Privacy Policy

BallonRank (“we”, “us”) is the data controller for personal data processed through the BallonRank platform. We operate in the United Kingdom and South Africa and are committed to compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the South African Protection of Personal Information Act (POPIA).

Account Information: When you register, we collect your name, email address, password (hashed by our auth provider), and role (Player, Parent, Coach, or Scout).

Player Profile Data: If you submit a player profile, we collect personal details including name, date of birth, physical measurements, club/academy affiliation, region, and profile image.

Performance Data: Match statistics, physical benchmarks, scout evaluations, and highlight video links submitted to the platform.

Usage Data (with consent): If you allow analytics cookies, we collect anonymised usage events (page views, feature interactions) via our analytics processor to improve the product.

Payment Data: If you subscribe to a paid tier, we collect a subscription identifier and billing metadata. Card details are handled entirely by Stripe — we never see or store them.

We process personal data on the following lawful bases:

• Contract: to provide the service you sign up for.
• Legitimate interest: to secure the platform, prevent fraud, and maintain rankings.
• Consent: for analytics cookies and for processing the data of players under 16.
• Legal obligation: where we must retain records for tax, accounting, or regulatory reasons.

• Create and maintain player profiles and rankings
• Calculate composite scores and star ratings
• Enable verified scouts to discover talent
• Send notifications about profile updates, rankings, and scout activity
• Verify player identities and submitted statistics
• Provide subscription billing and account support
• Improve the platform via aggregated, anonymised usage analytics (with consent)

Player profiles marked as published are visible to all authenticated users and appear in public rankings. This includes name, position, age group, region, club, rankings, and statistics.

We use the following trusted processors to run the platform. Each is bound by data processing agreements:

• Supabase — authentication and database hosting (EU region).
• Vercel — application hosting and content delivery.
• Stripe — subscription payments (card data handled entirely by Stripe).
• Brevo — transactional email delivery (EU region).
• PostHog (EU) — product analytics, only if you have granted analytics consent.
• Sentry — error monitoring (no personal data intentionally sent).
• Cloudflare — bot mitigation for sign-up and contact forms.

We do not sell personal data. Anonymised, aggregated data may be used for research, partnership, or marketing purposes.

BallonRank serves youth football players aged 11–19. Under UK GDPR Article 8 and POPIA Section 35, a child under 16 cannot consent to the processing of their personal data — a parent or guardian must consent on their behalf.

When a profile is submitted for a player under 16, we require the parent or guardian’s email address and an explicit consent confirmation. We record the timestamp of that consent.

A parent or guardian may withdraw consent, request erasure, or export their child’s data at any time by contacting us or using the tools on the Privacy & Data settings page.

We use industry-standard security measures: TLS everywhere, secure authentication with password hashing and OAuth via Supabase, role-based access controls, application-level security headers (CSP, HSTS, frame-denial), and regular dependency updates. Admin actions are audit-logged.

You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. You can:

• Export all data we hold on you as a JSON file
• Permanently delete your account and all associated data
• Update your profile and notification preferences
• Withdraw analytics consent at any time

Most of these actions are self-service on the Privacy & Data settings page. For anything else, email hello@ballonrank.comwith “Privacy Request” in the subject line. We respond within 30 days.

If you are unhappy with how we handle your data, you may complain to your supervisory authority — the Information Commissioner’s Office (UK) or the Information Regulator (South Africa).

We use three categories of cookies and local storage:

• Necessary: authentication, session, CSRF, and your consent preferences. Always on — required for the site to function.
• Analytics (optional): PostHog analytics cookies, only loaded after you opt in.
• Functionality (optional): reserved for future UX-enhancement features. Currently unused.

You can change your choices at any time via the “Manage cookie preferences” link in the footer.

We retain account and profile data while your account is active. If you delete your account, we remove or anonymise all personal data within 30 days, except where we are legally required to retain records (e.g. payment receipts for tax purposes — kept for up to 7 years).