1. Who we are Controller
CoachCraft is operated by:
Groninger Meeuwlaan 89, Barneveld, Netherlands
KVK registration: 82520313
Data protection contact: admin@rugbycraft.com
RugbyGo is the data controller for all personal data processed through the CoachCraft platform.
2. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, role, club affiliation | Provided by the user on registration |
| Coaching content | Session plans, drills, team structures, attendance | Entered by coaches within the platform |
| Player records | Player name, position, performance notes | Entered by club administrators or coaches |
| Health & injury data | Wellness scores, injury details, rehabilitation notes | Entered by authorised coaches only, with explicit player consent |
| Usage data | Login timestamps, feature access logs, IP address | Collected automatically by the platform |
3. Legal basis for processing
| Processing activity | Legal basis | GDPR article |
|---|---|---|
| Account management and core platform access | Contract — necessary to provide the service you signed up for | Art. 6(1)(b) |
| Player performance records and coaching tools | Contract — core functionality of the platform | Art. 6(1)(b) |
| Health and injury data recording | Explicit consent — required separately from the player before recording | Art. 9(2)(a) |
| AI-assisted session planning | Legitimate interest — coaching assistance tools; no personal player data transmitted | Art. 6(1)(f) |
| Security audit logs | Legal obligation — maintaining records of data access | Art. 6(1)(c) |
| Responding to data subject rights requests | Legal obligation | Art. 6(1)(c) |
4. How we use your data
We use the data we collect to:
- Provide, maintain, and improve the CoachCraft platform
- Enable clubs to manage coaching sessions, player rosters, and team administration
- Support coaches in tracking player wellness and injury recovery (with player consent)
- Generate AI-assisted session plan suggestions (coaching context only — no personal player data)
- Maintain security audit logs and comply with legal obligations
- Communicate with you about your account and material changes to this policy
We do not use your data for advertising, profiling for commercial purposes, or any purpose incompatible with those listed above.
5. Data sharing and sub-processors
We share personal data only with the sub-processors listed below, each engaged under a written Data Processing Agreement:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC (Firebase / Google Cloud) | Platform infrastructure, database, authentication, file storage | EU (europe-west4 — Netherlands) | EU–US Data Privacy Framework; Google Cloud DPA |
| Anthropic PBC | AI-assisted coaching session plan generation | USA | Standard Contractual Clauses (SCCs); Anthropic Data Processing Addendum (effective 24 Feb 2025). No personal player data or Special Category data is transmitted. |
We do not sell personal data. We do not share data with third parties for their own marketing purposes.
6. International transfers
Your data is stored primarily within the EU (Google Cloud europe-west4, Netherlands). AI-assisted features involve processing by Anthropic in the United States. This transfer is covered by Standard Contractual Clauses (EU Commission Decision 2021/914, Module Two: controller to processor), incorporated into the Anthropic Data Processing Addendum.
No Special Category (health or injury) data is included in requests to Anthropic.
7. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Duration of account + 2 years | Contractual and legal basis |
| Coaching session records | Duration of club subscription + 2 years | Operational necessity |
| Player records (non-health) | Duration of active membership + 2 years | Operational necessity |
| Health & injury records | Duration of active membership + 3 years | Welfare duty of care; legal claims window |
| Security audit logs | 3 years | GDPR Art. 5(2) accountability; incident investigation |
| Consent records | Duration of processing + 6 years | Evidentiary record of lawful processing |
| AI session plan data | Not retained by Anthropic beyond immediate response | Zero-retention API configuration |
When data reaches the end of its retention period, it is deleted automatically from production systems. Backup copies are purged within 90 days of the deletion date.
8. Your rights
Under GDPR, you have the following rights in relation to your personal data:
Access (Art. 15)
Request a copy of the personal data we hold about you.
Rectification (Art. 16)
Request correction of inaccurate or incomplete data.
Erasure (Art. 17)
Request deletion of your data where there is no overriding legal basis to retain it.
Restriction (Art. 18)
Request that we limit processing while a dispute is resolved.
Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Objection (Art. 21)
Object to processing based on legitimate interest.
Withdraw consent
Where processing is based on consent, withdraw it at any time without affecting prior processing.
Complaint (Art. 77)
Lodge a complaint with your national supervisory authority.
To exercise any right, contact us at admin@rugbycraft.com. We will respond within one month.
9. Youth players (under 16)
Where youth player data is processed under a prior arrangement, parental or guardian consent is required for all data collection, and a specific DPIA must be completed before onboarding. Processing of youth player wellness or health data requires explicit parental consent.
10. AI and automated processing
CoachCraft uses Anthropic's Claude AI to provide coaching session plan suggestions. When a coach uses this feature:
- Only coaching context is sent to the AI — session objectives, drill types, team structure. No player names, health records, or personal information are transmitted.
- No automated decisions with legal or significant individual effects are made.
- All AI-generated suggestions are advisory only — coaching staff make all final decisions.
- Anthropic does not retain API query data beyond the immediate response.
Some clubs and unions using CoachCraft may optionally connect their own third-party AI services by configuring a club-owned API key within the platform settings. Where a club does this, CoachCraft (RugbyGo) is not the data controller or processor for the personal data submitted to that club's AI service — the club is. Clubs are solely responsible for the data protection compliance of their own AI integrations, including entering into appropriate agreements with their AI provider and ensuring data subjects are informed. RugbyGo does not access, store, or process any data submitted by a club through its own AI integration.
11. Data security
We implement the following technical and organisational security measures:
- All data encrypted in transit (TLS) and at rest (Google Cloud hardware-level encryption)
- Role-based access control enforced at the database level, not just the user interface
- Firebase App Check: every API request is verified as originating from a legitimate CoachCraft application
- Deny-by-default database rules: every data path is explicitly permitted or blocked
- Immutable server-side audit logs recording all access to sensitive and Special Category data
- Club workspace isolation: no cross-club data access is architecturally possible
In the event of a personal data breach, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware, and notify affected individuals without undue delay where the breach poses a high risk to their rights and freedoms.
12. Changes to this policy
We will notify all registered users of material changes to this Privacy Policy via email and in-app notification at least 14 days before changes take effect. The current version number and effective date are shown at the top of this page.
For non-material changes (formatting, typo corrections), we will update the page without advance notice. The version number will not change for non-material edits.
13. How to make a complaint
Contact us first
If you have concerns about how we handle your data, please contact us — we aim to resolve all queries within one month.
If you remain dissatisfied, you have the right to lodge a complaint with your national supervisory authority:
| Country | Authority | Website |
|---|---|---|
| Netherlands | Autoriteit Persoonsgegevens | autoriteitpersoonsgegevens.nl |
| Belgium | Gegevensbeschermingsautoriteit | gegevensbeschermingsautoriteit.be |
| Ireland | Data Protection Commission | dataprotection.ie |
| United Kingdom | Information Commissioner's Office | ico.org.uk |
| France | CNIL | cnil.fr |