Who we are
CentreKick is a grassroots football platform run by CentreKick Ltd. We help coaches, players, and families keep training and match records in one place. If you have questions about privacy, contact us at privacy@centrekick.app.
Company details
- Legal name: CentreKick Ltd
- Companies House number: [TODO: company number]
- Registered office: [TODO: registered office address]
- Data controller contact: privacy@centrekick.app
Quick summary
- We collect what we need to run grassroots football tools — accounts, sessions, matches, and assessments.
- We never sell your data and we never use it for advertising.
- Your data is stored in the EU (Supabase, Frankfurt region).
- You can export or delete your data any time from Account Settings.
- Children under 16 always have a linked parent or guardian on the platform.
- If you're a parent, you have full rights over your child's data.
What data we collect
From you (when you sign up or use the platform)
- Name, email, and role (coach, player, parent, scout, club staff, referee, agent, or analyst).
- Date of birth — used for age-group rules and what each role can see; it isn't shown publicly on profiles by default.
- Optional profile photo.
- For coaches: FA coaching qualifications you choose to add.
- For agents: FA / FIFA agent licence numbers for verification; shown on your agent profile only if you choose.
- Football activity: attendance, match stats, season assessments, clips you upload, and fixtures you create.
- Payments go through Stripe. We never see or store your card number — only a customer reference and subscription status from Stripe.
From things you connect
Strava: if you connect Strava, we sync activity totals (distance, duration, type) daily. You can disconnect any time and syncing stops.
Automatically
- Push notification tokens — only if you allow notifications on your device.
- Server logs: requests, errors, and abuse signals — kept 30 days for security.
- We don't run analytics scripts, ad pixels, or third-party trackers on our pages.
Why we use your data and the lawful basis
| Data | Purpose | Lawful basis (UK GDPR) |
|---|---|---|
| Account (name, email, role) | Run the platform | Contract (Art. 6(1)(b)) |
| Date of birth | Age-appropriate features and Children's Code gates | Legal obligation (Art. 6(1)(c)) and legitimate interests — safeguarding (Art. 6(1)(f)) |
| Football activity | Core product features | Contract (Art. 6(1)(b)) |
| Guardian links | Parent oversight of children's accounts | Legal obligation (Art. 6(1)(c)) |
| Payment info (Stripe refs) | Subscriptions | Contract (Art. 6(1)(b)) |
| Strava data | Show training load you've chosen to share | Consent (Art. 6(1)(a)) |
| Push tokens | Send notifications you've opted into | Consent (Art. 6(1)(a)) |
| Server logs | Abuse detection, debugging | Legitimate interests (Art. 6(1)(f)) |
If we ever change a lawful basis or rely on a new one, we'll update this policy and tell you.
Children and family accounts
Who counts as a child. Anyone under 18. We apply extra protection for under-13s.
Parent or guardian. Players under 16 can't register alone. A parent or guardian creates the account, links it through our guardian flow, and stays responsible until the child turns 16.
Age checks. We collect date of birth at sign-up. We don't ask for documents, but server-side rules limit what under-13 profiles show to scouts and what scouts can do.
What scouts can see. Scouts can't view player profiles for children under 13. They can't message a child directly. For under-16s, contact goes through a moderated step with controls on our side.
Assessment visibility (by age). Under 9: parents see a warm message unless the coach assigns a tier label. Ages 9–11: parents see the tier label only — no scores. Ages 12–15: players and parents see the label, the seven scores, and the written summary. 16+: players and parents also see the coach's personal letter.
Profiling. We assign talent-tier labels (emerging / recognised / exceptional) for scout-facing views. Children don't see their own tier label and don't see scout view counts on their profile until they're at least 13. Free players stay anonymised in agent directories regardless of age.
Your rights as a parent. You can access, correct, export, or delete your child's data. You can withdraw consent for things like clip visibility or Strava without losing the rest of the account.
Children's Code. We follow the ICO Age Appropriate Design Code, including the best interests of the child.
Marketing to children. We don't market to children — no marketing emails or upsells aimed at them.
Who we share your data with
These organisations process data on our instructions. We don't sell, rent, or share your data with advertisers, brokers, or analytics companies.
| Processor | What they do | Location | Transfer safeguards |
|---|---|---|---|
| Supabase | Database, auth, file storage | EU (Frankfurt) | None needed |
| Vercel | Hosting, edge delivery | Global edge; data at rest EU | Standard Contractual Clauses |
| Stripe | Payments | UK / Ireland / US | SCCs; EU-US Data Privacy Framework where certified |
| Resend | Transactional email | US | Standard Contractual Clauses |
| Strava | Optional activity sync | US | Only what you opt to send; not resold by us |
| Apple / Google | Push delivery | US | Token-based; payloads avoid personal content where possible |
If we add or remove a processor, we'll update this list and, for material changes, notify you.
International data transfers
Most of your data stays in the EU. Some processors (Stripe, Resend, Apple and Google for pushes) are US-based. We use the EU-US Data Privacy Framework where the processor is certified, Standard Contractual Clauses where they aren't, and we assess risk for each transfer.
For a copy of our transfer impact assessments, email privacy@centrekick.app.
How long we keep your data
- Active accounts: while your account is active.
- Deleted accounts: soft-deleted straight away; permanently erased after 30 days. Some financial records (invoices, receipts) are kept 7 years for HMRC — stored separately from your profile.
- Match stats and assessments: kept while the player account exists. On deletion, we remove identifying details; aggregate league or opposition stats may remain.
- Server logs: 30 days.
- Backups: rolling 30-day database backups. Live data is deleted on request immediately; copies in backups age out within 30 days.
- Compensation pool records: where money is owed under the platform transfer pool, we keep records for the legal retention period (typically 7 years — confirm with your accountant).
Your rights under UK GDPR
- Access — get a copy of everything we hold about you.
- Rectification — fix anything that's wrong.
- Erasure — delete your account and associated data.
- Restriction — ask us to limit use while something is disputed.
- Portability — receive your data in a structured, machine-readable form.
- Object — object where we rely on legitimate interests.
- Withdraw consent — where consent is the basis (e.g. Strava, notifications).
- Complain — to the ICO at ico.org.uk/make-a-complaint.
Most rights can be handled in Account Settings → Data & Privacy. For anything else, email privacy@centrekick.app — we'll respond within 30 days.
Cookies and similar technologies
We only use cookies needed to run the site:
- Supabase auth cookies (names like sb-*-auth-token) — keep you signed in.
- Locale — remembers language preference.
- Site gate — used only during pre-launch gated access.
We don't use tracking cookies, ad cookies, or social pixels. Stripe sets its own cookies on checkout.stripe.com — those are covered by Stripe's policy. You can clear cookies in your browser; clearing auth cookies signs you out.
Push notifications
If you enable notifications, your device sends us a token. We use it only for things you've opted into, for example:
- Match invites and confirmations
- Assessment publications
- Friendly Finder responses
- Analyst, coaching, and pitch-hire booking updates
- Fixture marketplace match alerts
Turn channels off in account settings or revoke permission in your phone settings.
Security
We use TLS for connections, encryption at rest where our providers support it, and row-level security in the database so people only see data they're allowed to see. We don't store card numbers. If we suffer a breach that affects your personal data, we'll tell you and the ICO within 72 hours when the law requires it.
Changes to this policy
When we make material changes, we'll update this page and email you. Small wording fixes only change the "Last updated" date.
Contact
Privacy questions: privacy@centrekick.app. We don't have a statutory DPO yet (below threshold), but ask for one if you need a dedicated contact and we'll route you.