Privacy Policy
Last updated: 2 April 2026
HandLit ("we", "our", or "us") is a club management platform built specifically for handball clubs. This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR).
By using HandLit, you agree to the practices described in this policy. If you do not agree, please do not use the service.
1. What data we collect
Account data
- Full name and email address (provided on registration)
- Profile information such as position, jersey number, throwing hand, date of birth
- Account credentials (passwords are hashed and never stored in plain text)
Performance and activity data
- Training attendance records (present, absent, late, excused)
- Match ratings (1–10 scale) and notes assigned by coaches
- Match statistics: goals, assists, shots, suspensions, goalkeeper saves, minutes played
- Performance metrics (Presence, Sharpness, Creativity, Discipline, Consistency, Impact) derived from the above
- Session streaks, MVP awards, and earned badges
Health-adjacent data
- Injury records: body part, injury type, date of occurrence, expected return date, clearance date
- This data is treated with heightened care as it may constitute health data under GDPR Article 9
Club and team data
- Club name, team names, age groups, gender, season labels
- Match schedules, training schedules, locations, notes
- Posts, announcements, and messages posted on the platform
Technical data
- IP address and browser/device type (collected automatically by our infrastructure provider)
- Session tokens used for authentication
2. Why we collect it
We collect data for the following purposes:
- Service delivery — to provide squad management, attendance tracking, match protocol, and communication features
- Performance insight — to generate player profiles, leaderboards, and radar charts that coaches and players rely on
- Safety — to track injuries so coaches do not accidentally select injured or suspended players
- Communication — to send transactional emails (invites, password resets) via our email provider
- Legal compliance — to meet our obligations under applicable law
We do not use your data for advertising, profiling for marketing purposes, or sale to third parties. Future services that involve additional data processing will require your explicit consent before activation.
3. How long we keep your data
We retain personal data for as long as your account is active. If you delete your account, we will permanently delete your personal data within 30 days, except where we are required by law to retain it (for example, transaction records may be kept for up to 7 years for tax or accounting purposes).
Performance data (ratings, stats, attendance) is tied to your player profile. If a coach removes a player from a squad, their historical data is retained in the system linked to their profile — it is not deleted automatically. Players may request deletion of their data at any time (see Section 7).
4. Who can see your data
- Coaches see all data for their team: attendance, ratings, stats, injuries, and player profiles for every player in their squad
- Players see their own profile, stats, ratings, and attendance. They also see the team leaderboard, which includes aggregated stats for all squad members
- Other players can see leaderboard rankings and aggregate stats but cannot access another player's detailed injury records or individual match notes
- HandLit staff may access data only for technical support purposes, with access strictly limited and logged
- Data is never shared with other clubs, federations, or third parties except as described in Section 5
5. Third-party services
We use the following third-party services to operate HandLit:
Supabase (database and authentication)
All user data is stored in Supabase, a PostgreSQL-based backend-as-a-service. Supabase operates data centres in the EU. Data is protected with row-level security policies ensuring each club can only access its own data. Supabase's privacy policy applies to infrastructure-level processing.
Resend (transactional email)
We use Resend to deliver invitation emails and password reset emails. Resend receives the recipient's email address and name for this purpose only. Resend's privacy policy governs their handling of this data.
We do not use analytics trackers, advertising pixels, or social media SDKs. If we introduce any additional third-party services in the future, this policy will be updated and users notified.
6. Minor data (U12–U18)
HandLit supports youth teams across age groups from U12 to U18. Players who are under the age of 16 at the time of registration are considered minors under GDPR. For minor players:
- A parent or legal guardian must provide consent before the minor's account is created
- Clubs are responsible for obtaining and documenting parental consent before inviting minor players
- Injury records for minors are treated as sensitive health data and are only visible to the coach of that team
- Parents or guardians may request access to, correction of, or deletion of their child's data at any time by contacting us at the address below
7. Your rights under GDPR
If you are in the European Economic Area, you have the following rights:
- Right of access — you can request a copy of all personal data we hold about you
- Right to rectification — you can ask us to correct inaccurate or incomplete data
- Right to erasure — you can request deletion of your personal data ("right to be forgotten")
- Right to portability — you can request your data in a structured, machine-readable format (JSON or CSV)
- Right to restrict processing — you can ask us to pause processing your data while a complaint is resolved
- Right to object — you can object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email us at privacy@handlit.eu. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
8. Data security
All connections to HandLit are encrypted via HTTPS/TLS. Database access is protected by row-level security policies. Passwords are hashed using bcrypt. We conduct periodic reviews of access controls and security practices.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.
9. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify users via email or an in-app notice at least 14 days before the changes take effect. Continued use of HandLit after that date constitutes acceptance of the updated policy.
10. Contact
For any privacy-related questions, data requests, or concerns, contact us at:
HandLit
Email: privacy@handlit.eu