Privacy Policy
1. Who we are
"LevelUp360HQ", "LU360", "we", "us", and "our" refer to Levelup360HQ Ltd, a company registered in the United Kingdom, contactable at privacy@levelup360hq.com. We are the data controller for personal data we collect via our platform at app.levelup360hq.com.
2. What we collect
We collect three categories of personal data:
Parent / guardian account data
- Name (display name you choose)
- Email address (for login, transactional emails, push notifications)
- Password or sign-in tokens (we never store passwords in plain text; magic-link tokens are short-lived)
- Role (parent, coach, club admin) and the club organisation you belong to
- Web push subscription endpoints (per device, when you opt in)
- Audit log of significant actions (e.g. you reset your password)
Child (athlete) data — provided by you or your child's club
- First name, last name, optional display name (what shows on their card)
- Date of birth (to compute age group and progression)
- Optional: position, preferred foot, country, height
- Optional: photograph (if you or the club uploads one)
- Match appearances and stats: minutes, goals, assists, cards, clean sheets, MOTM, coach notes
- XP earned, tier and level (derived from gameplay)
- RSVPs and attendance records for club events
- Badges / traits earned automatically based on gameplay milestones
Technical / analytics data
- IP address (only at the moment of a request — not stored long-term as personal data)
- Browser type and version (User-Agent), device type
- Page views and feature usage, identified only by a UUID — never by email or name (PostHog, see Section 5)
- Error reports when something breaks (Sentry, see Section 5) — we deliberately strip email from these
3. Why we collect it — lawful basis
Under the UK GDPR / EU GDPR we rely on the following lawful bases:
- Contract (Article 6(1)(b)) — most processing happens because you signed up to use the platform. We can't track your kid's development if we can't store their stats.
- Legitimate interests (Article 6(1)(f)) — service health (error monitoring, anonymous analytics, abuse prevention). You can object to legitimate-interest processing at any time via privacy@levelup360hq.com.
- Consent (Article 6(1)(a)) — optional push notifications, marketing emails (if we ever send them), and non-essential cookies. You can withdraw consent at any time without affecting your ability to use the service.
For data about children under 13, we rely on parental consent as required by Article 8 GDPR / the UK Age Appropriate Design Code. Only a parent or guardian can create an athlete record for a child.
4. Children's data — extra care
LevelUp360HQ is built primarily to track the development of young athletes. We follow the ICO's Age Appropriate Design Code:
- We never use children's data for marketing or targeted advertising
- We never sell children's data to anyone
- Athlete profiles default to private, visible only inside their club
- Parents can delete a child's account at any time from settings
- Shareable athlete cards are opt-in by the parent — sharing never happens automatically
- We don't track location, contacts, or any device data beyond what's needed to render the app
5. Who we share data with — subprocessors
We use a small set of vendors to run the service. Each is contractually bound to process data only on our instructions, under UK / EU adequacy rules. We never share your data with anyone outside this list (except your own club's coaches and admins, who need to see it to do their job).
- Supabase (EU, Frankfurt) — database, authentication, file storage. All data lives here.
- Vercel (US, EU edge) — application hosting. Processes requests but doesn't store personal data long-term.
- Resend (US) — transactional email delivery (welcome emails, tier alerts, RSVP reminders, invite codes).
- PostHog (EU, self-hosted region available) — anonymous product analytics. We identify you only by a UUID, never by email or name.
- Sentry (EU) — error monitoring. We deliberately strip email and other PII before sending error reports.
- Web Push services (Google, Apple, Mozilla, Microsoft) — when you opt in to push notifications, encrypted payloads are routed via your browser vendor's push service. They receive the encrypted notification, not the contents.
We do not transfer data outside the UK / EEA except where covered by Standard Contractual Clauses (Resend, Vercel US edge nodes). Supabase, our primary data store, is in Frankfurt.
6. How long we keep it
- Active account data — for as long as you have an account with us.
- After you delete your account — personal identifiers (profile, email, parent-child links, RSVPs, notifications, push subscriptions) are removed within 24 hours. Authoring of news posts, comments, and match records is anonymised but the content stays so the club retains its history.
- Backups — Supabase retains automated database backups for up to 7 days. Your deleted data may persist there before rolling off.
- Audit logs — significant actions (account changes, data exports, deletions) are kept for 12 months for security and compliance.
7. Your rights
Under the UK GDPR you have the right to:
- Access a copy of your data — use the "Download my data (JSON)" button in your account settings, available 24/7.
- Rectify inaccurate data — edit it directly in the app, or email us if you can't.
- Erase your account and personal data — use the "Delete my account" button in settings.
- Restrict or object to processing — email privacy@levelup360hq.com.
- Withdraw consent for optional processing (push, marketing, non-essential cookies) at any time.
- Complain to a supervisory authority. In the UK that's the Information Commissioner's Office: ico.org.uk/make-a-complaint.
We aim to respond to all rights requests within 30 days, usually much faster.
8. Security
Data is encrypted in transit (TLS) and at rest (Supabase Postgres). Passwords are hashed with bcrypt by Supabase Auth. Access to production systems is limited and audited. We use Sentry to monitor for anomalies. No system is perfectly secure, but we treat children's data as the high bar it deserves to be.
9. Cookies
We use a small number of essential cookies to keep you signed in and to hold your push-notification subscription. We do not use third-party advertising cookies.
Optional analytics (PostHog) only runs after you accept it via the consent banner. We identify you only by an internal UUID — never by email or name. You can change your choice any time under Settings → Cookies & analytics.
Error monitoring (Sentry) runs by default under our legitimate-interest basis for security and stability. We deliberately strip personal data (email, names) from error reports before they leave your browser.
10. Changes to this policy
If we make a material change we'll notify you by email and update the "Last updated" date above. Continuing to use the service after a change means you accept the new version.
11. Contact
Email privacy@levelup360hq.com for any privacy question, complaint, or data request. For UK GDPR-specific matters this address reaches our Data Protection contact at Levelup360HQ Ltd.