Privacy Policy
How we collect, use and protect your personal data
1. Data Controller
S2D, Sport data Decision, Lda, with registered office at Estrada Municipal 506 Ubimedical 6200-284 Covilhã, VAT number 518063097, is the entity responsible for processing personal data collected through the IndoorData platform.
For any questions regarding the privacy of your data, you can contact us at: support@indoordata.pt
No Data Protection Officer (DPO) has been formally appointed, as our processing activities do not require one under GDPR. The internal person responsible for data protection matters is available at the email address above.
2. Data We Collect and Why
We collect only the data strictly necessary for the provision of our service:
• Account and authentication data (email, hashed password, name, role) — required for platform access. Legal basis: contract execution (Art. 6(1)(b) GDPR).
• User profile data (phone, date of birth, gender, photo) — for account personalisation. Legal basis: contract execution.
• Player/athlete data (name, contact, address, date of birth, federation licence, sports history, photo) — for sports management by the club. Legal basis: contract execution and data subject consent.
• Biometric and health data (height, weight, physical capacity, clinical and psychological history) — for sports development tracking, only with explicit consent. Legal basis: explicit consent (Art. 9(2)(a) GDPR).
• Minors' data — require explicit consent from the legal guardian.
• Security logs (access attempts, timestamps) — to protect systems against unauthorised access. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Retention: 7 days.
3. Data Sharing and Subprocessors
Your data is shared only with the following subprocessors, strictly within the scope of service delivery, all subject to Data Processing Agreements (DPA) under Art. 28 GDPR:
• Amazon Web Services (AWS) — database (RDS), transactional email delivery (SES), file and image storage (S3) and infrastructure monitoring (CloudWatch). Servers located exclusively within the European Union (Frankfurt / Ireland).
We do not sell, transfer or share your personal data with third parties for commercial, marketing or any other purposes not described in this policy. Your data is never transferred to countries outside the European Union.
4. Data Retention and Security
We retain your data only for as long as necessary for the purposes for which it was collected:
• Account and user profile data: for the duration of the active account + 2 years after deletion or inactivity.
• Player/athlete data: for the duration of the club subscription + 2 years after the end of the contractual relationship.
• Biometric and health data: same conditions as player data.
• Security logs (access attempts): 7 days, with automatic deletion.
Regarding security, we implement the following technical and organisational measures:
• Encryption in transit — TLS/HTTPS on all platform access, certificates managed via AWS Certificate Manager.
• Encryption at rest — database and files stored with AWS KMS encryption.
• Access control — role-based system (ADMIN, MANAGER, COACH) with granular permissions per club.
• Brute-force protection — automatic lockout after failed access attempts.
• Automatic backups — with point-in-time recovery capability via AWS RDS.
5. Your Rights and Contact
Under the General Data Protection Regulation (GDPR), you have the following rights over your personal data:
• Access (Art. 15) — know what personal data we process about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data. Available directly in the platform for profile and player data.
• Erasure (Art. 17) — request deletion of your personal data.
• Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON/CSV).
• Objection (Art. 21) — object to processing based on legitimate interest.
• Restriction (Art. 18) — restrict processing under certain circumstances.
To exercise any of these rights, contact us at: support@indoordata.pt
Maximum response time: 30 days (extendable by 60 days in complex cases, with prior notice).
You also have the right to lodge a complaint with the competent supervisory authority: CNPD — Comissão Nacional de Proteção de Dados, www.cnpd.pt
Last updated: June 2025