Privacy Policy

Version 1.0  ·  Effective date: June 2026  ·  Data controller: RugbyGo (KVK 82520313)

1. Who we are Controller

CoachCraft is operated by:

RugbyGo
Groninger Meeuwlaan 89, Barneveld, Netherlands
KVK registration: 82520313
Data protection contact: admin@rugbycraft.com

RugbyGo is the data controller for all personal data processed through the CoachCraft platform.

2. What data we collect

CategoryExamplesSource
Account dataName, email address, role, club affiliationProvided by the user on registration
Coaching contentSession plans, drills, team structures, attendanceEntered by coaches within the platform
Player recordsPlayer name, position, performance notesEntered by club administrators or coaches
Health & injury dataWellness scores, injury details, rehabilitation notesEntered by authorised coaches only, with explicit player consent
Usage dataLogin timestamps, feature access logs, IP addressCollected automatically by the platform

3. Legal basis for processing

Processing activityLegal basisGDPR article
Account management and core platform accessContract — necessary to provide the service you signed up forArt. 6(1)(b)
Player performance records and coaching toolsContract — core functionality of the platformArt. 6(1)(b)
Health and injury data recordingExplicit consent — required separately from the player before recordingArt. 9(2)(a)
AI-assisted session planningLegitimate interest — coaching assistance tools; no personal player data transmittedArt. 6(1)(f)
Security audit logsLegal obligation — maintaining records of data accessArt. 6(1)(c)
Responding to data subject rights requestsLegal obligationArt. 6(1)(c)

4. How we use your data

We use the data we collect to:

We do not use your data for advertising, profiling for commercial purposes, or any purpose incompatible with those listed above.

5. Data sharing and sub-processors

We share personal data only with the sub-processors listed below, each engaged under a written Data Processing Agreement:

Sub-processorPurposeLocationTransfer mechanism
Google LLC (Firebase / Google Cloud) Platform infrastructure, database, authentication, file storage EU (europe-west4 — Netherlands) EU–US Data Privacy Framework; Google Cloud DPA
Anthropic PBC AI-assisted coaching session plan generation USA Standard Contractual Clauses (SCCs); Anthropic Data Processing Addendum (effective 24 Feb 2025). No personal player data or Special Category data is transmitted.

We do not sell personal data. We do not share data with third parties for their own marketing purposes.

6. International transfers

Your data is stored primarily within the EU (Google Cloud europe-west4, Netherlands). AI-assisted features involve processing by Anthropic in the United States. This transfer is covered by Standard Contractual Clauses (EU Commission Decision 2021/914, Module Two: controller to processor), incorporated into the Anthropic Data Processing Addendum.

No Special Category (health or injury) data is included in requests to Anthropic.

7. Data retention

Data typeRetention periodReason
Account dataDuration of account + 2 yearsContractual and legal basis
Coaching session recordsDuration of club subscription + 2 yearsOperational necessity
Player records (non-health)Duration of active membership + 2 yearsOperational necessity
Health & injury recordsDuration of active membership + 3 yearsWelfare duty of care; legal claims window
Security audit logs3 yearsGDPR Art. 5(2) accountability; incident investigation
Consent recordsDuration of processing + 6 yearsEvidentiary record of lawful processing
AI session plan dataNot retained by Anthropic beyond immediate responseZero-retention API configuration

When data reaches the end of its retention period, it is deleted automatically from production systems. Backup copies are purged within 90 days of the deletion date.

8. Your rights

Under GDPR, you have the following rights in relation to your personal data:

Access (Art. 15)

Request a copy of the personal data we hold about you.

Rectification (Art. 16)

Request correction of inaccurate or incomplete data.

Erasure (Art. 17)

Request deletion of your data where there is no overriding legal basis to retain it.

Restriction (Art. 18)

Request that we limit processing while a dispute is resolved.

Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Objection (Art. 21)

Object to processing based on legitimate interest.

Withdraw consent

Where processing is based on consent, withdraw it at any time without affecting prior processing.

Complaint (Art. 77)

Lodge a complaint with your national supervisory authority.

To exercise any right, contact us at admin@rugbycraft.com. We will respond within one month.

9. Youth players (under 16)

CoachCraft does not currently permit onboarding of clubs with players under 16 without a prior written arrangement with RugbyGo. If your club includes youth players, contact us at admin@rugbycraft.com before adding any player data for those individuals.

Where youth player data is processed under a prior arrangement, parental or guardian consent is required for all data collection, and a specific DPIA must be completed before onboarding. Processing of youth player wellness or health data requires explicit parental consent.

10. AI and automated processing

CoachCraft uses Anthropic's Claude AI to provide coaching session plan suggestions. When a coach uses this feature:

Some clubs and unions using CoachCraft may optionally connect their own third-party AI services by configuring a club-owned API key within the platform settings. Where a club does this, CoachCraft (RugbyGo) is not the data controller or processor for the personal data submitted to that club's AI service — the club is. Clubs are solely responsible for the data protection compliance of their own AI integrations, including entering into appropriate agreements with their AI provider and ensuring data subjects are informed. RugbyGo does not access, store, or process any data submitted by a club through its own AI integration.

11. Data security

We implement the following technical and organisational security measures:

In the event of a personal data breach, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware, and notify affected individuals without undue delay where the breach poses a high risk to their rights and freedoms.

12. Changes to this policy

We will notify all registered users of material changes to this Privacy Policy via email and in-app notification at least 14 days before changes take effect. The current version number and effective date are shown at the top of this page.

For non-material changes (formatting, typo corrections), we will update the page without advance notice. The version number will not change for non-material edits.

13. How to make a complaint

Contact us first

If you have concerns about how we handle your data, please contact us — we aim to resolve all queries within one month.

admin@rugbycraft.com

If you remain dissatisfied, you have the right to lodge a complaint with your national supervisory authority:

CountryAuthorityWebsite
NetherlandsAutoriteit Persoonsgegevensautoriteitpersoonsgegevens.nl
BelgiumGegevensbeschermingsautoriteitgegevensbeschermingsautoriteit.be
IrelandData Protection Commissiondataprotection.ie
United KingdomInformation Commissioner's Officeico.org.uk
FranceCNILcnil.fr