Privacy Policy
Last updated: May 2026
This Privacy Policy explains how Ball or Bench, operated by SVMS Consultancy Limited ("Company", "we", "us", or "our"), collects, uses, shares, and protects your personal data.
Ball or Bench is a football accountability platform for players of all ages. Because some of our players are under 18, we have built the account model to protect them from the start. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the ICO's Age Appropriate Design Code (the Children's Code).
1. Data Controller
SVMS Consultancy Limited
Company Number: SC514512 (Scotland)
Trading as: 360TFT / Ball or Bench
Registered Office: 11 Dudhope Terrace, Dundee, Scotland, DD3 6TS
Data Protection Contact: admin@360tft.com
SVMS Consultancy Limited is the data controller responsible for your personal data processed through Ball or Bench.
2. Personal Data We Collect
2.1 Waitlist (current)
- Name
- Email address
- The source link you arrived from (e.g. a campaign tag), and basic technical data such as IP address and browser type
2.2 Account information (when the app launches)
- Email address (yours, or a parent's for under-13 accounts)
- Display name or player handle
- Age band (18+, 13-17, or under 13), confirmed at the first signup screen
- For 13-17 accounts: a parent or guardian's email address, used solely to confirm consent and to send safeguarding notifications
- Authentication identifier (e.g. your Google account ID if you sign in with Google)
2.3 Activity and evidence data
- Training logs and the daily evidence you submit (text notes, photos, or video)
- Your card stats, overall rating (OVR), tier, and streak
- Crew membership and the reactions you give or receive
- Usage data: session timestamps, feature usage, device and browser information, IP address
2.4 Payment data (when paid tiers launch)
- Stripe customer ID
- Purchase and subscription status and history
Full payment card details are processed and stored securely by Stripe. We never see or store your complete card number.
3. How We Use Your Data
| Purpose | Legal basis |
|---|---|
| Reserving your waitlist place and telling you when we launch | Consent (given when you join the waitlist) |
| Creating and running your account, card, and crew | Contract performance |
| Storing and displaying the evidence you submit | Contract performance |
| Confirming parental consent for under-18 accounts | Legal obligation / contract performance |
| Sending safeguarding notifications to a linked parent | Legal obligation (child protection) |
| Processing payments for paid tiers | Contract performance |
| Sending service emails (confirmations, account notices) | Contract performance |
| Preventing fraud, abuse, and referral gaming | Legitimate interest |
| Service improvement and analytics | Legitimate interest (and consent where cookies are involved) |
| Legal compliance and disputes | Legal obligation |
4. Children's Data and Safeguarding
Ball or Bench is for players of all ages, and some of them are under 18. We take protecting younger players seriously, and we have designed the account model around that from the start.
4.1 Minimum age and age bands
The first thing anyone does when signing up is tell us their age band. We use this to decide what an account can and cannot do:
| Age | Account type | Video upload | Crew feed | Public feed |
|---|---|---|---|---|
| 18+ | Self-managed | Yes | Yes | Yes (opt-in) |
| 13-17 | Self-managed, parent linked | Yes | Yes (private by default) | Locked, even with parent consent |
| Under 13 | Parent-managed (the account belongs to the parent; the child is a player on it) | Goes to a parent moderation queue first | Visible only after the parent approves each post | Locked permanently |
4.2 Parental consent flow
- 13-17: we ask for a parent or guardian's email at signup. They receive a one-time message confirming the signup. The young person can post evidence to their private crew, but never to a public feed.
- Under 13: the account is set up and held by the parent. The child is added as a player on the parent's account. We do not create a standalone account for a child under 13.
- Until a parent confirms (via a single-click signed link), an under-18 account is held in a pending state: no card is created, no crew is joined, and no evidence can be uploaded.
4.3 Safeguarding notifications
When an under-18 player's tier drops (for example, after missing training), we notify the linked parent by email. This is a private message to the parent, never a public post or a crew broadcast. It mirrors how a school notifies a parent, not how a social network notifies followers.
5. Data Sharing and Third Parties
We share personal data with the following service providers, only as needed to run the service:
- Supabase (USA): database hosting and authentication
- Coolify on Hetzner (Germany, EU): application hosting
- Stripe (USA): payment processing (paid tiers)
- 360TFT Hub / Resend (USA): email delivery for service and waitlist messages
- Google (USA): sign-in, if you choose to sign in with Google, and analytics (only with your cookie consent)
We do not sell your personal data. We do not share a child's data with any advertising platform. We may disclose data if required by law, court order, or to protect the safety of a user, particularly where a child's welfare is at risk.
6. International Data Transfers
Some of our providers are based in the United States. Where data is transferred outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, Standard Contractual Clauses, and the UK extension to the EU-US Data Privacy Framework. You can ask us for more detail at any time.
7. Data Retention
- Waitlist data: kept until launch and for a reasonable period after, or until you ask us to remove you
- Account data: kept until you delete your account, plus up to 30 days in backups
- Evidence media (photos/video): kept while your account is active; deleted when you delete the post or your account
- Payment records: 7 years (legal requirement)
After the retention period, data is securely deleted or anonymised.
8. Your Rights
Under UK GDPR you have the right to access, correct, delete, restrict, or port your data, and to object to certain processing or withdraw consent. For a child's account, a parent or guardian can exercise these rights on the child's behalf. To exercise any right, email admin@360tft.com and we will respond within one month.
You can also complain to the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk · Helpline: 0303 123 1113
9. Data Security
- Encryption in transit (TLS/HTTPS) and at rest
- Access controls and authentication
- Row-level security on our database
- Regular security reviews
No method of transmission over the internet is completely secure, so we cannot guarantee absolute security, but we take the protection of your data seriously.
10. Data Breach Notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and will tell you directly without undue delay if the risk to you is high.
11. Cookies and Tracking
At the waitlist stage we use only essential cookies needed to run the site. When the full app launches we will add analytics (Google Analytics 4) and any other non-essential cookies behind a consent banner, so they only load if you accept them. You can change your choice at any time.
12. Changes to This Policy
We may update this policy from time to time. If we make material changes we will update the "Last updated" date and, where appropriate, notify you by email or with a notice on the site.
13. Contact Us
SVMS Consultancy Limited
Company Number: SC514512 (Scotland)
Trading as: 360TFT / Ball or Bench
Registered Office: 11 Dudhope Terrace, Dundee, Scotland, DD3 6TS
Email: admin@360tft.com