Privacy Policy — Eerlijke Corvee
⚠️ DRAFT — requires legal review by a Dutch lawyer before publication. This is not legal advice. Placeholders marked
<...>must be filled before publication. Verify all legal references (GDPR articles, Dutch DPA procedures, company registration) before going live. The Dutch version (privacy-policy-nl.md) is the primary; this English version is provided for non-Dutch-speaking users and is a translation only.
Version: 0.1 (draft) — 2026-05-02
1. Who we are
Eerlijke Corvee (hereafter: “we”, “us”, or the “Service”) is a software service helping Dutch youth sports teams automatically and fairly distribute volunteer duties (corvee), and automate match and training management.
Data controller:
- Name:
<COMPANY NAME — e.g. Eerlijke Corvee B.V. or <Founder Name> sole-trader> - Address:
<BUSINESS ADDRESS> - Chamber of Commerce (KvK) number:
<KVK NUMBER> - VAT (BTW) number:
<VAT NUMBER> - Contact:
privacy@<domain>.nl
For privacy questions, contact us via the email above. We have not appointed a Data Protection Officer (DPO) as we are not legally required to do so at our scale.
2. What data we process and why
2.1 Account data (required to use the Service)
- Name and email address of team managers, trainers, coaches, parents/caretakers and (older) players
- Role within the team (manager, trainer, coach, parent, etc.)
- Language preference (NL/EN) per user
- Session information (cookies, login tokens) — strictly necessary for authentication
Purpose: providing the Service (account creation, magic-link login, team communication). Legal basis: performance of a contract (Article 6(1)(b) GDPR).
2.2 Player data (entered by team managers / caretakers)
- Player name
- Age category (e.g. JO13, MO11)
- Caretaker relationships: which parent/caretaker belongs to which player
- Availability for matches and trainings (entered by caretakers / players themselves)
We do not directly process contact details of underage players — communication always runs through registered caretakers with their own account. Players aged 13+ can optionally create their own account; in that case we only process their name and email with caretaker consent.
Purpose: roster planning, fair duty distribution, and match communication. Legal basis: performance of a contract.
2.3 Activity and audit data
- Duty assignments (who gets which task on which date) and history thereof
- Audit log: who changes what, when
- Authentication logs: login attempts, IP address, browser user-agent
Purpose: service delivery, fraud prevention, dispute resolution. Legal basis: performance of a contract and legitimate interest (Article 6(1)(f) GDPR).
2.4 Payment data
- Payment status per team per season (paid / unpaid)
- Amount and date of payment
We do not process credit-card or bank-account details ourselves. Payments are processed by external payment providers (Tikkie, Mollie). See “Sub-processors” below.
Purpose: billing and access control (locked teams). Legal basis: performance of a contract and legal obligation (accounting retention).
2.5 Marketing communications (optional, only with consent)
- Email address for opt-in newsletters and Service updates
Purpose: marketing and user communication. Legal basis: consent (Article 6(1)(a) GDPR). You can withdraw this consent at any time via the unsubscribe link in every email.
3. Who we share data with (sub-processors)
We use the following sub-processors. We have a Data Processing Agreement (DPA) with each of them under Article 28 GDPR.
| Sub-processor | Purpose | Processing location | Privacy |
|---|---|---|---|
| Microsoft Azure (Container Apps + PostgreSQL) | Hosting, database | EU (North Europe — Ireland) | Azure Trust Center |
| Resend | Transactional email (magic-links, duty notifications) | <VERIFY REGION> | <LINK> |
| Cloudflare | DNS, static marketing site, DDoS mitigation | Global edge network | <LINK> |
| Tikkie / ABN AMRO (interim) | Payment processing | Netherlands / EU | <LINK> |
| Mollie (after 50+ paying teams) | Payment processing (iDEAL/SEPA) | EU (Netherlands) | Mollie privacy |
| Plausible Analytics (optional) | Anonymous visitor analytics on marketing site | EU (Germany) | Plausible privacy |
We do not share data with third parties for marketing purposes. We do not sell data.
3.1 International transfers
We aim to process data within the European Economic Area (EEA). If transfers outside the EEA are necessary, they only happen on the basis of:
- An adequacy decision by the European Commission, or
- Standard Contractual Clauses (SCCs).
Cloudflare’s global edge network may temporarily cache content at locations outside the EEA; this only concerns static marketing content, not personal data.
4. Retention periods
| Data type | Retention period |
|---|---|
| Active account and team data | As long as the account / team is active |
| Deleted accounts | 30 days after deletion, then irreversibly erased |
| Audit logs | 12 months |
| Authentication logs | 12 months |
| Magic-link tokens | 15 minutes (60 minutes in dev mode) |
| Session cookies | Up to 90 days |
| Payment data (accounting) | 7 years (Dutch fiscal retention obligation) |
| Marketing opt-in | Until consent is withdrawn |
After the retention period expires, data is irreversibly deleted or anonymised.
5. Your rights under GDPR
Under the GDPR you have the following rights:
- Access (Article 15) — a copy of the data we process about you
- Rectification (Article 16) — correct inaccurate data
- Erasure (Article 17, “right to be forgotten”) — request deletion
- Restriction (Article 18) — pause processing during a dispute
- Data portability (Article 20) — receive your data in machine-readable form
- Object (Article 21) — object to processing on grounds of legitimate interest or marketing
- Withdraw consent — for processing based on consent
Submit requests to privacy@<domain>.nl. We respond within 30 days (extendable by 60 days in complex cases, with reasons).
5.1 Complaint to the supervisory authority
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP):
- Website: https://autoriteitpersoonsgegevens.nl
- Address: Postbus 93374, 2509 AJ The Hague, the Netherlands
6. Security
We take reasonable technical and organisational measures to protect your data:
- Encryption in transit: all connections via HTTPS (TLS 1.2+)
- Encryption at rest: database files encrypted at rest by Azure
- Access control: minimal access to production data, audit-logging of admin actions
- Magic-link authentication: tokens stored as SHA-256 hashes
- Session security: httpOnly + secure cookies, CSRF protection
- Secrets: stored in Azure Key Vault or equivalent
- Data breach procedure: in the event of a breach we notify the AP within 72 hours and inform affected data subjects, in accordance with Articles 33 and 34 GDPR
No service is 100% secure. We follow industry-standard practices.
7. Cookies
The application (app.<domain>.nl) uses only strictly necessary cookies for authentication and session management:
| Cookie | Purpose | Retention |
|---|---|---|
session_token | Login / session | 1–90 days |
locale | Remember language preference | 1 year |
player_switcher | Which child you are currently viewing | Session |
The marketing site (<domain>.nl) uses:
- Plausible Analytics (cookieless, GDPR-compliant — no consent required)
- Possibly Meta Pixel for advertising (only after explicit opt-in via cookie banner)
A separate cookie notice appears on first visit to the marketing site if optional cookies are active.
8. Children under 16
We address ourselves to team managers and parents/caretakers, not children directly. We do not collect contact details of players under 16 without consent from a parent/caretaker.
Player names and age categories are entered by caretakers based on team-organisation needs. This data is not used for marketing and not shared with third parties for commercial purposes.
Players aged 13 and over can, with caretaker consent, create their own account; in that case their name and email are protected under this privacy policy and the GDPR.
9. Changes to this policy
We may update this policy from time to time. The latest version is always on this page with a date. For substantive changes, we inform users by email or via a banner in the Service at least 30 days before the change takes effect.
10. Contact
Privacy questions or want to exercise your rights?
- Email:
privacy@<domain>.nl - Post:
<BUSINESS ADDRESS>
Last updated: 2026-05-02 (draft) Version: 0.1