Privacy Policy
Last updated: 14 April 2026
penalty.app (“we”, “us”, “our”) operates the penalty.app web application, Chrome extension, and mobile applications (collectively, the “Service”). This policy explains what personal data we collect, why we collect it, and your rights under UK GDPR.
1. Data we collect
Account & authentication
- Email address — used to identify your account and send sign-in links.
- Google account name and profile picture — only if you choose to sign in with Google.
Match & referee data
- Match details: date, competition, league, home and away teams, your role, match fee, payment status, and payment method.
- Venue address — used to calculate round-trip mileage from your home.
- Mileage and travel expense records.
- Cancellation records and lost earnings.
- Tournament entries.
Personal preferences
- Home address or postcode — stored to enable automatic mileage calculation. Never shared or used for any other purpose.
- FA referee level and season configuration.
- Promotion targets and progress data.
- iCal/calendar URL — if you connect a fixture calendar via the Scheduler module.
- Module preferences (which features you have enabled).
Financial & expense data
- Expense records: category, supplier, amount, and date.
- Travel expense method preference (mileage rate or actual cost).
Misconduct reports
- Report details you enter: player name, team, minute, offence type, and your description. This data is stored solely to allow you to retrieve and re-use your own reports.
Laws of the Game (LOTG) quiz
- Quiz results, scores, badges earned, and question history — used to personalise future quiz sessions and track your progress.
Technical data
- A signed, HttpOnly session cookie to keep you logged in.
- Error and crash reports collected by Sentry — these may include browser type, OS version, and a stack trace. No personally identifiable match or financial data is included in error reports.
2. Why we collect it
We collect this data solely to provide and improve the Service. Specifically:
- To authenticate you and keep your account secure.
- To store and display your match records, earnings, and expenses.
- To calculate mileage automatically using Google Maps.
- To generate payment chase messages, misconduct report text, and season summaries.
- To track your promotion progress and LOTG quiz history.
- To diagnose application errors and improve reliability.
We do not use your data for advertising, profiling, or any purpose beyond operating the Service.
3. Third-party services
We use the following third-party providers. Each processes data only as necessary to deliver their service:
| Provider | Purpose | Data shared |
|---|---|---|
| Google Firebase | Authentication and database | Email address, all app data |
| Google Maps | Mileage calculation | Origin and destination addresses |
| Resend | Sending sign-in emails | Email address |
| OpenAI | AI-assisted features (e.g. match import) | Match data submitted for processing |
| Sentry | Error monitoring | Browser/OS info, error stack traces |
| Refsix | Match sync (only if you use the Refsix integration) | Match details you choose to push |
We do not sell your data to any third party.
4. Data retention
Your data is retained for as long as your account is active. If you delete your account, all associated data is permanently deleted from our systems within 30 days. Sentry error logs are retained for 90 days.
5. Your rights (UK GDPR)
Under UK GDPR you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate data (most data can be edited directly in the app).
- Erasure — request deletion of your account and all associated data.
- Portability — export your match history as a CSV file (Pro plan) or request a full data export.
- Restriction — ask us to restrict processing of your data in certain circumstances.
- Object — object to processing based on legitimate interests.
To exercise any of these rights, email us at privacy@penalty.app. We will respond within 30 days.
6. Cookies
We use a single, signed HttpOnly session cookie to keep you authenticated. This cookie contains no personal data — only an encrypted session identifier. We do not use advertising cookies or third-party tracking cookies.
7. Children
The Service is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by posting a notice in the app or sending an email. The “Last updated” date at the top of this page always reflects the most recent version.
9. Contact
For any privacy questions or requests, contact us at: privacy@penalty.app.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.