Privacy Policy

ConnEasy is a football networking platform operated from Ireland. We are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Irish Data Protection Act 2018, and all applicable data protection legislation.

1. Data Controller

The data controller for your personal data is:

ConnEasy
Operated by Tom O'Donovan
Ireland
Email: contact@conneasy.ie

ConnEasy has not appointed a Data Protection Officer (DPO) at this time. For all data protection enquiries, rights requests, or complaints, please contact us at the email address above.

2. Data We Collect

We collect and process the following categories of personal data:

• Account information: name, email address, password (hashed and salted — we never store your password in plain text), date of birth, countries you are eligible to play for, county and sub-area location.
• Profile data: avatar photo, bio, football position, play style, preferred foot, height, weight, coaching qualifications, club history, achievements, and traits.
• Football statistics: goals, assists, games played, clean sheets, man of the match awards, years coaching, players coached, sessions per week, trophies, and other performance metrics.
• Communications: messages sent and received through the ConnEasy chat system, including message content and read receipts.
• Media: video clips uploaded via YouTube integration and profile photos stored in our file storage.
• Location data: county and sub-area (town/area) for profile discoverability on the map. For clubs, an optional street address is geocoded to map coordinates.
• Connection data: endorsements, references, chat requests, and parent/guardian-player account links.
• Technical data: IP address, browser type, device information, and access logs collected automatically by our hosting provider (Vercel) and database provider (Supabase).
• Usage data: authentication sessions, notification preferences, visibility settings, and theme preferences.

Special Category Data

Height and weight data collected for player profiles may be considered health-related data under GDPR Article 9. We process this data on the basis of your explicit consent, given when you voluntarily provide it during profile creation. You are not required to enter height or weight — these fields are optional. You may remove them at any time by editing your profile.

3. Lawful Basis for Processing

We process your data on the following legal bases under GDPR Article 6:

• Consent (Article 6(1)(a)): You provide consent when you create an account and agree to these terms. You may withdraw consent at any time by deleting your account or adjusting your privacy settings.
• Contractual necessity (Article 6(1)(b)): Processing is necessary to provide the ConnEasy platform and its features — profile display, messaging, discovery, and notifications.
• Legitimate interest (Article 6(1)(f)): We process certain data for platform safety, safeguarding minors, preventing abuse, and maintaining platform integrity.

For users under 18, we rely on verifiable parental/guardian consent in accordance with GDPR Article 8 and the Irish Data Protection Act 2018 (Section 31), which sets the digital age of consent at 16 in Ireland. ConnEasy exceeds the legal minimum by requiring parental/guardian consent for all users under the age of 18.

4. Under-18 Data Handling

ConnEasy treats all users under the age of 18 as minors, exceeding the legal minimum age of digital consent (16) set by the Irish Data Protection Act 2018. We handle children's data with extra care, in compliance with GDPR Article 8 and Sections 29–33 of the Data Protection Act 2018.

We operate a parent/guardian paired account system for all users under 18:

What Data We Collect from Minors

We collect the same categories of data from minors as from adults (name, date of birth, county, position, stats, etc.), with the following differences:

• A parent/guardian email address is collected during registration.
• Contact details (email, Instagram, TikTok, Facebook) are collected but masked from coaches and clubs at the database level.

How Parental Consent Is Obtained

• During registration, under-18 players must provide a parent/guardian email address.
• A verification email containing a unique, time-limited token (72-hour expiry) is sent to the parent/guardian.
• The parent/guardian must create their own ConnEasy account and verify the link before any coach can initiate a conversation involving the child. Unverified minor accounts can browse the platform but cannot be contacted.

How Minors' Data Is Protected

• Contact details (email, Instagram, TikTok, Facebook) are never stored for minor accounts and are masked from all viewers at the database level — even the child's own account cannot display them. This is enforced by a database trigger, a view, and the user interface (three independent layers).
• Under-18 players cannot send or receive messages directly. All messaging is handled by their parent/guardian on their behalf.
• Messages to an unverified minor are blocked at the database level. Once a parent/guardian has verified the link, any coach-initiated conversation must still be approved by the parent/guardian before it reaches the child.
• Parents/guardians can toggle whether the child can read an approved conversation at all.
• Safeguarding rules are enforced by database triggers that cannot be bypassed by the application layer.

Parent/Guardian Rights

Parents/guardians of users under 18 have the right to:

• Access all data held about their child by contacting contact@conneasy.ie.
• Request correction of their child's data.
• Request deletion of their child's account and all associated data (see Section 5, Right to Erasure).
• Manage their child's communications through the Parent/Guardian Dashboard, including approving or declining chat requests.
• Control whether their child can view conversations (child_can_view toggle).

Under Section 33 of the Data Protection Act 2018, individuals have a specific right to request the erasure of personal data collected about them during childhood. ConnEasy fully supports this right — account deletion permanently removes all data.

5. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data. For each right, we have listed the simplest way to exercise it.

5.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you.

How to exercise: Sign in and go to Settings > Danger Zone > Download My Data. You will receive a machine-readable JSON file containing every row we hold that belongs to you. Or email contact@conneasy.ie.

5.2 Right to Rectification (Article 16)

You can correct any inaccurate or incomplete personal data.

How to exercise: Edit your profile directly from the Profile page. Your date of birth is locked after it is first set, to protect safeguarding age checks — if it is wrong, email contact@conneasy.ie and an administrator will correct it (every such change is audit-logged).

5.3 Right to Erasure (Article 17)

You can permanently delete your account and all associated data.

How to exercise: Sign in and go to Settings > Danger Zone > Delete Account. Deletion is irreversible and atomic — profile data, messages, endorsements, references, media, YouTube clips, and authentication records are all removed. Under Section 33 of the Data Protection Act 2018, this right applies specifically to data collected during childhood.

5.4 Right to Data Portability (Article 20)

You can receive your data in a structured, commonly used, machine-readable format, and have the right to transmit that data to another controller.

How to exercise: Use Settings > Danger Zone > Download My Data. The JSON export satisfies Article 20 requirements. Limited to one export every 24 hours to prevent abuse.

5.5 Right to Restrict Processing (Article 18)

You can request that we limit how we use your data while a complaint or request is being resolved.

How to exercise: Email contact@conneasy.ie. In the meantime, you can tighten your own processing footprint from Settings > Profile Visibility (hide profile, disable map, restrict who can message you).

5.6 Right to Object (Article 21)

You can object to processing of your personal data.

How to exercise: Use the visibility controls in Settings > Profile Visibility to disable discovery/map/public profile, or email contact@conneasy.ie for anything not covered by the self-service controls.

Other rights

• Right Not to Be Subject to Automated Decision-Making (Article 22): ConnEasy does not use automated decision-making or profiling that produces legal or similarly significant effects. Age-based access controls are rule-based safeguarding measures, not profiling.
• Right to Withdraw Consent: You may withdraw your consent at any time by deleting your account or adjusting your privacy settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We will respond to any rights request within 30 days as required by GDPR. If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC):
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
www.dataprotection.ie

6. Data Retention

We retain each category of data only for as long as it is needed for the purpose it was collected, or as required by law:

Deletion is immediate and irreversible once initiated from Settings > Danger Zone. We do not currently operate a soft-delete or 30-day recovery window.

7. Third-Party Processors

We use the following third-party services to operate ConnEasy. Each acts as a data processor under GDPR, covered by a Data Processing Agreement (DPA). Transfers outside the EEA rely on Standard Contractual Clauses (SCCs) or an equivalent adequacy mechanism.

• Supabase (database, authentication, file storage) — data stored in Supabase's EU-region infrastructure. DPA in place; transfers covered by SCCs. See Supabase Privacy Policy.
• Vercel (web hosting and serverless functions) — IP addresses and access logs processed for service delivery. DPA in place; transfers covered by SCCs. See Vercel Privacy Policy.
• Resend (transactional email) — used for parent/guardian verification, deletion confirmation, and parent notification emails. Only recipient address + email content are shared. DPA in place; transfers covered by SCCs. See Resend Privacy Policy.
• YouTube / Google (video hosting) — game clips uploaded as unlisted videos via the YouTube Data API. Google acts as a sub-processor subject to Google's policies and SCCs. See Google Privacy Policy.
• OpenStreetMap / Nominatim (geocoding) — only club addresses (no user personal data) are sent, and only at the moment an owner saves a club address.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

8. Cookies

ConnEasy uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or analytics cookies of any kind.

• Authentication cookie (sb-*-auth-token): Strictly necessary for keeping you logged in. Set with Secure, SameSite=Lax, and a 7-day expiry. This cookie is exempt from consent requirements under ePR Article 5(3) as it is strictly necessary for the service.
• Theme preference: Stored in localStorage (not a cookie).
• Cookie consent status: Stored in localStorage (not a cookie), refreshed every 6 months.

Because ConnEasy uses only strictly necessary cookies, no non-essential cookies are ever set — regardless of whether you accept or decline on the cookie banner. You may change your cookie preferences at any time via the "Cookie Preferences" link on the homepage.

9. International Data Transfers

Your primary data is stored in Supabase's EU infrastructure. However, some of our processors (Vercel, YouTube/Google) may process data outside the European Economic Area (EEA). Where data is transferred outside the EEA, it is protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V. We only use processors that provide adequate data protection guarantees.

10. Data Security

We implement the following security measures to protect your data:

• Row Level Security (RLS) on all database tables, ensuring users can only access data they are authorised to see.
• Database triggers that enforce safeguarding rules and prevent unauthorised data modification.
• Encrypted connections (HTTPS/TLS) for all data transmission.
• Security headers including HSTS, X-Frame-Options, X-Content-Type-Options, and Content Security Policy.
• Server-side authentication middleware protecting all private routes.
• Password hashing via Supabase Auth (bcrypt).
• File upload validation (type and size restrictions) to prevent malicious uploads.

11. Data Minimisation

ConnEasy collects only the personal data necessary to provide its football networking features. Most profile fields (bio, stats, height, weight, social links) are optional — you are not required to complete them. We do not collect data beyond what is needed for the platform's stated purpose.

12. Changes to This Policy

We may update this privacy policy from time to time. Significant changes will be communicated via a notice on the platform. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.

13. Contact & Complaints

If you have any questions about this privacy policy, wish to exercise your data protection rights, or have concerns about how your data is handled, please contact:

ConnEasy
Tom O'Donovan
Email: contact@conneasy.ie
Ireland

You also have the right to lodge a complaint with the Irish Data Protection Commission:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
www.dataprotection.ie