Privacy Policy
Last updated: 2026-04-26
This Privacy Policy explains how [Company OÜ, Tallinn, Estonia] ("we", "us") collects and uses personal data when you use footballevents.eu (the "Service"). We act as a data controller for the data described below. Contact: legal@footballevents.eu.
1. Data We Collect
Account data. When you register, we collect your email, name, password hash, role (USER, ORGANIZER, ADMIN), language preference, and account timestamps.
Organizer profile data. Organizers also provide organization name, country, contact details, logo, descriptions, links, and (where applicable) VAT or registration numbers.
Listing and application data. Organizers submit event details and media. Users submit applications which may include name, age category, contact details, position, and free-text fields requested by the organizer.
Payment data. Payments are processed by Stripe. We receive transaction metadata (amount, currency, status, last 4 digits, country) but we do not store full card numbers. Stripe is the controller of card data.
Communications. Emails sent through the Service via Resend, support messages, and notification preferences.
Technical data. IP address, user agent, device info, error logs (via Sentry), and aggregated, cookie-less analytics (via Plausible).
We do not intentionally collect special-category data. Please do not include health, religious, or similarly sensitive details in free-text fields.
2. Legal Bases (GDPR Art. 6)
- Contract — to create and operate your account, publish listings, process applications, and take payment.
- Legitimate interests — to keep the Service secure, prevent fraud and abuse, debug errors, measure aggregate usage, and improve features. We balance these interests against your rights.
- Consent — for optional marketing emails and any non-essential cookies (currently none).
- Legal obligation — to keep accounting, tax, and KYC records.
You can withdraw consent at any time without affecting prior processing.
3. How We Use Data
We use personal data to: provide and maintain the Service; authenticate you; display listings; route applications to organizers; process subscriptions and boosts; send transactional and (with consent) marketing emails; respond to support; comply with law; investigate misuse.
We do not sell personal data and do not use it for automated decision-making with legal effects.
4. Retention
- Account data — kept while your account is active and for up to 12 months after closure to handle disputes and re-activation.
- Accounting and tax records (invoices, payment receipts) — 6 years, as required under Estonian accounting law.
- Application data — kept for the duration of the event plus 24 months, unless the organizer or user requests earlier deletion.
- Server logs — typically 30–90 days.
- Backups — rotated within 35 days.
After these periods, data is deleted or fully anonymized.
5. Sharing and Sub-processors
We share data only with vetted providers under written data processing agreements (DPAs). Current sub-processors:
| Provider | Purpose | Region |
|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing | Ireland / EU |
| Resend, Inc. | Transactional email delivery | EU / US |
| Cloudflare, Inc. (R2) | Object storage for media | EU / global |
| Vercel Inc. | Application hosting and CDN | EU / global |
| Sentry (Functional Software, Inc.) | Error monitoring | EU region |
| Plausible Insights OÜ | Cookie-less web analytics | Estonia / EU |
Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses and supplementary measures. An up-to-date sub-processor list is available on request.
We may also disclose data to authorities where required by law, to enforce our Terms, or to protect rights, property, and safety.
To organizers, we share only what users submit through application forms and the public profile information users have chosen to display.
6. Your Rights
Under the GDPR you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion ("right to be forgotten").
- Restriction — limit processing in certain cases.
- Portability — receive your data in a structured, machine-readable format.
- Object — to processing based on legitimate interests, including profiling.
- Withdraw consent — at any time.
- Complain — to your local supervisory authority. The Estonian authority is the Andmekaitse Inspektsioon (aki.ee).
To exercise these rights, email legal@footballevents.eu. We respond within one month.
7. Security
We use TLS in transit, encryption at rest for databases and object storage, hashed passwords (bcrypt/argon2), least-privilege access, audit logs, and regular dependency updates. No system is perfectly secure; please use a strong, unique password and enable any available account protections.
8. Children
The Service is not directed to children under 16. Organizers running youth events must collect parental consent themselves and may only submit minors' data through forms that comply with applicable child-protection rules.
9. Data Protection Officer
We have designated a contact for data protection matters:
DPO — [Company OÜ, Tallinn, Estonia]
Email: legal@footballevents.eu
Postal: [Address placeholder], Tallinn, Estonia
(A formal DPO appointment under GDPR Art. 37 may not be mandatory for our processing; we still maintain this contact as your single point of contact.)
10. Cookies
We use a small number of strictly necessary cookies and no advertising cookies. See our Cookie Policy for details.
11. Changes
We may update this Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Material changes will be announced by email or in-app notice.
12. Contact
Privacy questions: legal@footballevents.eu — [Company OÜ, Tallinn, Estonia].