🔒 Privacy Policy

Last updated: 1 June 2026  ·  Version 1.0

1. Who we are

SoccerWork ("we", "us", "our") operates the website soccerwork.com — a global football transfer marketplace.
[TO COMPLETE: Legal entity name, registration number, registered address, VAT number, DPO contact if applicable]

We act as the data controller for personal data processed through this platform, except where stated otherwise.

2. What data we collect

We collect the following categories of personal data:

• Account data: email address, password (hashed), account role, registration date.
• Profile data: name, date of birth, nationality, physical attributes, career history, profile photo, bio, social/video links.
• Club / agent data: club name, location, league, website, logo.
• Transaction data: credit purchases, payment reference (Stripe session ID), amount, date.
• Usage data: profile views (anonymised per 24-hour window), search queries, applications sent/received.
• Communication data: messages sent via contact form.
• Technical data: IP address (in server logs), browser type, referring URL.
• Minor player data: name, birth year, position — collected by the parent/guardian account holder. No direct contact with minors.

We do not collect payment card details directly. Card processing is handled by Stripe, Inc.

3. How we use your data

• To create and manage your account.
• To display your profile to other users (players, clubs, agents) in accordance with your visibility settings.
• To process credit purchases and maintain transaction records.
• To send platform notifications (new applications, career verifications, credit alerts).
• To prevent fraud, abuse and unauthorised access.
• To improve the platform through aggregated, anonymised analytics.
• To comply with legal obligations.
• [TO COMPLETE: marketing communications — opt-in basis only]

4. Legal basis for processing (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)): processing necessary to provide the service you signed up for.
• Legitimate interests (Art. 6(1)(f)): fraud prevention, platform security, analytics.
• Legal obligation (Art. 6(1)(c)): tax records, accounting.
• Consent (Art. 6(1)(a)): marketing emails, non-essential cookies. You may withdraw consent at any time.

5. Data sharing & third parties

We share data only as necessary:

• Stripe, Inc. — payment processing. Stripe's privacy policy: stripe.com/privacy
• CyberFolks / hosting provider — server infrastructure for staging and production environments.
• [TO COMPLETE: email provider, analytics provider if any]

We do not sell, rent or trade your personal data to third parties for marketing purposes.

Public profile information (name, position, nationality, career history) is visible to all logged-in users as part of the platform's core function.

6. Data retention

• Account data: retained for the duration of your account plus 3 years after deletion request, to meet legal and accounting obligations.
• Transaction records: 10 years (tax/accounting obligations).
• Server logs: 90 days.
• Contact form messages: 2 years.
• [TO COMPLETE: review and confirm all retention periods with legal counsel]

7. Your rights under GDPR

You have the following rights regarding your personal data:

• Access: request a copy of the data we hold about you.
• Rectification: correct inaccurate data — most data can be updated directly in your profile.
• Erasure ("right to be forgotten"): request deletion of your account and data, subject to legal retention obligations.
• Restriction: ask us to limit processing in certain circumstances.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@soccerwork.com. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at dataprotection.ro.

8. Cookies

We use the following cookies:

• Session cookie (PHPSESSID): strictly necessary — maintains your login session. Expires when you close your browser.
• Language cookie (lang): remembers your language preference for 1 year.
• [TO COMPLETE: analytics and marketing cookies — require explicit consent banner]

You can control cookies through your browser settings. Disabling session cookies will prevent login.

9. Data security

We implement appropriate technical and organisational measures including: password hashing (bcrypt), HTTPS encryption in transit, SQL injection prevention via prepared statements, CSRF token protection, and role-based access controls.
[TO COMPLETE: penetration testing schedule, incident response procedure, breach notification process]

10. Children's data

SoccerWork allows parent/guardian accounts to create profiles for minor players (under 18). Minors do not have direct access to the platform and cannot be contacted directly. All data for minors is managed by the parent/guardian account holder. At age 18, ownership can be transferred to the player via a verified transfer process.

We do not knowingly allow minors to create independent accounts. If you believe a minor has done so, contact us immediately.

11. International data transfers

Your data is stored on servers within the European Union (CyberFolks, Romania). Stripe, Inc. may process payment data in the United States under Standard Contractual Clauses (SCCs). [TO COMPLETE: confirm adequacy decisions / SCCs for all processors]

12. Changes to this policy

We may update this policy periodically. When we make material changes, we will notify you by email or a prominent notice on the platform. The "last updated" date at the top of this page reflects the most recent revision.

13. Contact & complaints

For privacy-related questions or to exercise your rights:
📧 privacy@soccerwork.com
[TO COMPLETE: postal address, DPO name if applicable]

For general enquiries: Contact form