Privacy Policy
How TotumTeams collects, uses, and protects your data — and that of your members.
1. Who we are
TotumTeams is an online platform for managing sports teams and music groups. The service is operated by TotumTeams and is provided to organisations (clubs, associations, ensembles) and their members.
For the purposes of data protection law, TotumTeams is the data controller for the personal data of account holders and organisation administrators. Individual organisations are data controllers for the member data they add to their own organisation on the platform — TotumTeams acts as their data processor for that data.
This policy covers all data processed through the TotumTeams platform, including the website at totumteams.com.
2. Data we collect
Account holders (admins & members with logins)
| Data | Why it's collected |
|---|---|
| Name | Display within the platform and in communications |
| Email address | Account login, event invitations, RSVP, notifications |
| Password (hashed) | Account authentication — never stored in plain text |
| Preferred language | To display the platform in the user's chosen language |
| Group membership & role | Access control, formation/seating layout, roster display |
| RSVP responses | Attendance tracking for events |
| Availability flags | Pre-event planning for group managers |
Young members (managed via guardian accounts)
| Data | Why it's collected |
|---|---|
| Name | Display in rosters, formation/seating editor, attendance views |
| Group membership & role | Access control and layout positioning |
| Guardian email(s) | Event invitations, RSVP, and guardian account login |
| Child's email address (optional) | Only if the guardian enables child access — used solely to send the child their own event notifications. Never visible to coaches, admins, or other members. |
| RSVP responses | Attendance tracking — submitted by guardian or by child if guardian has enabled that |
Technical & usage data
We collect standard server logs (IP address, browser type, page visited, timestamp) for security and operational purposes. We do not use cookies for advertising or third-party tracking. A session cookie is used solely to maintain your login state.
3. How we use it
We use personal data only for the following purposes:
- Providing the TotumTeams service — managing groups, events, RSVP, rosters, formations, and availability
- Sending event invitations, reminders, and notifications via email
- Account authentication and access control
- Responding to support requests
- Billing and subscription management (for paid plans)
- Complying with legal obligations
We do not use personal data for advertising, behavioural profiling, or any AI model training. We do not sell data or share it with third parties for their own purposes.
4. Legal basis for processing
| Processing activity | Legal basis (GDPR) |
|---|---|
| Account creation and platform access | Performance of a contract (Art. 6(1)(b)) |
| Event invitations and RSVP | Performance of a contract (Art. 6(1)(b)) |
| Email notifications and reminders | Legitimate interest — direct service communication (Art. 6(1)(f)) |
| Security logging | Legitimate interest — security and fraud prevention (Art. 6(1)(f)) |
| Processing children's data via guardian accounts | Performance of contract with the guardian / legitimate interest of the organisation (Art. 6(1)(b) and (f)); guardian consent where required by applicable law |
| Child's own platform access (if enabled by guardian) | Guardian consent (Art. 6(1)(a) and, where applicable, Art. 8) |
5. Children & guardian accounts
TotumTeams is used by many clubs that include children and young people as members. We take this seriously and have designed the platform to minimise risk.
How guardian accounts work
When a young person is added to a group, only their name and role are required — no email address or contact details for the child. A club admin invites a parent or guardian by email. Up to two guardians can be linked to a single child's account.
Guardians receive event invitations and manage attendance on behalf of their child. They can also optionally invite the child to have their own access, and choose whether the child can only view their events or can also respond to invitations.
Child's email privacy
If a child is given their own access, their email address is stored privately by TotumTeams and used only to send them their own event notifications. It is never visible to coaches, group managers, organisation admins, or other members. This applies even to users with full organisation-level access.
No marketing to children
Children are never targeted with advertising or promotional communications. The only emails a child with platform access can receive are those directly related to their group's events — and only if their guardian has enabled this.
Age and parental consent
TotumTeams does not knowingly enable children to create independent accounts. Any access a child has is enabled and controlled by their parent or guardian. The guardian is responsible for ensuring that their consent to the child's participation is appropriate under the laws that apply to them.
6. Data sharing
We do not sell personal data. We do not share personal data with advertisers, data brokers, or any third party for their own purposes.
We use the following third-party service providers as data processors, who process data only on our documented instructions:
| Processor | Purpose | Data shared |
|---|---|---|
| Resend | Transactional email delivery (invitations, reminders, notifications) | Name, email address, event details included in email content |
| Hosting provider | Infrastructure hosting — servers, storage, database | All data stored on the platform (encrypted at rest) |
All processors are contractually bound to process data only as instructed, maintain appropriate security, and not use data for their own purposes.
We may also disclose data if required to do so by law, regulation, or a valid legal process. We will notify users where we are legally permitted to do so.
7. Storage & security
All data is stored within the European Union. It does not leave the EU and is not processed on infrastructure outside the EU. This means your data is subject to GDPR and European data protection standards.
We use industry-standard security measures including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Encrypted storage for data at rest
- Hashed and salted passwords — passwords are never stored in plain text
- Access controls limiting which staff can access production data
- Regular security reviews
No security system is perfect. In the event of a data breach that is likely to result in a risk to individuals, we will notify affected users and the relevant supervisory authority within the timeframes required by GDPR.
8. Retention
We retain personal data for as long as it is needed for the purpose for which it was collected.
| Data type | Retention period |
|---|---|
| Active account data | For as long as the account is active |
| Member data within an organisation | For as long as the organisation account is active, or until removed by an admin |
| Event and attendance records | Retained for 2 years after the event date, then deleted |
| Deleted account data | Deleted within 30 days of account deletion request, except where retention is legally required |
| Security logs | Up to 90 days |
| Email delivery logs (via Resend) | As per Resend's data retention policy — typically 30 days |
9. Your rights
Under GDPR, you have the following rights regarding your personal data. These rights also apply to guardians acting on behalf of a child in their care.
- Right of access. You can request a copy of the personal data we hold about you.
- Right to rectification. You can ask us to correct inaccurate or incomplete data.
- Right to erasure. You can ask us to delete your personal data where we no longer have a lawful basis to hold it. Note that some data may need to be retained for legal reasons.
- Right to restriction. You can ask us to restrict how we process your data in certain circumstances — for example, while a dispute is being resolved.
- Right to data portability. You can request your data in a structured, machine-readable format for transfer to another service.
- Right to object. You can object to processing based on legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent. Where processing is based on consent (e.g. a child's account access), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at privacy@totumteams.com. We will respond within 30 days. We may ask you to verify your identity before processing a request.
If your request relates to a young member's data, please contact us from the guardian account email address linked to that member.
10. Supervisory authority
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with your national data protection authority. A list of EU data protection authorities is available at edpb.europa.eu.
We would always prefer to resolve concerns directly first — please contact us before filing a formal complaint and we will do our best to address your concern.
11. Changes to this policy
We may update this policy from time to time as the service evolves or as legal requirements change. We will post the updated version on this page with a new "last updated" date. For significant changes, we will notify active users by email in advance of the change taking effect.
We encourage you to review this policy periodically.
12. Contact us
For any questions about this policy or about how we handle your data: