Privacy policy
Last updated: 3 July 2026
Touchline is a football tournament platform. Because youth football is at its heart, much of the personal data on Touchline belongs to children — so this policy is written to be read by the parents, coaches and organizers who put that data here. If anything is unclear, write to us at privacy@gettouchline.app.
What we collect
- Account data — your name, email address, role (organizer, coach or player), an optional profile photo, and a hashed password. We never store passwords in plain text.
- Team and player data — entered by organizers and coaches: player names, dates of birth, positions, shirt numbers and optional headshot photos; team names, crests, colours, photos and descriptions; coach names.
- Match data — results, goals, assists, cards and player-of-the-match awards, recorded against named players.
- Consent records — when a parent or guardian signs a consent form, we store their name, the signature, the player it covers and the time it was signed.
- Operational data — emails we send (and their delivery status) and standard server logs from our hosting providers.
We use a player’s date of birth for one purpose: verifying age-group eligibility. It is never shown on public pages.
Children's data
Children do not sign themselves up to Touchline. A child’s details are entered by their club coach or the event organizer, who must already have the authority to do so and must obtain parental consent — Touchline provides the consent-form flow for exactly this.
- A parent or guardian signs a consent form (sent by link) before a player takes part in an event; organizers can see which players are covered.
- A parent or guardian can withdraw consent at any time by telling the organizer or coach, or by writing to us at privacy@gettouchline.app. We will remove or anonymize the player’s data as described under data retention & deletion.
- We collect the minimum we need to run a tournament: name, date of birth (for eligibility), position, shirt number and — only if a coach or organizer adds one — a photo.
What is public
Touchline’s value is the shareable event page — and public means public. When an organizer takes an event live, anyone with the link (including search engines) can see:
- Event pages: fixtures, results, standings and honours.
- Team pages: team identity, coach name, and the squad list with names, shirt numbers, positions, photos and per-event stats.
- Match pages: line-ups, scorers, cards and player of the match.
- Player profiles: name, photo, position and playing record.
Dates of birth, email addresses, consent signatures and account details are nevershown publicly. If you don’t want a player to appear on public pages, tell the organizer before the event goes live, or contact us.
How we use data
- To run tournaments: fixtures, scheduling, results, standings, awards and eligibility checks.
- To publish the public pages the organizer chooses to share.
- To send transactional email: invitations, consent requests, password resets and event notifications. We do not send marketing email.
- To keep the service secure and debug problems.
We do not sell personal data, show advertising, or use third-party analytics or tracking cookies. The only cookies we set are the sign-in session and your light/dark theme preference.
Where data lives
Touchline runs on a small set of infrastructure providers, each processing data on our instructions:
- Vercel — application hosting and serving of pages.
- Supabase (AWS, Singapore region) — the database where all of the data above is stored.
- Resend — outbound transactional email.
Data is encrypted in transit (TLS). Passwords are hashed with bcrypt; password-reset links are stored only as one-way hashes.
Data retention & deletion
Our default is that event history — results, standings, honours — has lasting value to the people who played in it, so we keep it while the organizing account remains active. But anyone can ask for personal data to be removed:
- Players & parents: ask the organizer, or email privacy@gettouchline.appwith the player’s name and event. We will delete the player’s profile (name, date of birth, photo) within 30 days. Where match records reference the player, we anonymize rather than falsify history: the record stays, the identity goes.
- Account holders: email privacy@gettouchline.app from your account address to delete your account. Organizer accounts should first hand over or close their events; deleting an account removes its personal data within 30 days.
- Consent records are kept for as long as the consent they evidence is relied on, and for any period the law requires afterwards.
- Backups containing deleted data expire on a rolling basis within 30 days of deletion.
Your rights
Depending on where you live (including under Singapore’s PDPA and the EU/UK GDPR), you have the right to access, correct, export and delete personal data about you or a child in your care, and to withdraw consent you have given. Exercise any of these by emailing privacy@gettouchline.app — we respond within 30 days.
Changes to this policy
If this policy changes in a way that matters — especially anything touching children’s data — we will note it here with a new “last updated” date and, for significant changes, email account holders.
Questions, requests or complaints: privacy@gettouchline.app. See also our terms of service.