name, email address, phone number
• Relationship to Player: Parent, guardian, emergency contact
• Communication preferences: Email, SMS, WhatsApp, push notifications

2.4 Automatically Collected Data

When you use our Services, we automatically collect:

• Usage data: Pages visited, features used, time spent
• Device information: IP address, browser type, operating system, device ID
• Location data: Approximate location (city/country) based on IP address
• Cookies: See our Cookie Policy

We use your personal data to:

3.1 Provide Our Services

• Create and manage user accounts
• Process subscription payments
• Enable communication between academies and parents
• Track player attendance and performance
• Send notifications about training sessions and events

3.2 Improve Our Services

• Analyse usage patterns to improve features
• Conduct customer satisfaction surveys
• Test new features and functionality
• Monitor platform performance and uptime

3.3 Marketing & Communications

• Send promotional emails about new features (with consent)
• Provide customer support and respond to enquiries
• Send important service updates (subscription renewals, etc.)

3.4 Legal & Security

• Comply with legal obligations (tax records, etc.)
• Prevent fraud and abuse
• Enforce our Terms of Service
• Protect the security of our platform

Under GDPR, we process your data based on:

We share your data with the following third parties:

5.1 Service Providers

• Supabase: Database and authentication (data stored in AWS Middle East region)
• Stripe: Payment processing (PCI-DSS compliant)
• Resend: Transactional email delivery
• AWS: Cloud hosting and storage (Middle East region)
• Vercel: Website hosting and deployment

5.2 Data Processing Agreements

All third-party service providers:

• Are bound by data processing agreements (DPAs)
• Comply with UAE PDPL and GDPR requirements
• Only process data as instructed by SquadHub
• Maintain appropriate security measures

5.3 Legal Disclosures

We may disclose data when required by:

• UAE law enforcement or regulatory authorities
• Court orders or legal processes
• Protection of our rights or the safety of users

5.4 No Data Sales

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

Important: We take children's privacy very seriously. We only collect and process data about children under 18 with verifiable parental consent.

6.1 Age Requirements

• Users must be 18+ to create Academy Admin or Parent accounts
• Parents/guardians create accounts on behalf of Players under 18
• Children under 18 cannot create accounts independently

6.2 Parental Consent

Before collecting Player data, Academy Admins must:

1. Obtain written consent from Parents/guardians
2. Explain what data will be collected (name, DOB, photos, performance data)
3. Explain how data will be used (attendance tracking, progress reports)
4. Provide SquadHub Privacy Policy to Parents

6.3 Parental Rights

Parents/guardians have the right to:

• Access: Request a copy of all data about their child
• Rectify: Correct inaccurate or incomplete data
• Delete: Request deletion of child's data at any time
• Restrict: Limit how data is used (e.g., no photos)
• Revoke consent: Withdraw consent at any time

6.4 Child Data Safeguards

We protect children's data by:

• Strict access controls: Only academy staff with legitimate need can access
• No marketing to children: We never send marketing to Players
• No third-party sharing: Child data is never shared without parental consent
• Data minimisation: We collect only necessary information
• Encryption: All child data is encrypted at rest and in transit

6.5 Photos and Videos

For photos and videos of Players:

• Separate parental consent required
• Parents can opt-out at any time
• Photos/videos used only within academy portal (not publicly shared)
• Parents can request deletion of specific photos/videos

6.6 Contact for Child Data Requests

Parents can exercise rights regarding child data by contacting:

• Email: privacy@squadhub.me
• Subject line: "Child Data Request - [Child Name]"
• Response time: Within 7 days

We retain your data for as long as necessary to provide Services and comply with legal obligations.

After retention periods expire, data is securely deleted or anonymised.

Under UAE PDPL and GDPR, you have the following rights:

8.1 Right to Access

You can request a copy of all personal data we hold about you. We will provide this within 30 days.

8.2 Right to Rectification

You can correct inaccurate or incomplete data via your account settings or by contacting us.

8.3 Right to Deletion ("Right to be Forgotten")

You can request deletion of your data when:

• Data is no longer necessary for the purposes it was collected
• You withdraw consent (where processing is based on consent)
• You object to processing and there are no overriding legitimate grounds

8.4 Right to Restriction

You can restrict how we process your data in certain circumstances (e.g., while we verify accuracy).

8.5 Right to Data Portability

You can receive your data in a structured, machine-readable format (CSV or JSON) to transfer to another service.

8.6 Right to Object

You can object to processing based on legitimate interests (e.g., marketing, analytics).

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time (e.g., unsubscribe from marketing emails).

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with:

• UAE: UAE Telecommunications and Digital Government Regulatory Authority (TDRA)
• EU: Your local data protection authority (for EU residents)

8.9 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: privacy@squadhub.me
• Subject line: "Data Rights Request - [Your Name]"
• Response time: Within 30 days (or 7 days for child data requests)

We implement industry-standard security measures to protect your data:

9.1 Technical Safeguards

• Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
• Hashing: Passwords hashed with bcrypt (salted, 12 rounds)
• Access controls: Role-based access control (RBAC) with least privilege
• Multi-factor authentication: Available for all admin accounts
• Firewalls: Network-level security with AWS security groups

9.2 Organisational Safeguards

• Employee training: All staff trained on data protection
• Background checks: Conducted for employees with data access
• Confidentiality agreements: All staff sign NDAs
• Incident response plan: 24-hour breach notification protocol

9.3 Data Breach Notification

In the event of a data breach:

• We will notify affected users within 72 hours
• We will notify UAE TDRA (if legally required)
• We will notify EU supervisory authorities (if EU users affected)
• We will provide details of the breach and remediation steps

10.1 Data Localisation

Your data is primarily stored in:

• Primary region: AWS Middle East (Bahrain) - ap-south-1
• Backup region: AWS Middle East (UAE) - when available

10.2 Cross-Border Transfers

In limited cases, data may be transferred outside the UAE:

• Stripe: Payment data processed in EU/US (PCI-DSS compliant)
• Resend: Email infrastructure in US (GDPR-compliant)
• Vercel: Website hosting in global CDN (edge caching)

10.3 Transfer Safeguards

For transfers outside the UAE, we ensure:

• Standard Contractual Clauses (SCCs) with all processors
• Adequacy decisions (where applicable)
• Binding Corporate Rules (BCRs) for group companies

We use cookies and similar tracking technologies. For full details, see our Cookie Policy.

11.1 Types of Cookies

• Essential cookies: Required for platform functionality (authentication, session)
• Analytics cookies: Measure usage and performance (Vercel Analytics)
• Preference cookies: Remember your settings (language, theme)

11.2 Cookie Consent

You can manage cookie preferences via our cookie consent banner or browser settings.

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Email notification to registered users
• In-app notification (mobile apps)
• Prominent notice on our website
• Updated "Last Updated" date at the top of this page

Continued use of the Services after changes constitutes acceptance of the updated Policy.

For questions about this Privacy Policy or to exercise your data rights, contact us: