GDPR Compliance

General Data Protection Regulation (EU) 2016/679 | Last Updated: November 29, 2025

EvalSports is committed to full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, which came into effect on May 25, 2018. This page explains how we comply with GDPR requirements and outlines your rights as a data subject.

What is GDPR?

The GDPR is a comprehensive data protection law that applies to all organizations processing personal data of individuals in the European Union (EU) and European Economic Area (EEA), regardless of where the organization is located.

1. Our Commitment to GDPR

EvalSports processes personal data in accordance with GDPR principles:

  • Lawfulness, fairness, and transparency: We process data only for specified, explicit, and legitimate purposes
  • Purpose limitation: We collect data only for the purposes stated in our Privacy Policy
  • Data minimization: We collect only the data necessary for our services
  • Accuracy: We maintain accurate and up-to-date data
  • Storage limitation: We retain data only as long as necessary
  • Integrity and confidentiality: We implement appropriate security measures to protect data
  • Accountability: We maintain records of our data processing activities

2. Legal Basis for Processing

Under GDPR, we process personal data based on the following legal bases:

Contractual Necessity

We process your data to fulfill our contractual obligations to provide the EvalSports platform and services. This includes account management, service delivery, and customer support.

Legitimate Interests

We process data for our legitimate business interests, such as:

  • Improving and developing our services
  • Ensuring platform security and preventing fraud
  • Providing analytics and insights to organizations
  • Marketing our services (with appropriate opt-out mechanisms)

Consent

Where required, we obtain explicit consent before processing personal data. You can withdraw consent at any time through your account settings or by contacting us.

Legal Obligations

We may process data to comply with legal obligations, such as tax requirements, court orders, or regulatory compliance.

3. Your Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access

You have the right to obtain confirmation of whether we process your personal data and to access that data, including receiving copies of it.

Right to Rectification

You can request correction of inaccurate or incomplete personal data. You can update most information directly through your account settings.

Right to Erasure

You can request deletion of your personal data when it is no longer necessary, when you withdraw consent, or when processing is unlawful.

Right to Restrict Processing

You can request that we limit how we process your data in certain circumstances, such as when you contest data accuracy.

Right to Data Portability

You can receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

You have the right to file a complaint with your local data protection authority if you believe we have violated GDPR.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

  • Use your account settings: Many rights can be exercised directly through your EvalSports account dashboard
  • Contact us directly: Send a request to our Data Protection Officer (DPO) using the contact information below
  • Use our data request form: Complete our standardized data request form for faster processing

Request Processing Time: We will respond to your request within one month (30 days) of receipt. For complex requests, we may extend this period by an additional two months, and we will inform you of the extension and reasons for the delay.

Identity Verification: To protect your privacy, we may request verification of your identity before processing certain requests, especially for sensitive data or account deletion.

5. Data Processing Activities

We process the following categories of personal data:

Account Data

  • Name, email address, phone number
  • Username, password (encrypted)
  • Organization affiliation and role
  • Account preferences and settings

Player Data

  • Player names, birthdates, contact information
  • Team assignments and positions
  • Performance evaluations and assessments
  • Attendance records and training participation
  • Game statistics and event information

Note: Player data for minors is processed with appropriate parental consent and in compliance with both GDPR and COPPA requirements.

Usage Data

  • Log files, IP addresses, device information
  • Pages visited, features used, session duration
  • Browser type and operating system

Communication Data

  • Messages sent through our platform
  • Email communications with support
  • SMS verification codes (temporary)

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Active Accounts: Data is retained while your account is active and for a reasonable period after account closure
  • Player Evaluation Data: Retained to enable historical tracking and progress analysis, as authorized by your organization
  • Legal Requirements: Some data may be retained longer if required by law, regulation, or legitimate business needs
  • Deleted Accounts: Data is deleted or anonymized within 30 days of account deletion, except where retention is legally required

When you request data deletion, we will remove or anonymize your personal data unless we have a legal obligation to retain it.

7. Data Transfers and International Processing

EvalSports may transfer and process personal data outside the EU/EEA. When we do so, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses with our service providers
  • Adequacy Decisions: We transfer data to countries with adequacy decisions from the European Commission
  • Binding Corporate Rules: Where applicable, we rely on binding corporate rules for intra-group transfers
  • Consent: In some cases, we may transfer data with your explicit consent

Our primary data processing occurs within secure data centers. We work only with service providers who maintain GDPR-compliant data processing agreements.

8. Data Security Measures

We implement comprehensive technical and organizational measures to protect personal data:

  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest using industry-standard encryption
  • Access Controls: Role-based access ensures users only access data relevant to their permissions
  • Authentication: Multi-factor authentication via SMS verification for account security
  • Regular Security Audits: We conduct regular security assessments and penetration testing
  • Secure Infrastructure: Our servers are hosted in secure, monitored data centers with physical security measures
  • Employee Training: Our staff receive regular GDPR and data protection training
  • Incident Response: We have procedures in place to detect, report, and respond to data breaches

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Inform affected data subjects without undue delay if the breach poses a high risk
  • Provide clear information about the nature of the breach, likely consequences, and measures taken

We maintain an incident response plan and regularly test our breach notification procedures.

10. Data Protection Officer (DPO)

EvalSports has designated a Data Protection Officer to oversee GDPR compliance and handle data protection inquiries. You can contact our DPO using the information provided in the "Contact Us" section below.

11. Third-Party Processors

We work with trusted third-party service providers who process data on our behalf (data processors). All processors are bound by GDPR-compliant data processing agreements. Our key processors include:

  • Twilio: SMS verification and messaging services
  • SendGrid: Email delivery and notification services
  • Cloud Hosting Providers: Secure data storage and infrastructure

These processors are contractually obligated to:

  • Process data only as instructed by EvalSports
  • Implement appropriate security measures
  • Comply with GDPR requirements
  • Notify us of any data breaches

12. Children's Data (Under 16)

Important: For children under 16, we require explicit parental consent before processing their personal data. This consent can be provided by parents or legal guardians through the organization's administrator or directly through our platform.

Parents have the right to:

  • Review their child's personal data
  • Request correction or deletion of their child's data
  • Withdraw consent at any time
  • Object to processing of their child's data

Contact Our Data Protection Officer

To exercise your GDPR rights, request information about our data processing, or file a complaint, please contact our Data Protection Officer:

EvalSports Data Protection Officer
Email: gdpr@evalsports.com
Subject Line: "GDPR Request - [Your Request Type]"
Website: https://evalsports.com

Response Time: We will acknowledge your request within 5 business days and respond within 30 days (or notify you if an extension is needed).

You also have the right to lodge a complaint with your local data protection authority. For EU residents, you can find your authority at edpb.europa.eu.

This GDPR Compliance page was last updated on November 29, 2025.

For more information about our data practices, please see our Privacy Policy.