Privacy & data.

01Data we collect

• Account dataLast name, first name, email, password (encrypted), optional profile photo.
• Team dataSquad name, members, events, messages in team chats.
• Technical dataDevice type, OS, app version, anonymous technical identifiers for push notifications.
• LocationOnly if you enable geolocation to find nearby events. You can disable it anytime in settings.

02Payment data (Stripe)

All payments are processed by Stripe, a PCI DSS Level 1 certified payment provider (the highest security standard in the industry).

• What SquadUp doesn't seeFull card number, CVV, expiration date. This data never passes through our servers.
• What SquadUp does seeThe amount, the status (succeeded, failed, refunded), the last 4 digits of the card and the Stripe transaction ID.
• For organisersIf you collect payments, Stripe asks you for identity information (name, date of birth, address, IBAN) directly, to comply with anti-money laundering rules. SquadUp does not store this information.
• Stripe policyCheck Stripe's privacy policy at stripe.com/privacy to understand their data processing.

03How we use data

• Provide the serviceCreate your account, organise your squads, process payments, send notifications.
• Improve the appAnonymised usage statistics to understand which features are used.
• SecurityDetect fraud, prevent abuse, protect accounts.
• CommunicationContact you for important service-related information. No marketing emails without your explicit consent.

04Sharing data

We never sell your data. We share it only with the sub-processors below, selected for their security level and GDPR compliance. All operate under a GDPR Art. 28 Data Processing Addendum (DPA):

• Stripe Payments Europe, Limited (Ireland)Payment processing and management of organisers' connected accounts. Stripe is PCI DSS Level 1, acts as joint controller for payment data and as a processor for other data. DPA incorporated into the Stripe Services Agreement — see stripe.com/legal/dpa and stripe.com/privacy.stripe.com/legal/dpa et stripe.com/privacy.
• OVH SAS (France / Belgium)Hosting provider for server infrastructure (VPS), database, and transactional email delivery (SMTP). All data stored in EU datacenters (Roubaix / Strasbourg / Gravelines). OVH DPA available in the OVH customer area. See ovhcloud.com.ovhcloud.com.
• Google Ireland Limited — Firebase / Google Cloud (Ireland)User authentication (Firebase Authentication) and Android push notification delivery (Firebase Cloud Messaging). Google Cloud DPA incorporated into the Google Cloud Terms.cloud.google.com/terms/data-processing-addendum.
• Functional Software, Inc. — Sentry (USA / EU)Technical error monitoring to improve app reliability. May receive a user identifier and a screenshot of the app at the moment of an error (passwords and payment data are automatically filtered out). DPA signed. See sentry.io/legal/dpa.sentry.io/legal/dpa.
• Cloudflare, Inc. (USA / EU)Edge CDN in front of the squadup.be, api.squadup.be and admin.squadup.be domains (TLS decrypted at edge), R2 object storage for periodic database and user file backups (file backups are server-side encrypted via Restic before transfer), and Cloudflare Access protecting the admin dashboard via email allow-list. GDPR DPA auto-incorporated into Cloudflare Customer Terms — see cloudflare.com/cloudflare-customer-dpa.cloudflare.com/cloudflare-customer-dpa.
• Public authoritiesOnly if required by law (judicial request) or under DAC7 reporting to the Belgian FPS Finance for organisers above legal thresholds (30 transactions or €2,000/year).
• Members of your squadYour name, avatar and messages are visible to other members of your squads, as in any group chat.

05Retention

• Active accountAs long as your account exists, your data is kept to operate the service.
• After deletionPersonal data is deleted within 30 days. Transaction data is kept for 7 years for accounting and tax obligations.
• Technical logsKept for 90 days maximum for security and debugging.

06Cookies & trackers

The mobile app does not use cookies in the web sense. We only use technical identifiers necessary for the service to work (session token, push identifier). No third-party advertising trackers.

07Your GDPR rights

As a resident of the European Union, you have the following rights:

• AccessObtain a copy of the data we hold about you.
• RectificationCorrect inaccurate information (most can be edited directly in the app).
• ErasureRequest deletion of your account and data.
• PortabilityReceive your data in a reusable format.
• ObjectionObject to the processing of your data in certain cases.
• ComplaintFile a complaint with the Belgian Data Protection Authority (autoriteprotectiondonnees.be).

To exercise these rights, write to [email protected]. We respond within 30 days.[email protected]. Nous répondons sous 30 jours.

08Security

• Encryption in transitAll communications use HTTPS / TLS 1.3.
• Encryption at restDatabases are encrypted. Passwords are hashed with bcrypt.
• Limited accessOnly authorised members of the SquadUp team can access systems, and only for support or maintenance reasons.

09Minors

SquadUp is open to users aged 13 and over. For payments and organiser accounts, the minimum age is 18 (or parental consent).

10Changes

We may update this policy. You will be notified via the app or by email of significant changes.

11Contact

Data controller: ITsGenius SRL, Avenue de l'Héliport 104/1, 1000 Brussels, Belgium — BCE BE 0801.788.241. To exercise your GDPR rights or any data-related question: [email protected].ITsGenius SRL, Avenue de l'Héliport 104/1, 1000 Bruxelles, Belgique — BCE BE 0801.788.241. Pour exercer tes droits RGPD ou toute question données : [email protected].