Sphaira Tech
Legal

Privacy Policy

Last updated: March 7, 2026

1. Data controller

In compliance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), we inform you that the data controller is:

  • Controller: Alejandro Espinosa López
  • Tax ID (NIF): 48649484E
  • Registered address: Calle Federico García Lorca 3, 30009, Murcia, Spain
  • Email: info@sphairatech.com
  • Website: https://sphairatech.com

For data protection queries, write to info@sphairatech.com (subject: “Data Protection / GDPR”).

2. Personal data we collect

Depending on the user's relationship with Sphaira Tech and how they use the platform, we may collect the following categories of data:

2.1. Identification and contact data

  • Full name
  • Email address
  • Phone number
  • Residential address
  • National ID / Passport (when required for federation procedures)
  • Date of birth
  • Profile photo

2.2. Data relating to minors

  • Minor's full name
  • Date of birth
  • Sports data (team, position, squad number)
  • Photos
  • Sports health data (medical check-ups, injuries, allergies)
  • Sports performance data (statistics, assessments, attendance)
  • Legal guardian data (name, contact, relationship with minor)

2.3. Health data

  • Medical certificates and fitness reports
  • Injury records and progress
  • Allergies and intolerances
  • Medically relevant information for sports practice

2.4. Biometric data

  • Fingerprint and/or facial recognition data used exclusively for unlocking the mobile app on the user's device
  • This data is processed and stored locally on the device (iOS Keychain / Android Keystore) and is never transmitted to our servers

2.5. Financial and payment data

  • Payment history for fees
  • Bank card data (processed directly by Stripe; Sphaira Tech does not store full card numbers)
  • Billing data (name, tax address, tax ID)
  • Subscription status and plan

2.6. Sports and performance data

  • Individual and team statistics
  • Coach assessments and evaluations
  • Training and match attendance
  • Squad calls and confirmations
  • GPS training data (coordinates, distance, speed) when the user voluntarily enables this feature

2.7. Audiovisual data

  • Match and training videos
  • Live broadcasts (YouTube Live, Twitch)
  • Photos of players, teams and events

2.8. Technical and browsing data

  • IP address
  • Device type, operating system and browser
  • Push notification tokens
  • App and web usage data
  • Cookies (detailed in our Cookie Policy)

3. Purposes of processing

We process your personal data for the following purposes:

PurposeLegal basis (GDPR)Data processed
User account management and platform accessArt. 6.1.b) Contract performanceIdentification, contact, credentials
Sports management: teams, squads, training, matches, call-ups, calendarArt. 6.1.b) Contract performanceSports, identification, attendance
Fee management, payments and invoicingArt. 6.1.b) Contract performanceFinancial, identification
Communications between club, coaches, players and legal guardiansArt. 6.1.b) Contract performanceContact, message content
Sending push notifications about events, call-ups, payments and updatesArt. 6.1.b) / Art. 6.1.a) ConsentDevice tokens, notification content
Processing health data for injury management, medical check-ups and fitnessArt. 9.2.a) Explicit consentHealth data
Management of sports and federation documentationArt. 6.1.b) / Art. 6.1.c) Legal obligationDocuments, identification, federation data
Recording and storing match and training videosArt. 6.1.a) Consent / Art. 6.1.f) Legitimate interestAudiovisual, sports
Live streaming to external platforms (YouTube, Twitch)Art. 6.1.a) Explicit consentAudiovisual, third-party accounts
GPS tracking during individual training sessionsArt. 6.1.a) Explicit consentGeolocation, performance
Report generation and analysis using AIArt. 6.1.b) / Art. 6.1.a) ConsentSports, statistical, tactical
Biometric authentication (fingerprint/Face ID) in the mobile appArt. 6.1.a) Consent (voluntary activation)Biometric (stored locally)
Sending commercial communications and newslettersArt. 6.1.a) ConsentContact, preferences
Compliance with legal obligations (tax, commercial, child protection)Art. 6.1.c) Legal obligationIdentification, financial, documentation
Statistical analysis of platform usage (web analytics)Art. 6.1.a) ConsentAnonymised technical data, browsing behaviour
Service improvement, bug fixes and new feature developmentArt. 6.1.f) Legitimate interestTechnical, platform usage

4. Processing of minors' data

Sphaira Tech applies the following enhanced safeguards for data relating to minor athletes:

4.1. Mandatory parental consent

  • Under-18s may not register on Sphaira Tech. Parents or legal guardians always register and enter minors' data into the platform.
  • The sports club must obtain and retain explicit consent from the parent or legal guardian before entering the minor's data into the platform.
  • Sphaira Tech provides mechanisms for clubs to document and record such consent within the platform.

4.2. Data minimisation principle

  • Only data strictly necessary for the minor's sports management is collected.
  • The minor's health data is only processed with the legal guardian's explicit consent.
  • The minor's photos are only used for identification within the platform, unless additional specific consent is given.

4.3. Legal guardians' rights

  • Parents or legal guardians may exercise the rights in section 8 on behalf of the minor at any time.
  • They may request access, rectification, erasure or portability of their child's data.
  • They may withdraw consent at any time, which will result in deletion of the minor's data from the platform within a maximum of 30 days.

4.4. Additional protection measures

  • Minors' data is subject to enhanced access controls within the platform.
  • Only authorised club staff have access to minors' data within their teams.
  • Videos and photos of minors are stored on EU-based servers with encryption at rest.
  • No automated decision-making or profiling is performed on minors' data without human oversight.

5. Joint responsibility with sports clubs

Sphaira Tech acts as a data processor (Art. 28 GDPR) with respect to personal data entered by sports clubs into the platform. The sports club is the data controller for the data of its players, coaches, staff and families.

Sphaira Tech makes available to clubs a Data Processing Agreement (DPA) governing each party's obligations. Clubs using the platform accept the terms of this agreement, available upon request at info@sphairatech.com.

5.1. Sports club obligations

The sports club, as data controller, undertakes to:

  • Obtain informed consent from those concerned (or their legal guardians) before entering their data into Sphaira Tech.
  • Inform data subjects about the processing of their data in accordance with the GDPR and LOPDGDD.
  • Ensure that only authorised personnel can access data on the platform.
  • Not use data stored in Sphaira Tech for purposes other than the club's sports management.

6. Recipients and data processors

Your data may be shared with the following recipients or data processors:

6.1. Data processors (technology providers)

ProviderPurposeData locationData processed
Stripe, Inc.Payment processing, fee collection, subscriptionsEU (with guarantees for US — EU-US Data Privacy Framework)Payment data, email, name
Firebase / Google LLCPush notification delivery (Firebase Cloud Messaging)EU (with guarantees for US)Device tokens, notification content
OpenAI, Inc.AI assistant, tactical analysis, report generation. Data is pseudonymised before sending (PLAYER_1, TEAM_1, etc.)US (EU-US Data Privacy Framework)Pseudonymised sports data. No real identifiable names are ever sent
Backblaze, Inc.Storage of match and training videosEU (eu-central)Video files
Google (Gmail SMTP)Email delivery (verification, password recovery, notifications)EU (with guarantees for US)Recipient email, message content
Resend, Inc.Transactional email delivery (confirmations, alerts, system communications)US (EU-US Data Privacy Framework)Recipient email, message content
Google Analytics 4 / Google LLCStatistical analysis of website usage. Only activated with express consent. IP anonymised, Consent Mode v2 enabledEU (with guarantees for US)Anonymised technical data (IP, device, browser, pages visited)
Microsoft Clarity / Microsoft Corp.Visual analysis of website usage (heatmaps, anonymised session recordings). Only activated with express consentUS (Standard Contractual Clauses — SCC)Anonymised technical data (browsing behaviour, clicks, scrolling)
Activa Network (Hosting)Hosting of the main databaseEuropean Union (France)All data stored on the platform

6.2. Third-party services voluntarily activated by the user

The following services only process data when the user expressly enables them from the app:

  • YouTube Live / Twitch: for live streaming. Requires an OAuth connection voluntarily initiated by the user.
  • Google Drive: for video import. Requires explicit OAuth authorisation.
  • GPS: for individual tracking sessions. Requires express activation for each session.
  • Voice recognition: processed locally by the device's operating system. No audio is sent to Sphaira Tech servers.
  • Biometric authentication: processed and stored locally on the device. Sphaira Tech has no access to biometric data.

6.3. Data sharing under legal obligation

We may share your data with:

  • Public authorities and official bodies where a legal obligation exists.
  • Sports federations where necessary to meet the club's federation obligations.
  • Law enforcement agencies upon judicial order.

7. International data transfers

Sphaira Tech's main database is hosted on servers within the European Union. However, some data processors are based in the United States.

In all cases, international transfers are carried out under one of the following safeguards:

  • EU-US Data Privacy Framework: Stripe, Google, OpenAI, Resend and other providers have joined this framework, recognised as adequate by the European Commission.
  • Standard Contractual Clauses (SCC): where a provider is not covered by the above framework, the SCCs approved by the European Commission (Decision 2021/914) apply.
  • Explicit consent: for optional integrations (YouTube, Twitch, Google Drive), the user expressly authorises the transfer by enabling the connection.

You may request additional information about the safeguards applicable to each transfer by writing to info@sphairatech.com.

8. Your rights

Under the GDPR, you have the following rights:

RightDescription
AccessTo obtain confirmation of whether your data is being processed and, if so, to access it.
RectificationTo request correction of inaccurate or incomplete data.
ErasureTo request deletion of your data when it is no longer necessary for the purpose for which it was collected.
ObjectionTo object to the processing of your data in certain circumstances.
PortabilityTo receive your data in a structured, commonly used format and to transmit it to another controller.
RestrictionTo request restriction of processing in the cases provided for in the GDPR.
Withdrawal of consentTo withdraw your consent at any time, without affecting the lawfulness of processing based on consent given before withdrawal.
Not to be subject to automated decisionsNot to be subject to decisions based solely on automated processing, including profiling, that produces legal effects or significantly affects you.

To exercise any of these rights, send an email to info@sphairatech.com (subject: “GDPR Rights Request”) stating the right you wish to exercise and enclosing a copy of your identity document. We will respond within a maximum of 30 days.

If you consider that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with the supervisory authority in your country of residence.

9. Data retention

Personal data will be retained for the following periods:

Data typeRetention period
User account dataWhile the account is active. After cancellation, blocked for 5 years to comply with legal obligations.
Minors' dataWhile the minor belongs to the club. After leaving, deleted within 30 days, except where legally required to retain.
Health dataWhile necessary for sports management. Deleted within 30 days of the player leaving or consent being withdrawn.
Financial data5 years in accordance with tax and commercial regulations.
Videos and audiovisual materialWhile the club maintains an active subscription. The club may delete them at any time from the platform.
Browsing data and cookiesAs stated in the Cookie Policy.
Commercial communicationsUntil consent is withdrawn.

Once retention periods expire, data will be securely deleted or, where possible, irreversibly anonymised for statistical purposes.

10. Security measures

Sphaira Tech implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:

10.1. Technical measures

  • Encryption in transit: all communications use HTTPS/TLS.
  • Encryption at rest: data stored uses AES-256 encryption.
  • Secure authentication: passwords stored with bcrypt hashing. Biometric authentication supported as a second factor.
  • JWT tokens: sessions managed via JWT tokens with configurable expiry and secure signing.
  • Role-based access control (RBAC): each user only accesses data corresponding to their role.
  • Payment data tokenisation: card data processed exclusively by Stripe via PCI-DSS Level 1 tokenisation.
  • Local biometric storage: biometric data stored exclusively on the user's device.

10.2. Organisational measures

  • Minimum access policy: staff access only data strictly necessary for their role.
  • Regular team training on data protection.
  • Security breach management procedures in accordance with Article 33 GDPR.
  • Data Protection Impact Assessments (DPIAs) for high-risk processing (minors' or health data).
  • Confidentiality agreements with all staff and data processors.

11. Use of artificial intelligence

Sphaira Tech uses AI services (OpenAI) for advanced features such as tactical analysis, report generation and coaching assistance.

  • All data sent to AI services is automatically pseudonymised before sending: player names are replaced by codes (PLAYER_1), teams by TEAM_1, coaches by COACH_1, etc.
  • Clinical and health texts undergo the same pseudonymisation process.
  • OpenAI acts as a data processor under its DPA, committing to not use data to train its models (API Data Usage Policy).
  • No automated decisions with legal effects are made based solely on AI output.
  • Minors' data sent to AI services is processed with enhanced pseudonymisation and data minimisation. No real identifiable names of minors are ever sent to external AI services.

12. Cookie policy (summary)

Sphaira Tech uses cookies and similar technologies for basic website operation and user experience improvement. For detailed information, see our full Cookie Policy.

  • Essential cookies: necessary for the platform to function.
  • Functional cookies: improve user experience.
  • Analytics cookies: generate anonymous usage statistics (Google Analytics 4, Microsoft Clarity). Only activated with your express consent.
  • Third-party cookies: generated by integrated services (Stripe, Google Fonts). You can manage your consent from the cookie banner.

13. Amendments to this privacy policy

Sphaira Tech reserves the right to amend this policy to adapt it to legislative, jurisprudential or industry practice developments. In case of substantial changes, we will notify you via:

  • A prominent notice on the platform.
  • An email notification to registered users.
  • A push notification in the mobile app.

We recommend reviewing this policy periodically. The date of the latest update is indicated at the top of the document.

14. Rights specific to your country or territory

In addition to the rights recognised by the GDPR (section 8), users located outside the European Union may have additional rights under their local legislation:

14.1. United Kingdom (UK GDPR)

UK residents are protected by the UK GDPR and the Data Protection Act 2018. The supervisory authority is the Information Commissioner's Office (ICO).

14.2. California, USA (CCPA / CPRA)

California residents have additional rights under the CCPA and CPRA. Sphaira Tech does not sell personal data. To exercise your CCPA rights, contact info@sphairatech.com (subject: “CCPA Rights Request”).

14.3. Brazil (LGPD)

Brazilian residents are protected by the Lei Geral de Proteção de Dados (LGPD). The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD).

14.4. Canada (PIPEDA)

Canadian residents are protected by the Personal Information Protection and Electronic Documents Act (PIPEDA). The supervisory authority is the Office of the Privacy Commissioner of Canada (OPC).

14.5. Australia (Privacy Act 1988)

Australian residents are protected by the Privacy Act 1988 and the Australian Privacy Principles (APPs). The supervisory authority is the Office of the Australian Information Commissioner (OAIC).

To exercise any right derived from your local legislation, contact us at info@sphairatech.com indicating your country of residence and the right you wish to exercise.

15. Contact

For any query or request relating to this privacy policy or to the processing of your personal data:

  • Contact email: info@sphairatech.com
  • Data protection / GDPR email: info@sphairatech.com (subject: “Data Protection”)
  • Phone/WhatsApp: +34 623 91 17 72

Spanish Data Protection Agency (AEPD): you may lodge a complaint at www.aepd.es or at C/ Jorge Juan, 6, 28001 Madrid.