Privacy Policy

How we collect, use and protect your personal data

1. Data Controller

S2D, Sport data Decision, Lda, with registered office at Estrada Municipal 506 Ubimedical 6200-284 Covilhã, VAT number 518063097, is the entity responsible for processing personal data collected through the IndoorData platform.

For any questions regarding the privacy of your data, you can contact us at: support@indoordata.pt

No Data Protection Officer (DPO) has been formally appointed, as our processing activities do not require one under GDPR. The internal person responsible for data protection matters is available at the email address above.

2. Data We Collect and Why

We collect only the data strictly necessary for the provision of our service:

• Account and authentication data (email, hashed password, name, role) — required for platform access. Legal basis: contract execution (Art. 6(1)(b) GDPR).
• User profile data (phone, date of birth, gender, photo) — for account personalisation. Legal basis: contract execution.
• Player/athlete data (name, contact, address, date of birth, federation licence, sports history, photo) — for sports management by the club. Legal basis: contract execution and data subject consent.
• Biometric and health data (height, weight, physical capacity, clinical and psychological history) — for sports development tracking, only with explicit consent. Legal basis: explicit consent (Art. 9(2)(a) GDPR).
• Minors' data — require explicit consent from the legal guardian.
• Security logs (access attempts, timestamps) — to protect systems against unauthorised access. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Retention: 7 days.
• Audience measurement data (first-party) — a short-lived session identifier (our own cookie, 24h), page visited, approximate region/country, language and device type (mobile/tablet/desktop). We do NOT collect the IP address or the full user-agent, and this data is not shared with third parties nor does it leave the EU. It is used solely to measure the performance of our site. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
• Marketing and third-party analytics data (email submitted through the quiz, quiz answers, Google Analytics and Meta Pixel) — for marketing communication and campaign measurement. Legal basis: consent (Art. 6(1)(a) GDPR); third-party cookies are only activated after explicit consent in the banner, which you can withdraw at any time.

3. Data Sharing and Subprocessors

Your data is shared only with the following subprocessors, strictly within the scope of service delivery, all subject to Data Processing Agreements (DPA) under Art. 28 GDPR:

• Amazon Web Services (AWS) — database (RDS), transactional email delivery (SES), file and image storage (S3) and infrastructure monitoring (CloudWatch). Servers located exclusively within the European Union (Paris, France).

Subject to your consent (cookie banner), we also use the following measurement and marketing services:

• Google Ireland Ltd. (Google Analytics) — measurement of website audience and performance.
• Meta Platforms Ireland Ltd. (Meta Pixel) — measurement and optimisation of our advertising campaigns.

These services may involve transferring data to the United States, under adequate safeguards recognised by the European Commission (Standard Contractual Clauses and the EU-US Data Privacy Framework). Their cookies are only activated after your explicit consent and can be refused or withdrawn at any time.

We do not sell your personal data, nor do we share it with third parties for purposes not described in this policy. Data processed for the platform (account, profile and sports data) is hosted exclusively within the European Union. Only the analytics and marketing data referred to above may, with your consent, be processed outside the EU under the safeguards indicated.

4. Data Retention and Security

We retain your data only for as long as necessary for the purposes for which it was collected:

• Account and user profile data: for the duration of the active account + 2 years after deletion or inactivity.
• Player/athlete data: for the duration of the club subscription + 2 years after the end of the contractual relationship.
• Biometric and health data: same conditions as player data.
• Security logs (access attempts): 7 days, with automatic deletion.

Regarding security, we implement the following technical and organisational measures:

• Encryption in transit — TLS/HTTPS on all platform access, certificates managed via AWS Certificate Manager.
• Encryption at rest — database and files stored with AWS KMS encryption.
• Access control — role-based system (ADMIN, MANAGER, COACH) with granular permissions per club.
• Brute-force protection — automatic lockout after failed access attempts.
• Automatic backups — with point-in-time recovery capability via AWS RDS.

5. Your Rights and Contact

Under the General Data Protection Regulation (GDPR), you have the following rights over your personal data:

• Access (Art. 15) — know what personal data we process about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data. Available directly in the platform for profile and player data.
• Erasure (Art. 17) — request deletion of your personal data.
• Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON/CSV).
• Objection (Art. 21) — object to processing based on legitimate interest.
• Restriction (Art. 18) — restrict processing under certain circumstances.

To exercise any of these rights, contact us at: support@indoordata.pt

Maximum response time: 30 days (extendable by 60 days in complex cases, with prior notice).

You also have the right to lodge a complaint with the competent supervisory authority: CNPD — Comissão Nacional de Proteção de Dados, www.cnpd.pt


Last updated: February 2025