Data protection & GDPR
Last updated 2 July 2026. This page explains, in plain terms, how Rotate is built to protect personal data, especially data about children and young people. It sits alongside our Privacy Policy and Safeguarding statement.
Most people in Rotate are under 18. We treat their information as sensitive by default and have built specific, verifiable controls around it. This page is written so a club, a Designated Safeguarding Officer, or a parent can see exactly what those controls are.
Where your data lives
- Hosting: the database and application run in the European Union (Germany). Transactional email is sent via Amazon SES in the EU (Ireland).
- No advertising, no data sales: we never sell personal data and never use players' data for advertising or to train third-party AI models.
- Payments: card payments are handled by Stripe; we never see full card numbers.
How access is controlled
- Row-level security at the database: every request is checked in the database itself, not just in the app, so each user can reach only the data they are entitled to. A coach sees only their own club's players.
- Role-based visibility: coaches, players and parents each see a different, appropriate view. Coach-private notes, squad-selection decisions and unshared assessments are never exposed to players or parents.
- Coach-approved parent links: a parent can see a child only after a coach approves the connection.
- Supervised messaging: direct messages always involve a coach; there are no unsupervised private channels between children, or between an adult and a child.
- Encryption: data is encrypted in transit; passwords are stored hashed.
Children's data, specifically
- Data minimisation: we hold only what coaching needs — name, date of birth, gender and development records. We do not collect medical history or emergency contacts in the platform.
- Versioned consent: consents (photo and video, data processing, medical, communications) are recorded and dated, and can be changed.
- AI features are pseudonymised: optional AI drafting (assessment summaries, plan suggestions) never receives a child's name — only their age and scores are sent, under a data-processing agreement, and never used to train the provider's models. Every AI output is a suggestion a coach reviews.
Your rights, and how we meet them
- Access & portability: a coach can export everything held about a player as a data file at any time, to answer a subject-access or portability request.
- Erasure: a player's record and all associated data (assessments, goals, journal, consents, parent links) can be permanently deleted in one action.
- Retention: players removed from a roster are archived and then automatically and permanently purged after a set retention period, rather than kept indefinitely.
- Correction & objection: records can be corrected at any time; contact us to restrict or object to processing.
For player records the coach or club is the data controller, so player and parent requests are directed to them in the first instance; we provide the tools above to help them respond, and we support them directly where needed.
Security of processing & breaches
Access is role-based and enforced at the database, administrative access is restricted, and the platform is kept patched. No system is perfectly secure, but where a personal-data breach occurs we will notify affected controllers and the relevant regulator as the law requires.
Sub-processors
We use a small number of vetted providers, each under contract and appropriate data-protection terms: EU hosting/database, Stripe (payments), Amazon SES (email), and an AI provider for optional drafting features. A current list is available on request.
Contact
For any data-protection question or to exercise your rights: privacy@rotateperformance.com. You can also read the full Privacy Policy, or raise a concern with the ICO (UK) or the Data Protection Commission (Ireland).