Privacy Policy · Field to Play

Field to Play ("we", "us", "our") is an independent sports platform based in Lisbon, Portugal. This policy explains what personal data we collect, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), Portuguese data-protection law (Lei n.º 58/2019), and, where applicable, the Brazilian Lei Geral de Proteção de Dados (LGPD, Lei n.º 13.709/2018).

Who is the data controller

The data controller is the team operating Field to Play, based in Lisbon, Portugal. Contact for privacy matters: [email protected]. For general questions: [email protected].

What personal data we collect

Account data, the email you sign in with, your name (from Google/Apple or typed at signup), profile photo, preferred language, and approximate city. Collected when you register or update your profile.
Player data, sports you play, self-assessed player card stats, match results you record, teams you join, tournaments you enter, and achievements you earn on the platform.
Booking data, the facilities you book, dates and times, prices, and the payment metadata Stripe returns (but never card numbers, see Payments below). Retained as long as your account is active + 6 years for tax and accounting reasons (Portuguese law).
Technical data, IP address, user-agent, device type, approximate geographic location derived from the IP, session tokens (in cookies), and timestamps of logins. Needed to deliver the service and detect abuse.

Why we process it

Service delivery, running your account, letting you book, matchmake, message, and get paid by other users (legal basis: performance of a contract with you, GDPR Art. 6(1)(b)).
Transactional email, sign-in links, booking confirmations, payment receipts, and service notices, sent via Resend (legal basis: performance of a contract).
Fraud and abuse detection, rate-limiting, IP checks, review of flagged accounts (legal basis: our legitimate interest in protecting the platform, GDPR Art. 6(1)(f)).
Product improvement, aggregated usage analytics via PostHog, only after you accept cookies (legal basis: your consent, GDPR Art. 6(1)(a)).

Legal basis summary

Where we rely on consent (analytics cookies, newsletter, notifications), you can withdraw it at any time from the Cookies settings at the bottom of the page or by unsubscribing from emails. Withdrawing consent doesn't retroactively affect processing that was lawful at the time.

Sub-processors we use

We use these vetted third-party services to run Field to Play. Each has its own privacy policy and, for EU users, appropriate safeguards under GDPR Chapter V:

Railway (USA / EU regions), hosts our servers and database. https://railway.app/legal/privacy
Stripe (IE / USA), payment processing for bookings, Premium, and Connect payouts. https://stripe.com/privacy
Resend (USA), transactional email delivery. https://resend.com/legal/privacy-policy
PostHog (EU cloud, Frankfurt), product analytics. Only loads if you accept optional cookies. https://posthog.com/privacy
Sentry (USA), application error monitoring (no personal data intentionally sent). https://sentry.io/privacy/
Google (IE / USA), Sign in with Google (we receive only your name, email, avatar, and Google sub). https://policies.google.com/privacy
Apple (IE / USA), Sign in with Apple (we receive only your email, optional name on first consent, and the opaque sub). https://www.apple.com/legal/privacy/

How long we keep your data

Account and player data are kept while your account is active and for up to 90 days after deletion, so we can restore a mistakenly-deleted account. Booking records are kept for 6 years (Portuguese tax law, Decreto-Lei n.º 28/2019). Server logs are rotated after 30 days. Analytics events are auto-deleted by PostHog after 12 months.

Your rights

Under GDPR (and analogous provisions in LGPD), you have the following rights, free of charge and answered within 30 days:

Right of access, request a copy of the personal data we hold about you.
Right to rectification, correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"), delete your account and personal data, subject to the legal retention periods above.
Right to data portability, receive your data in a structured, machine-readable format.
Right to object, object to processing based on legitimate interest, including direct marketing.
Right to complain, lodge a complaint with your supervisory authority. In Portugal: Comissão Nacional de Proteção de Dados (CNPD, https://www.cnpd.pt). In Brazil: Autoridade Nacional de Proteção de Dados (ANPD). In Spain: Agencia Española de Protección de Datos (AEPD).

Payments

All payments are processed by Stripe. We never see or store your card number, Stripe tokenises card data and we only receive a payment reference and metadata (amount, currency, status, last four digits). Stripe is PCI DSS Level 1 certified. You can review Stripe's data practices at https://stripe.com/privacy.

Age restrictions

Players must be 16 or older to create an account without parental consent. Users aged 13-15 require verifiable parental consent per GDPR Art. 8 (and Brazilian LGPD Art. 14). We do not knowingly collect data from children under 13. If you believe a minor has created an account, email [email protected] and we will remove it.

International data transfers

Some of our sub-processors operate outside the EU/EEA (notably Stripe, Resend, Sentry, Google and Apple in the USA). Transfers are covered by Standard Contractual Clauses (GDPR Art. 46) and, for US services, Data Privacy Framework certification where available.

How to contact us

For any privacy request, access, correction, deletion, portability, or a complaint, email [email protected]. Identify yourself with the email address on your account so we can verify the request. We respond within 30 days per GDPR Art. 12(3).

Changes to this policy

Material changes will be announced by email to active users at least 30 days before taking effect. Minor clarifications (fixing a typo, adding a sub-processor) update this page with a new "Last updated" date.