Vector Football ("we", "us", "our") is a strength & conditioning app for footballers. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights — wherever in the world you are using the app.
By using Vector Football you acknowledge that you have read this policy. If you do not agree, please do not use the app.
Vector Football is operated as an independent software product. For all privacy-related enquiries — including exercising any right under applicable law — please contact:
Email: vectorfootball@gmail.com
Website: vectorfootball.co.uk
We will acknowledge your request within 5 business days and respond fully within 30 days (extendable to 90 days for complex requests, with prior notice to you).
| Category | Examples | Why we collect it |
|---|---|---|
| Account data | Name, email address | Creating and securing your account |
| Profile data | Playing position, experience, gym access, gender (optional) | Personalising your training programme |
| Body metrics (optional) | Height, weight, date of birth, body weight log | Training load calculations and progress tracking |
| Training data | Workout sessions, sets, reps, weights, RIR scores, templates | Tracking performance and adapting programmes |
| Health & fitness data (special category) | Sprint times, jump height, Yo-Yo results, readiness scores, injury history, session RPE | Fitness profiling, injury risk management, periodisation |
| Match & load data | Match dates, session intensity, minutes played | Load management around fixtures |
| Usage data | Screen views, feature events (anonymised, no raw content) | App improvement via PostHog analytics (opt-out available) |
| Payment data | Subscription status, plan type, Stripe customer ID, transaction reference | Managing premium subscriptions and billing |
| Technical data | Device type, OS, app version, session identifiers | Bug fixing, compatibility, security |
| Profile photo (optional) | A photo you choose to upload | Displayed on your in-app profile — stored locally only, never uploaded to our servers |
| Referral & promo data | Referral code you generated or used; promo codes redeemed | Awarding referral bonuses and preventing duplicate redemptions |
| Consent records | Timestamp of when you accepted the Terms of Use and Privacy Policy; date of birth (for age verification) | Legal compliance — demonstrating informed consent |
Data we do not collect: We do not collect racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric identity data, criminal record data, or GPS location. We do not read your contacts, messages, or photos beyond the profile photo you explicitly select.
You may withdraw consent for health data processing at any time by deleting your account (Profile → Delete Account & All Data). We will erase all such data from our servers within 30 days. Note that deleting health data means we can no longer provide personalised training features.
If you connect Apple Health, raw sleep, heart-rate variability, and resting-heart-rate values are processed on your device to calculate readiness and are not uploaded to our servers. Your saved readiness score and the manual ratings you enter may be included in cloud sync.
| Purpose | GDPR / UK GDPR legal basis | Equivalent basis (other laws) |
|---|---|---|
| Provide the app and its core features | Performance of contract (Art. 6(1)(b)) | Contract / service delivery |
| Process health & fitness data | Explicit consent (Art. 9(2)(a)) | Consent (LGPD Art. 11; PIPEDA Principle 3) |
| Anonymous product analytics | Legitimate interests (Art. 6(1)(f)) — opt-out available | Legitimate interests / opt-out for CCPA, LGPD etc. |
| Subscription management & payments | Contract + legal obligation (Art. 6(1)(b),(c)) | Contract / legal obligation |
| Retain billing records | Legal obligation (Art. 6(1)(c)) — UK HMRC requires 6 years | Legal obligation worldwide |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) | Legitimate interests / security exception |
| App improvement and debugging | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
| Push notification training reminders | Consent (Art. 6(1)(a)) — opt-in via Profile settings | Consent |
Vector Football uses automated algorithms to generate personalised training programmes based on your profile, test results, playing position, and readiness data. Consistent with GDPR Article 22 and equivalent global transparency obligations, we disclose that:
You have the right to request human review of any automated recommendation by emailing vectorfootball@gmail.com.
Each processor below is contractually bound to process your data only under our instructions.
Your account, training history, and app data are stored in Supabase-managed databases on AWS infrastructure (EU region: eu-west-1 / Ireland). Supabase has executed Standard Contractual Clauses (SCCs) for international transfers. Supabase Privacy Policy →
Stripe processes web subscriptions and payments. Stripe handles all card data directly — we never see or store your card number, CVV, or full billing address. Stripe is PCI-DSS Level 1 certified and uses SCCs for international transfers. Stripe Privacy Policy →
If you choose social sign-in, Apple or Google authenticates you and supplies an identity token plus the name and email details you permit. Apple also processes iOS in-app purchases. Apple Privacy Policy → Google Privacy Policy →
RevenueCat receives your app user ID and subscription status to manage iOS entitlements. RevenueCat is SOC 2 Type II certified and operates under SCCs for EU/UK users. RevenueCat Privacy Policy →
We send pseudonymous product-interaction events to PostHog (e.g. "workout_completed"). We do not send your name, email, raw workout content, or health metrics. PostHog receives an account-derived pseudonymous identifier and may receive broad traits such as playing position. You can opt out at any time via Profile → Privacy → Usage Analytics. PostHog Privacy Policy →
Sentry receives crash reports, app performance diagnostics, device and app-version information, and a user ID so we can diagnose failures. We do not intentionally send names, email addresses, raw workout content, or Apple Health values. Sentry Privacy Policy →
hCaptcha processes technical and interaction data needed to distinguish legitimate authentication attempts from automated abuse. hCaptcha Privacy Policy →
We are based in the United Kingdom. Your data may be processed in countries outside the UK and EU/EEA — including services operated by Supabase, RevenueCat, PostHog, Sentry, hCaptcha, Google, Apple, and Stripe. Where transfers occur, we rely on:
You may request copies of the SCCs by emailing vectorfootball@gmail.com.
| Data type | Retention period |
|---|---|
| Account & training data | Until account deletion, then within 30 days |
| Billing / transaction records | 7 years from transaction date (UK HMRC legal obligation) |
| Analytics event data (PostHog) | 12 months (anonymised aggregates retained indefinitely) |
| Server access logs | 90 days (Supabase default) |
| Backup data | Deleted within 30 days of account deletion |
To delete your account: Profile → Delete Account & All Data. This is permanent and erases all personal data from our systems within 30 days.
| Right | What it means | How to exercise it |
|---|---|---|
| Access | Obtain a copy of data we hold about you | Profile → Export my data; or email us |
| Rectification | Correct inaccurate or incomplete data | Edit in Profile screen; or email us |
| Erasure | Have your data permanently deleted | Profile → Delete Account; or email us |
| Portability | Receive data in machine-readable format | Profile → Export my data (JSON) |
| Object | Object to processing on legitimate interests (e.g. analytics) | Profile → Privacy; or email us |
| Restrict processing | Limit how we use your data | Email us |
| Withdraw consent | Withdraw consent for health data or analytics | Profile → Privacy; or delete account |
| Opt out of sale | We do not sell data — see Section 14 | N/A |
See Section 15 for rights specific to your country.
You can disable analytics at any time without affecting any other feature:
When opted out, no usage events are sent to PostHog. This preference is saved to your account, syncs across devices, and applies immediately.
Vector Football is not directed at children. Minimum age requirements:
| Region | Minimum age | Legal basis |
|---|---|---|
| United Kingdom | 13 | UK GDPR / Age Appropriate Design Code |
| European Union / EEA | 16 (or 13–15 with verified parental consent) | GDPR Article 8 (varies by member state) |
| United States | 13 | COPPA |
| Brazil | 12 (parental consent required under 18) | LGPD / ECA |
| Canada | 13 | PIPEDA / CASL |
| Australia | 15 (recommended guidance) | Privacy Act 1988 |
| South Korea | 14 | PIPA |
| All other regions | 13, or local minimum age if higher | Local law |
If you believe a child has provided us with personal data, email vectorfootball@gmail.com and we will delete it promptly.
To report a vulnerability responsibly: vectorfootball@gmail.com
In the event of a data breach likely to affect your rights and freedoms, we will:
We do not sell, rent, or share your personal information with third parties for their own marketing or advertising purposes — ever.
Under CCPA / CPRA (California):
Because we do not sell or share data, no opt-out mechanism for sale/sharing is required. You may still opt out of analytics at any time (Section 10).
California residents have the right to: Know, Access, Delete, Correct, Opt-out of sale (not applicable here), Limit use of sensitive personal information, and Non-discrimination.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other US states with comprehensive privacy laws provide similar rights. All are exercisable via Section 9 mechanisms or by emailing vectorfootball@gmail.com.
COPPA: We do not knowingly collect personal information from children under 13.
EU residents have full rights under GDPR Articles 15–22. You may lodge a complaint with your national DPA. A list of EU DPAs: edpb.europa.eu. Age of digital consent varies by EU member state (13 in some, 16 in others) — minors between 13 and the applicable national age require verified parental consent.
UK residents have the same rights as EU residents under retained UK GDPR. Minimum age: 13. Complaints: ICO — ico.org.uk/make-a-complaint · Tel: 0303 123 1113
Brazilian users have rights under LGPD Articles 17–22 including: confirmation, access, correction, anonymisation, deletion, portability, information about sharing, and consent revocation. Complaints: ANPD — gov.br/anpd
Canadian users have rights to access, correction, and withdrawal of consent under PIPEDA. Quebec residents additionally have portability rights under Law 25. Complaints: OPC — priv.gc.ca
Australian users have rights to access (APP 12) and correction (APP 13) of personal information. Complaints: OAIC — oaic.gov.au
South African data subjects have rights to know, access, correct, delete, and object to processing. Complaints: Information Regulator — justice.gov.za/inforeg
Singapore users may request access, correction, and withdrawal of consent. Complaints: PDPC — pdpc.gov.sg
Japanese users have the right to request disclosure, correction, deletion, or cessation of use of their personal information. Contact: vectorfootball@gmail.com
Swiss residents have GDPR-equivalent rights. Complaints: FDPIC — edoeb.admin.ch
We honour reasonable data access, correction, and deletion requests from all users worldwide, regardless of jurisdiction. Contact: vectorfootball@gmail.com
When we update this policy:
Vector Football
vectorfootball@gmail.com
vectorfootball.co.uk
| Region | Authority | Website |
|---|---|---|
| United Kingdom | ICO | ico.org.uk |
| EU / EEA | Your national DPA | edpb.europa.eu |
| United States | FTC / state AG | ftc.gov |
| Brazil | ANPD | gov.br/anpd |
| Canada | OPC | priv.gc.ca |
| Australia | OAIC | oaic.gov.au |
| South Africa | Information Regulator | justice.gov.za/inforeg |
| Singapore | PDPC | pdpc.gov.sg |
| Japan | PPC | ppc.go.jp |
| Switzerland | FDPIC | edoeb.admin.ch |