Table of Contents
Privacy Policy
Last updated: Sep 25, 2025
Preamble
With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as "data") we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").
The terms used are not gender-specific.
Controller
Superstars of Tomorrow Football Academy
1040 Noel Drive, Suite 100-B
Menlo Park, CA 94025
United States
Authorized Representatives:
Richard Shinn, CEO
E-mail address: privacy@superstarstomorrow.com
Overview of Processing Operations
The following table summarises the types of data processed, the purposes for which they are processed and the concerned data subjects.
Categories of Processed Data
- Inventory data (names, addresses, contact information)
- Payment Data (billing information, transaction records)
- Contact data (email addresses, phone numbers)
- Content data (training videos, performance analysis)
- Contract data (subscription details, service agreements)
- Usage data (app interactions, feature usage)
- Meta/communication data (device information, IP addresses)
Categories of Data Subjects
- Prospective customers and trial users
- Communication partners and inquirers
- Active users and subscribers
- Business and contractual partners
- Parents and guardians (for minor participants)
Purposes of Processing
- Provision of contractual services and customer support
- Contact requests and communication management
- Office and organisational procedures
- Managing and responding to inquiries
- Feedback collection and service improvement
- Marketing and promotional activities
- Provision of our online services and usability enhancement
Legal Bases for the Processing
In the following, you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply.
Performance of a contract and prior requests (Article 6 (1) (b) GDPR)
Processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Compliance with a legal obligation (Article 6 (1) (c) GDPR)
Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate Interests (Article 6 (1) (f) GDPR)
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Security Precautions
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data.
SSL Encryption (HTTPS)
In order to protect your data transmitted via our online services in the best possible way, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission of Personal Data
In the context of our processing of personal data, it may happen that the data is transferred to other places, companies or persons or that it is disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are embedded in a website.
In such a case, the legal requirements will be respected and in particular corresponding contracts or agreements, which serve the protection of your data, will be concluded with the recipients of your data.
Data Processing in Third Countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third party services or disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements and with appropriate safeguards such as standard contractual clauses or adequacy decisions.
Erasure of Data
The data processed by us will be erased in accordance with the statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or they are not required for the purpose).
If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes.
Business Services
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") within the context of contractual and comparable legal relationships as well as associated actions and communication.
Software and Platform Services
We process the data of our users in order to provide them with our contractual services and on the basis of legitimate interests to ensure the security of our offer and to develop it further.
Data retention: We delete the data after expiry of statutory warranty and comparable obligations, typically after 4 years, unless required for legal archiving purposes.
Provision of Online Services and Web Hosting
In order to provide our online services securely and efficiently, we use the services of web hosting providers from whose servers the online services can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services.
Collection of Access Data and Log Files
We collect data on each access to the server (server log files) for security purposes and to ensure optimal performance. Log file information is stored for a maximum period of 30 days and then deleted or anonymized.
Contact and Inquiry Management
When contacting us (e.g. via contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.
Changes and Updates to the Privacy Policy
We kindly ask you to inform yourself regularly about the contents of our data protection declaration. We will adjust the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
Rights of Data Subjects
As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
Right to Object
You have the right to object at any time to the processing of your personal data for direct marketing purposes or based on legitimate interests.
Right of Withdrawal for Consents
You have the right to revoke consents at any time.
Right of Access
You have the right to request confirmation as to whether data concerning you is being processed and to receive information about this data.
Right to Rectification
You have the right to request the completion or rectification of incorrect data concerning you.
Right to Erasure and Restriction
You have the right to demand that relevant data be erased immediately or that processing be restricted.
Right to Data Portability
You have the right to receive data concerning you in a structured, machine-readable format.
Complaint to Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority.
Terminology and Definitions
This section provides an overview of the terms used in this privacy policy. Many of the terms are drawn from the law and defined mainly in Article 4 GDPR.
Controller
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal Data
"Personal data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.
Processing
The term "processing" covers a wide range and practically every handling of data, be it collection, evaluation, storage, transmission or erasure.
Profiles in Social Networks (Social Media)
We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.
Instagram
Social network operated by Instagram Inc.
Facebook
Social network operated by Meta Platforms Ireland Limited
LinkedIn
Professional network operated by LinkedIn Ireland Unlimited Company