Privacy Policy

1. Introduction

This Privacy Policy describes how LineupDesigner (operated by LMCE Sweden AB, org. nr 559XXX-XXXX, Sweden) collects, uses, and protects your personal data. We comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the US Children's Online Privacy Protection Act (COPPA).

2. Data Controller

LMCE Sweden AB is the data controller for the processing of your personal data. Contact: privacy@lineupdesigner.com. Our registered address is in Sweden.

3. What Data We Collect

We collect the following categories of personal data:

Account Data

• Name and email address (provided at registration or via Google OAuth)
• Profile picture (if signing in with Google)
• Organization or club name (optional)
• Payment and billing information (processed and stored by Stripe; we do not store card numbers)

Application Data

• Player information you enter (first name, last name, jersey number, birth year, position, handedness)
• Lineup formations, training groups, and match rosters
• Pairing statistics and saved lineups

Technical Data

• IP address, browser type, and device information (collected automatically by our hosting provider)
• Session cookies and authentication tokens
• Error logs for service reliability (no personal identifiers stored in logs)

4. How We Use Your Data

• Provide, maintain, and improve the service
• Manage your account, authentication, and subscription
• Send transactional emails (account verification, password reset, billing receipts)
• Analyze anonymized usage patterns to improve the product (no personal data is used for analytics)
• Provide AI-powered support and process feedback you submit to improve the service

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal bases under GDPR Article 6:

• Performance of contract (Art. 6(1)(b)): To provide the service you have subscribed to
• Legitimate interest (Art. 6(1)(f)): To maintain security, prevent fraud, and improve the service
• Consent (Art. 6(1)(a)): For optional marketing communications (can be withdrawn at any time)

6. Third-Party Services

We use the following third-party services that may process personal data as data processors on our behalf. We have Data Processing Agreements (DPAs) in place with each provider to ensure your data is handled in accordance with GDPR:

• Supabase - Database, authentication, and storage (servers in EU, SOC 2 Type II certified)
• Stripe - Payment processing (PCI DSS Level 1 certified, no card data reaches our servers)
• Vercel - Hosting, CDN, and serverless functions (global edge network)
• Resend - Transactional email delivery
• Google - OAuth authentication (if you choose to sign in with Google)
• Anthropic - AI-powered support chat (conversations are processed by Anthropic's Claude API; no personal account data is sent — only the messages you type in the support chat)

7. International Data Transfers

Your data is primarily stored in EU-based servers (Supabase). Some processing occurs in the US through Vercel (hosting), Stripe (payments), and Resend (email). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, and each provider maintains appropriate certifications (SOC 2, PCI DSS). By using the service from outside the EU, you consent to the transfer of your data to Sweden and the EU.

8. Data Retention

We store your data as long as your account is active. Upon account deletion, personal data is removed within 30 days. Exceptions: billing records are retained for 7 years as required by Swedish accounting law (Bokföringslagen), and anonymized aggregate data may be retained indefinitely. Stripe retains payment data according to their own retention policy.

9. Your Rights (GDPR)

Under GDPR, you have the following rights. To exercise them, contact privacy@lineupdesigner.com. We will respond within 30 days.

• Access (Art. 15) - Request a copy of all personal data we hold about you
• Rectification (Art. 16) - Correct inaccurate or incomplete data
• Erasure (Art. 17) - Request deletion of your personal data ("right to be forgotten")
• Data portability (Art. 20) - Receive your data in a structured, machine-readable format (JSON)
• Objection (Art. 21) - Object to processing based on legitimate interest

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know what personal information we collect, use, and disclose
• Right to delete your personal information
• Right to opt-out of the sale or sharing of personal information
• Right to non-discrimination for exercising your privacy rights

We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use your data for cross-context behavioral advertising. To exercise your rights, contact privacy@lineupdesigner.com.

11. Canadian Privacy Rights (PIPEDA)

If you are a Canadian resident, you have rights under PIPEDA including the right to access your personal information, challenge its accuracy, and withdraw consent for its collection and use. We collect, use, and disclose personal information only for purposes a reasonable person would consider appropriate. To file a complaint, contact the Office of the Privacy Commissioner of Canada (priv.gc.ca).

12. Children's Privacy

LineupDesigner accounts are intended for adult coaches and team managers (18+). The service is not directed at children. We do not knowingly collect personal information directly from children under 13 (COPPA) or under 16 (GDPR).

Coaches may enter player data for minors (names, birth years, jersey numbers) as part of team management. The coach, as the account holder, is responsible for obtaining verifiable parental consent before entering such data. If we learn that a child under 13 has created an account, we will promptly delete it. Parents can contact privacy@lineupdesigner.com to request access to or deletion of their child's data.

13. Cookies

We use only essential cookies required for the service to function:

• Authentication cookies - Maintain your login session (Supabase auth token)
• Preference cookies - Store your theme (dark/light) and language setting
• Remember me - Keeps you signed in across browser sessions (set when you check "Keep me signed in")

We use only strictly necessary cookies as listed above. We do not use analytics cookies, advertising cookies, or third-party tracking cookies. We do not participate in any ad networks or tracking frameworks. Because all our cookies are strictly necessary for the service to function, no cookie consent banner is required under the ePrivacy Directive.

14. Security

We implement industry-standard security measures including: encrypted data transfer (TLS/HTTPS), encrypted data at rest, row-level security (RLS) in our database ensuring users can only access their own data, secure authentication via Supabase Auth, and regular security audits. Payment data is handled exclusively by Stripe (PCI DSS Level 1). Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it to security@lineupdesigner.com.

15. Changes

We may update this policy as needed. For material changes, we will notify you via email at least 30 days before they take effect and publish the updated policy here with a new effective date. Continued use of the service after the effective date constitutes acceptance of the updated policy.

16. Contact

For questions about how we handle your personal data, contact our Data Protection Officer at privacy@lineupdesigner.com

You have the right to file a complaint with your local data protection authority: Integritetsskyddsmyndigheten/IMY (Sweden), your national DPA (EU), the Office of the Privacy Commissioner (Canada), or the California Attorney General (US/California).