Privacy Policy (SquadUp)
Last updated: February 17th 2026
This Privacy Policy explains how OD SquadUp ("SquadUp", "we", "us", "our") collects, uses, shares, and protects personal data when you use the SquadUp mobile application on iOS and Android (the "App") and related services.
1) Who We Are (Controller Identity)
Data Controller: OD SquadUp
Registered address: Not publicly disclosed
Contact email: icengic@squadupapp.com
Controller vs. Admins: Certain organizations (e.g., clubs, venues) may use admin features inside the App. For some data (e.g., membership and attendance), those organizations may act as separate controllers for their own purposes. We describe these relationships in Section 6.

2) Scope and Applicable Services
This Policy applies to:
- The SquadUp iOS and Android App built with Flutter.
- Backend services operated via Supabase (authentication, database, storage, realtime, RPC, and Edge Functions).
- Push notifications via OneSignal.
- Social authentication via Google Sign-In and Sign in with Apple.
- Location and maps via Google Maps SDK and device geolocation/reverse geocoding.
- Weather lookups via OpenWeather API.
This Policy does not cover third-party services you access via links or integrations (e.g., opening WhatsApp/Viber, the phone dialer, or a browser). See Section 14.
Supported jurisdictions/markets: Bosnia and Herzegovina.

3) Information We Collect (by Category)
A. Account and Authentication Data
- Email address and password (processed via Supabase Auth).
- OAuth identity data from Google/Apple (e.g., provider identifiers).
- Auth/session identifiers and tokens.
- Password reset / OTP-related data (for password reset flows).
B. Profile Data
- Username.
- Avatar URL (profile image).
- Role (e.g., user/admin role values as used in the App).
- Optional: gender.
- Optional: date of birth.
- Optional: full name fields returned by Sign in with Apple (if provided/selected during Apple auth).
- City and country code.
C. Preferences and Local App Data (Device Storage)
Stored locally (e.g., SharedPreferences):
- Language selection.
- Theme preference.
- Onboarding status.
- Cached city/country.
- Cached latitude/longitude (local cache).
D. Sports Profile Data
- Selected sports.
- Skill levels per sport.
E. Social Graph and Community Data
- Friends and friend requests.
- Squads, squad members, squad invites.
- Organization invites.
- Location/organization memberships.
F. Match and Competition Data
- Match creation/joining details, match code.
- Match participants and invites/requests.
- Team allocations.
- Scores.
- Match reviews/ratings/comments.
- Competition participation data (teams/squads, entries) as used in the App.
G. Reservation and Venue Data
- Reservations, timeslots, courts.
- Booking status and approvals.
- Cancellation reasons.
Admin-entered manual reservation customer data (admin flow):
- customer_name
- Optional customer_phone
H. Club/Organization Admin Data
- Organization memberships.
- Membership status (e.g., paid/pending/unpaid).
- Membership IDs.
- Role, approval status.
- Expiry/session credits.
I. Attendance/Training and Related Commerce-Like Totals
- Attendance status and details.
- Ride assignments.
- RSVP items/products.
- Attendance-related financial totals (e.g., totals associated with attendance flows).
J. Activity Form Data (Attendance Forms)
Hiking flow may collect:
- Full name, phone number
- Transport info, seats available
- Home location text, pickup location text
- Arrival time
Shooting flow may collect:
- Experience years
- License number
- Safety acknowledgement
K. User-Generated Content and Communications
- Chat messages and chat metadata (e.g., participants, timestamps).
- Club posts, post comments.
- Polls/votes.
- Feedback submissions.
- Abuse/user reports and moderation-related data.
L. Files and Uploads
Stored using Supabase Storage buckets:
- Avatars bucket.
- Club logos bucket.
- Club post gallery images bucket.
- Product images bucket.
- Member report PDFs bucket (member-files path structure).
Access controls note: Some files use public URLs; member report access may use signed URLs.
M. Push Notification Data
- Notification permission choice (device-level).
- OneSignal push subscription ID.
- Backend linkage of OneSignal push subscription ID to your user (via backend RPC).
- Notification payload interactions (e.g., click/deep-link events that route you to app screens).
N. Location Data
- When you grant location permission, the App may access device location to derive city and country and personalize nearby content.
- City/country are saved to your profile.
- Latitude/longitude may be used in specific flows (e.g., custom match location) and may be cached locally.

4) Sources of Information
We collect information from:
1. You directly (account registration, profile edits, chat/messages, bookings, forms, feedback, reports).
2. Your device (app settings stored locally; location when permitted; notification permission state).
3. Third-party authentication providers (Google, Apple) when you use social sign-in.
4. Organizations and admins (e.g., club/venue admins may enter reservation customer info, manage memberships/attendance, export reports).
5. Third-party service providers used to deliver functionality (Supabase, OneSignal, Google Maps, OpenWeather).

5) Why We Process Data (Purposes + Legal Bases)
Legal bases vary by jurisdiction. Where GDPR/UK GDPR applies, we rely on the following bases:
A. Provide and Operate the App (Contract / Legitimate Interests)
- Create and manage accounts; authenticate users.
- Enable core functionality: matches, squads, competitions, clubs, venues, reservations, attendance, and chat.
- Maintain user profiles and sports preferences.
- Support admin workflows (membership management, approvals, exports).
Legal basis: Performance of a contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)).
B. Personalization and Location-Based Features (Consent / Contract / Legitimate Interests)
- Use device location (when permitted) to derive city/country and personalize nearby content.
- Save city/country to your profile.
- Use lat/lng in custom location flows and the local cache.
Legal basis: Consent where required for device location permissions (Art. 6(1)(a)); otherwise contract/legitimate interests depending on feature context.
C. Communications and Notifications (Consent / Legitimate Interests)
- Send push notifications (e.g., updates, reminders, transactional/admin events) via OneSignal.
- Deep-link you to relevant screens when you interact with a notification.
Legal basis: Consent where required for device notification permissions; legitimate interests for essential service communications (subject to local law).
D. Safety, Integrity, and Abuse Prevention (Legitimate Interests / Legal Obligation)
- Handle abuse reports, user reports, and moderation.
- Investigate misuse, enforce rules, and protect users and the platform.
Legal basis: Legitimate interests; legal obligation where applicable.
E. Support, Troubleshooting, and Feature Improvement (Legitimate Interests)
- Respond to requests and feedback.
- Maintain service reliability.
Legal basis: Legitimate interests.
We do not use analytics, crash reporting, or advertising SDKs in production, based on the current implementation.
F. Legal Compliance (Legal Obligation)
- Comply with lawful requests and applicable laws.
Legal basis: Legal obligation.

6) How We Share Information
We share personal data only as needed to operate the App, provide features you request, and comply with law.
A. Service Providers (Processors)
We use third parties to provide infrastructure and features:
- Supabase (Auth, Postgres database, Storage, Realtime, RPC, Edge Functions including account deletion).
- OneSignal (push notifications).
- Google (Google Sign-In; Google Maps SDK).
- Apple (Sign in with Apple).
- OpenWeather (weather API requests).
B. Sharing With Other Users (Social/Community Features)
When you use social features, certain information is shared with other users depending on context:
- Your username, avatar, and city/country may be visible to other users in matches, squads, clubs, or chats as part of core functionality.
- Content you submit (messages, comments, posts, ratings) is shared with the relevant recipients (e.g., chat participants; club members where posts are visible).
Public visibility note: Some uploaded media may be accessible via public URLs.
C. Sharing With Clubs/Venues/Organization Admins
If you join a club/organization or make a reservation, relevant data is shared with the organization and its admins to run those activities:
- Membership status, attendance details, approvals, and related operational data.
- Reservation information and any admin-entered customer details.
Admin exports: Admins can export attendance/reservation CSV/PDF files that may include names, phone numbers, status, and pricing totals. Admins are responsible for handling exported files securely and lawfully. (See Section 14 for share/export behavior.)
D. Legal and Safety Disclosures
We may disclose information if we reasonably believe it is necessary to:
- Comply with law or legal process.
- Protect the rights, safety, and security of users, the public, or our services.
- Prevent fraud, abuse, or security incidents.
E. Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction, subject to appropriate safeguards.

7) International Transfers
Our service providers may process data in countries other than where you live. Transfer mechanisms depend on provider locations and your jurisdiction.
Transfers under GDPR/UK GDPR: We will rely on recognized safeguards such as Standard Contractual Clauses and supplementary measures where required.
We do not publicly disclose specific hosting/processing regions in this Policy.

8) Data Retention
We retain personal data only as long as necessary for the purposes described, unless a longer period is required or permitted by law. Retention periods are not fully specified in this Policy. The table below describes retention criteria.

| Dataset | Examples | Retention Rule | Default Retention |
|---|---|---|---|
| Account/auth records | Email, auth IDs, sessions | Kept while account is active; deleted when account deletion is initiated, subject to legal exceptions | Until deletion (immediate from active systems) |
| Profile data | Username, avatar URL, optional DOB/gender, city/country | Kept while account is active; deleted when account deletion is initiated | Until deletion (immediate from active systems) |
| Social graph | Friends, squads, invites | Kept while account is active or until user removes relationships; deleted when account deletion is initiated | Until deletion (immediate from active systems) |
| Match & competition data | Participants, scores, ratings/comments | Kept to provide match history and integrity; deleted when account deletion is initiated, subject to shared-content handling rules | Until deletion (immediate from active systems) |
| Reservations & venue records | Bookings, cancellations, approvals | Kept for operational records and dispute handling; deleted when account deletion is initiated unless retention is required by law | Until deletion (immediate from active systems) |
| Manual reservation customer data | customer_name, customer_phone | Kept as part of reservation record; minimized and deleted when no longer needed | Until deletion (immediate from active systems) |
| Club memberships | Status, IDs, credits/expiry | Kept while membership exists; deleted when account deletion is initiated unless retention is required | Until deletion (immediate from active systems) |
| Attendance & forms | Status, ride assignments, hiking/shooting form fields | Kept for operational and safety needs; deleted when account deletion is initiated unless retention is required | Until deletion (immediate from active systems) |
| Chats/messages | Message content and metadata | Deleted when account deletion is initiated, subject to shared-content handling rules | Until deletion (immediate from active systems) |
| Reports/abuse moderation | Reports, evidence, actions taken | Kept as required to prevent abuse and for legal claims | Retained for purpose of legal complaints |
| Files/uploads | Avatars, club posts, PDFs | Deleted when the associated record/account is deleted, subject to access controls and legal holds | Until deletion (immediate from active systems) |
| Push identifiers | OneSignal subscription ID linkage | Kept until notifications are disabled/uninstalled or account is deleted | Until deletion (immediate from active systems) |
| Local device data | Preferences, cached city/latlng | Stored on your device until you clear app storage/uninstall | Until user action |

9) Security Measures
We implement technical and organizational measures designed to protect personal data, including:
- Authentication and access control: Accounts are authenticated via Supabase Auth; access to backend resources is restricted to authorized users.
- Row Level Security (RLS): RLS is implemented on core flows to limit access to data based on the authenticated user and applicable roles.
- In-app message encryption prior to storage: Chat messages are encrypted in the App using app-level AES logic before being stored.
  Chat encryption statement (no overclaim): We do not describe this as end-to-end encryption because we have not confirmed the full key management model and whether any server-side components could decrypt content.
- File access controls: Some files may be served using signed URLs for controlled access; however, some files use public URLs.
No system is perfectly secure. You are responsible for keeping your credentials confidential and using device-level protections.

10) Children's Privacy
SquadUp is intended for users interested in recreational sports and is not designed for young children.
- The App UI restricts selecting a date of birth below age 15 in certain flows; however, date of birth may be optional in some signup/edit flows and we have not confirmed robust backend age verification.
If you believe a child has provided personal data without appropriate authorization, contact us at icengic@squadupapp.com.

11) User Rights by Region
Rights vary depending on where you live.
A. EEA/UK (GDPR / UK GDPR)
If GDPR/UK GDPR applies, you may have the right to:
- Access your personal data.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to legal exceptions.
- Restrict processing in certain cases.
- Data portability (receive your data in a structured, commonly used format).
- Object to processing based on legitimate interests.
- Withdraw consent at any time for processing based on consent (this does not affect prior processing).
- Lodge a complaint with your supervisory authority.
B. United States (including California CCPA/CPRA)
If you are a California resident and SquadUp qualifies as a "business" under CCPA/CPRA, you may have rights to:
- Know what personal information is collected, used, disclosed, and (if applicable) sold/shared.
- Delete personal information, with exceptions.
- Correct inaccurate personal information.
- Opt out of "sale" or "sharing" of personal information (as those terms are defined under CPRA).
- Limit the use/disclosure of sensitive personal information (if applicable).
- Non-discrimination for exercising your rights.
Sale/Sharing status: We do not sell personal information and we do not share personal information for cross-context behavioral advertising.
C. Other Regions
SquadUp is currently focused on Bosnia and Herzegovina. If you are located in another region, your rights may vary. Contact us at icengic@squadupapp.com.

12) Account Deletion and Data Requests
A. In-App Account Deletion
You can initiate account deletion inside the App. The App triggers the backend Edge Function delete-account.
Deletion timeline: Deletion is initiated immediately when you confirm deletion in the App.
Deletion scope: Based on the current implementation, we delete your user data from our active systems when you initiate account deletion. We may retain limited data if required by law, or if reasonably necessary to resolve disputes, enforce terms, or comply with lawful requests.
B. Data Access/Requests
To request access, correction, deletion, or other rights, contact: icengic@squadupapp.com. We may need to verify your identity before processing requests.

13) Cookies / Tracking Technologies (Mobile-Specific) and App Permissions
Cookies/Tracking (mobile-specific): The App does not use browser cookies in the traditional sense. It uses:
- Local device storage (SharedPreferences) for language, theme, onboarding status, and cached location values.
- SDK identifiers required for core functions:
  - OneSignal push subscription ID (linked to your user via backend RPC).
  - Authentication/session identifiers via Supabase.
We do not use analytics, crash reporting, advertising, or cross-app tracking SDKs in production, based on the current implementation.
App permissions (explicit disclosures): The App may request the following device permissions:
1. Location (when needed)
- Used to derive city/country for nearby content personalization and to support location-based flows (e.g., custom match location).
- You can deny or revoke location permission in your device settings; some features may be limited.
2. Notifications
- Used to deliver push notifications via OneSignal.
- You can disable notifications in device settings; in-app notification-related functionality may be reduced.
3. Photos/Files
- Used to upload avatars, club logos, gallery images, product images, or PDFs where supported by the feature.
- You can control access via device permission prompts and settings.
Camera: The App does not use the camera and does not request camera permission, based on the current implementation.

14) Third-Party Links and External Services
The App may allow you to open external links or apps (e.g., browser, phone dialer, WhatsApp, Viber) or share files via the OS share sheet. When you do so:
- That third party's privacy practices apply.
- Exported files (CSV/PDF) may contain personal data (names, phone numbers, status, and pricing). You should share and store exports carefully.

15) Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will provide notice in the App and/or by other appropriate means.

16) Contact Information
For privacy questions or requests, contact:
Email: icengic@squadupapp.com
Address: Not publicly disclosed

Compliance Matrix (Compact)
| Data Category | Example Fields | Purpose | Legal Basis | Recipients | Retention | User Controls |
|---|---|---|---|---|---|---|
| Account/Auth | email, auth IDs, sessions, OTP reset | account creation, login, security | Contract; Legitimate Interests | Supabase; Google/Apple (if used) | Until deletion (immediate from active systems) | reset password; delete account |
| Profile | username, avatar URL, role, optional DOB/gender, city/country | identity in app, personalization, eligibility | Contract; Consent (optional fields) | Supabase; other users (contextual) | Until deletion (immediate from active systems) | edit profile; delete account |
| Preferences (local) | language, theme, onboarding status, cached city/latlng | usability, faster UX | Legitimate Interests | stored on device | device-based | clear app data; uninstall |
| Sports profile | sports, skill levels | matchmaking, discovery | Contract; Legitimate Interests | Supabase; other users (as shown) | Until deletion (immediate from active systems) | edit sports/levels |
| Social graph | friends, squads, invites | social features | Contract; Legitimate Interests | Supabase; other users | Until deletion (immediate from active systems) | remove friends; leave squads; privacy controls |
| Matches/Competitions | participants, scores, ratings/comments | run matches/competitions, history | Contract; Legitimate Interests | Supabase; other users; org admins (where relevant) | Until deletion (immediate from active systems) | delete content where supported; delete account |
| Reservations | bookings, courts, status, cancellations | manage venue bookings | Contract; Legitimate Interests | Supabase; org/venue admins | Until deletion (immediate from active systems) | cancel booking; delete account |
| Manual customer data | customer_name, customer_phone | offline/customer booking handling | Legitimate Interests; Contract (org) | org admins; Supabase | / | / |
| Membership/Admin | membership IDs, status, credits | manage club participation | Contract; Legitimate Interests | org admins; Supabase | Until deletion (immediate from active systems) | leave org; request corrections |
| Attendance & forms | attendance status; hiking/shooting fields | operations, safety, logistics | Contract; Legitimate Interests; Consent (where required) | org admins; Supabase | Until deletion (immediate from active systems) | edit where supported; delete account |
| Chat/UGC | messages, comments, posts, polls | communication/community | Contract; Legitimate Interests | Supabase; recipients | Until deletion (immediate from active systems) | delete message/content where supported; delete account |
| Abuse/Reports | report content, evidence, actions | safety/moderation | Legitimate Interests; Legal Obligation | Supabase; internal reviewers; possibly legal | Retained for legal reasons | submit report; appeal |
| Files/Uploads | avatars, logos, images, PDFs | feature delivery | Contract; Legitimate Interests | Supabase Storage; other users depending on visibility | Until deletion (immediate from active systems) | remove/replace uploads; delete account |
| Push identifiers | OneSignal subscription ID | deliver notifications | Consent (device permission); Legitimate Interests | OneSignal; Supabase | Until deletion (immediate from active systems) | disable notifications; delete account |
| Location | city/country; lat/lng (flows/local cache) | nearby content, custom locations | Consent (permission); Contract | Google Maps; OpenWeather (params) | Until deletion (immediate from active systems) | revoke permission; edit city (if supported) |
