Privacy Policy

1. Who We Are

Sports Control Hub operates tournament management and display software for sports organizations. Our registered contact address is:

2. Data We Collect

Sports Control TV (Android TV app)

Tournaments@Sports Control Hub Web Platform

3. How We Use Your Data

Legitimate Interest Assessment

For processing based on legitimate interest, we have conducted a balancing test to ensure our interests do not override your rights:

• TV Display Operation: Necessity: Device identification required for tournament linking and real-time score synchronization. Safeguards: Device registration deleted upon unlink or tournament completion. User benefit: Live tournament visibility at venues. Risk assessment: Minimal; data never shared externally.
• Device Authentication: Necessity: Secure device pairing prevents unauthorized tournament access. Safeguards: Device IDs are one-way hashed, temporary linking codes expire in 15 minutes, admin approval required. User benefit: Venue security, prevention of score manipulation. Risk assessment: Minimal; authentication is essential for service function.
• Support Requests: Necessity: Email and device data needed to troubleshoot and resolve issues. Safeguards: Data retained only while troubleshooting (max 30 days unless ongoing issue), then deleted. User benefit: Faster technical support. Risk assessment: Minimal; data only retained as long as necessary for resolution.

We do not use your data for advertising, profiling, or any purpose beyond operating our services. Analytics collection is opt-in via explicit consent dialog shown on app first launch.

4. Data Sharing & Processors

No Data Sale

We do NOT sell, rent, or lease your personal data to third parties.

Third-Party Service Processors

We use the following service providers (data processors) to operate our services:

All processors are bound by Data Processing Agreements (DPAs) incorporating Standard Contractual Clauses (SCCs) for GDPR and RA 10173 compliance.

Sub-Processors

Google may engage additional sub-processors for cloud services (networking, backup, disaster recovery). We provide 30 days' notice before adding new sub-processors; you may object within this period by contacting privacy@sportscontrolhub.com.

Legal Disclosure

We may disclose data if required by applicable law, court order, or governmental request, only to the extent legally required. We will attempt to notify you of such requests unless legally prohibited from doing so.

5. Data Retention

Automated Deletion Confirmation

You can request confirmation that your data has been deleted. Email privacy@sportscontrolhub.com with "Deletion Confirmation Request" and we will respond within 14 days with proof of deletion.

Retention Exceptions

Data may be retained longer than above in the following circumstances:

• If required by applicable law (tax law, audit requirements, dispute resolution)
• If you request extended retention (e.g., tournament organizers archiving historical records)
• If data is anonymized (we may retain anonymized tournament statistics indefinitely)
• If a legal claim or dispute is pending (data retained until claim is resolved)

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data. We provide specific procedures below for exercising each right.

Right of Access (GDPR Article 15 / RA 10173 Section 12)

What: Request a copy of all personal data we hold about you.

How: Email privacy@sportscontrolhub.com with "Data Access Request" in the subject line and your registered email address or device ID.

Timeline: We will respond within 30 days with your data in CSV or JSON format (your choice).

Right of Rectification (GDPR Article 16 / RA 10173 Section 12)

What: Request correction of inaccurate personal data.

How: For Tournaments@Sports Control Hub accounts, log in and edit your profile. For TV devices, contact us at privacy@sportscontrolhub.com with your device ID and requested corrections.

Timeline: We will confirm corrections within 14 days.

Right of Erasure / Right to Be Forgotten (GDPR Article 17 / RA 10173 Section 12)

What: Request deletion of your personal data (with exceptions for legal obligations).

How: Email privacy@sportscontrolhub.com with "Data Deletion Request" in the subject line. Specify what data to delete.

What we can delete: Account information, tournament records, player contact data, registration records.

What we cannot delete: Payment proof (12 months for tax compliance), device registration if tournament is ongoing.

Timeline: We will process deletion within 30 days and confirm completion.

Right to Restrict Processing (GDPR Article 18)

What: Request that we limit processing of your data (e.g., during a dispute resolution).

How: Email privacy@sportscontrolhub.com with "Restrict Processing Request" and your reason.

Timeline: We will confirm restrictions within 14 days.

Right to Data Portability (GDPR Article 20 / RA 10173 Section 12)

What: Receive your personal data in a machine-readable format (CSV, JSON) to transfer to another service.

How: Email privacy@sportscontrolhub.com with "Data Portability Request" and specify desired format.

Timeline: We will provide your data within 30 days. Includes: account info, tournament records, player data, registration history.

Right to Object (GDPR Article 21)

What: Object to processing based on legitimate interest.

How: Email privacy@sportscontrolhub.com with "Objection to Processing" and specify which processing.

Timeline: We will review your objection within 30 days. If valid, processing will cease unless we demonstrate compelling legitimate interests that override your rights.

Right to Withdraw Consent (GDPR Article 7)

What: Opt out of analytics and performance monitoring at any time.

How:

• Sports Control TV app: Go to Settings > Privacy > Analytics and toggle OFF. Or select "Reset Setup" to clear all settings.
• Tournaments@Sports Control Hub: Go to Account Settings > Privacy > Disable Analytics, or contact us at privacy@sportscontrolhub.com.
• General: Email privacy@sportscontrolhub.com to withdraw consent.

Effect: Withdrawal takes effect immediately. No future analytics data will be collected. Previously collected data (within 2-month retention window) will be deleted upon withdrawal.

Rights Related to Automated Decision-Making (GDPR Article 22)

What: Right to obtain manual review if an automated decision significantly affects you.

How: Device revocation is a manual process and does not qualify as fully automated decision-making. However, if you believe revocation was in error, email privacy@sportscontrolhub.com to request a manual review.

Timeline: We will respond within 7 days with a decision and explanation.

How to Exercise Your Rights — Summary

EU/EEA and UK users (GDPR)

If you are located in the European Economic Area or United Kingdom, you have rights under the General Data Protection Regulation (GDPR). You also have the right to lodge a complaint with your local data protection authority.

Southeast Asia users

Our primary user base is in Southeast Asia. We comply with applicable data protection laws in the Philippines (Republic Act 10173 — Data Privacy Act of 2012) and other SEA jurisdictions where we operate.

7. Cross-Border Data Transfers

Data Transfer Locations

Our services use cloud infrastructure (Google Cloud) which stores and processes data in the United States and potentially other countries. Your personal data may be transferred to and processed in countries outside your country of residence, including:

• United States (primary: Google Cloud Platform regions)
• Other countries where Google maintains backup and disaster recovery infrastructure

Legal Safeguards for Transfers

We ensure adequate protection for international data transfers through:

1. Standard Contractual Clauses (SCCs)

Our Data Processing Agreement with Google incorporates Standard Contractual Clauses (Module Two: Controller-Processor) approved by the European Commission. These clauses create binding legal obligations for data processors to protect personal data transferred to countries without adequacy decisions.

2. Schrems II Compliance & Supplementary Measures

Following the CJEU Schrems II decision, we implement the following supplementary measures:

• Data Minimization: We minimize personal data transferred (device IDs are hashed, sensitive fields encrypted)
• Encryption in Transit: All data transmitted to Google Cloud uses TLS 1.2+ encryption
• Encryption at Rest: Data stored on Google servers is encrypted at rest using Google-managed or customer-managed keys
• Access Controls: Access to data is restricted to authorized personnel and monitored via audit logs
• Data Transfer Impact Assessment (DTIA): We have conducted a DTIA evaluating US surveillance laws and determined that risk mitigations are adequate for our use case
• Monitoring & Review: We monitor for changes in US law or Google's practices and update safeguards if risks increase

3. Data Subject Rights Across Borders

If you are an EU/EEA resident, you have additional rights regarding cross-border transfers. You can:

• Request confirmation of safeguards in place (we will provide SCC documentation)
• Lodge a complaint with your national Data Protection Authority (DPA) if you believe transfers are unsafe
• Request localized processing if available (contact privacy@sportscontrolhub.com to discuss options)

Philippines Data Localization (RA 10173)

Sports Control Hub acknowledges RA 10173 requirements and processes Philippine resident data in compliance with applicable localization rules. Data may be transferred to the US for processing as permitted under RA 10173 if adequate security measures and contractual protections are in place (see SCCs and supplementary measures above).

8. Children's Privacy

Age Restrictions

Our services are not directed at children under 13 years of age (or the applicable minimum age in your jurisdiction, such as 16 in the EU under GDPR Article 8). We do not knowingly collect personal information from children under these age thresholds.

Parental Consent for Young Athletes

Tournament organizers may collect data from athletes under the age threshold (e.g., youth sports tournaments). In such cases:

For US Users (COPPA Compliance, under 13)

Tournament organizers are responsible for:

• Obtaining verifiable parental consent before collecting any child's data
• Providing parents with a copy of this privacy policy
• Notifying parents of what specific data will be collected (player names, team assignments, match check-ins)

Sports Control Hub's responsibilities:

• Limit child data collection to what is necessary for tournament participation (no third-party marketing)
• Not use child data for advertising or behavioral profiling
• Delete child data upon organizer's request or tournament completion
• Provide parents with the ability to review, correct, and delete their child's data

For EU/EEA Users (GDPR Article 8 Compliance, under 16)

For users under 16: Parental consent is required for information society services. Tournament organizers must:

• Obtain verifiable parental consent (email, signed form, or equivalent)
• Document consent for audit purposes (retain for 12 months)
• Provide parents with this privacy policy and data processing information

Sports Control Hub processes child data only:

• With documented parental consent
• For legitimate tournament purposes
• With appropriate security and deletion timelines

What to Do If Your Child's Data Is Collected

Parents: If your child's data has been collected without your consent, or if you wish to review, correct, or delete your child's data, contact the tournament organizer first. If the organizer does not respond within 7 days, contact us at privacy@sportscontrolhub.com and we will assist.

Unauthorized Child Data Collection

If we become aware that a child's personal data has been collected without required parental consent, we will:

• Notify the parent/guardian immediately
• Delete the child's data within 7 days (unless legally obligated to retain)
• Take steps to prevent future unauthorized collection

Report unauthorized child data collection to privacy@sportscontrolhub.com immediately.

9. Security

Technical & Organizational Measures

We implement the following security measures to protect your personal data:

In Transit (Encryption)

• All data transmitted between our apps and servers uses TLS 1.2+ encryption
• HTTPS enforced for all web platform connections
• Device pairing codes are sent only over encrypted channels

At Rest (Encryption)

• Data stored on cloud servers is encrypted at rest using AES-256 or equivalent
• Sensitive identifiers (device IDs, account credentials) are hashed or encrypted with separate keys
• Encryption keys are managed by cloud provider with access restricted to authorized personnel

Access Controls

• Access to tournament data is role-based and restricted — devices can only access authorized tournaments
• Device linking requires physical 6-digit code entry and admin approval, preventing unauthorized remote access
• TV devices use secure authentication with no plaintext passwords stored locally
• API requests require authentication tokens that expire after 24 hours
• Admin access is logged and monitored for suspicious activity

Infrastructure Security

• Cloud infrastructure provided by Google Cloud with SOC 2 Type II certification
• Regular security audits and penetration testing (performed annually)
• Backup and disaster recovery procedures in place with regular testing
• DDoS protection and intrusion detection enabled

Limitations & Disclaimer

No method of electronic storage or transmission is 100% secure. While we take comprehensive precautions, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and should immediately notify us of any unauthorized access.

10. Analytics Consent Mechanism

How We Document Consent

Sports Control TV App (Android TV):

• First-launch dialog: On app first launch, a consent dialog appears asking "Help Us Improve — Enable analytics for crash reports and performance monitoring?" with ALLOW / DENY buttons.
• Storage: Your choice is stored locally in Android DataStore (encrypted local storage) with two preferences: analytics_consent (true/false) and analytics_consent_shown (confirmation flag).
• Transparency: The dialog text clearly explains what data is collected and that you can withdraw anytime.
• Revocation: You can withdraw consent anytime via Settings > Privacy > Analytics Toggle OFF, or by selecting "Reset Setup" to clear all data.

Tournaments@Sports Control Hub Web Platform:

• Initial consent: On first login, users see a consent prompt for analytics collection.
• Storage: Consent preference stored in your account settings.
• Revocation: Manage consent preferences in Account Settings > Privacy > Analytics, or contact us at privacy@sportscontrolhub.com.

Consent Withdrawal Confirmation

When you withdraw consent, we will:

• Stop collecting new analytics data immediately
• Delete analytics data collected within the last 2 months (Google's retention period)
• Older analytics data (beyond 2 months) is deleted by Google per standard retention policy
• Retain a record that you withdrew consent (for legal compliance)

Your withdrawal takes effect immediately. You will not receive another consent dialog unless you reinstall the app or reset account settings.

11. Automated Decision-Making & Device Revocation

Device Revocation Process

Tournament administrators may revoke access for a linked TV device. This is NOT a fully automated decision — it requires manual action by a tournament organizer or administrator.

How It Works:

1. Admin initiates revocation (manual action in Tournaments@Sports Control Hub dashboard)
2. Device receives revocation flag (within seconds of admin action)
3. Device logs out immediately and returns to setup screen
4. User is notified via app message that the device has been revoked

Your Rights if Revoked

If your device is revoked, you have the right to:

• Request explanation: Contact us at privacy@sportscontrolhub.com to understand why your device was revoked.
• Request manual review: If you believe revocation was in error, we will review the decision within 7 days.
• Appeal to tournament organizer: Contact the tournament organizer directly to request re-approval of your device.

12. Data Protection Officer & Compliance

Data Protection Officer

Sports Control Hub has appointed a Data Protection Officer (DPO) responsible for overseeing data protection compliance.

• DPO Contact: dpo@sportscontrolhub.com
• Role: The DPO is responsible for monitoring GDPR/RA 10173 compliance, handling data subject requests, managing Data Processing Agreements, and conducting Data Protection Impact Assessments.
• Confidentiality: You can contact the DPO in confidence. Your complaint will not result in retaliation.

Regulatory Compliance

Sports Control Hub complies with the following data protection frameworks:

• EU/EEA: General Data Protection Regulation (GDPR) — EU 2016/679
• United Kingdom: UK Data Protection Act 2018 and UK GDPR
• Philippines: Republic Act 10173 (Data Privacy Act of 2012) and implementing guidelines
• California, USA: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

13. Data Breach Notification

Our Commitment

In the event of a personal data breach (unauthorized access, loss, or disclosure), we are committed to:

European Union / EEA / United Kingdom (GDPR)

• Notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach
• Notify affected individuals without undue delay if there is a high risk to their rights or freedoms
• Provide details of the breach, affected data types, and recommended actions

Philippines (RA 10173)

• Report the breach to the National Privacy Commission (NPC) within 72 hours
• Notify affected data subjects of the breach, mitigating measures, and remedies available
• Provide contact information for further inquiries

California (CCPA/CPRA)

• Notify affected California residents without unreasonable delay
• Notify the California Attorney General if more than 100 residents are affected

Report a Breach

If you suspect a security incident affecting your data, please contact us immediately:

14. Changes to This Policy

Policy Updates

We may update this policy from time to time as our services evolve, laws change, or we improve our practices. The "Last updated" date at the top reflects the most recent revision.

What Constitutes a "Significant Change"

A significant change is one that:

• Alters your legal basis for processing (e.g., from "contract" to "consent")
• Introduces new data collection, sharing, or retention practices
• Expands data sharing to new third parties
• Lengthens retention periods
• Affects your rights or choices regarding your data

How We Notify You

Significant changes: We will notify affected users via:

• Email: For Tournaments@Sports Control Hub account holders (to registered email address)
• In-app notification: For Sports Control TV app users (display prominent notice on app launch)
• Timeline: 30 days' notice before changes take effect, unless required by law to implement immediately

Minor changes: Non-material updates (e.g., contact info, grammar) may be posted without advance notice.

Your Rights Upon Policy Changes

If you do not agree with a significant policy change, you have the right to:

• Opt out: Contact us at privacy@sportscontrolhub.com within 30 days of notification to object to the change.
• Request data deletion: You may request we delete your data if the change materially affects your rights (subject to legal retention obligations).
• Discontinue use: If you cannot accept the changes, you may discontinue use of our services and request account deletion.

Continued use of our services after 30 days of notification constitutes acceptance of the updated policy.

15. Contact Us

Privacy Inquiries & Data Requests

For questions about this policy, to exercise your rights, or to report privacy concerns:

Data Protection Officer

For data protection compliance inquiries:

Security Incidents

To report a suspected data breach or security vulnerability:

Regulatory Complaints

If you believe we have violated data protection laws, you have the right to lodge a complaint with the relevant regulatory authority:

• EU/EEA residents: Your national Data Protection Authority (DPA)
• UK residents: Information Commissioner's Office (ICO)
• Philippines residents: National Privacy Commission (NPC)
• California residents: California Privacy Protection Agency (CPPA)