Apex Track ("we", "us", "Apex Track") provides a football performance and squad management platform. This policy explains what data we process, why, and your rights — especially where UK GDPR and EU GDPR apply to your club or players.
1. Who we are
Apex Track is operated as a software service for football clubs and organisations. For data protection enquiries, contact privacy@apextrack.app.
2. Data we collect
Depending on how your club uses the platform, we may process:
- Account data: name, email, username, role, club affiliation, authentication logs.
- Athlete records: identity, position, physical metrics, contract notes, scouting data.
- Health & injury data: injury reports, treatment notes, recovery timelines, return-to-play status (special category data where applicable).
- Performance data: match stats, training sessions, analytics (e.g. xG/xA), reports.
- Club assets: logos and documents you upload.
- Technical data: IP address, browser type, session identifiers, and usage data necessary to operate and secure the service.
3. Why we use your data
- To provide and maintain the platform (contract / legitimate interests).
- To authenticate users and enforce club-scoped access controls.
- To support injury tracking, performance analysis, and reporting requested by your club.
- To send service emails (e.g. account verification, security notices).
- To improve reliability, prevent abuse, and meet legal obligations.
Where we process health-related data, your club is typically the data controller for athlete information; Apex Track acts as a data processor on the club's instructions. Clubs must ensure they have a lawful basis (e.g. consent, employment/contract, or legitimate interests with appropriate safeguards) before entering sensitive data.
4. Sub-processors
We use trusted infrastructure providers, including:
- Supabase — database, authentication, and file storage (EU West region, London).
- Vercel — application hosting and analytics.
- Resend — transactional email delivery.
These providers process data only to deliver the service and under contractual terms consistent with GDPR requirements. See our Security & Data Protection page for more detail.
5. International transfers
Primary hosting is in the United Kingdom / EU where configured. If data is transferred outside the UK/EEA, we rely on appropriate safeguards (e.g. Standard Contractual Clauses or UK International Data Transfer Agreement mechanisms) offered by our sub-processors.
6. Retention
We retain data while your club's account is active and as needed to provide the service. After account closure, we delete or anonymise data within a reasonable period unless law requires longer retention. Clubs may export reports before closure. Backup copies may persist for a limited period per our provider's backup schedule (see Security page).
7. Security
We apply encryption in transit (TLS), role-based access, and database row-level security so each club's users only access their organisation's records. No system is perfectly secure; we continuously improve controls and respond to incidents.
8. Your rights (UK / EU GDPR)
Where GDPR applies, individuals may have the right to:
- Access, rectify, or erase personal data.
- Restrict or object to certain processing.
- Request data portability (where processing is automated and based on consent or contract).
- Withdraw consent where processing is consent-based.
- Lodge a complaint with the ICO (UK) or your local supervisory authority.
Athletes and staff should contact their club administrator first for data held on behalf of the club. You may also email privacy@apextrack.app and we will assist or redirect to the controller as appropriate.
9. Children
The platform may hold data on youth players managed by clubs. Clubs are responsible for parental/guardian consent and safeguarding policies.
10. Changes
We may update this policy. Material changes will be reflected on this page with an updated date. Continued use after changes constitutes notice.
