Privacy Policy

1. Data Controller

The data controller responsible under the GDPR:

Stefan Dworak

Berggasse 12

8200 Gleisdorf

Österreich

Email: info@hockeyflow.app

Full provider identification is available in the imprint.

2. Purposes of Processing

Stat-tracking for ice hockey players and goalies (entry, storage, analysis)
Account management (magic-link sign-in, account deletion and export functions, optional avatar handling)
Optional premium subscription via Stripe (tier management, billing)
Platform operation (web server, sync engine, technical logs)

3. Legal Bases

Art. 6(1)(b) GDPR (contract) — account creation and platform use as a self-tracker or parental guardian
Art. 6(1)(a) GDPR + Art. 8 GDPR (consent of the parental guardian for minors)
Art. 6(1)(f) GDPR (legitimate interest) — technical server logs for security and troubleshooting

4. Categories of Personal Data

We process only the categories listed below (data minimisation per Art. 5(1)(c) GDPR).

Account data

Email address (magic-link recipient)
Display name (optional)
Avatar photo (optional — see section 4a)
Locale (de or en)
Role (self-tracker or parental guardian)
Consent timestamp

Consent evidence

IP address and user-agent at the time of the magic-link click
Snapshot of the displayed consent text (version + full wording)
Consent grant date

Player data (1..N per account)

Tracked by the account owner — either own stats or those of one’s own child:

First name, last name
Position (G — goalie, F — forward, D — defender)
Jersey number (optional)
Avatar photo (optional — see section 4a)

Game metadata (account-private)

Date
Location (free text, no GPS)
Event name (optional, for tournaments)
Tournament flag
Team A name, Team B name (free text)
Age class (U7, U10, U13, U15, U17, U20 or Senior)

Tracking stats (account-private, per player per game)

Goals (G), Saves (SV), Save percentage (SV%)
Assists (AS)
Powerplay goals (PP), Penalty kill (PK)
Time on ice (TOI)
Optional: Shot events with coordinates (x/y), period, time and outcome (save or goal) for goalie heatmaps

Session data

Session cookie (HttpOnly, Secure, SameSite=Lax, max. 30 days rolling)

Reality anchor: Game and statistics data for players from age class U13 in Austria and Germany are already publicly accessible via official federation statistics (ÖEHV, DEB) — we mirror an existing public profile and are not the primary identification vector.

4a. Avatar Photo (Special-Category Note per Art. 9 GDPR for minors)

Avatar uploads are optional. For minor player avatars, image data is biometric-adjacent under Art. 9 GDPR (special categories of personal data). Mitigations:

Opt-out default: account and player creation work without an avatar. Avatars are not required.
Encryption at rest: a separate Supabase Storage bucket with its own access policies and signed-URL default (avatars are not served from public URLs).
Delete cascade: on account or player deletion, the avatar object is automatically removed.
No third-party sharing: avatars only leave the platform through user-initiated PNG export downloads by the account owner themselves.

5. Recipients / Processors

The following processors support platform operations. Each has signed a Data Processing Agreement (DPA) per Art. 28 GDPR.

Hetzner Cloud (Helsinki HEL1, Finland — EU) — server hosting for the application and database
Supabase (eu-central-1 Frankfurt, Germany) — database, authentication, avatar storage, realtime
PowerSync Open Edition (self-hosted on our own Hetzner server) — offline sync engine; no data flow to an external vendor
Stripe Payments Europe Ltd. (Ireland — EU) — subscription processing (only when the premium tier is enabled)
Mailjet (EU region, French/Sinch — EU) — magic-link email delivery
Cloudflare (DPA via ToS) — DNS resolution and reverse proxy (no PII caching)
Google Fonts — no runtime requests; fonts are self-hosted at build time (no personal data flow to Google on page load)

6. Third-Country Transfers

None. All processors listed in section 5 store and process data exclusively within the European Union. No third-country transfer within the meaning of Art. 44 GDPR takes place. Should a non-EU processor ever become necessary, we will update this privacy policy and publicly document the required safeguards (e.g. EU Standard Contractual Clauses).

7. Retention Periods

Account and player data: until the account is deleted by the parental guardian or the adult self-tracker, plus 30 days grace period (protection against accidental deletion).
Consent records: three years after the end of the account lifetime (regulatory evidence obligation).
Server logs: 7 days (rolling, automatic rotation by the application container).
Stripe receipts: 10 years (statutory retention per § 147 AO / § 212 UGB).
Session cookie: 30 days rolling; invalidated immediately on logout.
Backup snapshots: 7 days point-in-time recovery (Supabase default configuration).

8. Data-Subject Rights

As a data subject you have:

The right to access your stored data (Art. 15)
The right to rectification of inaccurate data (Art. 16)
The right to erasure (“right to be forgotten”) — self-service button in account settings from the Account-Foundation release (Art. 17)
The right to restriction of processing (Art. 18)
The right to data portability — machine-readable JSON export of all your data as an account-settings function from the Account-Foundation release (Art. 20)
The right to object to processing (Art. 21)
The right to withdraw a given consent at any time (Art. 7(3))

Right to lodge a complaint (Art. 77)

Competent supervisory authority:

Österreichische Datenschutzbehörde

Barichgasse 40-42, 1030 Wien

https://www.dsb.gv.at

9. Cookies and Local Storage

Essential session cookie (Supabase auth, HttpOnly, Secure, SameSite=Lax, max. 30 days rolling) — strictly necessary for the logged-in session, no consent banner required (ePrivacy exception).
PowerSync IndexedDB (local offline cache for stat-tracking inside the arena) — activated from the first tracker feature.
No non-essential cookies — no tracking, no analytics, no advertising.

10. Magic-Link Sign-In

Instead of password authentication we use magic-link email authentication with the following security parameters:

Token validity: max. 15 minutes
Single-use — the magic-link is invalidated after the first click
Rate limit: max. 3 magic-link requests per email address per hour
HTTPS-only, never transmitted unencrypted

11. Account Creation for Minors

The platform supports two account modes:

Self-tracker (18+)

Adult players or goalies track their own stats. Consent per Art. 6(1)(b) GDPR (contractual relationship with the platform).

Parental guardian for minor players

Parents/guardians create an account for their own minor child. Legal basis: Art. 8 GDPR (consent of the holder of parental responsibility) and § 25 BDSG (for German residence). Flow A:

The parent fills the signup form with their own email address and the child’s first and last name
Checkbox confirmation: “I have parental responsibility for the named child and consent to the processing of the data above for the purpose of stat-tracking (Art. 6 + Art. 8 GDPR).”
Magic-link email to the parent’s address — the click activates the account
We store as evidence: parent email, IP address at click time, user-agent and a snapshot of the displayed consent text (version + wording)

No tracking of unrelated third parties in v1. Tracking by friends, club staff or other third parties is not part of the current scope and requires the upcoming club module (post v1).

Withdrawal at any time: Parents can fully delete the account or individual players at any time via account settings. All dependent data (stats, games, shot events, avatars) is removed in the cascade.

12. Data Breach Notification

In the event of a personal data breach with risk to data subjects, we report the incident to the competent supervisory authority within 72 hours (Art. 33 GDPR) and notify affected users directly by email per Art. 34 GDPR.

13. Changes to this Privacy Policy

We reserve the right to update this privacy policy — for example when new functionality is added or legal bases change. Material changes will be communicated to registered account owners by email. The current version is always available at this URL. As of: 2026-05-19 (version v0.1.0).