SportZentra Security & GDPR
Our Commitment
Sportzentra is built with security and privacy at its core. We are committed to protecting the personal data of every user on our platform and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Infrastructure & Hosting
- All data is hosted in the European Union (Frankfurt, eu-central-1)
- We use Supabase (PostgreSQL) for database and authentication, hosted in the EU
- Application services run on AWS ECS with Fargate in the EU
- All traffic is encrypted in transit using TLS 1.2+
- Database encryption at rest using AES-256
Access Control
- Role-based access control (RBAC) with four distinct roles: platform admin, tenant admin, manager, and customer
- Row-Level Security (RLS) policies enforced at the database level
- JWT-based authentication; tokens are signed and verified with HMAC-SHA256 (HS256), so a token whose signature does not match the server-side secret is rejected
- All admin actions are recorded in an audit log
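The three bullets above describe one chain: a signed JWT carries the user's identity and role, the application verifies the signature, and the claims then drive RBAC and Row-Level Security. The example below is an added illustration written for this page, not Sportzentra's or Supabase's own code, showing what a strict HS256 verifier must check before any claim is trusted. The signing secret, the claim names (`sub`, `tenant_id`, `role`, `exp`) and the snake_case spelling of the four roles are assumptions for the example; a production service would load the secret from a secret store and use the claim layout its identity provider actually issues.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical secret for this example only; never hard-code a real HS256 key.
SECRET = b"example-secret-do-not-use"

# The four roles named on the page; the snake_case spelling is an assumption.
ROLES = {"platform_admin", "tenant_admin", "manager", "customer"}


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT. Used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims of a trustworthy HS256 JWT, or raise TokenError.

    The verifier pins the algorithm itself (so "none" or an asymmetric alg in
    the header is refused), compares the MAC in constant time, and only then
    parses the payload and checks expiry and the role allow-list.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError as exc:  # binascii.Error and Unicode errors are ValueErrors
        raise TokenError("undecodable token") from exc
    if not isinstance(header, dict):
        raise TokenError("malformed header")
    if header.get("alg") != "HS256":
        raise TokenError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("undecodable payload") from exc
    if not isinstance(claims, dict):
        raise TokenError("malformed payload")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired or missing exp")
    if claims.get("role") not in ROLES:
        raise TokenError(f"unknown role {claims.get('role')!r}")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise TokenError("missing sub")
    return claims


def outcome(token: str, now: float) -> str:
    """Summarise one verification as 'accepted:<role>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + verify_token(token, now=now)["role"]
    except TokenError as exc:
        return "rejected:" + str(exc)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the verifier against a good token and the usual forgeries.
    Every token is constructed here; nothing comes from a live system."""
    valid_claims = {"sub": "user-1", "tenant_id": "tenant-1", "role": "manager", "exp": now + 3600}
    good = mint_token(valid_claims)
    header_b64, _, sig_b64 = good.split(".")
    escalated = _b64url_encode(json.dumps({**valid_claims, "role": "platform_admin"}).encode())
    none_header = _b64url_encode(b'{"alg":"none"}')
    return {
        "valid": outcome(good, now),
        # Payload edited to escalate the role, original signature kept.
        "tampered_payload": outcome(f"{header_b64}.{escalated}.{sig_b64}", now),
        # Header switched to alg "none" with an empty signature segment.
        "alg_none": outcome(f"{none_header}.{escalated}.", now),
        # Well-formed token signed with a key the attacker chose.
        "wrong_key": outcome(mint_token({**valid_claims, "role": "platform_admin"}, b"attacker-key"), now),
        # The good token, presented two hours after it expired.
        "expired": outcome(good, now + 7200),
        # Genuinely signed, but carrying a role the application does not know.
        "unknown_role": outcome(mint_token({**valid_claims, "role": "superuser"}), now),
    }
```

Calling `demo()` returns one line per case; only the untouched, in-date token is accepted, and every forgery fails at the earliest check that can catch it. The `tenant_id` claim is carried through untouched because a Row-Level Security policy, not the token verifier, is where it is consumed: the verifier's job is to guarantee the claims are authentic before anything downstream relies on them.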
Data Protection
- Data minimisation: we only collect data necessary to provide the service
- Purpose limitation: personal data is used only for the purposes stated in our Privacy Policy
- Storage limitation: configurable retention policies with automated cleanup
- Integrity: all mutations are logged and auditable
Your GDPR Rights
As a data subject, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Data portability — export your data in a machine-readable format
- Object to certain types of processing
- Withdraw consent at any time
These rights can be exercised through the in-app Privacy Center or by contacting privacy@sportzentra.com.
Data Processing Agreements
Service Providers (tenants) using Sportzentra act as data controllers for their customers' data. Sportzentra acts as a data processor. A Data Processing Agreement (DPA) governs this relationship in accordance with GDPR Article 28.
Sub-Processors
We maintain a transparent list of third-party sub-processors. Tenants are notified 30 days before any new sub-processor is added. See our Sub-Processors page for the current list.
Breach Notification
In the event of a personal data breach:
- We detect breaches via automated monitoring and staff reports
- The competent supervisory authority is notified within 72 hours of our becoming aware of the breach (Art. 33)
- Affected users are notified directly when the breach is likely to result in a high risk to their rights and freedoms (Art. 34)
- All incidents are documented and retained for 6 years
Cookie Policy
We use only essential cookies required for authentication and session management. Analytics cookies require explicit consent via our cookie banner. See our Cookie Policy for details.
Contact
For security concerns or GDPR inquiries:
Privacy: privacy@sportzentra.com
Legal: legal@sportzentra.com
Address: Alfred Kowalke Str. 20, 10315 Berlin