Last Updated: 12 May 2025
This Privacy Policy explains how 4JQ Limited ("SquadTracker", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use the SquadTracker app (iOS and Android) or website at squadtracker.co.uk. We are the data controller for all personal data described in this policy and are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Company: 4JQ Limited
Company Number: 16841559
Registered Office: 16 Hulme Grove, Highfield, Wigan WN3 6GS, United Kingdom
Contact: support@squadtracker.co.uk
When you create a SquadTracker account we collect your first name, last name, email address, and a password. Passwords are stored as a one-way cryptographic hash — we cannot read or recover your password. We also store whether your email address has been verified and security metadata such as the date your password was last changed (used to invalidate old sessions) and the date of any account suspension.
Legal basis: Contract performance — this data is necessary to provide your account.
If you enable two-factor authentication, we store an encrypted one-time password (TOTP) secret and a set of hashed backup codes. The TOTP secret is encrypted using AES-256 before being stored and cannot be read in plaintext. 2FA is mandatory for club owners and administrators.
Legal basis: Legitimate interests (account security).
When you use SquadTracker to manage teams and clubs, you provide and we store:
Legal basis: Contract performance — this is the core service you have contracted us to provide.
Coaches enter player records containing first name, last name, jersey number, position, and optionally a player photo. Players are associated with teams and their match statistics are recorded against their records.
Where players are minors, SquadTracker includes a consent management system. Coaches can request parental or guardian consent before storing a player's data. We record whether consent is required, the consent type (parental or self), the consent status, the name of the person who gave or declined consent, and the date consent was given or declined.
Legal basis: Legitimate interests of the club / consent where required for minors' data.
The digital teamsheet feature allows home coaches, away coaches, and referees to sign match teamsheets within the app. These signatures are captured as image data and stored securely. Completed teamsheets are exported as PDF documents and stored in our private cloud storage, accessible only to the relevant club.
Legal basis: Legitimate interests (record-keeping for league and competition purposes).
Club administrators may add parent or guardian contact details — specifically first name, last name, email address, and optionally a phone number — in order to send payment requests, manage player subscriptions, and request data consent. This information is stored securely and is only accessible to authorised administrators of the club that added it.
Legal basis: Legitimate interests of the club (managing payments and consent).
When you upload a team logo, club logo, player photo, or training drill diagram, the app requests access to your camera or photo library. We only access the specific image you choose to upload — we do not scan, index, or store any other content on your device. Logos and drill diagrams are stored in our cloud storage with public read access (they are accessible via a direct URL). Uploaded images are automatically resized and converted to WebP format before storage.
Legal basis: Contract performance / Consent (permission requested at point of use).
If you grant permission for push notifications, we store a device push token issued by Apple (APNs) or Google (Firebase Cloud Messaging) against your account. This token is used solely to deliver notifications about your teams, including:
You can disable push notifications at any time in your device settings or within the app. Stale tokens that can no longer receive notifications are automatically removed from our systems.
Legal basis: Consent.
We do not store full payment card details. Payments are processed by Stripe (for web subscriptions and club payment collection) and by Apple or Google (for in-app purchases). We store the identifiers these payment processors assign to you (Stripe customer ID, Stripe subscription ID, Adapty profile ID), your subscription status, tier, and expiry date, and payment request records including amounts, descriptions, and payment status. These records are necessary to grant you access to paid features and to maintain accurate financial records.
Stripe Connect: Clubs that enable the payments feature connect a Stripe Express account to receive payments from parents and guardians. In this case, Stripe collects identity and banking information directly from the club as part of their Know Your Customer (KYC) process. We store only the Stripe Connect account ID and onboarding status.
Legal basis: Contract performance / Legal obligation (financial record-keeping).
If you submit a contact enquiry through our website, we collect your name, club name, email address, phone number, and your message. This information is used solely to respond to your enquiry.
Legal basis: Legitimate interests.
We use Sentry to automatically capture error reports and crash logs when the app encounters a problem. Sentry may capture:
We also log your approximate IP address for security purposes such as detecting unusual login activity. We do not collect GPS location or any other geolocation data.
Legal basis: Legitimate interests (service reliability and security).
We record whether you have opted out of marketing emails. Every marketing email contains a one-click unsubscribe link. Unsubscribing does not affect transactional emails such as password resets, security alerts, payment confirmations, and team invitations.
Legal basis: Legitimate interests (with opt-out).
We send the following types of email. Transactional emails are sent regardless of marketing preferences as they are necessary to operate your account or complete a transaction you have initiated.
| Type | Trigger | |
|---|---|---|
| Email verification | Transactional | Account creation |
| Password reset | Transactional | Password reset request |
| Security alert | Transactional | 5 consecutive failed login attempts |
| Team invitation | Transactional | Coach invited to a team |
| Team access granted | Transactional | Added to a team or club |
| Coach account created | Transactional | Club admin creates a coach account |
| Payment request | Transactional | Club sends a payment request to a parent |
| Payment reminder | Transactional | Overdue payment reminder |
| Payment confirmation | Transactional | Successful payment received |
| Player subscription setup | Transactional | Club sets up recurring payment for a player |
| Data consent request | Transactional | Coach requests consent for a player's data |
| Product updates and news | Marketing | Sent to opted-in users only |
We use the following third-party services to operate SquadTracker. Each is subject to its own privacy policy and, where required, we have data processing agreements in place.
| Service | Purpose | Data involved |
|---|---|---|
| Railway | Application hosting, PostgreSQL database, and file storage | All app data is stored on Railway infrastructure |
| Google Firebase (FCM) | Push notification delivery to iOS and Android devices | Device push token and notification content |
| Stripe | Coach and club subscription payments (web); club payment collection from parents via Stripe Connect | Email address, subscription details, payment records. Card data held by Stripe only. |
| Adapty | In-app subscription management for iOS and Android purchases | User ID and subscription status |
| Apple (App Store) | iOS in-app purchases | Transaction data held by Apple subject to Apple's privacy policy |
| Google (Play Store) | Android in-app purchases | Transaction data held by Google subject to Google's privacy policy |
| Sentry | Crash reporting, error tracking, and limited session replay for bug diagnosis | Error logs, browser/device info, masked session replays (no readable text) |
| SMTP email provider | Delivery of all transactional and marketing emails | Email address, name, email content |
We do not sell your personal data. We do not share your data with any other third parties except as described above or where required by law.
SquadTracker uses a single session cookie to keep you signed in. This cookie:
We do not use advertising cookies, analytics tracking cookies, or any third-party cookies for marketing purposes.
SquadTracker accounts are for coaches, club administrators, and parents or guardians aged 16 and over. We do not knowingly provide accounts directly to children under 16.
Coaches may enter the names, positions, jersey numbers, and match statistics of players who are minors as part of managing their teams. This data is used solely for team management purposes and is not used to create profiles of individual children beyond what the coach enters.
SquadTracker includes a built-in consent management system. Coaches can be required to obtain verifiable parental or guardian consent before a player's data is stored. Consent requests are sent by email, and consent status (given, declined, or pending) is recorded alongside the name of the consenting person and the date consent was given. Coaches can withdraw or update consent at any time.
If you believe we have received data relating to a child without appropriate consent, please contact us immediately at support@squadtracker.co.uk.
| Data | Retention period |
|---|---|
| Account data (name, email, settings) | Retained while account is active. Deleted within 30 days of a verified deletion request. |
| Team, club, match, and training data | Retained while the account or club subscription is active. |
| Player data and consent records | Retained while the team is active. Deletion follows account or club deletion. |
| Payment records and invoices | Retained for 7 years to comply with UK financial record-keeping requirements. |
| Push notification tokens (FCM) | Removed on logout, when notifications are disabled, or automatically when the token becomes invalid. |
| Teamsheet PDFs | Retained while the club is active. Accessible via time-limited signed URLs. |
| Sentry crash logs and session replays | Automatically deleted by Sentry after 90 days. |
| Contact enquiries | Retained for 2 years then deleted. |
You have the following rights regarding your personal data:
To exercise any of these rights, contact support@squadtracker.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
Your data is primarily stored on Railway infrastructure. Some third-party services we use — including Google Firebase and Sentry — may process data on servers in the United States. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the Information Commissioner's Office.
We may update this Privacy Policy from time to time to reflect changes in the app or legal requirements. When we make significant changes, we will notify you by email and update the “Last Updated” date above. Continued use of SquadTracker after changes are posted means you accept the updated policy.
For questions, data access requests, or deletion requests relating to this Privacy Policy or your personal data, please contact us:
Email: support@squadtracker.co.uk
Company: 4JQ Limited (Company Number: 16841559)
Registered Office: 16 Hulme Grove, Highfield, Wigan WN3 6GS, United Kingdom