Privacy Policy

Last updated: 8 May 2026

1. Who we are

TrainingPad is operated by James Cox (sole trader), United Kingdom. For any privacy enquiry, email james.cox7@proton.me. For the purposes of UK GDPR, we are the data controller for personal data you provide to us as a coach, club admin, or parent.

2. What we collect

From coaches and club admins:

  • Name and email address (required to create an account)
  • Phone number (optional)
  • Profile photo (optional)
  • Tenant + team details you create (club name, team names, age groups, kit colours, FA affiliation number)
  • Match fees you set, payment status of those fees
  • Generated AI session content (prompts you supplied + the resulting drills)

From parents:

  • Name and email address (required for the parent account)
  • Phone number (optional)
  • Relationship to the child (parent / guardian / other)
  • RSVP responses (yes / no / maybe + optional note)
  • Match-fee payment information processed by Stripe (we never store card numbers — Stripe holds these)
  • Player-of-the-match votes

About children (entered by their coach or parent):

  • Full name
  • Date of birth
  • Shirt number, position, profile photo (optional)
  • Match attendance, goals, assists, cards, minutes played

Technical data:

  • IP address, browser/device type, app version (used for security and crash diagnostics)
  • Push-notification tokens (Expo / Apple Push) so we can deliver match-related notifications to your device
  • Session cookies for authentication

3. Children's data and parental consent

TrainingPad is designed for parent-coaches managing youth football teams. Children aged under 13 do not have direct accounts of their own — only their parent or coach enters their information.

Parents can request that their child's data be deleted at any time by emailing us (see contact above). Coaches can soft-delete a player from the squad in-app, which hides them from team views; full deletion requires a request via email so we can purge stat history correctly.

4. Why we use your data (lawful basis under UK GDPR)

  • Contract: we process coach / club / parent account data to provide the service you signed up for.
  • Legitimate interests: we send you in-app and push notifications about your team (new fixture, RSVP reminder, match result, MOTM vote, fee due, coach announcement). You can mute any of these in Notifications → Preferences.
  • Legitimate interests of a club: to share fixture / result information with other linked parents and coaches in the same team.
  • Consent: for any future marketing email — currently none.
  • Legal obligation: for retention of payment records as required by HMRC.

5. Who we share data with

  • Supabase (Postgres database, authentication, file storage) — hosted in the EU (eu-west-2 / Ireland).
  • Vercel (web app hosting, edge runtime) — global edge with EU data residency where available.
  • Anthropic (the “Claude” API, used to generate training session plans) — receives only the structured prompt fields you fill in (age group, focus areas, equipment). It does not receive children's names or any personal data.
  • Apple Push Notification Service / Expo Push Service — receives device tokens and the notification payload to deliver pushes.
  • Stripe (when match fees are enabled) — payment card details go directly to Stripe; we never see them.
  • Resend (when transactional email is enabled) — recipient email address + email content.

We never sell personal data, never use it for advertising, and never share it with other parents or coaches outside your team.

6. Where data is stored

Primary data is stored in the EU (Supabase eu-west-2 / Ireland). Some sub-processors (Vercel, Stripe, Anthropic) operate globally; transfers outside the UK and EEA are covered by Standard Contractual Clauses where required.

7. How long we keep data

  • Active accounts: indefinitely while you use the service.
  • Cancelled subscriptions: 90 days then permanent deletion, unless legal retention applies.
  • Stat history: kept indefinitely as part of the player's season record. Deleted on individual request.
  • Payment records: 7 years per HMRC requirements.
  • Notification logs: 30 days.

8. Your rights

Under UK GDPR you have the right to: access your data, correct it, delete it, restrict its processing, port it to another service, and object to processing. Email us at the address above and we will respond within 30 days.

You also have the right to complain to the Information Commissioner's Office at ico.org.uk.

9. Security

All data in transit is encrypted (HTTPS / TLS 1.3). Database access is restricted by row-level security and service-role keys held only on our backend. Passwords are hashed by Supabase Auth using bcrypt. We do not store payment card details.

10. Changes to this policy

We will update this policy as the service evolves. Material changes will be announced in-app and via email. The date at the top of this page reflects the most recent update.