Privacy Policy.

JudoLytics is a sports analysis platform for judo. We help judokas, coaches, and club administrators analyze match performance, track training and body measurements, monitor recovery, create development plans, and manage judo clubs.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the Dutch supervisory authority for the protection of personal data. More information at autoriteitpersoonsgegevens.nl.

We only collect data that is necessary for providing our service or for which we have another legal basis. Below you will find an overview per category.

Please note: recovery data (sleep quality, physical recovery, energy, motivation, soreness) is considered health data within the meaning of Article 9 GDPR. We process this data exclusively on the basis of your explicit consent, which you provide by voluntarily entering this data. You can stop entering recovery data at any time and delete existing data.

Explanation of legal bases: "Performance of contract" means that the processing is necessary to provide you with the service. "Legitimate interest" means that we have a business interest in the processing, always weighing it against your privacy interests.

When you link an opponent to an external profile, we retrieve additional data from publicly accessible sports databases at your request:

• IJF (International Judo Federation) — Public match data, world rankings, competition history, and weight category via the IJF Judobase.
• JudoManager — National match data, statistics, and club information via the JudoManager API.

This data is temporarily cached to optimize platform performance. The cached data is automatically refreshed and can be deleted by you by removing the opponent from your account.

We share your personal data with the following service providers (processors) who process data on our behalf. We have concluded a data processing agreement with each processor in accordance with Article 28 GDPR.

SCCs = Standard Contractual Clauses — contractual safeguards approved by the European Commission for international data transfers (Implementing Decision (EU) 2021/914). The EU-US Data Privacy Framework is an additional safeguard: US organizations certified under the framework provide an adequate level of protection for personal data transferred from the EU (European Commission adequacy decision of 10 July 2023).

To display country flags, we load static images from a public flag CDN (flagcdn.com). This only exposes the IP address that every internet request requires; no account data is shared.

JudoLytics offers the ability to join a judo club within the platform. Within a club, coaches, administrators and — depending on your settings — fellow club members can view certain member data, but only to the extent you have set this yourself. When you join a new club, nothing is shared by default until you make a choice.

You decide per data category who you share with, via the privacy settings in your dashboard. For each category you choose one level: 'Don't share' (private), 'Coaches only', or 'With the whole club'. You can set this for the following types of data:

• Match results, scores and statistics
• Opponent information and notes
• Match plans
• Match reflections (lessons learned for a match)
• Body measurements, including weight (set separately)
• Training, recovery check-ins and your personal development plan — these can only be shared with coaches, never with the whole club

A sharing setting applies to all your data in that category — including data you entered earlier. If you set a category to private, coaches and fellow club members will no longer see your older data in that category either. You can change all of these settings at any time via your privacy settings in the dashboard.

We reserve the right to anonymize and aggregate your data for the following purposes:

When anonymizing, we ensure that:

• Data is aggregated at group level (minimum 5 users)
• Individual identifiers are irrevocably removed
• It is impossible to trace results back to individual persons
• Anonymized data is not combined with other sources for re-identification

Anonymized and aggregated data no longer falls under the General Data Protection Regulation (GDPR) and can therefore be used without restriction, including for external publication and marketing purposes.

Legal basis: Legitimate interest (Article 6(1)(f) GDPR). We have conducted a balancing test weighing the interest of product improvement and knowledge development in judo against your privacy interests. Since the data is fully anonymized, we consider the risk to your privacy minimal.

We do not retain your data longer than necessary for the purpose for which it was collected, unless a legal retention obligation applies.

We know your recovery, performance, and health data is personal. That is why security is not an add-on but the foundation JudoLytics is built on. We take appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or modification. Below we explain, in plain language, how.

• Encryption — All your data is encrypted in transit (the entire app runs only over a secure HTTPS connection, enforced via HSTS) and encrypted at rest (encryption at rest via Supabase).
• Secure login — Login is via email and password or via Google (OAuth 2.0), with a PKCE-secured login flow and optional two-factor authentication (MFA/2FA) via authenticator apps.
• Access control (Row-Level Security) — At the database level, it is enforced that you can only access your own data. No other judoka or coach can see your data unless you choose to share it. This rule is enforced in the database itself, not only in the app, and is tested automatically.
• CAPTCHA protection — Cloudflare Turnstile protects the registration process against automated attacks.
• Rate limiting — Protection against brute-force login attempts and API abuse.
• Audit logging — Administrative actions are logged for accountability and debugging.
• MFA enforcement — Two-factor authentication is mandatory for administrator and support roles. Regular users can enable MFA voluntarily, with recovery codes and trusted devices.
• Security headers — A strict Content Security Policy and additional security headers counter common web attacks, such as clickjacking and code injection.
• Input validation — Everything you enter is checked both in your browser and on the server before it is stored.
• You stay in control — You can download all your data at any time or have your account and data permanently deleted, directly from your settings.

In short: your data is encrypted and technically isolated. No other user, not even a coach in your club, can see your data unless you choose to share it. Our database is hosted in the European Union; where we use service providers outside the EU, appropriate safeguards apply (see section 11). You remain the owner of your data and stay in control at all times.

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

JudoLytics uses cookies and local storage in your browser for the functioning of the application. Below you will find a complete overview of all cookies and storage mechanisms we use, divided into strictly necessary and optional (consent required).

Strictly necessary cookies and storage

These cookies and storage items are necessary for the website to function. They cannot be disabled.

Analytics cookies (consent required)

These cookies are only placed after your explicit consent via the cookie banner. You can withdraw or adjust your consent at any time.

Advertising cookies (consent required)

These cookies are used to measure the effectiveness of advertising campaigns. They are only placed after your explicit consent.

Embedded third-party content

Some pages may embed third-party content. This content only loads when you use it, and may then set cookies from that party. We therefore do not place these cookies in advance.

The strictly necessary cookies and storage are required for the functioning of the service. Under the Dutch Telecommunications Act (Article 11.7a), prior consent is not required for these. Analytics and advertising cookies are only placed after your explicit consent via the CookieYes cookie banner. Fonts are self-hosted; no external requests are made to Google Fonts or other CDN services.

Some of our service providers are based in the United States. This means that your personal data may be processed outside the European Economic Area (EEA).

To ensure an adequate level of protection, we use:

• Standard Contractual Clauses (SCCs) — Standard contractual clauses approved by the European Commission in accordance with Implementing Decision (EU) 2021/914.
• Data processing agreements — Written agreements have been concluded with all processors that comply with Article 28 GDPR.
• Additional technical measures — Encryption of data in transit and at rest.

JudoLytics is intended for judokas and coaches of all ages. Judo is a sport practiced from a young age, and we understand that minors may also use our platform.

In accordance with Article 8 GDPR and Article 5 of the Dutch GDPR Implementation Act (UAVG), consent from a parent or legal guardian is required for users under 16 years of age to create an account.

The platform offers the ability to enter recovery and health data (such as sleep quality and physical recovery). For minor users, the parent or legal guardian must give consent for the processing of this special category of personal data.

We do not actively verify age at registration. If we become aware that a minor is using our platform without parental or guardian consent, we will delete the relevant account and associated data. Parents or guardians can contact us at info@judolytics.com.

We may update this privacy policy from time to time, for example in response to new features, legal obligations, or changes in our service.

For substantial changes, we will inform you via:

• An email notification to the email address we have on file
• A notification within the application

The "Last updated" date at the top of this page is updated with each change. We recommend reviewing this privacy policy regularly.

Do you have questions about this privacy policy or about the processing of your personal data? Please contact us:

If you believe that we are not processing your personal data correctly, you have the right to file a complaint with the Dutch Data Protection Authority:

This privacy policy has been drawn up in conjunction with the Terms of Service of JudoLytics. In case of conflict between this privacy policy and the Terms of Service, this privacy policy prevails insofar as it concerns the processing of personal data. Terms of Service