Privacy Policy

ConnEasy ("we", "us", "our") is a football networking platform operated from Ireland. We are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Irish Data Protection Act 2018, and all applicable data protection legislation.

1. Data Controller

The data controller for your personal data is ConnEasy, based in Ireland. For all data protection enquiries and requests, please contact us at conneasyofficial@gmail.com.

2. Data We Collect

We collect and process the following categories of personal data:

• Account information: name, email address, password (hashed and salted — we never store your password in plain text), date of birth, nationality, county and sub-area location.
• Profile data: avatar photo, bio, football position, play style, preferred foot, height, weight, coaching qualifications, club history, achievements, and traits.
• Football statistics: goals, assists, games played, clean sheets, man of the match awards, years coaching, players coached, sessions per week, trophies, and other performance metrics.
• Communications: messages sent and received through the ConnEasy chat system, including message content and read receipts.
• Media: video clips uploaded via YouTube integration and profile photos stored in our file storage.
• Location data: county and sub-area (town/area) for profile discoverability on the map. For clubs, an optional street address is geocoded to map coordinates.
• Connection data: endorsements, references, chat requests, and parent/guardian-player account links.
• Usage data: authentication sessions, notification preferences, visibility settings, and theme preferences.

3. Lawful Basis for Processing

We process your data on the following legal bases under GDPR Article 6:

• Consent (Article 6(1)(a)): You provide consent when you create an account and agree to these terms. You may withdraw consent at any time by deleting your account.
• Contractual necessity (Article 6(1)(b)): Processing is necessary to provide the ConnEasy platform and its features — profile display, messaging, discovery, and notifications.
• Legitimate interest (Article 6(1)(f)): We process certain data for platform safety, safeguarding minors, preventing abuse, and maintaining platform integrity.

For users under 16, we rely on verifiable parental/guardian consent in accordance with GDPR Article 8 and the Irish Data Protection Act 2018 (Section 31), which sets the digital age of consent at 16 in Ireland.

4. Under-18 Data Handling

ConnEasy handles children's data with extra care, in compliance with GDPR Article 8 and Ireland's Data Protection Act 2018. We operate a parent/guardian paired account system for all users under 18:

Users Under 16

• Registration requires a parent/guardian email address.
• A parent/guardian must create their own ConnEasy account and verify the link before the child's profile becomes visible to coaches or clubs.
• Contact details (email, Instagram, TikTok, Facebook) are masked from coaches and clubs at the database level — they cannot be accessed even via the API.
• The child cannot send or receive messages directly. All messaging is handled by their parent/guardian on their behalf.
• The parent/guardian must initiate contact with coaches before any communication can take place.

Users Aged 16–17

• Profiles are visible on the platform but display an under-18 badge.
• Contact details remain hidden from coaches and clubs at the database level.
• Safeguarding notices are displayed to coaches viewing the profile.
• Messaging is disabled on their account — their parent/guardian handles all communications.

Parent/Guardian Rights

Parents/guardians of users under 18 can manage their child's communications through the Parent/Guardian Dashboard, including approving or declining chat requests, messaging coaches and clubs on behalf of their child, and viewing linked profiles. Parents/guardians may request access to, correction of, or deletion of their child's data at any time by contacting conneasyofficial@gmail.com.

5. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Article 15): You can request a copy of all personal data we hold about you.
• Right to Rectification (Article 16): You can edit your profile information at any time from your Profile page, or request corrections by contacting us.
• Right to Erasure (Article 17): You can permanently delete your account and all associated data from Settings > Danger Zone. This removes all profile data, messages, endorsements, references, media, and authentication records.
• Right to Data Portability (Article 20): You can request your data in a machine-readable format by contacting us.
• Right to Restrict Processing (Article 18): You can request that we limit how we use your data while a complaint or request is being resolved.
• Right to Object (Article 21): You can control your profile visibility (public/private), map visibility, age display, and who can message you from the Settings page.
• Right to Withdraw Consent: You may withdraw your consent at any time by deleting your account or adjusting your privacy settings.

To exercise any of these rights, email conneasyofficial@gmail.com. We will respond within 30 days as required by GDPR. If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at www.dataprotection.ie.

6. Data Retention

• Active accounts: Your personal data is retained for as long as your account is active on ConnEasy.
• Deleted accounts: When you delete your account (via Settings > Danger Zone), all personal data is permanently removed from our databases and file storage. This includes your profile, messages, endorsements, references, chat requests, video clips, avatar images, notification records, and authentication data. Deletion is irreversible.
• Parent/guardian verification tokens: Expire after 72 hours and are marked as used or deleted upon expiry.
• Session cookies: Expire after 7 days of inactivity.

7. Third-Party Processors

We use the following third-party services to operate ConnEasy. Each acts as a data processor under GDPR:

• Supabase (database, authentication, file storage) — your data is stored in Supabase's EU-region infrastructure. Supabase processes data on our behalf under a Data Processing Agreement. See Supabase Privacy Policy.
• Vercel (web hosting and serverless functions) — serves the ConnEasy website and runs server-side logic. See Vercel Privacy Policy.
• Resend (transactional email) — used to send parent/guardian verification emails. Only the recipient email address and email content are shared. See Resend Privacy Policy.
• YouTube / Google (video hosting) — game clips are uploaded as unlisted videos to YouTube via their API. Video content and metadata are subject to Google's policies. See Google Privacy Policy.
• OpenStreetMap / Nominatim (geocoding) — club addresses are geocoded to map coordinates. No personal user data is sent to this service.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

8. Cookies

ConnEasy uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or analytics cookies. The session cookie (sb-*-auth-token) is set with Secure, SameSite=Lax, and a 7-day expiry. Theme preference (light/dark mode) is stored in localStorage, not as a cookie.

9. International Data Transfers

Your primary data is stored in Supabase's EU infrastructure. However, some of our processors (Vercel, YouTube/Google) may process data outside the European Economic Area (EEA). Where data is transferred outside the EEA, it is protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V. We only use processors that provide adequate data protection guarantees.

10. Data Security

We implement the following security measures to protect your data:

• Row Level Security (RLS) on all database tables, ensuring users can only access data they are authorised to see.
• Database triggers that enforce safeguarding rules and prevent unauthorised data modification.
• Encrypted connections (HTTPS/TLS) for all data transmission.
• Security headers including HSTS, X-Frame-Options, X-Content-Type-Options, and Content Security Policy.
• Server-side authentication middleware protecting all private routes.
• Password hashing via Supabase Auth (bcrypt).
• File upload validation (type and size restrictions) to prevent malicious uploads.

11. Changes to This Policy

We may update this privacy policy from time to time. Significant changes will be communicated via a notice on the platform. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.

12. Contact

If you have any questions about this privacy policy, wish to exercise your data protection rights, or have concerns about how your data is handled, please contact:

ConnEasy
Email: conneasyofficial@gmail.com
Ireland

You also have the right to lodge a complaint with the Irish Data Protection Commission:
www.dataprotection.ie