Privacy Policy

1. Data Controller

SVMS Consultancy Limited is the data controller responsible for your personal data processed through FootballGPT.

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account Information

• Email address (required for account creation)
• Password (stored in hashed form only)
• Name (if provided)
• Date of birth (to verify age eligibility)
• User mode preference (Coach, Player, or Football Manager)

2.2 Profile Information (Optional)

You may optionally provide additional profile information to personalize your experience:

• Coach Profile: Age group coached, team format, club name, preferred formation, coaching qualifications, experience level, coaching priorities
• Player Profile: Position, playing level, age group, development goals
• Football Manager Profile: Current save details, team, league
• X (Twitter) handle (optional): Used only to mention you in a one-time public welcome message from @footballgpt. You can disable public welcomes any time in settings.

Profile information is entirely optional and can be deleted at any time via Settings.

2.3 Conversation Data

• Messages you send to FootballGPT
• AI-generated responses
• Chat history (Pro subscribers only)
• Feedback ratings you provide on responses

2.5 Usage Data

• Daily message counts and streaks
• Feature usage patterns
• Session timestamps
• Device and browser information
• IP address
• Badges and achievements earned
• Advertising identifiers (Meta Pixel _fbp / _fbc cookie values), only when you have accepted advertising cookies in the cookie banner

2.6 Payment Data

• Stripe customer ID
• Subscription status and history
• Billing dates

Note: Full payment card details are processed and stored securely by Stripe. We do not have access to your complete card number.

3. How We Use Your Data

We process your personal data for the following purposes:

4. AI Processing and Third-Party AI Providers

Important: FootballGPT uses artificial intelligence to generate responses to your coaching questions. This involves sharing your conversation data with third-party AI service providers.

4.1 OpenAI

Your messages are sent to OpenAI's API to generate AI responses. When you use FootballGPT:

• Your message content is transmitted to OpenAI's servers in the United States
• OpenAI processes your data according to their Privacy Policy
• We use OpenAI's API which does not use your data to train their models
• OpenAI retains API data for up to 30 days for abuse monitoring purposes

4.2 Automated Decision-Making

The AI responses you receive are generated automatically without human review. These responses are informational only and should not be treated as professional advice. You have the right to request human review of any AI-generated content by contacting us.

5. Data Sharing and Third Parties

We share your personal data with the following categories of recipients:

5.1 Service Providers

• OpenAI (USA): AI model provider for generating responses
• Supabase (USA): Database hosting and authentication services
• Stripe (USA): Payment processing
• Vercel (USA): Application hosting
• Resend (USA): Email delivery services
• Meta Platforms Inc (USA): Conversion tracking, advertising audience-building, and lookalike-audience modelling for FootballGPT marketing. Only hashed (SHA-256) contact data is shared, and only for users who have not opted out — see section 5.3.

5.2 Legal Requirements

We may disclose your data if required by law, court order, or to protect our legal rights, or the safety of our users or the public.

5.3 Advertising and Audience-Building

We use Meta's advertising tools (Meta Pixel and Custom Audiences / Lookalike Audiences) to find people who are likely to be interested in FootballGPT.

What we share with Meta:

• Hashed (SHA-256) versions of your email, first name, last name, and country, for the purpose of matching you in Meta's user base and building "lookalike" audiences of similar people. We never share plaintext contact details with Meta.
• Browser-side events from the Meta Pixel (page views, sign-up, subscription) — only if you have accepted advertising cookies in the cookie banner.

Our lawful basis:

• For the Pixel browser-side events: your consent, given via the cookie banner.
• For server-side hashed-contact audience-building: our legitimate interest in marketing FootballGPT to similar audiences, balanced against your right to object under Article 21 UK GDPR.

Your right to opt out:

• You can opt out of advertising cookies at any time by clearing your browser's local storage and declining the cookie banner the next time it appears.
• You can opt out of having your hashed contact data shared with Meta at any time by emailing [email protected]. We will remove you from all Meta Custom Audiences within 30 days, and your email will be added to a permanent suppression list to prevent re-upload.
• Every Meta Custom Audience we maintain expires automatically after 180 days unless it is refreshed, so even without a request your data will not persist with Meta indefinitely.

We do not sell your personal data. We share hashed pseudonymous data with Meta for the purposes described in section 5.3, and only for users who have not opted out. We do not share your plaintext contact details with any advertising platform, and we do not allow any third party to use your data for their own advertising purposes.

6. International Data Transfers

Your personal data is transferred to and processed in the United States by our service providers. These transfers are necessary to provide the FootballGPT service.

We ensure appropriate safeguards are in place for these transfers, including:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Service providers' compliance with relevant data protection frameworks
• Additional technical and organisational measures to protect your data

You can request more information about international transfers and the safeguards in place by contacting us.

7. Data Retention

We retain your personal data for the following periods:

• Account data: Until you delete your account, plus up to 30 days for backup purposes
• Chat history (Pro users): Until you delete conversations or your account
• Free user conversations: Not stored beyond the current session
• Usage data: 12 months from collection
• Payment records: 7 years (legal requirement)
• Feedback data: Until you delete your account or request deletion

After the retention period, data is securely deleted or anonymised.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of your personal data
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restrict processing: Request limitation of how we use your data
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent
• Right not to be subject to automated decision-making: Request human review of AI decisions

To exercise any of these rights, contact us at [email protected]. We will respond within one month of receiving your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption in transit (TLS/HTTPS) and at rest
• Secure password hashing (bcrypt)
• Access controls and authentication
• Regular security reviews and updates
• Secure hosting infrastructure with our service providers

While we take reasonable steps to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
• Notify you directly without undue delay if the breach is likely to result in a high risk to your rights
• Provide details of the nature of the breach, likely consequences, and measures taken or proposed

We maintain incident response procedures to detect, report, and investigate personal data breaches promptly.

11. Cookies and Tracking

FootballGPT uses the following cookies:

Essential Cookies (always active)

• Authentication cookies: Keep you logged into your account
• Session cookies: Maintain your session state
• Security cookies: Protect against cross-site request forgery
• Consent cookie: Remembers your cookie preference

Analytics Cookies (require consent)

• Google Analytics: Helps us understand how coaches use FootballGPT (pages visited, session duration). Data is anonymised.
• FirstPromoter: Tracks affiliate referrals so partners are credited correctly.

Advertising Cookies (require consent)

• Meta Pixel (_fbp, _fbc): Used by Meta to measure FootballGPT advertising and to build similar audiences for our future Meta campaigns. Only loaded if you accept advertising cookies in the cookie banner. The Pixel does not see your messages, conversation content, or coaching profile — only that a browser-with-this-cookie loaded a particular page or completed a particular action (sign-up, subscription).

Advertising and analytics cookies are only loaded after you give consent via the cookie banner. You can change your preference at any time by clearing your browser's local storage. We share cookie-derived data only with the named processors listed in section 5.1, and only for the purposes described in section 5.3.

12. Children's Privacy

FootballGPT is designed for users aged 13 and over. We collect date of birth at signup to verify age eligibility, in compliance with UK GDPR (which sets the age of digital consent at 13).

We do not knowingly collect personal data from individuals under 13 years of age. If you believe we have inadvertently collected data from a child under 13, please contact us immediately and we will take steps to delete the information.

For users aged 13-17, we recommend parental awareness of the service. Our Player Mode includes age-appropriate content and advisors designed for young footballers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

• Email notification to your registered email address
• Prominent notice on the FootballGPT website
• Updating the "Last updated" date at the top of this policy

We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: