Privacy Policy
Last updated: 15 May 2026
This Privacy Policy explains how vAInz Sport Analysis ("vAInz", "we", "us") collects, uses, shares and protects personal data when you use the platform at vainz.com and related services (the "Service"). This notice is provided in accordance with Regulation (EU) 2016/679 (GDPR) and the Italian Personal Data Protection Code (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018).
1. Data controller
The data controller is vAInz, contactable at vainzsportanalysis@gmail.com. For all matters concerning the processing of your personal data and the exercise of the rights described in §7, please write to that address.
2. Categories of data we collect
When you use the Service we process the following categories of personal data:
- Account data — email address, password (hashed), agency name, contact name, plan tier, billing cadence, registration date, account status.
- Usage and content data — logs of every meaningful action you take on the platform: searches performed (including names of players and teams queried), Player Analysis reports opened, Player Finder filter sets, Team Fit / League Fit checks, PDF reports generated, tokens consumed, timestamps. We also log the plan in effect at the time of each action (plan_at_time) for billing audit purposes.
- Device and technical data — device identifier, browser user-agent, IP address, last-seen timestamp, registered devices list. These are used to enforce per-plan device limits and to detect fraud.
- Payment data — billing address, last 4 digits and brand of the card used, payment status, invoices. Card numbers and CVVs are never seen or stored by us; they are processed entirely by our payment processor Stripe Payments Europe Ltd. (Ireland).
- Communications — emails, support requests, feedback you voluntarily send us.
3. Purposes and legal bases of processing
We process the above data for the following purposes, under the indicated GDPR legal bases:
- Performance of contract (Art. 6(1)(b) GDPR) — creating and managing your account, providing the Service, enforcing plan limits, charging subscription fees, issuing invoices, handling support.
- Legitimate interest (Art. 6(1)(f) GDPR) — improving the Service, preventing abuse and fraud, securing the platform, producing aggregated and anonymized analytics, and conducting internal research on usage patterns. Our legitimate interests do not override your fundamental rights; you may always object as described in §7.
- Legal obligation (Art. 6(1)(c) GDPR) — keeping accounting records, fiscal documents and other records required by Italian and EU law.
- Consent (Art. 6(1)(a) GDPR) — sending optional marketing communications about new features, when you have given specific consent. You may withdraw consent at any time without affecting prior processing.
4. Usage logs and aggregated insights
We attach particular importance to one category of processing: logs of searches and reports requested through the Service. For example: "Agency X opened a Player Analysis report for Player Y at time T". This information is necessary for billing (we charge tokens per action), for enforcing plan limits, and for product analytics.
We may produce aggregated and anonymized insights from this data — for example, statistics on the most-searched positions, most-tracked age brackets, geographical demand patterns — and use, publish or share such aggregated insights with third parties (e.g. industry partners, media). Aggregated data does not allow identification of individual users or their specific searches and therefore falls outside the scope of GDPR.
We will not share, sell or otherwise disclose your identifiable searches (i.e. "Agency X searched Player Y") to any third party without your specific prior consent, except where required by law or court order.
5. Recipients of personal data
We share personal data only with the following categories of recipients, all of whom act as data processors under written agreements that comply with Art. 28 GDPR:
- Supabase Inc. (United States, EU SCCs in place) — authentication and database hosting.
- Stripe Payments Europe Ltd. (Ireland) — payment processing and invoicing.
- Databricks Inc. (United States, EU SCCs in place) — analytical data warehouse for player and team metrics.
- Amazon Web Services EMEA SARL (Luxembourg / Ireland) — cloud hosting of the web frontend and the backend API.
- Public authorities, courts and law-enforcement bodies, only where required by law or to defend our rights.
Note: third-party football-data providers (SofaScore and similar) are upstream sources we read public match data from — they are not recipients of user data and therefore not listed above.
6. International data transfers
Some processors are located outside the European Economic Area. Where this is the case, transfers occur under the European Commission's Standard Contractual Clauses (Decision 2021/914/EU) or, where applicable, under an adequacy decision. You may request a copy of the safeguards in place by writing to vainzsportanalysis@gmail.com.
7. Your rights
Under Articles 15–22 GDPR you have the right to:
- access your personal data and obtain a copy;
- rectify inaccurate or incomplete data;
- erase your data ("right to be forgotten"), subject to legal retention obligations;
- restrict processing in defined circumstances;
- portability — receive your data in a structured, commonly used, machine-readable format;
- object to processing based on legitimate interest;
- withdraw consent at any time, where consent is the legal basis;
- lodge a complaint with the Italian Data Protection Authority — Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma — garanteprivacy.it.
To exercise these rights, please email vainzsportanalysis@gmail.com. We will respond within 30 days.
8. Retention periods
We retain your data only as long as necessary for the purposes described above. Specifically: account and usage data are kept for the duration of your subscription and for 24 months after account closure for analytics, security and audit purposes; billing and tax records are kept for 10 years as required by Italian law (Art. 2220 Codice Civile); support communications for 24 months after the last interaction; aggregated and anonymized data may be retained indefinitely.
9. Security
We apply technical and organizational measures consistent with industry standards: encryption in transit (TLS 1.3) and at rest, hashed passwords (Argon2), role-based access control, per-device authorization, periodic backups, monitoring and audit logging, and least-privilege access by our staff. No security measure is perfect; you are required to keep your credentials confidential and to notify us promptly of any suspected breach.
10. Children
The Service is not directed to individuals under the age of 18 and we do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor we will delete it without delay.
11. Cookies
Information on the cookies and similar technologies we use is provided in our separate Cookie Policy.
12. Changes to this Policy
We may amend this Privacy Policy from time to time to reflect changes in our practices or in the law. Material changes will be notified by email at least 30 days before the effective date. The "Last updated" date at the top of this page reflects the most recent revision.
