Last updated: June 20, 2026.

1. Controller

Touchdown Tracker
Simon Kell
Goethestr. 136
41515 Grevenbroich
Germany
Email: support@touchdown-tracker.com

2. Scope

This policy applies to:

  • touchdown-tracker.com,
  • the Touchdown Tracker app,
  • the related user account, and
  • requests sent to our support team.

Touchdown Tracker is an independent American Football groundhopping service. The app includes team, game and stadium discovery, visited and planned games, personal statistics, photos, favorites, check-ins, leaderboards and optional notifications.

3. Website hosting and server logs

The website, content delivery network, app backend and database are hosted by Render Services, Inc. When the website or app is accessed, Render processes technically necessary connection data. This may include the IP address, date and time, requested page or API resource, referrer, browser or app, operating system, status code and transferred data volume.

This processing is necessary to provide a secure and stable website and is based on Article 6(1)(f) GDPR.

We do not maintain additional website access logs of our own. According to Render’s documentation, Render does not expose request logs for static sites in its dashboard. Web services may generate operational runtime logs and, depending on the workspace plan, HTTP request logs. Render currently specifies retention periods of 7 days for Hobby, 14 days for Pro and 30 days for Scale or Enterprise workspaces. More information: Render logging documentation, Render Privacy Policy and Render Data Processing Addendum.

4. Using the app without an account

Basic team, game, competition and stadium information can be accessed without an account. Technically necessary data such as IP address, time, requested API resource, device or app information and error data is processed when these services are used.

The purposes are content delivery, abuse prevention, troubleshooting and service security. The legal basis is Article 6(1)(f) GDPR.

5. Account and authentication

Depending on the sign-in method, we process:

  • email address,
  • username,
  • optional first and last name,
  • a securely hashed password,
  • for Sign in with Apple, the user identifier and possibly a private Apple relay address,
  • account status and timestamps,
  • short-lived access tokens and technically protected refresh tokens, and
  • security-related login attempts and errors.

This data is required to create and authenticate the account, manage sessions and provide personal features. The legal basis is Article 6(1)(b) GDPR. Security and abuse-prevention measures are also based on Article 6(1)(f) GDPR.

Sign in with Apple

When Sign in with Apple is used, Apple participates in the authentication process. The app receives a unique identifier, identity proof and, depending on the user’s choice, an email address or private relay address. Apple processes data under its own privacy policy. More information: Apple Privacy Policy.

6. Personal app data

When signed-in users use the app, we process in particular:

  • favorite teams and a favorite game,
  • visited games and check-ins,
  • planned visits,
  • ratings, notes and optional seat details,
  • photos uploaded for visits,
  • profile photo and its visibility setting,
  • timestamps and technical identifiers, and
  • personal and aggregated statistics calculated from this information.

This processing provides the personal digital stadium diary and requested app functions and is based on Article 6(1)(b) GDPR.

Photos are resized and processed as JPEG files before storage; an additional copy of the original file is not retained. Notes, seat details and private visit photos are associated with the relevant account and are not part of the public leaderboard.

7. Public profile elements and leaderboards

The global leaderboards may publicly display:

  • username,
  • optional first and last name,
  • numbers of visits, stadiums, countries and seasons, and
  • a profile photo if its visibility has expressly been set to “public”.

A profile photo set to “private” or “friends” is currently not displayed publicly. Public display of the photo is based on consent under Article 6(1)(a) GDPR, which can be withdrawn by changing the visibility setting. The remaining leaderboard data forms part of the social app functionality and is processed under Article 6(1)(b) GDPR.

8. Profile, visit and stadium photos

The app requests access to photos or the camera only when a user selects a corresponding function and grants the system permission. Permission can be withdrawn in iOS Settings.

Users may voluntarily submit stadium photos for review. We store the photo, file details, user and stadium association, rights confirmation, license and review status. Submissions are accepted only under the CC0 1.0 license and become public stadium images only after approval. Rejected submissions are currently retained until manual deletion or deletion of the user account.

The legal basis is Article 6(1)(b) GDPR and, for public display, the CC0 release provided by the user.

9. Location

Location access is optional and is used for nearby games, check-ins and local alerts. The latest known coordinates, accuracy and timestamp are stored locally on the device. Under the current technical implementation, the device location is not uploaded to our server.

Permission can be changed or withdrawn in iOS Settings. Other app functions remain available without location access, although location-based features may be limited.

10. Push notifications and weather alerts

Push notifications are optional. If enabled, we process:

  • the device token provided by Apple,
  • its user and device association,
  • platform, app environment and bundle ID,
  • enabled status, language and time zone, and
  • technical timestamps.

Notifications are delivered through the Apple Push Notification service (APNs). Apple receives the data required for delivery. Processing is based on consent under Article 6(1)(a) GDPR and can be stopped through iOS notification settings.

For optional weather alerts, our server requests weather data from Open-Meteo using the relevant stadium coordinates and game date. The user’s location is not transmitted for this purpose. More information: Open-Meteo Terms and Privacy.

11. In-app tips and support payments

The iOS app may offer voluntary one-time tips through Apple’s in-app purchase system. Tips do not unlock features or content. Apple processes purchase and payment details; we receive only the information required to confirm and provide the purchase. Apple’s privacy and payment terms apply.

The website support section currently embeds functions from PayPal and Stripe. Loading these embeds may transfer IP address, browser and device information, cookies or similar identifiers to the providers. If a payment is made, further payment and contact data is processed directly by the selected provider.

Loading non-essential payment widgets requires consent under Article 6(1)(a) GDPR. PayPal and Stripe content therefore loads only after consent.

The website does not use its own analytics or advertising cookies. It stores only the choice “necessary services only” or “allow optional services” in the browser’s local storage. This technically necessary setting prevents the consent request from appearing again on every page view. The legal basis is Section 25(2)(2) TDDDG; subsequent processing is based on Article 6(1)(f) GDPR.

PayPal and Stripe remain blocked until the user allows optional services. Consent can be changed or withdrawn at any time through Cookie settings in the website footer. After withdrawal, the services will not be loaded again. Transfers that already occurred are unaffected. The locally stored choice can also be deleted through the browser settings.

Team, league and stadium images may be loaded directly from external media servers, including league, team, sports-data or Wikimedia services. The relevant provider technically receives the IP address and browser or app information. The purpose is the editorial presentation of American Football content, based on Article 6(1)(f) GDPR.

Links to Instagram, the App Store and other external websites transfer data to those providers only when clicked. Their own privacy terms then apply.

Game, team and stadium information is partly compiled from publicly available or licensed third-party sources. Server-side retrieval of this factual information generally does not include user-account data.

14. App hosting and other recipients

The app backend and database are hosted by Render Services, Inc. Render may process the account, content, usage and technical data described in this policy on our behalf. For transfers outside the EEA, Render provides for the EU-U.S. Data Privacy Framework or EU Standard Contractual Clauses. More information: Render Privacy Policy and Render Data Processing Addendum.

Depending on the function used, other recipients or processors are:

  • Apple for authentication, push notifications and in-app purchases,
  • SMTP2GO for welcome, password-reset and operational emails,
  • Render for website hosting, CDN, app backend, database and technical logs,
  • Open-Meteo for stadium-based weather requests, and
  • PayPal or Stripe when their respective support-payment option is used.

Under the current implementation, data is not disclosed for advertising purposes, and the app does not use its own advertising or analytics trackers.

For email delivery, SMTP2GO processes in particular the recipient and sender addresses, message content, delivery status and technical sending information. Depending on the message, the legal basis is Article 6(1)(b) or Article 6(1)(f) GDPR. More information: SMTP2GO Privacy Policy.

15. Local storage on the device

For app functionality, the device stores in particular:

  • downloaded team, game and stadium information,
  • personal app data and synchronization state,
  • settings, image caches and the last known location,
  • push and device preferences, and
  • authentication tokens protected in the iOS Keychain.

Depending on the data type, local data can be removed by signing out, deleting it within the app, deleting the account or uninstalling the app.

16. Support requests

If a user contacts us by email, we process the sender address, message and any voluntarily supplied details to respond. The legal basis is Article 6(1)(b) GDPR for contract-related requests and otherwise Article 6(1)(f) GDPR. Messages are deleted when no longer required unless statutory retention obligations apply.

17. Retention and account deletion

We retain personal data only for as long as necessary:

  • account and personal app data generally until account deletion,
  • individual visits, plans and photos until deleted by the user or the account,
  • public profile photos until visibility is changed or the photo is deleted,
  • push tokens until notifications are disabled, sign-out or account deletion,
  • password-reset codes are valid for 30 minutes,
  • session and refresh tokens until expiry, revocation or account deletion,
  • rejected stadium-photo submissions currently until manual deletion or account deletion,
  • Render technical logs for 7, 14 or 30 days depending on the workspace plan, and
  • records subject to legal retention duties for the applicable statutory period.

The account can be permanently deleted in the app under Menu → Delete account. The account, favorites, visits, planned visits, related visit and profile photos and authentication records are then removed from the active system. Legally required records, limited security logs or temporary backups may remain until their respective retention period expires.

Depending on the processing, we rely on:

  • Article 6(1)(a) GDPR – consent,
  • Article 6(1)(b) GDPR – contract and pre-contractual steps,
  • Article 6(1)(c) GDPR – legal obligations, and
  • Article 6(1)(f) GDPR – legitimate interests, particularly operation, security, abuse prevention and troubleshooting.

19. International transfers

Some service providers are based in the United States or process data outside the European Economic Area. Where required, transfers rely on an adequacy decision, including the EU-U.S. Data Privacy Framework, or appropriate safeguards such as the European Commission’s Standard Contractual Clauses. Details are available in the providers’ privacy notices.

20. Data subject rights

Subject to applicable legal requirements, users have rights including:

  • access (Article 15 GDPR),
  • rectification (Article 16 GDPR),
  • erasure (Article 17 GDPR),
  • restriction of processing (Article 18 GDPR),
  • data portability (Article 20 GDPR),
  • objection to processing based on legitimate interests (Article 21 GDPR), and
  • withdrawal of consent with future effect (Article 7(3) GDPR).

Requests may be sent to support@touchdown-tracker.com. Users may also lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
P.O. Box 20 04 44
40102 Düsseldorf, Germany
Telephone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
www.ldi.nrw.de

21. Required data and automated decisions

An email address, username and supported authentication method are required for a user account. Without them, account-based features cannot be provided. Other details and permissions are generally optional.

We do not use automated decision-making, including profiling, within the meaning of Article 22 GDPR.

22. Security and changes

We use appropriate technical and organizational measures, including encrypted transmission, protected tokens, password hashing, access controls and login-attempt limits.

We may update this policy when functions, service providers or legal requirements change. The version published on this page applies.