Privacy policy
Last updated: 2026-05-12
What this policy covers
Föreningsdomare is a web service where amateur sports clubs administer matches, referee assignment and compensation. This policy describes how we process personal data in the signed-in app at new.foreningsdomare.se (and the future app.foreningsdomare.se). Information about the expression-of-interest form and anonymous web analytics on our landing page is covered by a separate policy at foreningsdomare.se/integritetspolicy.
Data controller
The service is currently operated as an individual project. The data controller is the project's author, reachable via support@foreningsdomare.se. When the service is transferred to a company this policy will be updated here.
Which personal data we process
When you or your club use the app we process the following:
- Account: name, e-mail address, phone number, which club you belong to and your roles (e.g. referee, team manager, club admin).
- Bank account details for compensation payouts, encrypted at rest with envelope encryption. The app shows only the last four digits; we cannot read the full value.
- Match information: matches you have refereed or administered, dates, teams, venue and the associated compensation.
- Supporting documents and receipts: files you upload as compensation documentation.
- Messages between users in the app.
- Club logo uploaded by the club.
- Change logs (audit log) for certain sensitive actions (e.g. role changes, deletions).
- Consent choices: whether you have accepted or declined cookies is stored per user.
Legal basis and purpose
- Account, sign-in, match management, messages: contract. We need the data in order to deliver the service you or your club ordered (GDPR art. 6.1 b).
- Compensation documentation and audit log: legal obligation. As accounting records, certain data must be retained under the Swedish Bookkeeping Act (GDPR art. 6.1 c).
- Error reporting to Sentry: legitimate interest. We need to be able to detect and fix technical errors in the app (GDPR art. 6.1 f). Personal identifiers are scrubbed before the event is sent, and a smaller portion of performance data is sampled in production to keep down the amount of data forwarded.
Who we share data with (subprocessors)
We do not share any data with marketers or other clubs. To operate the service we engage the following technical subprocessors:
- Supabase (EU, Stockholm): stores the database, authentication and uploaded files (receipts, club logos).
- Resend (EU): sends transactional e-mail (invitations, password resets, notifications).
- Vercel: hosts the web app and runs the server-side functions.
- Sentry (EU, Frankfurt): receives error reports with personal identifiers removed.
We have a data processing agreement (DPA) with each subprocessor that binds them to a GDPR level of protection. No data is intentionally transferred outside the EU/EEA.
How long we keep data
- Account data: for as long as your account is active. When you or the club requests deletion the account is anonymised immediately; the anonymised tombstone row (without your personal data) remains for 2 years so that we can preserve coherent historical references on matches and logs, and is then purged automatically.
- Messages in the app: up to 2 years, then purged automatically.
- Match history: archived matches are kept for 5 years after the match date. However, matches that form part of accounting records follow the retention period for that documentation (see below).
- Accounting records (compensation, receipts, invoices): 7 years under the Swedish Bookkeeping Act.
- Audit log: 5 years.
- Error reports (Sentry): 90 days.
Purging is based on statutory requirements and the principle of data minimisation (GDPR art. 5.1.e) and runs weekly in production. For minor referees a shorter retention applies where we are able to register age.
Security measures
- All traffic between your device and the server goes over encrypted HTTPS/TLS.
- Authorization is enforced at the database level: every query is limited to the data your role and your club are allowed to read.
- Passwords are never stored in plain text but as encrypted hashes; not even we can read them.
- Bank account details are encrypted at rest with envelope encryption. The full number cannot be retrieved by us; only the last four digits are shown.
- Sensitive actions (role changes, deletions, account handover) are recorded in an audit log.
Cookies and local storage
We use the following:
- Session cookies from Supabase Auth: strictly necessary to keep you signed in. You cannot turn these off without also signing out.
- fd_samtycke in local storage: stores your cookie choice. It is written only after we have saved it server-side so that the setting follows you across devices.
We do not use tracking cookies or cookies from advertising providers. Anonymous web analytics is prepared but not yet enabled; when we enable it this policy will be updated first.
Your rights
As a data subject you have the right to:
- request a copy of the data we hold about you (subject access request),
- have inaccurate data corrected,
- request erasure. The app has a self-service function under Settings → Privacy that lets you download and anonymise your account. Accounting records are retained as required by law even after erasure, but personal fields are anonymised.
- object to processing we base on legitimate interest,
- lodge a complaint with the Swedish Authority for Privacy Protection (IMY) if you believe we are in breach of the GDPR: imy.se.
Children and young people
Föreningsdomare is aimed at club administrators, referees and team managers, typically adults. We do not intentionally collect data about players or other minors.
Contact
Questions about personal data, or requests to exercise any of the rights above, should be sent to support@foreningsdomare.se.
Changes to the policy
If we make a material change, signed-in users are informed via the cookie/consent banner and, where needed, by e-mail. Minor wording adjustments are updated without separate notice; the latest version is always the one shown here.