Privacy policy

Privacy Policy

GameSense (gamesense.coach)

Last updated: 17 March 2026

1. Who We Are

GameSense ("we", "us", "our") is a limited liability company incorporated under the laws of the Netherlands, having its office address at Laan van Kronenburg 14, 1183 AS Amstelveen, The Netherlands, and registered with the Chamber of Commerce under number 92153488.

GameSense is a web application for creating interactive video-based quizzes for sports coaching and tactical education. Coaches upload match footage, create clips at key moments, generate questions (optionally with AI assistance), and share quizzes with players.

This privacy policy explains what data we collect, why, and how we handle it.

Contact: info@gamesense.coach

2. What Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address — to identify your account and send transactional emails

  • Display name — shown to other users (e.g. coach name on quizzes)

  • Password — stored as a hash by our authentication provider (Supabase Auth); we never see or store your plaintext password

  • Role — whether you are a coach or player

2.2 Profile Data (Optional)

  • Club name and team name — if your organisation uses ClubOS, this is synced automatically

  • Sport — selected during onboarding

2.3 Video Data

Coaches upload match footage to create quizzes. Videos are:

  • Uploaded directly from your browser to Mux (our video hosting provider)

  • Stored and streamed by Mux

  • Used to generate video clips at timestamps you define

We do not access your device camera or microphone. GameSense is a web application — you upload existing video files from your device.

2.4 Quiz Data

  • Questions and answers — created by coaches (or generated by AI)

  • Annotations — drawings/markings coaches add to video frames

  • Share codes — unique codes for distributing quizzes to players

2.5 Player Response Data

When players take a quiz, we collect:

  • Name and email — entered by the player to identify their submission

  • Answers — responses to each question

  • Scores — calculated automatically or via AI grading

  • Feedback — AI-generated or coach-written feedback on answers

2.6 Analytics Data

We use PostHog for product analytics. We collect:

  • Usage events — which features you use (e.g. quiz published, video uploaded)

  • Page views

  • UTM parameters — if you arrived via a marketing link

Analytics are only collected in production (not on localhost). We do not use session recording.

2.7 Technical Data

Collected automatically for security and service operation:

  • IP address — used for rate limiting and abuse prevention

  • Browser and device information — from HTTP headers (user agent)

3. What We Do NOT Collect

  • Camera or microphone access — we never request these permissions

  • Contacts or address book

  • Location data — we do not request geolocation

  • Social media accounts

  • Advertising identifiers

Our hosting configuration explicitly disables browser permissions for camera, microphone, and geolocation via the Permissions-Policy header.

4. How We Use Your Data

Provide the service (create/take quizzes)

Data used: Account, video, quiz, response data

Legal basis: Contract performance

Send transactional emails (welcome, quiz invitations, feedback)

Data used: Email, name, quiz content

Legal basis: Contract performance

AI question generation

Data used: Clip labels, timestamps, context text

Legal basis: Legitimate interest

AI answer grading and feedback

Data used: Questions, expected answers, player answers

Legal basis: Legitimate interest

Product analytics (improve GameSense)

Data used: Anonymised usage events

Legal basis: Legitimate interest

Prevent abuse and enforce rate limits

Data used: IP address, user ID

Legal basis: Legitimate interest

Sync team/player data from ClubOS

Data used: Club, team, and player roster data

Legal basis: Contract performance

Error monitoring and debugging

Data used: Error messages, page URL, browser info

Legal basis: Legitimate interest

5. AI Processing

GameSense uses OpenAI to power optional AI features:

  • Question generation — when a coach requests AI-generated questions, we send the clip label (max 200 characters) and optional context (max 1,000 characters) to OpenAI. We do not send video data to OpenAI.

  • Answer grading — when answers are graded by AI, we send the question text, expected answer, and player's answer to OpenAI. OpenAI returns a score and feedback.

All AI processing happens server-side. Text sent to OpenAI is sanitised to prevent prompt injection. We use OpenAI's gpt-4o-mini model.

Per OpenAI's API data usage policy, data sent via their API is not used to train their models.

6. Third-Party Processors

We share data with the following service providers who process it on our behalf:

Supabase — Database, authentication, edge functions

Data shared: All user data, quiz data, responses

Server location: EU (Frankfurt)

Mux — Video hosting, streaming, clipping

Data shared: Video files, playback metadata

Server location: US

OpenAI — AI question generation, answer grading

Data shared: Quiz text content only (no video)

Server location: US

PostHog — Product analytics

Data shared: Usage events, user ID, role

Server location: EU

Resend — Transactional email delivery

Data shared: Email addresses, names, quiz content

Server location: US

Vercel — Web hosting, CDN, edge delivery

Data shared: HTTP requests, static assets

Server location: Global (EU primary)

ClubOS — Team and player management sync

Data shared: User email, club/team/player roster data

Server location: EU

We do not sell your data to third parties or share it for advertising purposes.

7. Video Data

Video data deserves special attention because it may contain identifiable individuals (players on a sports field):

  • Videos are uploaded directly from your browser to Mux using signed upload URLs — they do not pass through our servers

  • Videos are stored by Mux and streamed to authorised viewers via HLS

  • Coaches are responsible for having appropriate rights or consent to upload footage of individuals

  • We generate video clips (sub-sections) from uploaded videos for use in quizzes

  • When a coach deletes a quiz or their account, associated video assets are deleted from Mux

8. Children and Young Athletes

GameSense may be used by sports teams with players under 16 years of age. In these cases:

  • Coaches act as the responsible party — coaches (or their club/organisation) are responsible for obtaining appropriate parental or guardian consent before inviting minors to take quizzes

  • Minimal data from minors — players only provide their name, email, and quiz answers

  • No direct marketing to minors — we do not send marketing communications to players

  • No profiling of minors — analytics data is not used to profile individual players

If you are a parent or guardian and believe your child's data has been collected without appropriate consent, please contact us at info@gamesense.coach.

9. Cookies and Local Storage

GameSense uses minimal browser storage:

Supabase auth session

Type: localStorage

Purpose: Keep you logged in

Duration: Until logout

PostHog analytics

Type: Cookie

Purpose: Anonymous analytics identifier

Duration: 1 year

Language preference

Type: localStorage

Purpose: Remember your language choice

Duration: Persistent

We do not use:

  • Advertising or tracking cookies

  • Third-party cookies for cross-site tracking

  • Social media pixels or trackers

10. Data Retention

  • Account data — retained while your account is active. Deleted upon account deletion request.

  • Video data — retained while the associated quiz exists. Deleted when the quiz or account is deleted.

  • Quiz responses — retained for as long as the quiz exists, so coaches can review player performance over time.

  • Analytics data — retained per PostHog's data retention policy (typically 1 year).

  • Error logs — retained for up to 90 days for debugging purposes.

11. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access — request a copy of your personal data

  • Rectification — correct inaccurate data

  • Erasure — request deletion of your data ("right to be forgotten")

  • Restriction — restrict how we process your data

  • Portability — receive your data in a portable format

  • Object — object to processing based on legitimate interest

  • Withdraw consent — where processing is based on consent

To exercise any of these rights, email info@gamesense.coach. We will respond within 30 days.

12. Data Security

We implement the following security measures:

  • All data transmitted over HTTPS (enforced via HSTS with preload)

  • Server-side API keys for all third-party services (never exposed to browsers)

  • Rate limiting on authentication, AI, and email endpoints

  • Webhook signature verification (HMAC-SHA256) for Mux callbacks

  • Content Security Policy (CSP) headers restricting script and connection sources

  • Row-level security on database tables

  • Input validation and sanitisation on all user inputs

13. International Data Transfers

Some of our processors (Mux, OpenAI, Resend) are based in the United States. These transfers are governed by:

  • Standard Contractual Clauses (SCCs) where applicable

  • The processors' own data protection commitments and certifications

Our primary database (Supabase) and analytics (PostHog) are hosted in the EU.

14. Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you via email or an in-app notification.

15. Contact

For any questions about this privacy policy or your data:

Email: info@gamesense.coach

Website: https://gamesense.coach