Privacy Policy
This Privacy Policy explains how Klubbio ("we", "us", or "our") collects, uses, stores, and shares personal data when you use our website and membership management platform (the "Service"). It applies to club administrators, club members, applicants, and site visitors.
1. Data controller
The data controller is Klubbio, located at Sarajevo, Bosna i Hercegovina. For privacy-related questions contact us at [email protected].
When a club uses Klubbio to manage its members, the club is the controller of its members' data, and Klubbio acts as a processor on the club's behalf.
2. What data we collect
2.1 Data you provide directly
- Account data: first name, last name, email, password (hashed), phone number, profile picture.
- Club data: name, logo, contact details, membership plans, pricing.
- Member data: date of birth, gender, citizenship, address (street, municipality, city, country), parent names, additional contact phone numbers, membership group. Health notes (e.g. blood type, medical alerts such as allergies or chronic conditions) are entered by the club only with the member's or parent's explicit consent — these are sensitive data used strictly for the member's safety during club activities.
- Payments: payment history, statuses, references. We do not store card details — they are handled by our payment partners.
- Communications: messages you send us via email or the support form.
2.2 Data collected automatically
- Technical data: IP address, device type, browser, language, operating system version.
- Usage data and telemetry: screens opened, actions and interactions inside the app, access times, diagnostics, error logs, and crash reports. This data is sent to Azure Application Insights for debugging and stability improvements, and is associated with your internal user ID (not your email address). We do not use it for advertising and do not share it with advertisers.
- Cookies and similar technologies: see section 8.
3. Purposes and legal basis
- Providing the Service (contract performance) — account creation, processing applications, managing memberships, sending notifications.
- Billing and invoicing (contract, legal obligation) — processing payments and issuing invoices.
- Customer support (legitimate interest) — responding to inquiries and resolving issues.
- Service improvement (legitimate interest) — usage analysis, debugging, feature development.
- Security (legitimate interest, legal obligation) — abuse prevention, fraud detection, legal compliance.
- Marketing (consent) — newsletters or product updates, only if you have opted in.
4. Data sharing
We do not sell your data. We share it only in the following cases:
- Service providers (processors): all of our processors are bound by written data processing agreements that meet GDPR Article 28. We currently use:
  - Microsoft Azure (Ireland, EU) — application hosting, database, file storage, and telemetry / error monitoring through Application Insights.
  - Cloudflare (US/EU) — DNS, CDN, DDoS protection, and static website hosting.
  - Postmark (US) — transactional email delivery (account confirmations, notifications, password resets).
- The club you belong to: your club's administrators have access to your member profile, payment status, and platform activity.
- Legal requests: when required by law, court, or a competent authority.
- Business transactions: in case of merger, acquisition, or asset sale, with prior notice to users.
5. Retention periods
We retain data only as long as necessary for the stated purposes:
- Active account data — while the account is active.
- After account deletion — up to 30 days in active systems, up to 90 days in backups.
- Financial records (invoices, payments) — up to 11 years, in line with applicable law.
- Logs and security records — up to 12 months.
6. Your rights
Under GDPR and applicable law, you have the right to:
- access the data we hold about you;
- rectify inaccurate data;
- erasure ("right to be forgotten");
- restrict or object to processing;
- data portability;
- withdraw consent at any time;
- lodge a complaint with the competent data protection authority.
Send requests to [email protected]. We respond within 30 days.
If you are a club member and want deletion or correction, contact your club's administrator first, as the club is the controller of your data.
7. Security
We apply technical and organizational safeguards: encryption in transit (TLS), password hashing, access controls, regular backups, access logging, and restricting access to authorized personnel. No system is 100% secure, and we cannot guarantee absolute security.
8. Cookies
We use necessary cookies for the app to function (session, authentication) and analytics cookies to understand usage (only with consent where legally required). You can block or delete cookies via your browser settings.
9. Children
Klubbio is used by clubs where children train and learn (for example, youth football, basketball, dance, chess, and other clubs). We comply with Google Play's Families policy and apply additional safeguards for the data of young members.
How parental consent is collected:
- Minors cannot register themselves in Klubbio — an account is created only by the club administrator after the club receives a signed enrollment form or another contractual document.
- Before entering a child's data into Klubbio, the club is required to obtain written or electronic consent from the parent or guardian. That consent covers basic data (name, date of birth, address, contact) as well as any sensitive data (blood type, medical alerts) that the child or parent voluntarily provides for safety during club activities.
- The club retains proof of consent (signed enrollment form, email confirmation, or a record in the club's system) and must produce it on request by us or by a competent authority.
- Parents can withdraw consent, correct, or request deletion of their child's data at any time by contacting the club, emailing [email protected], or using the form at /en/delete-account.
- We do not use children's data for advertising, we do not profile them, and we do not share it with advertisers.
For members over 16, the standard processing described in this policy applies. In jurisdictions where local law sets a different age of consent (for example, 13 or 14), we apply whichever threshold is more favorable to the user.
10. Changes to this policy
We may update this policy from time to time. We'll notify you of material changes via the app or email. The "last updated" date at the top always shows the current version.
11. Contact
For any questions about this policy or your data, reach us at [email protected].