Privacy Policy
Effective date: 26 February 2026
1. Data Controller
The data controller for OpenMatchDay is:
POISE AB
VAT ID: SE556773092301
Email: hello@openmatchday.com
Website: openmatchday.com
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Full name
- Email address
- Password (stored as a cryptographic hash, never in plain text)
- Language preference
2.2 Tournament Data
When you create and manage tournaments, the following data is stored:
- Tournament details (name, venue, date, rules, format)
- Team information (team name, short name, logo, colors, group)
- Player information (name, shirt number)
- Match data (scores, events, timers, status)
- Live feed posts and announcements
- Sponsor information (name, logo, URL) if provided
2.3 Usage Data
When you use the platform, we automatically collect:
- IP address
- Browser type and version
- Device type and screen size
- Pages visited and actions taken
- Date and time of access
2.4 Spectator Data
Spectators viewing public tournament pages do not need an account. We collect minimal usage data (IP address, browser type) from spectators through standard server logs.
3. Why We Collect Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the tournament management service | Account data, tournament data | Contract performance |
| Authenticate users and protect accounts | Email, password hash, IP address | Contract performance |
| Display public tournament pages | Tournament data, team/player names | Legitimate interest |
| Send service-related emails (account, license) | Email address | Contract performance |
| Improve platform performance and fix errors | Usage data, server logs | Legitimate interest |
| Set language and theme preferences | Cookies (functional) | Consent |
4. Cookies
We use a minimal set of cookies. For full details, see our Cookie Policy.
- Session cookie (strictly necessary) — maintains your login session
- CSRF token (strictly necessary) — protects against cross-site request forgery
- Language/theme preferences (functional) — remembers your display settings
We do not use advertising or third-party tracking cookies.
5. Third-Party Services
We use the following third-party services that may process data:
| Service | Purpose | Location |
|---|---|---|
| EU hosting provider | Server infrastructure | European Union |
| Lettermint | Transactional email delivery | European Union |
All fonts, icons, and scripts are self-hosted on our EU servers. No external CDNs (such as Google Fonts or Cloudflare) are used. Your browser communicates only with our infrastructure — no data is sent to third-party services during normal use.
6. Data Retention
- Account data: Retained while your account is active. Deleted upon request or after 12 months of inactivity.
- Tournament data: Active tournaments are retained indefinitely. Completed tournaments are retained for 60 days after completion, then automatically deleted.
- Server logs: Retained for 90 days, then automatically purged.
- Draft tournaments: Abandoned drafts are automatically deleted after 24 hours.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data transmitted via HTTPS (TLS encryption in transit)
- Passwords stored using cryptographic hashing (bcrypt)
- CSRF protection on all state-changing operations
- Content Security Policy (CSP) headers
- Role-based access control for administrative functions
- Regular security updates and monitoring
8. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we limit processing of your data.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Withdraw consent for cookie-based processing at any time.
To exercise any of these rights, contact us at hello@openmatchday.com. We will respond within 30 days.
9. International Transfers
Your data is stored and processed exclusively within the European Union. All assets (fonts, icons, scripts) are self-hosted on our EU servers. No data is transferred to or processed in countries outside the EU/EEA.
10. Children's Privacy
OpenMatchDay accounts are intended for users aged 18 and older. Tournament organizers are responsible for ensuring appropriate consent when entering personal data of minors (such as player names) into the platform.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Swedish supervisory authority:
Integritetsskyddsmyndigheten (IMY)
Website: www.imy.se
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before they take effect. The effective date at the top of this page will always reflect the latest version.
13. Contact
For questions or requests regarding this Privacy Policy or your personal data, contact:
POISE AB
Email: hello@openmatchday.com
VAT ID: SE556773092301