Privacy Policy

This Privacy Policy explains how we process personal data in connection with the app “Kleinfeldliga Lavanttal” (iOS and Android). The app is available worldwide.

1. Controller

2. Scope

This policy applies to the app and related services. Based on the current setup, the primary storage and hosting locations are configured in the European Economic Area (EEA). Certain providers may operate globally.

3. Personal data we process

• Account data: email address; password (authentication handled via Supabase; passwords are not stored in plain text).
• Contact and organization data: phone number (if provided), club name, club logo.
• League/team data: team rosters and match/result data in a football league context.
• Push notification data: Firebase Cloud Messaging (FCM) registration token (a device-specific identifier issued by Google) and your topic subscriptions (e.g., teams you follow). The token is required to deliver push notifications to your device. Notifications are only sent if you have granted the notification permission on your device.
• Usage and device data: analytics events (Firebase Analytics) and crash/diagnostic information (Firebase Crashlytics), such as device/app version, OS information, timestamps, and technical identifiers.

4. Purposes

• Provide core app features (login, league tables, match schedules/results, roster management for team managers).
• Operate, maintain, and secure the app (including abuse prevention).
• Debugging, crash analysis, and product improvement.
• Usage analytics (if enabled and legally permissible).
• Send push notifications about app news, match updates, and content from teams you choose to follow (only after you have granted notification permission on your device).
• Customer support and communications.

5. Legal bases (GDPR)

• Contract performance (Art. 6(1)(b) GDPR): account/login and delivery of core app features.
• Legitimate interests (Art. 6(1)(f) GDPR): security, fraud/abuse prevention, service stability and error analysis.
• Consent (Art. 6(1)(a) GDPR): where required (notably for analytics depending on jurisdiction/platform configuration, and for sending push notifications, which requires explicit notification permission granted via your device's operating system).

If processing is based on consent, you may withdraw consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing before withdrawal.

6. Processors and service providers

• Supabase (authentication and database; configured for Europe/EEA according to your setup).
• Render (hosting of server/backend components; configured for Europe/EEA according to your setup).
• Google Firebase (provided by Google Ireland Ltd. / Google LLC):
  • Firebase Cloud Messaging (FCM) — delivery of push notifications to your device using a device-specific registration token
  • Firebase Analytics (usage analysis)
  • Firebase Crashlytics (crash reporting and diagnostics)

Where required, we enter into data processing agreements (GDPR Art. 28) with processors.

7. Push notifications

We use Firebase Cloud Messaging (FCM) to deliver push notifications. When you grant the notification permission on your device, your device generates an FCM registration token (a non-resettable, device-specific identifier issued by Google). This token is sent to our backend so we can address notifications to your device. If you follow specific teams in the app, the corresponding topic subscriptions are stored together with your token.

You can withdraw your consent and disable push notifications at any time:

• via the system settings of your device (iOS: Settings → Notifications → KFL Lavanttal; Android: Settings → Apps → KFL Lavanttal → Notifications);
• by changing your team-follow preferences inside the app.

For information on how Google processes data in connection with FCM, see Google's privacy resources at firebase.google.com/support/privacy and the Google Privacy Policy.

8. International transfers

Depending on provider infrastructure and configuration (in particular for Firebase/Google services), personal data may be transferred to countries outside the EEA (e.g., the United States). Where applicable, such transfers rely on appropriate safeguards (e.g., Standard Contractual Clauses) and additional measures as required by law.

9. Retention

• Account and app data: stored for as long as your account is active and as needed for the purposes described above.
• Support communications: retained as long as necessary to handle the request and for reasonable follow-up.
• Analytics and crash data: retained according to our configuration and provider retention settings, subject to legal requirements.

10. Security

We implement appropriate technical and organizational measures to protect personal data (e.g., transport encryption, access controls, role-based permissions).

11. Your rights

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent at any time (Art. 7 GDPR), where processing is based on consent

To exercise your rights, contact us at support@a-double-p.com. Account deletion is currently handled via email request.

12. Complaints

You have the right to lodge a complaint with a supervisory authority. In Austria, this is in particular the Austrian Data Protection Authority (Datenschutzbehoerde / DSB).

13. Changes

We may update this Privacy Policy from time to time (e.g., new features or legal changes). The latest version will be published on this page and/or in the app.