Privacy Policy
Plain-language summary
[TO_CONFIRM: trading name] is a football performance platform. We help players record training, get AI-driven feedback, sync health data, and (with the player's permission) connect with coaches and scouts.
To do that, we collect personal information — including sensitive data like health vitals and video of you training. We treat this data carefully, store it securely, only share it with people you've approved, and give you the right to access, correct, or delete it at any time.
If you're under 18, a parent or guardian must give consent before you can use the platform, and additional protections apply to your data.
If you remember three things from this notice:
- You're in control. Coaches and scouts can't see your data unless you (or your guardian) say yes.
- Health data is treated as sensitive. We only use it for the features you've enabled.
- You can ask for your data back, or have it deleted, at any time. Write to
[TO_CONFIRM: privacy email].
1. Who we are
| Legal entity | [TO_CONFIRM: legal entity name] |
|---|---|
| Trading name | [TO_CONFIRM: product name] |
| Registered address | [TO_CONFIRM] |
| Jurisdiction of incorporation | [TO_CONFIRM: Mainland UAE / DIFC / ADGM / other free zone] |
| Website | [TO_CONFIRM: domain] |
| Privacy contact | [TO_CONFIRM: privacy@…] |
| Data Protection Officer | [TO_CONFIRM: name or "to be appointed"] |
| Postal address for legal notices | [TO_CONFIRM] |
This Privacy Policy applies to our website at [TO_CONFIRM: domain] and to our mobile apps on iOS and Android.
2. What data we collect
At a glance
We collect five categories of data: information you give us, your health and biometric data, the videos and content you upload, information collected automatically by your device, and information shared with us by third parties (with your permission).
2.1 Information you give us
- Identity: name, date of birth, gender, nationality, profile photo.
- Contact: email, phone, and optionally a postal address.
- Account: hashed password, login history, device identifiers, authentication tokens.
- Sporting profile: position, dominant foot, height, weight, club affiliation, years played, achievements.
- Payment and billing:
[TO_CONFIRM: only if paid tiers launch]. - Communications: in-app messages, support tickets.
2.2 Sensitive personal data
This data is treated as a special category under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the PDPL). We only process it with your explicit consent, separately for each type, and you can withdraw that consent at any time.
- Health vitals synced from Apple HealthKit and Google Health Connect: heart rate, heart rate variability (HRV), resting heart rate, blood oxygen, sleep, weight, body composition, menstrual cycle (where applicable), step count, active energy, VO2 max estimates, workouts.
- Biometric and movement data derived from your training videos: pose keypoints, movement signatures, sprint and jump metrics, and — where used — facial detection for identifying you on the pitch.
- Children's data for any player under 18 — see §5.
2.3 Content you upload
- Raw training videos uploaded by you, or by a coach with your consent.
- Annotated and processed videos generated by our analysis pipeline.
- Coach notes, ratings, and tags about your performance.
2.4 Information collected automatically
- Device information: model, operating system version, app version, language, time zone.
- Diagnostics and crash logs.
- IP address and approximate (city-level) location. Precise location only if you grant the permission (for example, to tag a training venue).
- Analytics events: screen views and feature interactions.
- Cookies and SDK identifiers — see the separate Cookie Policy.
2.5 Information from third parties
- Apple HealthKit and Google Health Connect (only with your operating-system permission).
- Identity verification provider, if you sign up for a feature that requires it —
[TO_CONFIRM]. - Sign-in providers (Apple, Google, Facebook) —
[TO_CONFIRM: which are enabled]. - Coaches and scouts who have your accepted connection may submit notes, ratings, or watchlist entries about you. You can see what they have submitted.
3. How we use your data, and our legal basis
| Purpose | Data used | Legal basis under the PDPL |
|---|---|---|
| Create and operate your account | Identity, contact, account | Performance of a contract |
| Sync and display your health vitals | Health data | Explicit consent (sensitive data) |
| Process your training videos and generate AI analysis | Video, biometric-derived data | Explicit consent (biometric-derived) and contract |
| Allow coach and scout discovery and connections | Profile, performance summaries | Explicit consent of the player (and guardian for minors) |
| Generate personalised health and training suggestions | Health and performance data | Explicit consent and contract |
| Protect the service from fraud, abuse, and security threats | Account, device, IP, logs | Legitimate interest |
| Improve the product through analytics | Usage analytics, aggregated metrics | Consent (collected via the analytics opt-in) |
| Send marketing communications | Contact, preferences | Consent — opt-in, separately revocable |
| Comply with legal obligations (tax, anti-money-laundering, court orders) | As required | Legal obligation |
We do not rely on "legitimate interest" for any sensitive category. Health and biometric data require explicit, granular, separately revocable consent.
4. How our AI features work
At a glance
Our AI features take your training videos and your health data and produce annotated video, performance metrics, and short coaching summaries. AI suggestions are informational and are not medical or professional coaching advice.
4.1 What the AI does
- Computer vision runs on your uploaded video to detect players, track movement, estimate pose, and calculate performance metrics. The results are stored against your account.
- Large language models generate textual coaching summaries and personalised health suggestions from your performance and health data.
4.2 What data is sent where
- Computer-vision processing runs on
[TO_CONFIRM: in-region servers / named third-party provider and location]. - Large-language-model processing uses
[TO_CONFIRM: LLM provider]and is processed in[TO_CONFIRM: country]. Where possible, the data we send is de-identified before it leaves our environment. - The LLM provider does not use your data to train their models. We have a contractual commitment to that effect —
[TO_CONFIRM].
4.3 Your control over AI features
- No solely-automated decisions with legal or similarly significant effect are made about you. Where a coach or scout uses AI output, a human is in the loop.
- You can turn off AI coaching and analysis at any time in your settings.
- You can ask for human review of any AI output that you believe is inaccurate. Contact
[TO_CONFIRM: privacy email].
5. How we handle children's data
At a glance
If you're under 18, you need verifiable consent from a parent or guardian before you can use the platform. We apply stricter limits on what data we collect, how long we keep it, who can see it, and who can contact you.
5.1 Age limits
- The minimum age to use the platform independently is 18.
- A player aged
[TO_CONFIRM: minimum age, recommended ≥13]to 17 may use the platform only with verifiable guardian consent. - Below
[TO_CONFIRM: minimum age], the account is operated by the guardian or coach on the minor's behalf. The minor is the data subject but not the account holder.
5.2 Guardian consent
We verify guardian consent through [TO_CONFIRM: e.g. Emirates ID verification of guardian, credit-card check, signed e-form]. We will not activate a minor's account until consent is verified.
5.3 Protections for minors
- Coaches and scouts cannot discover or contact a minor without guardian-approved connection.
- A minor's profile is never publicly discoverable by default.
- We do not send marketing communications to minors.
- We apply reduced retention (see §8) and restricted sharing for minors' data.
5.4 Guardian rights
A guardian can, at any time:
- See what data we hold about their minor.
- Withdraw consent for any processing.
- Request deletion of the minor's account and data.
Contact [TO_CONFIRM: privacy email].
6. How we handle health and biometric data
At a glance
Health and biometric data is the most sensitive data we hold. We only use it for the features you turn on, only share it with people you connect to, and treat it under additional UAE health-data rules.
6.1 Sources
- Apple HealthKit (iOS) — only with your per-data-type permission in iOS.
- Google Health Connect (Android) — only with your per-data-type permission.
- Derived from your training videos by our computer-vision pipeline.
6.2 HealthKit-specific commitments
We comply with Apple's HealthKit terms:
- We do not use HealthKit data for advertising or any similar purpose.
- We do not sell HealthKit data, and we do not share it with third parties for their own purposes.
- We do not use HealthKit data outside of providing the health and fitness functionality of this app.
- You can revoke our HealthKit access at any time in iOS Settings → Health → Data Access & Devices.
6.3 Health Connect-specific commitments
We follow Google's Health Connect requirements, including the corresponding restrictions on use, sharing, and advertising. You can revoke our access at any time in the Health Connect settings on your device.
6.4 UAE health-data rules
Where required by UAE Federal Law No. 2 of 2019 on the Use of ICT in Health Fields, your health data generated in the UAE is stored and processed in the UAE. Where any cross-border processing is necessary, we will rely on your explicit consent or on a safeguard recognised under the PDPL — see §9.
7. Who we share data with
We share your data only with:
- People you've connected with on the platform — the coaches, scouts, guardians, or club administrators you have accepted a connection from.
- Service providers ("sub-processors") who help us run the platform under written data processing agreements. The current list is in the table below.
- Authorities and courts where we are legally required to disclose, or to protect rights, safety, or the integrity of the service.
- Successors in interest if our business is sold or restructured, subject to the same protections.
We do not sell your personal data. [TO_CONFIRM: state position on sharing anonymised/aggregated data with clubs, federations, or research partners].
Sub-processors
| Vendor | Purpose | Categories | Location | Role |
|---|---|---|---|---|
[TO_CONFIRM: cloud provider] | Hosting, video storage, compute | All categories | [TO_CONFIRM: UAE region preferred for health data] | Processor |
| Apple HealthKit | Source of iOS health vitals | Health data | On-device → our servers via your permission | Independent controller |
| Google Health Connect | Source of Android health vitals | Health data | On-device → our servers via your permission | Independent controller |
[TO_CONFIRM: LLM provider] | Generation of coaching and health summaries | Performance and health summaries (de-identified where possible) | [TO_CONFIRM] | Processor |
[TO_CONFIRM: CV model provider] | Video analysis | Video frames or extracted features | [TO_CONFIRM] | Processor |
[TO_CONFIRM: analytics] | Web and app analytics | Usage and device data | [TO_CONFIRM] | Processor |
[TO_CONFIRM: payment processor] | Billing | Payment and identity | [TO_CONFIRM] | Independent controller |
[TO_CONFIRM: email / push] | Transactional and marketing comms | Contact and content | [TO_CONFIRM] | Processor |
[TO_CONFIRM: support tool] | Customer support | Account and ticket content | [TO_CONFIRM] | Processor |
[TO_CONFIRM: auth provider] | Sign-in | Account credentials | [TO_CONFIRM] | Processor |
[TO_CONFIRM: crash reporting] | Diagnostics | Device and crash data | [TO_CONFIRM] | Processor |
We update this list when we change a sub-processor. The current version is always at [TO_CONFIRM: URL].
8. How long we keep your data
| Category | Retention |
|---|---|
| Active account data | While your account is active, plus 90 days after a deletion request |
| Raw uploaded video | [TO_CONFIRM: recommended 12 months from upload unless you pin it] |
| Annotated video and derived metrics | While your account is active |
| Health vitals time series | Default 24 months rolling window; you can request earlier deletion |
| Coach notes about a player | Until the connection is revoked, then 90 days |
| Billing records | 7 years (UAE tax and commercial law) |
| Support tickets | 24 months |
| Security and audit logs | 12 months |
| Anonymised aggregate analytics | Indefinite (the data no longer identifies you) |
Minors' data is held for shorter periods where possible.
9. Cross-border data transfers
Where we transfer your personal data outside the UAE, we rely on one of the following:
- An adequacy decision by the UAE Data Office for the destination country.
- An appropriate safeguard under the PDPL, such as standard contractual clauses with the recipient.
- Your explicit consent, collected separately at signup or in-app.
For health data generated inside the UAE, our default architecture keeps the data in the UAE in line with Federal Law No. 2 of 2019. Where any transfer is required, we will tell you the destination country, the safeguard relied on, and (where applicable) ask for your separate consent.
Where AI coaching summaries are processed by a provider located in [TO_CONFIRM: country], we have contracted that the provider will not retain or use the data to train its own models, and we de-identify the input where feasible. You can opt out of AI features at any time.
10. Your rights
Under the PDPL, you have the right to:
- Access the personal data we hold about you and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to legal retention requirements.
- Restrict how we process your data.
- Object to certain types of processing.
- Port your data to another service in a structured, commonly used format.
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Be informed about automated decisions — see §4.3.
- Lodge a complaint with the UAE Data Office (or with the DIFC Commissioner of Data Protection / ADGM Office of Data Protection, depending on which jurisdiction applies to our entity — see §1).
How to exercise your rights: email [TO_CONFIRM: privacy email] from the address linked to your account, or use the in-app privacy controls.
Our response time: within 30 days. For complex requests we may extend this by a further 30 days and will tell you why.
We will not charge a fee unless your request is manifestly unfounded or excessive.
11. How we keep your data secure
We use, among other measures:
- Encryption in transit (TLS 1.2 or higher) and at rest.
- Role-based access control on a need-to-know basis.
- Logging and monitoring of access to sensitive data.
- Secure software development practices and regular reviews.
- Due diligence and contractual obligations on every sub-processor.
If a personal-data breach is likely to result in risk to you, we will notify the UAE Data Office and affected users without undue delay, as required by Article 9 of the PDPL.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will always show the latest version, and we will keep a changelog at [TO_CONFIRM: URL].
For material changes — for example, a new category of data we collect, a new third-party processor with whom we share sensitive data, or a change to your rights — we will notify you in the app and by email before the change takes effect, and (where the change requires it) we will ask for your consent again.
13. How to contact us
For any privacy question, request, or complaint:
- Email:
[TO_CONFIRM: privacy email] - Postal address:
[TO_CONFIRM] - Data Protection Officer:
[TO_CONFIRM]
For complaints, you may also contact the UAE Data Office at the address published on its website, or the DIFC / ADGM data protection authority if our entity is registered in those free zones.