Privacy Policy

1. Data Controller

SVMS Consultancy Limited is the data controller responsible for your personal data processed through FootballGPT.

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account Information

• Email address (required for account creation)
• Password (stored in hashed form only)
• Name (if provided)
• Date of birth (to verify age eligibility)
• User mode preference (Coach, Player, or Football Manager)

2.2 Profile Information (Optional)

You may optionally provide additional profile information to personalize your experience:

• Coach Profile: Age group coached, team format, club name, preferred formation, coaching qualifications, experience level, coaching priorities
• Player Profile: Position, playing level, age group, development goals
• Football Manager Profile: Current save details, team, league

Profile information is entirely optional and can be deleted at any time via Settings.

2.3 Conversation Data

• Messages you send to FootballGPT
• AI-generated responses
• Chat history (Pro subscribers only)
• Feedback ratings you provide on responses

2.5 Usage Data

• Daily message counts and streaks
• Feature usage patterns
• Session timestamps
• Device and browser information
• IP address
• Badges and achievements earned

2.6 Payment Data

• Stripe customer ID
• Subscription status and history
• Billing dates

Note: Full payment card details are processed and stored securely by Stripe. We do not have access to your complete card number.

3. How We Use Your Data

We process your personal data for the following purposes:

4. AI Processing and Third-Party AI Providers

Important: FootballGPT uses artificial intelligence to generate responses to your coaching questions. This involves sharing your conversation data with third-party AI service providers.

4.1 OpenAI

Your messages are sent to OpenAI's API to generate AI responses. When you use FootballGPT:

• Your message content is transmitted to OpenAI's servers in the United States
• OpenAI processes your data according to their Privacy Policy
• We use OpenAI's API which does not use your data to train their models
• OpenAI retains API data for up to 30 days for abuse monitoring purposes

4.2 Automated Decision-Making

The AI responses you receive are generated automatically without human review. These responses are informational only and should not be treated as professional advice. You have the right to request human review of any AI-generated content by contacting us.

5. Data Sharing and Third Parties

We share your personal data with the following categories of recipients:

5.1 Service Providers

• OpenAI (USA): AI model provider for generating responses
• Supabase (USA): Database hosting and authentication services
• Stripe (USA): Payment processing
• Vercel (USA): Application hosting
• Resend (USA): Email delivery services

5.2 Legal Requirements

We may disclose your data if required by law, court order, or to protect our legal rights, or the safety of our users or the public.

We do not sell your personal data to third parties or use it for third-party advertising.

6. International Data Transfers

Your personal data is transferred to and processed in the United States by our service providers. These transfers are necessary to provide the FootballGPT service.

We ensure appropriate safeguards are in place for these transfers, including:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Service providers' compliance with relevant data protection frameworks
• Additional technical and organisational measures to protect your data

You can request more information about international transfers and the safeguards in place by contacting us.

7. Data Retention

We retain your personal data for the following periods:

• Account data: Until you delete your account, plus up to 30 days for backup purposes
• Chat history (Pro users): Until you delete conversations or your account
• Free user conversations: Not stored beyond the current session
• Usage data: 12 months from collection
• Payment records: 7 years (legal requirement)
• Feedback data: Until you delete your account or request deletion

After the retention period, data is securely deleted or anonymised.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of your personal data
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restrict processing: Request limitation of how we use your data
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent
• Right not to be subject to automated decision-making: Request human review of AI decisions

To exercise any of these rights, contact us at admin@360tft.com. We will respond within one month of receiving your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption in transit (TLS/HTTPS) and at rest
• Secure password hashing (bcrypt)
• Access controls and authentication
• Regular security reviews and updates
• Secure hosting infrastructure with our service providers

While we take reasonable steps to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
• Notify you directly without undue delay if the breach is likely to result in a high risk to your rights
• Provide details of the nature of the breach, likely consequences, and measures taken or proposed

We maintain incident response procedures to detect, report, and investigate personal data breaches promptly.

11. Cookies and Tracking

FootballGPT uses the following cookies:

Essential Cookies

• Authentication cookies: Keep you logged into your account
• Session cookies: Maintain your session state
• Security cookies: Protect against cross-site request forgery

We do not use third-party advertising or tracking cookies. We do not share cookie data with advertisers.

12. Children's Privacy

FootballGPT is designed for users aged 13 and over. We collect date of birth at signup to verify age eligibility, in compliance with UK GDPR (which sets the age of digital consent at 13).

We do not knowingly collect personal data from individuals under 13 years of age. If you believe we have inadvertently collected data from a child under 13, please contact us immediately and we will take steps to delete the information.

For users aged 13-17, we recommend parental awareness of the service. Our Player Mode includes age-appropriate content and advisors designed for young footballers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

• Email notification to your registered email address
• Prominent notice on the FootballGPT website
• Updating the "Last updated" date at the top of this policy

We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: