Privacy Policy
mygooly.com · Effective 1 June 2025 · EU Regulation 2016/679 (GDPR) · Version 2.0
1. Data Controller
The data controller within the meaning of Art. 4(7) GDPR is:
We are not required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR as our processing does not meet the criteria in para. 1(a), (b) or (c).
2. What data we process
2.1 Anonymous users
We do not store any personal data for anonymous users. Matches and teams are stored without any link to a person's identity.
2.2 Registered users (club members)
- Email address
- Hashed password (we never store passwords in readable form)
- Club name
- Match data and team squad linked to the club
- Player names entered voluntarily by the user for result and statistics tracking
Note: Entering player names for result sheets is permitted under the legitimate interest of a sports club (Art. 6(1)(f) GDPR). For players under 15 we recommend obtaining parental consent for public profiles.
2.3 Technical data
- IP address (server logging, max. 30 days)
- Session cookies (session token, required for login)
- Anonymised traffic analytics (Vercel Analytics)
3. Purpose and legal basis of processing
- Providing the Service and account management — performance of contract (Art. 6(1)(b) GDPR)
- Result sheets and player statistics — legitimate interest (Art. 6(1)(f) GDPR)
- Security and abuse prevention — legitimate interest
- Anonymised traffic analytics — legitimate interest
3a. Two-layer processing — player data entered by users
mygooly.com distinguishes two categories of personal data with different legal regimes:
- Platform user data (email, password, account) — PPC Pohotovost s.r.o. acts as controller.
- Player data entered by users (names, results) — the user (coach/club) acts as controller, PPC Pohotovost s.r.o. acts as processor.
How to exercise a player's rights
Requests for access, correction or deletion of a specific player's data should be directed to the club or coach who entered the data. Contact us at info@mygooly.com if you do not know who the controller is.
4. Recipients of personal data
Your data is not sold or shared with third parties for commercial purposes. We use:
- Supabase Inc. — database and authentication (USA; EU standard contractual clauses)
- Vercel Inc. — hosting and analytics (USA; EU standard contractual clauses)
5. Camera and motion detection
The penalty game uses the camera exclusively on-device — all processing happens in the user's browser. Video is never sent to a server or stored.
6. Data retention
- Match and team data — for the lifetime of the account + 30 days after deletion
- Anonymous matches — 90 days from last access
- Session cookies — until logout or max. 30 days
- Server logs (IP address) — 30 days
- Backups — max. 7 days
7. Your rights
- Access (Art. 15) — copy of your personal data
- Rectification (Art. 16) — correction of inaccurate data
- Erasure (Art. 17) — deletion of account and all data
- Portability (Art. 20) — your data in JSON/CSV format
- Objection (Art. 21) — objection to legitimate-interest processing
Requests: info@mygooly.com. We respond within 30 days.
8. Cookies
We use only technically necessary cookies (session token). We do not use third-party marketing or tracking cookies.
9. Data security
- Passwords are hashed (bcrypt)
- Communication encrypted via HTTPS/TLS
- Access to data restricted to authorised persons
- Regular security updates
10. Complaints and supervisory authority
You have the right to lodge a complaint with a supervisory authority. For users in the EU, you may contact the authority in your country of residence, or in the Czech Republic:
Please contact us at info@mygooly.com before filing a complaint — we can resolve most issues directly and faster.
11. Changes to this document
We will notify registered users of material changes by email or in-app notice at least 14 days before they take effect. The current version is always available at www.mygooly.com/gdpr.
GDPR contact: info@mygooly.com
Terms & Conditions