Privacy policy
Last updated: 5 July 2026
Futsy ("we", "us", "our") operates a futsal league management platform used by players, team captains, league administrators and referees in Melbourne, Victoria. This policy explains what personal information we collect through the Futsy web app and website, why we collect it, who we share it with, and the choices you have.
We are an Australian business and we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), regardless of whether we are technically required to. Where you use Futsy from the European Union or the United Kingdom, the GDPR/UK GDPR sections of this policy also apply to you. Where you use Futsy from California, the CCPA section applies.
This policy is written to be read, not skimmed past. If anything is unclear, email us — details are in Section 9.
1. What we collect and why
We only collect information we actually use to run leagues. Specifically:
Account and profile information. When you sign up we collect your email address (used for passwordless magic-link sign-in — we never store a password for you), your full name, and optionally your suburb and playing position. Your name and position appear on team lists and fixtures so teammates and opponents know who is playing. Your suburb helps league admins place you in a geographically sensible league or find-a-sub match.
Contact details. Your email address, and a phone number if you provide one, are stored so your team captain or league admin can reach you about fixtures, cancellations and substitute requests.
Participation data. We record your RSVPs to fixtures, your availability windows, substitute requests you make or accept, your reliability as a substitute (whether you showed up to games you accepted), and match results and statistics for games you played in. This is the core of the product — it is how leagues get scheduled and ladders get calculated.
Payment information. If you or your league pays for Futsy, payment is processed by Stripe. We never see or store your full card number. We receive from Stripe: the last four digits of your card, the card brand, your billing name and email, and the status of your payments and subscription.
Technical and usage information. We collect your IP address and browser type in server logs for security and fraud prevention (for example, detecting someone attempting to abuse magic-link sign-in), and rate-limiting data (a short-lived record of how often your device hits our servers) to protect the service from abuse. We also record product analytics events — for example, that a user RSVP'd to a fixture or opened the substitutes screen — in our own database, tied to your account, so we can see which features are used and fix what isn't working.
Error reports. If the app crashes or errors while you use it, a diagnostic report (the error, the page you were on, your browser version, and an identifier for your session) is sent to our error-monitoring provider, Sentry.
Communications. If you email us, we keep the correspondence so we can resolve your issue and improve support.
What we don't collect: precise device location (GPS), health or biometric information, government identifiers (no licence, passport or Medicare numbers), or advertising profiles. We do not buy data about you from data brokers.
How we collect it
We collect information directly from you (sign-up, profile, RSVPs), from your team captain or league administrator (who may register you into a team with your name and email — we require them to have your consent before doing so), automatically from your device (logs, analytics events), and from Stripe (payment status).
2. How we use your information
We use personal information to:
- Operate leagues: scheduling fixtures, managing teams, matching substitutes to games, recording results and standings.
- Sign you in securely via magic link and protect your account (including detecting suspicious sign-in patterns by IP address).
- Send service messages: fixture reminders, RSVP requests, substitute requests, result notifications, and account or payment notices. These are not marketing — you receive them because they are part of the service you signed up for.
- Process payments and manage subscriptions through Stripe.
- Understand product usage through our first-party analytics so we can prioritise fixes and features.
- Diagnose and fix errors and outages.
- Comply with legal obligations (for example, retaining tax records).
Marketing: If we ever send you marketing email (for example, announcing a new competition), we will only do so in compliance with the Spam Act 2003 (Cth): with your consent, identifying ourselves clearly, and with a working one-click unsubscribe in every message. Unsubscribing from marketing never stops essential service messages like fixture cancellations.
We do not use your personal information for automated decisions that have legal or similarly significant effects on you. We do not sell your personal information to anyone.
3. Who we disclose it to
Other users, by design. Futsal is a team sport: your name, playing position, RSVP status and match statistics are visible to your teammates, your captain, your league admin, and (on fixtures and ladders) opposing teams in your league. Your email and phone number are visible only to your team captain and league administrators — not to the general player base.
Service providers (processors). We use a small set of providers to run the platform. Each processes data only on our instructions under their data processing terms:
| Provider | What they do for us | Data involved |
|---|---|---|
| Supabase | Database and authentication hosting (Sydney, Australia) | All account, profile and participation data |
| Vercel | Web application hosting | Requests to the app, including IP addresses |
| Stripe | Payment processing | Billing name, email, card details (held by Stripe, not us) |
| Resend | Sending transactional email | Your email address and message content |
| Upstash | Rate limiting | Short-lived request counters keyed to IP/user |
| Sentry | Error monitoring | Error diagnostics, browser info, session identifier |
League operators. If your league is run by a venue or club using Futsy, that operator is a joint user of your registration and participation data for running their competition. Their own privacy obligations apply alongside ours.
Law enforcement and legal process. We disclose personal information where required by Australian law, a court order, or where necessary to protect the safety of players (for example, an incident at a venue). We will tell you when this happens unless the law prevents us.
Business transfer. If Futsy is acquired or merges, personal information may transfer to the new operator, who must honour this policy or notify you of changes before departing from it.
Where your data lives, and overseas disclosure (APP 8)
Our primary database — your account, profile and participation data, and our authentication records — is hosted with Supabase in Sydney, Australia. It does not leave Australia for storage.
Some of our supporting providers (Vercel, Stripe, Resend, Upstash, Sentry) are US-headquartered, and data passing through those services — web requests, payment records, emails we send you, and error reports — may be stored or processed in the United States and other countries where they operate infrastructure. Before engaging any provider we take reasonable steps, as required by APP 8.1, to ensure they handle your information consistently with the APPs — including contractual data-protection commitments. If you would like the current list of storage locations, ask our Privacy Officer.
4. How we keep it secure
No online service can promise absolute security, and we won't pretend otherwise. What we actually do:
- Encryption in transit (TLS) for all connections, and encryption at rest for our database.
- Passwordless authentication: magic links are single-use and short-lived, which removes the risk of your Futsy password being stolen or reused — because there isn't one.
- Row-level security in our database, so a player's data can only be read through the permissions of their league role (player, captain, admin). This is enforced at the database layer, not just in app code.
- Rate limiting on sign-in and sensitive endpoints to slow down abuse and credential attacks.
- Least-privilege access: administrative database credentials are restricted to server-side operations; staff access to production data is limited to what support requires.
- Session revocation: we can invalidate all of a user's sessions if an account is compromised.
Data breaches. If a breach occurs that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act — promptly, and in plain language about what happened and what you should do.
5. How long we keep it
We keep personal information only as long as we need it for the purposes above, then delete or de-identify it:
- Account and profile data: kept while your account is active. When you delete your account, contact details are erased and your profile is de-identified within 30 days (see Section 6 for exactly what happens).
- Match results and league statistics: retained indefinitely in de-identified form after account deletion (your name is replaced by an anonymous label), because removing individual results would corrupt historical ladders and other players' records.
- Payment and tax records: retained for 7 years as required by Australian tax law, held by Stripe and in our accounting records.
- Server logs and rate-limiting data: IP-level logs are retained for 30 days, then deleted. Rate-limit counters expire automatically within hours.
- Error reports (Sentry): retained for 90 days, then automatically deleted.
- Product analytics events: retained for up to 24 months, then deleted or aggregated so they no longer identify you.
- Support correspondence: retained for 2 years after your issue is closed.
6. Your rights and choices
Under the Privacy Act and APPs 12 and 13, you can:
- Access the personal information we hold about you. Ask, and we will provide it within 30 days at no charge.
- Correct inaccurate information — you can edit your own name, suburb and position in the app at any time; for anything else, email us.
- Delete your account. You can request deletion in-app or by email. Here is precisely what happens: your email, phone number and other contact details are deleted; your profile name is replaced with an anonymous pseudonym (e.g. "Deleted player 3f9a…"); your suburb and position are cleared; your future availability entries are deleted. De-identified match results remain in league history. One practical requirement: if you are a team captain, you must hand the captaincy to a teammate before deletion, so your team isn't orphaned mid-season.
- Opt out of marketing via the unsubscribe link in any marketing email, effective within 5 business days (Spam Act requirement — in practice it is immediate).
- Data portability: ask us for a machine-readable export of your profile, RSVPs and match statistics and we will provide it.
We will not discriminate against you (deny service, change pricing) for exercising any of these rights.
7. Cookies, tracking and analytics
We keep this deliberately minimal:
- Essential cookies only. We set authentication/session cookies so you stay signed in. These are strictly necessary — the app cannot work without them.
- First-party analytics. Product usage events are recorded in our own database, not sent to Google Analytics or any third-party analytics network. Your usage data does not leave our infrastructure for analytics purposes.
- No advertising trackers. We use no ad networks, no Facebook/Meta pixel, no cross-site tracking, and no fingerprinting.
- Error monitoring (Sentry) receives technical diagnostics when errors occur, as described in Section 1.
Because we don't use non-essential cookies, we don't show you a cookie consent banner — there is nothing optional to consent to. If that changes, this policy and the app will be updated and consent will be sought first.
8. Children and young players
Futsy is designed for adult social sport. You must be 16 or older to create your own Futsy account. Players aged under 18 may only be registered by a parent, guardian, or a league administrator who has obtained parental consent, and we collect only the minimum needed (name, and a parent/guardian contact email rather than the minor's own).
We do not knowingly collect personal information from children under 13, and the service is not directed at them (this is also our position for US users under COPPA). If you believe a child under 13 has an account, contact us and we will delete the account and its data promptly.
9. Questions, complaints and the OAIC
Privacy Officer
Futsy — Melbourne, Victoria, Australia
Email: privacy@futsy.com.au
For access, correction or deletion requests, or any privacy concern, email the Privacy Officer. We will acknowledge your complaint within 7 days and give you a substantive response within 30 days.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Online: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
You do not need our permission to go to the OAIC, but they will generally expect you to have raised the issue with us first.
Nothing in this policy excludes your rights under the Australian Consumer Law. Our services come with guarantees that cannot be excluded, and this policy does not attempt to limit them.
10. GDPR and CCPA (users outside Australia)
EU/UK users (GDPR/UK GDPR). Futsy is the data controller. Our legal bases are: performance of a contract (running your league account), legitimate interests (security logging, first-party analytics, error monitoring — balanced against your rights), consent (marketing), and legal obligation (tax records). You have rights of access, rectification, erasure, restriction, portability and objection — exercise them via the Privacy Officer. Transfers outside the EU/UK rely on our providers' Standard Contractual Clauses. You may also complain to your local supervisory authority.
California users (CCPA/CPRA). We do not sell or "share" (for cross-context behavioural advertising) personal information, and we have not done so in the preceding 12 months. The categories we collect are identifiers, commercial information, and internet activity, as described in Section 1, for the business purposes in Section 2. You may request to know, delete, or correct your information via the Privacy Officer, and we will not discriminate against you for doing so.
11. Changes to this policy
When we change this policy, we will update the date at the top and summarise what changed. For material changes — anything that expands what we collect, who we share with, or how long we keep data — we will notify you by email and in-app at least 14 days before the change takes effect, so you can review it (or delete your account) first. Minor clarifications take effect on posting. Previous versions are available on request.
Continuing to use Futsy after a change takes effect means the updated policy applies to you.