Privacy Policy
This is a beta product. The policy describes what we currently do; it's drafted in plain language and may be updated as the product evolves. If you need a lawyer-grade version, this is not it — contact us and we'll happily walk through specifics.
Who we are
RugbyRadar ("we", "us") is a rugby team analytics product operated by Andrew Page from South Africa. We can be reached at andrew@nextint.co.za.
What we collect
- Your name, email, and any optional profile details you enter (date of birth, height, weight, position, jersey number, coaching level, club name, GPS unit serial, boot / wearable brand).
- Authentication tokens issued by Supabase (our auth provider).
- When you connect a third-party fitness integration (Strava, Garmin, Whoop, Fitbit, Oura), we store the OAuth tokens we receive — encrypted at rest using AES-256-GCM — and the activity summaries the third party returns (workout duration, distance, heart rate, etc.).
- Operational telemetry from the hosting platform (IP address, request paths, error traces) for debugging. We don't run third-party analytics or advertising trackers.
Why we collect it
- To run the product: log you in, show you your data, render coach dashboards.
- To fetch training data on your behalf from the wearable services you authorize.
- To keep the service running and debug issues.
We don't sell your data. We don't share it with advertisers.
Who can see your data
- You — always.
- Coaches you accept an invitation from — they see your roster details and the workouts you've chosen to share via a connected wearable.
- Union administrators in your league — they see roster and team data they are entitled to see for league administration.
- Our infrastructure providers (Supabase, Coolify on Hetzner) under their respective data-processing terms.
Where it lives
Data sits in a Supabase Postgres database hosted in the EU (Stockholm region). OAuth tokens are encrypted at the column level before being written. Row-level security policies enforce that you can only read rows that belong to you, your team, or your league role.
How long we keep it
Profile and activity data is kept while your account is active. Disconnecting a wearable revokes the OAuth tokens with the third party and removes the stored access token from our database. Deleting your account removes your profile row and cascades to associated invitations and team memberships; cached third-party activities are removed within 30 days.
Your rights (POPIA / GDPR-shaped)
- You can ask for a copy of your data.
- You can correct anything that's wrong.
- You can ask us to delete your account.
- You can withdraw consent to any third-party integration at any time.
Email andrew@nextint.co.za and we'll action your request within 30 days.
Changes to this policy
We'll update this page when our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced in-app or by email before they take effect.