Privacy Policy

Effective date: April 27, 2026

1. Introduction

This Privacy Policy (hereinafter “Policy”) describes what personal data we collect, for what purposes we use it, how we protect it, and what rights you have in connection with its processing.

This Policy is issued in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Act No. 110/2019 Coll., on the processing of personal data.

2. Data Controller

The controller of personal data is the operator of the TeamCash service:

  • Name: Tomáš Prokop
  • Address: Šrámkova 3213/12, 400 11 Ústí nad Labem – Severní Terasa, Czech Republic
  • IČO (Business ID): 19173326
  • Contact email: info@tymovakasa.cz

(hereinafter “Controller” or “we”)

In certain cases (see Art. 4.2), we also act as a processor of personal data that our Users enter into the Service as controllers. This relationship is governed by a separate Data Processing Agreement.

3. What Data We Process

3.1 Data you provide upon registration

  • First and last name
  • Email address
  • Password (stored exclusively as a secure hash using the bcrypt algorithm; we never store the password itself nor have access to it)
  • Preferred language

3.2 Data arising from use of the Service

  • Information about your team (name, currency, seasons)
  • Data about team members that you enter into the Service (see Art. 4.2)
  • Records of fines, contributions, payments, and treasury balance
  • Records of your activity in the Service (logins, actions performed)
  • Data shared via the “Team Overview Sharing” feature: if a team administrator shares the team overview (see Art. 6 below), only team members' names and photos, the fine price list, recorded fines, contributions, payments, balances, and transaction history are made accessible via the link (protected by PIN by default). Email addresses, phone numbers, and other contact details are not made accessible.

3.3 Payment-related data

  • Information about the purchased plan, payment date, and subscription duration
  • Billing details (name, optionally company name, IČO/DIČ and address)
  • We never process payment data (card numbers etc.) — these are processed exclusively by the Stripe payment gateway

3.4 Technical data

  • IP address
  • Device, browser, and operating system type
  • Anonymized traffic data (via Vercel Analytics — see Art. 7)

3.5 Communications

  • Content of messages you send us via email or the contact form

4. Purpose and Legal Basis for Processing

4.1 Data where we are the controller

Purpose | Legal basis | Retention period
Creating and operating a user account | Performance of contract (Art. 6(1)(b) GDPR) | For the duration of the account
Providing Service features | Performance of contract | For the duration of the account
Sending transactional emails (registration confirmation, invitations, subscription renewal reminders) | Performance of contract | For the duration of the account
Billing and invoicing | Compliance with legal obligation (Art. 6(1)(c) GDPR) | 10 years (Accounting Act)
Ensuring Service security | Legitimate interest (Art. 6(1)(f) GDPR) | As long as necessary
Improving the Service (anonymized traffic data) | Legitimate interest | As long as necessary
Retaining the identity of the creator/editor of financial records (fines, payments, contributions) to ensure transparency and auditability of team records | Legitimate interest (Art. 6(1)(f) GDPR) | For the duration of the team's existence or until the creator's account is deleted (after which the reference is removed)

4.2 Data where we are the processor

When you as a User enter data about members of your team (names, contacts, photos, recorded fines and payments) into the Service, you are the controller of that data and we act as the processor. The relationship between us is governed by a separate Data Processing Agreement, which forms an integral part of the Terms of Service.

This means that:

  • We process this data exclusively according to your instructions and for the purposes of providing the Service
  • You are responsible for having a legal basis for processing this data (consent of the data subjects, legitimate interest of the club, etc.)
  • You are obliged to fulfil information obligations towards the data subjects (especially team members, and in the case of minors, towards their legal guardians)
  • You decide on activating the public sharing feature and bear responsibility for its consequences (see Art. 6)
  • We ensure adequate technical and organisational protection of this data

5. Recipients of Personal Data

We share your personal data only with the following processors, with whom we have concluded data processing agreements (DPA):

Recipient | Purpose | Processing location
Supabase, Inc. | Database and authentication (Primary Database: Frankfurt, Germany, eu-central-1) | EU
Vercel, Inc. | Application hosting, Vercel Analytics | EU/USA (with SCC)
Resend, Inc. | Sending transactional emails | EU/USA (with SCC)
Stripe Payments Europe, Limited | Payment processing and billing | Ireland / EU

Vercel and Resend are companies headquartered in the USA. Data transfers to the USA are carried out on the basis of Standard Contractual Clauses (SCC) approved by the European Commission, which provide appropriate safeguards for the protection of personal data within the meaning of Art. 46 GDPR. The relevant agreements (DPA) form part of the standard terms provided by these companies.

We never sell or share your data with third parties for marketing purposes.

We may disclose data to public authorities if required by law (e.g. on the basis of a court order).

6. Team Overview Sharing

6.1 The Service allows the team administrator to share the team overview in read-only mode via a link with randomly generated characters. Through this link, only the following data is made accessible:

  • First and last names of team members
  • Profile photos of team members (if uploaded)
  • Team fine price list
  • Recorded fines, contributions, and payments
  • Current balances and debts of team members
  • Transaction history
  • First name, last name, and profile photo of the person who created or last edited a financial record (team administrator or another authorized user)

The shared overview does NOT display: email addresses, phone numbers, dates of birth, postal addresses, or other contact details.

6.2 By default, sharing is set to “Private” mode — in addition to the link, a PIN code is required to view the overview content. This PIN is automatically generated by the Service when a team is created. This default state (“privacy by default”) is in accordance with Art. 25(2) GDPR.

6.3 The team administrator may:

  • Switch the mode to “Public” (without PIN protection) — this change is only possible after explicitly confirming a warning dialog displayed by the Service
  • Regenerate the link (the original link will then cease to work)
  • Change or remove the PIN in Private mode
  • Return to Private mode at any time

6.4 Team administrator's responsibility: By sharing the link with third parties (and especially by switching to Public mode), the team administrator declares that they have a legal basis for making the above data accessible to third parties, in particular the consent of the data subjects (and, for minor team members, the consent of their legal guardians). The operator, acting as processor, is neither obliged nor technically able to verify the existence of such legal basis and bears no responsibility for its absence.

6.5 The operator strongly recommends keeping Private mode active, especially for teams with minor players.

7. Cookies and Analytics Tools

7.1 Technical cookies

The Service uses only essential technical cookies that are necessary for the functioning of login, preservation of language settings, and session security. These cookies do not require your consent because they are necessary for providing the Service.

7.2 Vercel Analytics

We use Vercel Analytics to measure traffic, which:

  • Does not use cookies
  • Does not store personal data
  • Collects only anonymized traffic data (number of page views, device type, etc.)

For this reason, we do not require your consent to cookies for analytics purposes.

8. Data Retention

  • Data of active accounts: for the entire duration of the account
  • Data of deleted accounts (User's personal data): upon requesting account deletion, a 7-day grace period begins during which the User may restore the account by logging in again. After this period expires, the User's personal data is permanently deleted, the name in records is replaced with an anonymous designation, and references to financial records are removed. The User may request immediate deletion without waiting for the grace period to expire by sending a request to info@tymovakasa.cz
  • Financial records related to issued tax documents (PRO plan invoices): retained in the legally required form for 10 years (Act No. 563/1991 Coll., on Accounting)
  • Records of fines, contributions, and payments recorded within a team (where we are the processor): retained for the duration of the team's existence due to the integrity of historical overviews. Upon permanent deletion of a player by the team administrator, historical financial records are preserved with the original name in order to maintain the integrity of the team's accounting history. The legal basis for this processing is the legitimate interest of the team administrator in maintaining complete financial records (Art. 6(1)(f) GDPR)
  • Identity of the creator/editor of financial records: the name and profile photo of the person who created or last edited a record are displayed for the duration of the record's existence within the team. If the creator deletes their user account, the reference to their identity in the records is removed (set to an empty value). If the creator leaves the team but retains their account, their name and photo remain visible on records they created based on the legitimate interest in the transparency of team records.
  • Support communications: no longer than 1 year from the end of communication (except where the matter requires longer retention for dispute resolution or fulfilment of a legal obligation)
  • Backups: backups may contain data even after deletion for the period necessary for system recoverability (typically 7 days)

9. Your Rights

As a data subject, you have the following rights under GDPR:

  • Right of access to your personal data — you may request a copy of the data we process about you
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”) — you may request deletion of your data if it is no longer needed for the fulfilment of a contractual or legal obligation (in particular the obligation to retain accounting documents)
  • Right to restriction of processing in certain cases
  • Right to data portability — you may obtain your data in a commonly used, machine-readable format
  • Right to object to processing based on legitimate interest
  • Right not to be subject to automated decision-making if it would have legal or similarly significant effects
  • Right to lodge a complaint with the supervisory authority, which in the Czech Republic is the Office for Personal Data Protection (Pplk. Sochora 27, 170 00 Praha 7, www.uoou.cz)

Note: If you are a team member recorded in the Service without your own account (typically a youth team player), the team administrator (e.g. a club, coach) is the controller of your personal data, not the Service operator. Please address your GDPR requests directly to the team administrator. The team administrator may, in justified cases, decide to completely delete a player including their historical records.

To exercise your rights against the operator, contact us at info@tymovakasa.cz. We will handle your request without undue delay, within 30 days of receipt at the latest.

10. Data Security

We protect your personal data with appropriate technical and organisational measures, in particular:

  • Encrypted data transmission (HTTPS/TLS)
  • Secure password storage via hashing (bcrypt)
  • Restricted database access (Row Level Security in Supabase)
  • Regular backups
  • Security updates of the technologies used

Despite our efforts, no method of transmission or storage of data on the internet is 100% secure. If you notice any security issue, please contact us immediately at info@tymovakasa.cz.

11. Children and Minors

11.1 Own user account: The Service is intended for persons aged 15 and over for the purposes of creating their own user account (in accordance with § 7 of Act No. 110/2019 Coll., which uses the exception under Art. 8(1) GDPR for the Czech Republic).

11.2 Recording within a team without a personal account: Younger persons (especially youth team players) may be recorded in the Service by the team administrator as team members without their own account. In such a case, the team administrator (typically a club, coach, or legal guardian) is the controller of their personal data and is responsible for ensuring a legal basis for processing (in particular the consent of the legal guardians of minors). The operator in this relationship acts solely as a processor following the team administrator's instructions.

11.3 If we discover that we have inadvertently collected personal data of a person under the age of 15 in connection with creating their own account without the consent of their legal guardian, we will delete the data immediately.

12. Changes to the Policy

We may update this Policy from time to time, in particular in response to changes in legislation or Service features. We will notify you of significant changes by email or through the Service.

The current version of the Policy is always available on the Service website.

13. Contact

If you have any questions regarding the processing of your personal data, please contact us:

  • Email: info@tymovakasa.cz
  • Address: Tomáš Prokop, Šrámkova 3213/12, 400 11 Ústí nad Labem – Severní Terasa, Czech Republic
  • IČO (Business ID): 19173326

This Policy takes effect on April 27, 2026.