Privacy Policy

1.Preamble

9316-6452 Québec inc., doing business as Decizif ("we", "our", "us" or "CoolPlay"), operates the CoolPlay cloud platform, accessible at coolplay.app and related services (collectively, the "Service"), enabling sports clubs and organizations to organize, manage and broadcast tournaments.

This privacy policy (the "Policy") describes how we collect, use, retain, disclose and protect your personal information when you use the Service, regardless of your role (club administrator, coach, scorekeeper, player, spectator, parent, sponsor or casual visitor).

We take the protection of your information seriously. We adhere to the principles of transparency, minimization, purpose limitation, security and accountability set out in Quebec's Law 25 and the federal PIPEDA.

By accessing the Service or creating an account, you acknowledge that you have read, understood and accepted this Policy. If you do not consent, please refrain from using the Service.

2.Data controller

The controller of your personal information is:

Person in charge of personal information protection

In accordance with section 3.1 of Law 25, we have designated a person in charge of personal information protection. You may contact this person for any matter relating to this Policy, the exercise of your rights, or an incident:

3.Definitions

For the purposes of this Policy:

• "Personal information" means any information that relates to a natural person and allows them to be identified, directly or indirectly.
• "Sensitive personal information" means information that, by its nature or the context of its collection, raises a high reasonable expectation of privacy (notably: medical data, data about minors, biometric data).
• "Processing" means any operation performed on personal information (collection, use, retention, disclosure, destruction).
• "You" means any natural person whose personal information we process through the Service.
• "Customer" means the club, organization or individual holding an administrator account having subscribed to a CoolPlay plan.
• "End user" means any person accessing the Service through a Customer (invited coach, volunteer scorekeeper, player, parent, spectator).

4.Information we collect

4.1 Information you provide directly

When you interact with the Service, you provide us with:

• Account creation (Customer / invited user): full name, email address, password (hashed with Bcrypt at 12 rounds, never in clear text), role (administrator, coach, scorekeeper).
• Club profile: club name, chosen subdomain, logo, contact information, mailing address, color palette.
• Tournament profile: name, description, sport, dates, venues, organizer, banner image, sponsors, announcements content.
• Team and player data: team names, division, age category, player names, group photos (if applicable), information provided during public team registration.
• Match data: scores, penalties, administrative notes, match sheet photos.
• Spectator photos: images uploaded via the public tournament interface.
• Payment information: we never store your credit card number. Payments are processed directly by Stripe Payments; we only retain reference identifiers issued by Stripe (customer ID, subscription ID, last 4 digits for display).
• Communications: content of messages exchanged via the control-room ↔ scorekeepers messaging, email invitations, support requests.

4.2 Information collected automatically

• Technical data: IP address, browser type and version, operating system, session identifier, preferred language, time zone.
• Usage data: pages visited, features used, timestamps, session duration, application paths, devices used (scorekeepers).
• Server logs: HTTP requests, errors, resource access, retained for security and diagnostics.
• Cookies and similar technologies: see section 14.

4.3 Information received from third parties

• Meta authentication (Facebook / Instagram): when an administrator connects a Meta account to publish on social media, we receive from Meta: your name, public Facebook identifier, list of Pages you manage and their identifiers, time-limited access token (encrypted in our database), and — if linked — your Instagram Business username. See section 16.
• Stripe: subscription status, billing dates, payment events (success, failure, refund) via signed webhooks.
• Email host: delivery statuses of transactional emails (sent, delivered, opened, failed) via our SMTP provider.

5.Purposes of processing

We process your personal information only for the following purposes:

We do not process your personal information for third-party targeted advertising, resale, or external commercial behavioral analysis.

6.Legal basis and consent

We process your personal information only when one of the following bases applies:

• Contract performance: processing is necessary to provide the Service you requested (managing your account, processing payments, hosting your data).
• Consent: for optional processing (publishing to social media on your behalf, newsletter, non-essential cookies). You may withdraw your consent at any time; withdrawal does not affect the lawfulness of prior processing.
• Legitimate interest: preventing fraud, ensuring platform security, improving the Service in a non-intrusive manner. We systematically assess whether our interests are balanced with your rights.
• Legal obligation: keeping accounting records, responding to formal authority requests.

7.Information about minors

The Service is designed for use by sports organizations whose activities may involve tracking minors (players, team photos, standings). We pay particular attention to such processing.

No minor directly creates an administrator account. Only adults (club administrators, coaches, parents) may register teams or add data about minors.

When data about minors is processed by the Service:

• The Customer (the organizing club) is responsible for obtaining explicit parental consent before any identifying photo upload, public naming, or dissemination of information about a minor.
• Photos uploaded by public spectators are made visible only after moderation by an administrator of the Customer.
• Upon request by a parent or guardian, we will promptly delete any data identifying a minor, subject to legal retention obligations.
• In accordance with Law 25, by default, the most restrictive privacy settings apply to minors' profiles.

For any request concerning a minor's information, write to privacy@coolplay.app with proof of your parental relationship.

8.Sharing with third parties

We never sell your personal information. We share it only with the following categories of recipients, and only to the extent necessary:

8.1 Service providers (processors)

Each of these processors is contractually bound to comply with security and confidentiality requirements equivalent to those of this Policy. We have conducted a privacy impact assessment (PIA) for transfers involving significant risks, in accordance with section 17 of Law 25.

8.2 Other recipients

• Public authorities and courts: where required by law (subpoena, warrant, valid court order), or to protect our rights, property or the safety of others.
• Successor in case of merger / acquisition / asset sale: provided the successor agrees to comply with this Policy. You will be notified beforehand.
• Professional advisors: lawyers, accountants, auditors, strictly within their mandates and under confidentiality obligations.

8.3 Intentional public broadcasting

Some data is made public by your deliberate action through the features of the Service:

• Public tournament pages (by token): tournament name, teams, players, scores, standings, validated photos.
• TV mode: live display in gymnasiums.
• Social media posts: at your request, via your connected accounts.

The Customer is responsible for ensuring it has the required consents before publicly disseminating identifying information.

9.Transfers outside Quebec

Some of your data may be hosted, processed or accessed outside Quebec (notably in Canada and the United States), via the providers listed in section 8.1.

Before any transfer of personal information outside Quebec, we conduct a privacy impact assessment in accordance with section 17 of Law 25, taking into account:

• the sensitivity of the information concerned;
• the purpose of the transfer;
• the contractual, technical and organizational protection measures offered by the recipient;
• the legal regime of the destination territory.

You may obtain, upon request, a summary description of the assessment carried out for a specific transfer.

10.Data retention

We retain your personal information only for the time necessary to achieve the identified purposes:

At the end of the retention period, information is either securely destroyed or irreversibly anonymized to serve our internal analytics.

11.Security measures

We implement reasonable technical and organizational measures to protect your information against unauthorized access, use, modification, disclosure or destruction:

• Encryption in transit: all communications with the Service use HTTPS/TLS 1.2 or higher.
• Encryption at rest of sensitive data: passwords hashed (Bcrypt 12 rounds), Meta OAuth tokens encrypted with the Laravel application key.
• Multi-tenant isolation: strict logical isolation of data between Customers via a tenant identifier verified on every request.
• Access control: password authentication, email verification, role-based management (administrator, coach, scorekeeper) with least-privilege.
• Backups: encrypted automatic backups; periodic restore tests.
• Logging and monitoring: audit logs, login anomaly detection, alerts on potential impersonation.
• Updates: regular application of security patches to the underlying software stack.
• Awareness: our employees and collaborators are trained in personal information protection.

No measure is infallible. We cannot guarantee absolute security, but we commit to acting with reasonable diligence.

12.Confidentiality incident notification

In the event of a confidentiality incident presenting a risk of serious harm (as assessed under Law 25), we undertake to:

• notify the Commission d'accès à l'information du Québec as soon as possible;
• notify the persons concerned, unless this is likely to hinder an investigation conducted by a law enforcement body;
• maintain an incident register for at least 5 years;
• take reasonable measures to mitigate harm and prevent recurrence.

13.Your rights

In accordance with Quebec's Law 25 and PIPEDA, you have the following rights regarding your personal information:

13.1 Right of access

Obtain confirmation that we hold information about you and receive an understandable copy of it.

13.2 Right of rectification

Request the correction of inaccurate, incomplete or equivocal information.

13.3 Right to portability

Obtain your personal information in a structured, commonly used technological format (JSON or CSV export), and request its direct transmission to another service provider, where technically feasible.

13.4 Right to withdraw consent

Withdraw at any time a previously granted consent, without affecting the lawfulness of prior processing.

13.5 Right to cease dissemination and de-indexing

Request the cessation of public dissemination of information, or its de-indexing, where dissemination causes you serious harm and the harm manifestly outweighs the public interest in information.

13.6 Right to erasure (right to be forgotten)

Request deletion of your personal information, subject to legal retention obligations (accounting, ongoing disputes).

13.7 Right to object to automated decisions

Request to be informed of any decision based exclusively on automated processing that produces legal effects or significantly affects you, and demand human intervention. To date, CoolPlay makes no purely automated decisions with such effect.

13.8 Exercising your rights

To exercise any of these rights, write to our Privacy Officer at privacy@coolplay.app specifying:

• your full name and email address associated with the account;
• the right you wish to exercise;
• the precise scope of your request;
• any document allowing identity verification (to prevent disclosure to an unauthorized third party).

We will respond to your request within a maximum of 30 days. If we refuse, we will provide you with the reasons and available remedies. Our services are provided free of charge, except for manifestly abusive or repetitive requests.

13.9 Remedies

If you believe we have not adequately responded to your request or have breached applicable legislation, you may file a complaint with:

• Commission d'accès à l'information du Québec — www.cai.gouv.qc.ca
• Office of the Privacy Commissioner of Canada — www.priv.gc.ca

14.Cookies and similar technologies

The Service uses cookies and similar technologies (browser local storage, session tokens). We distinguish:

You can configure your browser to refuse cookies; the Service may then not function correctly (login impossibility in particular).

15.Profiling and automated decisions

CoolPlay engages in no profiling for advertising or commercial purposes, and makes no decision exclusively automated producing legal effects or having a significant impact on you. The Service's automated calculations (standings, brackets, statistics) are transparent technical operations, and their results may be consulted, verified and corrected by Customer administrators.

16.Social media integrations (Meta: Facebook + Instagram)

The Service allows Customer administrators to connect a Facebook Page (and a linked Instagram Business account) to automatically publish, at their request, content related to their tournaments.

Upon connection:

• You are redirected to Meta's official authorization screen. We never see your Facebook credentials (email, password).
• Meta transmits to us an access token and the list of Pages you manage. These tokens are encrypted in our database via the Laravel application key.
• The permissions requested are strictly limited to what is necessary for publishing: pages_show_list, pages_read_engagement, pages_manage_posts, instagram_basic, instagram_content_publish, business_management.
• You can disconnect your Meta account at any time from the Settings → Integrations screen. This immediately removes the token from our database. To also revoke the authorization on Meta's side, visit your Facebook settings.

Use of Meta platforms is governed by Meta's own privacy policies, over which we have no control.

17.Changes to this Policy

We may modify this Policy to reflect Service evolution, legal requirements, or our practices. The "Last updated" date shown at the top of this page will be revised accordingly.

When changes are substantial, we will notify you by email and/or by a visible notification in the Service at least 30 days before they take effect, to give you time to review the changes and, if applicable, withdraw your consent.

18.Contact us

For any question, request to exercise a right, or complaint:

Note: This privacy policy forms an integral part of our Terms of Service. In case of discrepancy between the French and English versions, the French version prevails.