1. Who we are
Goality Sport Group OÜ (registry code 17232252) is a company registered in Estonia that operates the Goality TMC platform — a tournament management system for sports organisations. Our registered address is Tallinn, Estonia.
2. Data Controllers
Tournament Organiser
Primary data controller for all tournament-related personal data. Responsible for decisions regarding data collected during registration and participation.
Goality Sport Group OÜ (17232252)
Data processor providing the Goality TMC platform. Also an independent data controller for account and authentication data (Google / Facebook OAuth).
3. What data we collect
- Account data: name, email address, profile picture (via Google or Facebook login)
- Club and team data: club name, city, country, contact information
- Tournament data: registrations, match results, standings
- Technical data: IP address, browser type, device information — used for security, fraud prevention and essential service operation only. If analytics cookies are enabled via the consent banner, we may collect anonymised usage statistics; by default this is off.
- Player data: first name, last name and date of birth of players registered by a club. This is the minimum data needed to verify age categories and produce match reports. We do not actively solicit or require special category data (health, allergies, religion etc.). If an organiser chooses to collect such data through their own configuration, that organiser — not Goality — is the controller of that data and must obtain the appropriate legal basis independently.
- Payment data: transaction records, invoice data. Full card numbers, CVV and bank account numbers are never stored on our servers — they are handled directly by Stripe (see § 6).
4. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Tournament registration and administration | Contract performance |
| Authentication via Google / Facebook | Legitimate interests / consent |
| Hotel booking and logistics | Contract performance |
| Publishing names in match schedules | Legitimate interests |
| Financial accounting | Legal obligation |
| Marketing communications from Goality | Legitimate interests (opt-out available) |
5. How we use your data
We use your data to provide and improve our services: account authentication, tournament management, communication about your registrations, and platform analytics. We do not sell your personal data to third parties.
6. Third-party processors
We rely on the following processors to run the service. Each has its own privacy policy, which we encourage you to read.
| Processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing | Ireland / USA |
| Google LLC | Social login (OAuth 2.0) | USA |
| Meta Platforms Ireland Ltd. | Social login (OAuth 2.0) | Ireland / USA |
| Our hosting provider (VPS, EU) | Application and database hosting | European Union |
| SMTP email relay (self-hosted) | Transactional email (registrations, invites) | European Union |
We do not run Google Analytics or third-party behavioural tracking by default. If this changes, we will update this policy and require fresh consent through the cookie banner.
7. International data transfers
Some of our processors (Stripe, Google, Meta) are located outside the European Economic Area, including in the United States. Where data is transferred outside the EEA, we rely on one or more of the following safeguards recognised under GDPR Chapter V:
- The EU-US Data Privacy Framework adequacy decision (Commission Decision C(2023) 4745) where the recipient is certified
- Standard Contractual Clauses (2021/914) incorporated in our processor agreements
- Your explicit consent where no other safeguard applies
8. Cookies
We use the minimum set of cookies required for the service. A consent banner is shown on your first visit. You can revisit your choice at any time via the footer link.
| Cookie | Purpose | Duration |
|---|---|---|
| Session / JWT auth | Keep you signed in (strictly necessary) | Session / up to 30 days |
| goality_cookie_consent | Record your cookie preferences | 365 days |
| Stripe cookies | Fraud prevention during checkout (set by Stripe) | Varies |
9. Data retention
We retain your personal data for as long as your account is active. If you request deletion, we will remove your personal data without undue delay and in any case within 30 days of receipt. Financial and accounting records (invoices, payment receipts) are retained for 7 years as required by the Estonian Accounting Act (Raamatupidamise seadus § 12).
10. Your rights (GDPR)
- Access the personal data we hold about you (Art. 15)
- Correct inaccurate or incomplete data (Art. 16)
- Request deletion (Art. 17) — see our Data Deletion page
- Object to processing based on legitimate interests (Art. 21)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Withdraw consent at any time — this does not affect the lawfulness of processing before withdrawal
- Lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee) or your local supervisory authority