FYNLwhistle

Legal

Privacy Policy

Last updated: May 2026

1. Who We Are

FYNL Whistle (“we”, “us”, “our”) operates the match analysis platform at fynlwhistle.com. We are the data controller for personal data processed through the Service.

This policy explains what personal data we collect, how we use it, and your rights. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact: support@fynlwhistle.com

2. Data We Collect

We collect the following categories of personal data:

Account data

Your email address and an encrypted password hash, collected when you register. We do not store your password in plain text.

Team & player data

Names, positions, jersey numbers, and other details you enter about players and staff in your squad. This data belongs to you — we store it on your behalf to provide the Service.

Match & performance data

Tagged match events, player grades, coaching notes, set-piece data, and statistical outputs you create within the platform.

Video files

Match footage you upload. Video files are stored in Cloudflare R2 and are only accessible to members of your team with appropriate permissions.

Voice recordings

Short audio clips captured during voice tagging. These are sent to the Anthropic API for transcription and are not stored by us or by Anthropic after the transcription response is returned.

Usage data

Server-side logs of pages visited and actions taken, used for debugging and service improvement. We do not use third-party analytics services or advertising trackers.

3. Legal Basis for Processing

We rely on the following legal bases under UK GDPR:

  • Contract performance — processing your account data, team data, match data, and video files is necessary to provide the Service you have subscribed to.
  • Legitimate interests — processing usage logs to maintain security, diagnose faults, and improve the Service. Our legitimate interests do not override your rights.
  • Legal obligation — retaining billing records as required by applicable tax and financial regulations.

4. Third Parties We Use

We use the following sub-processors to deliver the Service. Each processes personal data only as instructed by us and is bound by appropriate data protection agreements:

Supabase

Provides database storage and user authentication. Stores account credentials, team data, match data, and player records. Infrastructure located in the EU and US.

Stripe

Processes subscription payments. Stripe collects and stores your payment card details directly; we never see or store full card numbers. Stripe is PCI-DSS Level 1 certified.

Cloudflare R2

Stores video files you upload. Files are encrypted at rest and in transit and are only accessible via authenticated, scoped URLs.

Resend

Delivers transactional emails such as account confirmation, team invitations, and availability reminders. Receives recipient email addresses and message content for delivery purposes only.

Anthropic

Provides AI-powered voice transcription. Short audio clips are sent per request and are not retained by Anthropic after the transcription response is returned, in accordance with Anthropic’s API usage policy.

5. Data Retention

We retain your account and team data for as long as your account is active. If you request deletion of your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain certain records for legal or financial compliance purposes (typically up to 7 years for billing records).

Video files are deleted when you delete them within the app, or within 30 days of your account being closed.

6. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you (Art. 15)
  • Rectification — ask us to correct inaccurate data (Art. 16)
  • Erasure — request deletion of your data where we no longer have a lawful basis to retain it (Art. 17)
  • Restriction — ask us to restrict processing in certain circumstances (Art. 18)
  • Portability — receive your data in a structured, machine-readable format (Art. 20)
  • Objection — object to processing based on legitimate interests (Art. 21)

To exercise any of these rights, email us at support@fynlwhistle.com. We will respond within 30 days.

7. Cookies

We use a single session cookie to keep you logged in. This cookie is strictly necessary for the Service to function and does not track you across other websites.

We do not use advertising cookies, analytics tracking cookies, or any third-party tracking technologies.

8. International Transfers

Some of our sub-processors (including Supabase and Anthropic) may process data in the United States. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or standard contractual clauses (SCCs) approved by the ICO.

9. Children

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data relating to a child, please contact us immediately at support@fynlwhistle.com and we will delete it promptly.

If your team includes junior players, you are responsible for obtaining appropriate parental or guardian consent before entering their data into the Service.

10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before the new policy takes effect. The updated policy will always be available at this URL.

11. Contact & Complaints

For any privacy-related questions or to exercise your rights, contact us at support@fynlwhistle.com.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.