Privacy Policy

Last updated: 31 May 2025  ·  GDPR · UK GDPR · CCPA/CPRA · LGPD · PIPEDA · APPs

Vector Football ("we", "us", "our") is a strength & conditioning app for footballers. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights — wherever in the world you are using the app.

By using Vector Football you acknowledge that you have read this policy. If you do not agree, please do not use the app.

Contents

  1. Who we are & how to contact us
  2. Data we collect
  3. Special category data (health & fitness)
  4. How we use your data & legal bases
  5. Automated decisions & programme generation
  6. Third-party processors
  7. International data transfers
  8. Data retention
  9. Your rights — global overview
  10. Analytics opt-out
  11. Children's privacy
  12. Security
  13. Data breach notification
  14. Do Not Sell or Share (CCPA/CPRA)
  15. Region-specific supplements
  16. Changes to this policy
  17. Contact & supervisory authorities

1. Who we are & how to contact us

Vector Football is operated as an independent software product. For all privacy-related enquiries — including exercising any right under applicable law — please contact:

Email: vectorfootball@gmail.com
Website: vectorfootball.co.uk

We will acknowledge your request within 5 business days and respond fully within 30 days (extendable to 90 days for complex requests, with prior notice to you).

2. Data we collect

| Category | Examples | Why we collect it |
| --- | --- | --- |
| Account data | Name, email address | Creating and securing your account |
| Profile data | Playing position, experience, gym access, gender (optional) | Personalising your training programme |
| Body metrics (optional) | Height, weight, date of birth, body weight log | Training load calculations and progress tracking |
| Training data | Workout sessions, sets, reps, weights, RIR scores, templates | Tracking performance and adapting programmes |
| Health & fitness data (special category) | Sprint times, jump height, Yo-Yo results, readiness scores, injury history, session RPE | Fitness profiling, injury risk management, periodisation |
| Match & load data | Match dates, session intensity, minutes played | Load management around fixtures |
| Usage data | Screen views, feature events (anonymised, no raw content) | App improvement via PostHog analytics (opt-out available) |
| Payment data | Subscription status, plan type, Stripe customer ID, transaction reference | Managing premium subscriptions and billing |
| Technical data | Device type, OS, app version, session identifiers | Bug fixing, compatibility, security |
| Profile photo (optional) | A photo you choose to upload | Displayed on your in-app profile — stored locally only, never uploaded to our servers |
| Referral & promo data | Referral code you generated or used; promo codes redeemed | Awarding referral bonuses and preventing duplicate redemptions |
| Consent records | Timestamp of when you accepted the Terms of Use and Privacy Policy; date of birth (for age verification) | Legal compliance — demonstrating informed consent |

Data we do not collect: We do not collect racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric identity data, criminal record data, or GPS location. We do not read your contacts, messages, or photos beyond the profile photo you explicitly select.

3. Special category data (health & fitness)

Important: Under GDPR Article 9 and equivalent laws worldwide, data concerning physical health and fitness — including sprint performance, jump results, injury history, and physiological readiness scores — may constitute special category personal data. We process this data under your explicit consent, given when you voluntarily enter it into the app to receive personalised training recommendations.

You may withdraw consent for health data processing at any time by deleting your account (Profile → Delete Account & All Data). We will erase all such data from our servers within 30 days. Note that deleting health data means we can no longer provide personalised training features.

If you connect Apple Health, raw sleep, heart-rate variability, and resting-heart-rate values are processed on your device to calculate readiness and are not uploaded to our servers. Your saved readiness score and the manual ratings you enter may be included in cloud sync.

4. How we use your data & legal bases

| Purpose | GDPR / UK GDPR legal basis | Equivalent basis (other laws) |
| --- | --- | --- |
| Provide the app and its core features | Performance of contract (Art. 6(1)(b)) | Contract / service delivery |
| Process health & fitness data | Explicit consent (Art. 9(2)(a)) | Consent (LGPD Art. 11; PIPEDA Principle 3) |
| Anonymous product analytics | Legitimate interests (Art. 6(1)(f)) — opt-out available | Legitimate interests / opt-out for CCPA, LGPD etc. |
| Subscription management & payments | Contract + legal obligation (Art. 6(1)(b),(c)) | Contract / legal obligation |
| Retain billing records | Legal obligation (Art. 6(1)(c)) — UK HMRC requires 6 years | Legal obligation worldwide |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) | Legitimate interests / security exception |
| App improvement and debugging | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
| Push notification training reminders | Consent (Art. 6(1)(a)) — opt-in via Profile settings | Consent |

5. Automated decisions & programme generation

Vector Football uses automated algorithms to generate personalised training programmes based on your profile, test results, playing position, and readiness data. Consistent with GDPR Article 22 and equivalent global transparency obligations, we disclose that:

You have the right to request human review of any automated recommendation by emailing vectorfootball@gmail.com.

6. Third-party processors

Each processor below is contractually bound to process your data only under our instructions.

Supabase — Database, Authentication, Cloud Functions

Your account, training history, and app data are stored in Supabase-managed databases on AWS infrastructure (EU region: eu-west-1 / Ireland). Supabase has executed Standard Contractual Clauses (SCCs) for international transfers. Supabase Privacy Policy →

Stripe — Web Payment Processing

Stripe processes web subscriptions and payments. Stripe handles all card data directly — we never see or store your card number, CVV, or full billing address. Stripe is PCI-DSS Level 1 certified and uses SCCs for international transfers. Stripe Privacy Policy →

Apple and Google — Optional Account Sign-In

If you choose social sign-in, Apple or Google authenticates you and supplies an identity token plus the name and email details you permit. Apple also processes iOS in-app purchases. Apple Privacy Policy → Google Privacy Policy →

RevenueCat — Subscription Management (iOS)

RevenueCat receives your app user ID and subscription status to manage iOS entitlements. RevenueCat is SOC 2 Type II certified and operates under SCCs for EU/UK users. RevenueCat Privacy Policy →

PostHog — Product Analytics

We send pseudonymous product-interaction events to PostHog (e.g. "workout_completed"). We do not send your name, email, raw workout content, or health metrics. PostHog receives an account-derived pseudonymous identifier and may receive broad traits such as playing position. You can opt out at any time via Profile → Privacy → Usage Analytics. PostHog Privacy Policy →

Sentry — Crash and Performance Diagnostics

Sentry receives crash reports, app performance diagnostics, device and app-version information, and a user ID so we can diagnose failures. We do not intentionally send names, email addresses, raw workout content, or Apple Health values. Sentry Privacy Policy →

hCaptcha — Abuse Prevention

hCaptcha processes technical and interaction data needed to distinguish legitimate authentication attempts from automated abuse. hCaptcha Privacy Policy →

7. International data transfers

We are based in the United Kingdom. Your data may be processed in countries outside the UK and EU/EEA — including services operated by Supabase, RevenueCat, PostHog, Sentry, hCaptcha, Google, Apple, and Stripe. Where transfers occur, we rely on:

You may request copies of the SCCs by emailing vectorfootball@gmail.com.

8. Data retention

| Data type | Retention period |
| --- | --- |
| Account & training data | Until account deletion, then within 30 days |
| Billing / transaction records | 7 years from transaction date (UK HMRC legal obligation) |
| Analytics event data (PostHog) | 12 months (anonymised aggregates retained indefinitely) |
| Server access logs | 90 days (Supabase default) |
| Backup data | Deleted within 30 days of account deletion |

To delete your account: Profile → Delete Account & All Data. This is permanent and erases all personal data from our systems within 30 days.

9. Your rights — global overview

| Right | What it means | How to exercise it |
| --- | --- | --- |
| Access | Obtain a copy of data we hold about you | Profile → Export my data; or email us |
| Rectification | Correct inaccurate or incomplete data | Edit in Profile screen; or email us |
| Erasure | Have your data permanently deleted | Profile → Delete Account; or email us |
| Portability | Receive data in machine-readable format | Profile → Export my data (JSON) |
| Object | Object to processing on legitimate interests (e.g. analytics) | Profile → Privacy; or email us |
| Restrict processing | Limit how we use your data | Email us |
| Withdraw consent | Withdraw consent for health data or analytics | Profile → Privacy; or delete account |
| Opt out of sale | We do not sell data — see Section 14 | N/A |

See Section 15 for rights specific to your country.

10. Analytics opt-out

You can disable analytics at any time without affecting any other feature:

  1. Open the app and tap Profile (bottom navigation).
  2. Scroll to the Privacy section.
  3. Toggle Usage Analytics off.

When opted out, no usage events are sent to PostHog. This preference is saved to your account, syncs across devices, and applies immediately.

11. Children's privacy

Vector Football is not directed at children. Minimum age requirements:

| Region | Minimum age | Legal basis |
| --- | --- | --- |
| United Kingdom | 13 | UK GDPR / Age Appropriate Design Code |
| European Union / EEA | 16 (or 13–15 with verified parental consent) | GDPR Article 8 (varies by member state) |
| United States | 13 | COPPA |
| Brazil | 12 (parental consent required under 18) | LGPD / ECA |
| Canada | 13 | PIPEDA / CASL |
| Australia | 15 (recommended guidance) | Privacy Act 1988 |
| South Korea | 14 | PIPA |
| All other regions | 13, or local minimum age if higher | Local law |

If you believe a child has provided us with personal data, email vectorfootball@gmail.com and we will delete it promptly.

12. Security

To report a vulnerability responsibly: vectorfootball@gmail.com

13. Data breach notification

In the event of a data breach likely to affect your rights and freedoms, we will:

14. Do Not Sell or Share my personal information

We do not sell, rent, or share your personal information with third parties for their own marketing or advertising purposes — ever.

Under CCPA / CPRA (California):

Because we do not sell or share data, no opt-out mechanism for sale/sharing is required. You may still opt out of analytics at any time (Section 10).

15. Region-specific supplements

🇺🇸 United States — CCPA/CPRA and state privacy laws

California residents have the right to: Know, Access, Delete, Correct, Opt-out of sale (not applicable here), Limit use of sensitive personal information, and Non-discrimination. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other US states with comprehensive privacy laws provide similar rights. All are exercisable via Section 9 mechanisms or by emailing vectorfootball@gmail.com. COPPA: We do not knowingly collect personal information from children under 13.

🇪🇺 European Union / EEA — GDPR

EU residents have full rights under GDPR Articles 15–22. You may lodge a complaint with your national DPA. A list of EU DPAs: edpb.europa.eu. Age of digital consent varies by EU member state (13 in some, 16 in others) — minors between 13 and the applicable national age require verified parental consent.

🇬🇧 United Kingdom — UK GDPR / DPA 2018

UK residents have the same rights as EU residents under retained UK GDPR. Minimum age: 13. Complaints: ICO (ico.org.uk/make-a-complaint) · Tel: 0303 123 1113

🇧🇷 Brazil — LGPD

Brazilian users have rights under LGPD Articles 17–22 including: confirmation, access, correction, anonymisation, deletion, portability, information about sharing, and consent revocation. Complaints: ANPD (gov.br/anpd)

🇨🇦 Canada — PIPEDA / Quebec Law 25

Canadian users have rights to access, correction, and withdrawal of consent under PIPEDA. Quebec residents additionally have portability rights under Law 25. Complaints: OPC (priv.gc.ca)

🇦🇺 Australia — Privacy Act 1988 (APPs)

Australian users have rights to access (APP 12) and correction (APP 13) of personal information. Complaints: OAIC (oaic.gov.au)

🇿🇦 South Africa — POPIA

South African data subjects have rights to know, access, correct, delete, and object to processing. Complaints: Information Regulator (justice.gov.za/inforeg)

🇸🇬 Singapore — PDPA

Singapore users may request access, correction, and withdrawal of consent. Complaints: PDPC (pdpc.gov.sg)

🇯🇵 Japan — APPI

Japanese users have the right to request disclosure, correction, deletion, or cessation of use of their personal information. Contact: vectorfootball@gmail.com

🇨🇭 Switzerland — revDSG

Swiss residents have GDPR-equivalent rights. Complaints: FDPIC (edoeb.admin.ch)

🌍 All other countries

We honour reasonable data access, correction, and deletion requests from all users worldwide, regardless of jurisdiction. Contact: vectorfootball@gmail.com

16. Changes to this policy

When we update this policy:

17. Contact & supervisory authorities

Vector Football
vectorfootball@gmail.com
vectorfootball.co.uk

| Region | Authority | Website |
| --- | --- | --- |
| United Kingdom | ICO | ico.org.uk |
| EU / EEA | Your national DPA | edpb.europa.eu |
| United States | FTC / state AG | ftc.gov |
| Brazil | ANPD | gov.br/anpd |
| Canada | OPC | priv.gc.ca |
| Australia | OAIC | oaic.gov.au |
| South Africa | Information Regulator | justice.gov.za/inforeg |
| Singapore | PDPC | pdpc.gov.sg |
| Japan | PPC | ppc.go.jp |
| Switzerland | FDPIC | edoeb.admin.ch |