Privacy policy

Last updated: May 5, 2026 · Version: pn-2026-05-05

1. Introduction

SportEvo ("we", "us", or "our") is a sports club management application that lets coaches, parents, players, and club staff organise and track sporting activities efficiently.

This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have regarding your personal data. The policy applies to use of the SportEvo mobile application and the related website.

By using our application you confirm that you have read and understood this Privacy Policy.

2. Data controller

For the purposes of Article 4 of the Personal Data Protection Act of the Republic of Serbia ("ZZPL") and Article 4(7) of the General Data Protection Regulation (GDPR), the controller of your personal data is:

  • Marko Pešić (natural person)
  • Address: 7.JULA 6, Smederevo
  • Email for privacy questions: privacy@sportevo.app

Sports clubs that use SportEvo ("clubs") enter data about their members through the platform. Clubs are responsible for the accuracy of the data they enter and for their relationship with their members and parents/guardians. The platform controller (SportEvo) determines the means and methods of processing at the platform level.

We have not appointed a Data Protection Officer (DPO), as the scope of processing does not exceed the legal threshold that would require one. Any questions regarding data protection can be sent to the email address above.

3. What data we collect

Account data

  • Email address
  • Password (stored in encrypted form)
  • Invitation code (for registration and role assignment within a club)

User personal data

  • First and last name
  • Phone number
  • Address, city, and country
  • Date of birth
  • Gender
  • Profile photo
  • Role in the application (administrator, club owner, coach, parent, staff)

Player data

  • First and last name
  • Date of birth
  • Gender and nationality
  • Contact information (email, phone, address)
  • Photo
  • Jersey number and team position
  • Date of joining the club
  • Membership type and amount

Health and physical data

  • Height and weight
  • Dominant leg
  • Allergies
  • Chronic illnesses
  • Medical examination documents (with expiry dates)

Parent/guardian data

  • First and last name
  • Email address (entered by the club when adding the child)
  • Phone number (optional; used as an emergency contact)

Parental consent data

  • Consent status
  • IP address and user agent (at the moment consent is given)
  • Timestamps (date consent was given/withdrawn)
  • Version of the consent text
  • Reason for withdrawal of consent (if applicable)

Location data

We collect location addresses only for event venues (training sessions, matches, etc.) via a specialised geocoding and address-search provider. We do not track user location and do not collect GPS data from user devices.

Push notifications

  • Push notification token (device identifier for delivering notifications)
  • Notification history (title, content, delivery status, read date)

Events and attendance

  • Event details (name, type, date, location)
  • Player attendance records
  • RSVP status (attendance confirmation)

Membership payment status

  • A monthly flag indicating whether the player's membership for that month is recorded as paid (only a yes/no status, with no amount, invoice, or proof of payment).

Files and attachments

  • Profile photos
  • Medical examination documents
  • Coach certificates and licences

Device data and activity logs

  • User agent (device and browser type)
  • Activity log (action type, user, timestamp)

5. Processing data of minors

The SportEvo application collects data about minor players. We pay particular attention to protecting children's data and apply the following measures.

Two separate levels of consent

We distinguish between two different things that are often conflated:

  1. Parent/guardian authorisation to enrol the child — a child cannot enter into a contract with the club on their own, so a parent or guardian confirms they are the legal guardian and accepts enrolment on the child's behalf. This is mandatory for participation in the club and is grounded in contract law, not consent in the sense of Article 6(1)(a) GDPR.
  2. Separate consent for processing health data — separate and optional. A parent can decline this consent and the child can still join the club. If consent is declined, no health data is entered or stored.

Authorisation procedure

  • Authorisation is obtained through a two-step email verification process — the parent first fills in a form, then confirms authorisation via a separate link sent to the email address entered by the club.
  • The parent or guardian can withdraw the authorisation or health-data consent at any time — by contacting the club or via the email address listed in the Contact section. Withdrawal is just as easy as giving consent, and the request is processed within 30 days.
  • We keep records of granted authorisations and consents, including IP address, user agent, and timestamp, for legal certainty. This record is processed on the basis of our legitimate interest in proving the lawfulness of processing.

6. Special categories of data (health data)

The application allows the following health data about a player to be entered:

  • Allergies
  • Chronic illnesses
  • Medical examination documents (PDF, with expiry date)

This data falls within special categories of personal data under Article 9 of the GDPR and Article 17 of the ZZPL. It is processed only with explicit, separate consent from the parent/guardian (or the player themselves if of age), for the purpose of monitoring health status and ensuring safe participation in sporting activities.

Declining this consent does not affect the child's membership in the club. If consent is not given, the health data input fields are disabled and no health data is stored.

A player's height and weight are not a special category of data under Article 9 of the GDPR, but they are treated with particular care and are entered only when relevant to sporting work with the player.

Consent for health data can be withdrawn at any time without consequences for membership. Following withdrawal, all of the child's health data (allergies, chronic illnesses, and medical examination documents) is deleted from the system.

7. How we use your data

We use your data for the following purposes:

  • Sports club management and administration
  • Player registration and membership records
  • Communication with users via push notifications and email
  • Organising events (training sessions, matches) and tracking attendance
  • Membership payment records
  • Tracking player health status and reminders for expired medical examinations
  • Error monitoring and improving application performance
  • Ensuring security and preventing abuse

8. Sharing data with third parties

We do not sell or rent your data to third parties. We share data only with service providers necessary for the operation of the application:

  • Infrastructure, database, and file storage (provider with EU-based servers) — storage of user data, authentication, server functions, and storage of profile photos, medical examination documents, and other attached files.
  • Location search (specialised geocoding and address-search provider) — searching for addresses of event venues.
  • Error monitoring (specialised provider with EU-based servers) — automatic reporting of application errors to improve quality. Active only in production, with a limited sampling rate.
  • Email notifications (specialised email service provider) — delivery of email messages for registration, consent confirmation, and notifications.
  • Push notifications (specialised push delivery provider) — delivery of push notifications to user mobile devices.

All listed service providers process data in accordance with their own privacy policies and are bound by contractual data-protection obligations.

9. International data transfers

Your data is primarily processed on servers in the European Union (our infrastructure and database provider, as well as the technical-error monitoring provider, use EU data centres). Some service providers may process data outside the EU, with appropriate safeguards in place such as standard contractual clauses.

10. Data security

We apply appropriate technical and organisational measures to protect your data:

  • Passwords are stored in encrypted (hashed) form
  • All communication is protected with HTTPS encryption
  • Access to data is restricted based on the user's role in the system
  • Database-level security rules (Row Level Security) are applied
  • Records of access and changes to data are maintained

11. Data breach notification

In the event of a data breach (unauthorised access, loss, or disclosure of your personal data), we will take the following measures:

  • We will notify the competent authority — the Commissioner for Information of Public Importance and Personal Data Protection — within 72 hours of becoming aware of the breach, in accordance with legal obligations.
  • If the breach may result in a high risk to your rights and freedoms, we will notify you directly via email or in-app notification, without undue delay.
  • We will take all necessary technical and organisational measures to remedy the consequences of the breach and prevent future incidents.

12. Data retention

We retain your data for as long as necessary for the purposes for which it was collected or as required by law. Specific retention periods:

  • User account data — for as long as you use the account. Following an account deletion request, data is permanently deleted within 30 days.
  • Player data — for as long as the player is an active club member. Following the end of membership, data is deleted within 30 days.
  • Player health data — deleted immediately upon withdrawal of consent or end of membership.
  • Consent and authorisation records — kept for up to 5 years after end of membership, for the purpose of proving the lawfulness of processing and in line with the limitation periods for any claims under the Law on Obligations.
  • Activity records (audit log) — up to 12 months, for security and abuse detection.
  • Push notification and message records — up to 30 days.
  • Membership payment status — the application records only whether the membership for a given month is marked as paid (no amount, invoice, or proof of payment). These records are deleted alongside the player's data when membership ends. The application does not process payments or keep accounting records; clubs maintain their own accounting documentation independently of this application.

You can request deletion of your account through the application (Settings → Delete account), by sending an email request, or by following the detailed procedure on the Account and data deletion page.

13. Your rights

In accordance with the Personal Data Protection Act of the Republic of Serbia and the GDPR, you have the following rights:

  • Right of access — you have the right to obtain information about which of your data we process.
  • Right to rectification — you have the right to request correction of inaccurate or incomplete data.
  • Right to erasure — you have the right to request deletion of your personal data.
  • Right to restriction of processing — you have the right to request that processing of your data be restricted.
  • Right to data portability — you have the right to request your data in a structured, commonly used, and machine-readable format.
  • Right to object — you have the right to object to the processing of your data.
  • Right to withdraw consent — you have the right to withdraw given consent for data processing at any time.
  • Right to lodge a complaint — you have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (Bulevar kralja Aleksandra 15, 11120 Belgrade; www.poverenik.rs; office@poverenik.rs).

To exercise any of these rights, please contact us via the email listed in the Contact section. We will respond within 30 days.

14. Cookies

Our website uses a minimal number of cookies that are necessary for the site to function. We do not use cookies for tracking or advertising.

The mobile application does not use cookies, but uses tokens for push notifications and local storage to keep session data.

15. Changes to this policy

We reserve the right to update this Privacy Policy from time to time. You will be notified of any significant changes through the application or via email. The last-updated date is always shown at the top of this page.

We recommend that you review this page periodically to stay up to date on how we protect your data.

16. Contact

For any questions regarding the protection of your personal data, exercising your rights, or any concerns about this Privacy Policy, you can contact us at:

We will respond to your request as soon as possible, and no later than 30 days from receipt of the request.