Privacy Policy

PugiList is a professional boxing matchmaking platform for amateur boxing coaches, built to help England Boxing affiliated clubs find eligible opponents.

This policy applies to the PugiList website at pugilist.io, the PugiList API at api.pugilist.io, and the PugiList mobile applications for iOS and Android.

The data controller is Pugilist Group Ltd, a company registered in England and Wales under company number 17122596, with registered office at 8 Blenheim Crescent, Leamington Spa, England, CV31 1FW. We are registered with the UK Information Commissioner's Office (ICO) under registration reference ZC135005. You can reach us at support@pugilist.io.

Territorial scope and EU representative. Pugilist Group Ltd is established in the United Kingdom and our processing is governed by UK GDPR and the Data Protection Act 2018. We do not offer the service to or target data subjects in the EU/EEA: PugiList is built exclusively for clubs affiliated with England Boxing, the UK governing body for amateur boxing, and we do not advertise, market, or accept registrations from clubs outside the UK. The territorial scope of EU GDPR (Article 3(2)) therefore does not extend to our processing, and we are not required to appoint an Article 27 representative in the EU. If a UK-based club registers a boxer who is resident in the EU/EEA, that boxer's data is still processed under UK GDPR by virtue of our establishment in the United Kingdom. If we begin offering the service to clubs based outside the UK we will update this notice and appoint a representative as required.

When you use PugiList we collect:

• Account data: your name and email address, managed via Supabase Auth
• Club data: club name, address, postcode, contact email, website, region
• Boxer records: first name, last name, gender, date of birth, weight class, height, reach, England Boxing registration number (optional), bout history and results, coach notes
• Health-related data: medical certificate expiry dates, suspension periods, availability status, and bout stoppage history used to assess boxer safety and eligibility
• Match and show data: match requests, sparring sessions, boxing show records, training attendance, and venue locations you create on the platform
• Billing data: subscription plan and status, processed by Stripe; we do not store card numbers
• Location data: club postcode and optional coordinates, used to estimate travel distance for matchmaking; you can use the platform without providing coordinates
• Usage data: access logs (request path, user ID, response time) and error logs retained for 30 days for security and reliability
• Device tokens: if you use the mobile app and enable push notifications, we store your Expo push token; it is deleted when you sign out
• Mobile diagnostics: if the mobile app encounters an error, anonymous crash and performance data may be transmitted to our error monitoring service (Sentry) to help us diagnose the issue. Personal data is filtered out before transmission (`send_default_pii=False`); we do not include boxer records, health data, or chat messages in crash reports.
• Chat and messaging: when you message another club we store the message content, sender, recipient, conversation thread, timestamps, and read state. If you report a message we store the report reason, your notes, and our moderation decision.
• Support tickets: if you contact support we store your name, email, the ticket subject and body, category, priority, status, and any internal admin notes used to resolve it.
• Audit log: for accountability we keep a record of who created, updated, or deleted key records (boxers, shows, bouts, match requests), the type of action, and a timestamp. We do not store the full before/after content of every change.
• Parental / guardian consent attestation: when a coach toggles data sharing on for a boxer who is under 18, we record that the coach has confirmed (via an explicit in-app attestation) that they have obtained the consent of a parent or legal guardian. We do not collect the parent or guardian's name, contact details, or any other identifying information about them; the coach is responsible for keeping their own primary record of that consent at the club. The platform records only the timestamp of the toggle and the user account who set it.

The mobile app does not request access to your camera, microphone, or photo library. Distance-to-opponent is calculated from your club postcode only. Your device's precise location is never sent to our servers. The maps inside the app may ask for location permission so they can show a “you are here” dot when you view the club directory or browse other gyms; if you decline, the map still works. Location data, if shared, stays on your device.

• To provide the matchmaking service: finding eligible opponents based on England Boxing weight and age criteria
• To facilitate match requests, sparring sessions, and boxing shows between clubs
• To send transactional emails (match requests, billing alerts, club verification)
• To process subscription payments via Stripe
• To detect and prevent fraud or abuse

Under UK GDPR our legal bases are:

• Contract performance: processing your account, boxer, and billing data to provide the service you have subscribed to
• Legitimate interest: sending notifications about match requests and platform activity; operating platform security and fraud detection
• Legal obligation: retaining billing records for 7 years as required by UK tax and financial regulations (Finance Act 1998, Companies Act 2006)
• Explicit consent: sharing a boxer's full name with other clubs for matchmaking, controlled by the data-sharing consent toggle on each boxer record

Health-related data (special category). We process medical certificate expiry dates, England Boxing membership status, suspension periods, last-fight dates, bout stoppage history, and free-text coach notes that may contain health information. Our conditions are layered by data subject group:

• For boxers under 18 (substantial public interest, safeguarding): We rely on UK GDPR Article 9(2)(g) (substantial public interest), with the substantial-public-interest condition specified in Data Protection Act 2018, Schedule 1, Part 2, paragraph 18 (safeguarding of children and of individuals at risk). The processing is necessary to protect minor boxers from foreseeable physical harm (weight mismatches, insufficient rest after a stoppage, expired medical certificates) that England Boxing rules and ordinary safeguarding practice require us to surface to the coach.
• For adult boxers, where data is shared cross-club (explicit consent): We rely on UK GDPR Article 9(2)(a) (explicit consent), given by the data-sharing toggle on each boxer record. When the toggle is off, no health data is shared outside the boxer's own club.
• For adult boxers, intra-club processing (legitimate sporting activities): Where data is processed only inside the boxer's own club and not shared cross-club, we rely on UK GDPR Article 9(2)(d) (legitimate activities of a not-for-profit body with a sporting aim, processing data only of members or persons with regular contact).

We maintain an Appropriate Policy Document covering this processing, as required by DPA 2018 Schedule 1 paragraph 39, available on request from support@pugilist.io. Health-related data is used solely to enforce England Boxing safety requirements and is never shared beyond the boxer's own club, never used for marketing, and never disclosed to third parties.

Our matchmaking engine uses automated scoring to rank potential opponents. This constitutes profiling under UK GDPR Article 4(4) and is partly automated processing within the scope of Article 22.

• Purpose: to suggest suitable opponents and surface safety concerns (e.g. weight mismatch, insufficient rest, high stoppage rate)
• Data used (logic of the processing): weight, height, reach, gender, date of birth, age band, total bouts and recent form, TrueSkill skill rating (mu and sigma), stoppage history, last-fight date, suspension and medical/membership status, ring-rust signals, coach goal, style tags, stance, and club region. Each candidate is scored against a multi-factor penalty/bonus function (physical fit, skill parity, form, opponent quality, ring rust, achievement gap, travel distance, rematch cooldown, reliability, style/goal alignment) and ranked. Hard constraints exclude any candidate who is in a different gender, in the same club, suspended, outside the weight tolerance, outside the age-band tolerance, or who has not had the minimum 28 days' rest since their last bout.
• Significance and consequences: the rank order influences which opponents a coach sees first. It does not automatically arrange any bout, does not block a coach from contacting any boxer they are entitled to see, and does not produce a legal or similarly significant effect within the meaning of Article 22(1) without human intervention.
• Human oversight (Article 22 safeguards): the engine produces recommendations only. The review by a coach is a meaningful one, not a rubber-stamp: each suggestion is presented with a per-factor score breakdown (physical fit, skill parity, form, travel, rest, etc.) so the coach can see why a candidate was ranked where it was. Hard eligibility warnings (weight gap, insufficient rest, expired medical, expired EB membership) are displayed prominently and require the coach to acknowledge each one before sending a match request. A coach can override the engine's ranking, decline any suggestion, or contact a candidate not in the top results. No bout is arranged automatically. Every match request requires an explicit coach action and explicit acceptance by the opponent club.
• Your rights: you may request meaningful information about the logic involved in any specific match score, contest the outcome, ask for human review of any automated suggestion, or request exclusion of a boxer from the matching pool, by emailing support@pugilist.io.

We use the following trusted processors:

We do not sell, rent, or licence your personal data to any third party. We do not use your personal data (including chat content, boxer records, or platform activity) to train artificial intelligence or machine learning models for any purpose other than the matchmaking, eligibility, and safety features we have described in this notice. We have data processing agreements (DPAs) in place with each processor listed above and review their sub-processors at least annually.

We may disclose your data without your consent only where strictly required by law (e.g. court order, statutory request from a regulator), or where necessary to protect the vital interests of a person, for example to disclose a credible safeguarding concern about a child to England Boxing or to the police.

Our primary database is hosted in the EU via Supabase. Some processors (Stripe, Resend, Render, Vercel, Google, Apple) may transfer data to the United States. Where this occurs, transfers are protected by:

• The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses (SCCs), incorporated into each processor's DPA
• The UK-US Data Bridge where the processor is certified under that scheme
• Supplementary technical measures including encryption in transit and at rest

The role each party plays under UK GDPR depends on the activity. This section explains that allocation honestly, because mis-labelled controller/processor relationships are a common compliance gap.

• Your club is the controller for the personal data of the boxer, in the sense that you decide which boxers to enter, which fields to populate, and how the boxer information is used inside your club's training and competition operation.
• Pugilist Group Ltd is also a controller: at minimum a joint controller with you under UK GDPR Article 26 for the platform-level processing where we determine the means and purposes: the matchmaking algorithm, eligibility logic, fraud and abuse detection, audit logging, security monitoring, and aggregate analytics. We do not act purely on your instructions for these activities.
• We act as your processor only in respect of the storage, hosting, and retrieval of records you have entered, and the operations you instruct via the dashboard (creating, editing, deleting boxer records).

Our joint-controller arrangement is established under UK GDPR Article 26. Under it, your club is the primary point of contact for the data subject (the boxer) for transparency, consent, and rectification. We are the primary point of contact for matters relating to the matching engine, security, and platform-level rights. A boxer may exercise their rights against either of us, and we will route the request appropriately. The essence of this arrangement is set out in this notice; the full joint-controller agreement is available on request from support@pugilist.io.

Your obligation to deliver privacy information to your boxers (UK GDPR Article 14). Because boxers themselves do not have PugiList accounts, the obligation under UK GDPR Article 14 to provide privacy information to data subjects whose data is obtained from a third party falls, by our joint-controller arrangement, on the club coach who registers them. To make this practical, we publish a short Boxer Privacy Notice written for boxers and their parents/guardians. By registering a boxer on PugiList you confirm that you have provided this notice (or an equivalent club-issued notice) to the boxer or their parent/guardian.

You confirm, when adding a boxer record, that:

• You have a lawful basis to enter the boxer's data (typically Article 6(1)(b) contract or 6(1)(f) legitimate interest in operating the club, plus Article 9(2)(h) for any health-related fields)
• You have informed the boxer (and their parent or guardian where the boxer is a minor) what data is held, how it is used, that it is processed on PugiList, and how to exercise their rights
• The data you enter is accurate to the best of your knowledge and you will keep it up to date
• You will delete the boxer's record when they leave your club or withdraw their agreement to be on the platform

Cross-club views on the platform show opponent boxer initials, club name, weight class, age band, gender, and headline bout record only. Full names are only visible to other clubs when the data-sharing toggle is enabled on the boxer record and a match request is accepted. Health data, suspension reasons, and coach notes are never shared cross-club.

England Boxing competition categories include boxers from the age of 10 (Schoolboy/Girl) through to senior level. PugiList processes the data of these minors when a coach enters them onto the platform.

Who PugiList is for. The PugiList account holder is always an adult coach, club administrator, or governing-body administrator. Our Terms of Service require account holders to be at least 18 years old. The service is not offered to children directly and is not designed to be accessed by them. Section 9 of the Data Protection Act 2018 sets the age of digital consent for information society services offered directly to a child at 13 years. PugiList is not an information society service offered to a child within the meaning of UK GDPR Article 8(1) or DPA 2018 s.9, we provide tools to clubs whose coaches manage data about their junior members, and we do not provide any user interface to the boxers themselves. Section 9 therefore does not apply, and we process minor data on the lawful bases set out under “Legal basis for processing” above (Article 9(2)(g) substantial public interest, with DPA 2018 Schedule 1 paragraph 18 safeguarding), supported by parental consent obtained off-platform via the boxer's coach.

Parental / guardian consent (coach attestation model). Where a boxer record relates to a minor, the club coach is responsible for obtaining the consent of a parent or legal guardian before entering that boxer onto the platform, and for keeping their own primary record of that consent at the club (e.g. signed club registration form, email confirmation).

When the coach toggles data sharing on for a boxer under 18 they are shown an explicit attestation: “This boxer is under 18. By ticking this box, I confirm I have obtained the consent of their parent or legal guardian to process and share their data on PugiList. PugiList relies on this attestation. keep written records at your club.” The toggle cannot be enabled without the coach actively confirming this attestation, and the platform records the timestamp and the user account who set it.

We do not collect the parent or guardian's name, contact details, signature, or any other identifying information about them. We rely on the coach's attestation as evidence of consent, and we cannot independently verify the identity of the consenting adult. That verification remains the club's legal responsibility under their existing safeguarding and data-protection obligations to England Boxing. If a coach knowingly makes a false attestation, that is a breach of our Terms of Service and potentially of their wider safeguarding duties.

Evidentiary burden. We treat the coach's in-app attestation as the primary evidence we hold for the lawful basis of cross-club processing of a minor's data (UK GDPR Article 6(1)(a) and, where applicable, 9(2)(a)). If consent is later challenged (by a parent, the boxer themselves, the ICO, or another supervisory authority) the burden of producing the underlying primary record (signed registration form, parental email, etc.) falls on the club coach. Pugilist Group Ltd reserves the right to immediately suspend cross-club sharing for any boxer whose consent record cannot be produced on request, and to terminate platform access for clubs that repeatedly fail to evidence consent.

Special protections for minor data. We apply the same restrictions to data about minors as we do to adult data, and additional safeguards: the cross-club data-sharing toggle defaults to off; minor health data (medical/suspension/stoppage history) is never shared cross-club; minor data is excluded from any analytics dataset; and we prioritise breaches involving minor data as the highest severity in our incident-response procedure.

Right to withdraw. A parent or guardian may, at any time, ask their club coach to remove their child's record from PugiList, or contact us directly at support@pugilist.io to require removal. We will action this without undue delay and confirm completion in writing.

Account holders (i.e. those creating PugiList accounts) must be at least 18 years old and have authority to act on behalf of their club.

We retain personal data only for as long as necessary for the purposes set out in this notice, after which it is deleted, anonymised, or aggregated.

• Account and club records: for the duration of the contract; deleted within 30 days of an account deletion request (a 30-day grace period applies during which you can recover the account)
• Boxer records (including health data): for as long as the boxer remains affiliated with your club; deleted at any time via the roster page; cascade-deleted with your account
• Match requests and bout records: for the lifetime of the account, then 30 days after deletion; you may request earlier deletion of historic records
• Chat messages and conversations: until you delete the conversation, or 30 days after account closure
• Message reports / safety reports: 12 months after the report is resolved, then anonymised
• Support tickets: 24 months after the ticket is closed, then anonymised
• Billing records (Stripe customer ID, invoices, payment outcomes): 6 years from the end of the relevant accounting period, as required by Schedule 11 of the Value Added Tax Act 1994 read with regulation 31 of the VAT Regulations 1995, and section 388 of the Companies Act 2006
• Audit log: 24 months from the date of the logged action, then your user ID is replaced with an irreversible pseudonym so that the action remains for accountability but you are no longer identifiable
• Server access and error logs: 30 days, then deleted
• Sentry diagnostic events: 90 days, then deleted
• Mobile push tokens: until you sign out of the mobile app or revoke the OS-level notification permission, whichever is sooner
• Backups: encrypted database backups are retained for 30 days; deletion requests are honoured against the live database immediately, and any backup containing your data is overwritten on the rolling backup cycle

Providing your personal data is a contractual requirement to use the service. If you choose not to provide mandatory fields (email, club name), we cannot create your account. Optional fields (coordinates, height, reach, England Boxing number) can be left blank without affecting core functionality.

Under UK GDPR you have the right to:

• Access: request a copy of the data we hold about you. You can download your data directly from Settings > Export My Data, or email us for a manual export.
• Rectification: ask us to correct inaccurate data. Club and boxer details can be updated directly in the dashboard.
• Erasure: delete your account and associated data via Settings > Delete Account. A 30-day grace period applies before permanent deletion.
• Portability: receive your data in a machine-readable JSON format via Settings > Export My Data
• Restriction: ask us to pause processing your data while a dispute is resolved
• Objection: object to processing based on legitimate interest, including automated matching recommendations
• Withdraw consent: you may withdraw data-sharing consent for any boxer at any time by unchecking the consent toggle on that boxer's profile. This will immediately hide their full name from cross-club views.
• Object to direct marketing: under UK GDPR Article 21(2) you have an absolute right to object to your personal data being used for direct marketing, including any related profiling. We do not currently profile users for direct marketing purposes. You can withdraw consent for any marketing emails at any time using the unsubscribe link or by emailing support@pugilist.io.

Withdrawing consent is as easy as giving it (UK GDPR Article 7(3)). Where we rely on your consent (most importantly the per-boxer data-sharing toggle) you can withdraw at any time inside the dashboard or app, with no need to email us first. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal, but we will stop further processing based on that consent within 24 hours of the toggle being switched off, and the boxer's full name will immediately be hidden from cross-club views.

To exercise any of these rights, email support@pugilist.io. We will respond within one calendar month of receiving a valid request, extendable by up to two further months for complex or numerous requests (we will notify you within the first month if an extension applies, and explain why). Responding to a request is free; we may charge a reasonable administrative fee or refuse to act only where the request is manifestly unfounded or excessive (for example, repetitive), in which case we will explain the reasons in writing and tell you how to complain to the ICO.

Identity verification. To prevent unauthorised disclosure, we may ask you to verify your identity before we action a rights request, typically by replying from the email address registered on your account, or by providing information that only the account holder would know. We do not require copies of identity documents unless we have a reasonable doubt. You do not need to provide a reason for your request, and exercising any right will not affect the service you receive.

On the web: PugiList uses a small number of functional storage items in your browser:

• Authentication session: a Supabase session token stored in localStorage to keep you logged in. Deleted when you sign out.
• Preference cookies: colour scheme preference (dark/light mode) stored in localStorage.
• Profile cache: a temporary copy of your user profile stored in sessionStorage for performance, automatically cleared after 10 minutes or when you close the tab.

In the mobile app:

• Authentication session: your Supabase access and refresh tokens are stored in your device's secure key store (iOS Keychain via expo-secure-store, Android EncryptedSharedPreferences). Tokens are encrypted at rest by the operating system and are not accessible to other apps. Deleted when you sign out.
• Profile cache: a temporary copy of your user profile stored in AsyncStorage with a 10-minute TTL, used to avoid a flash of empty UI while the app revalidates with the server.
• Push notification permission state: a single flag (true/false) recording whether you have been prompted for push permission, so we don't re-prompt on every launch.
• Push notification token: if you have enabled notifications, your Expo push token is sent to our backend and removed when you sign out.

We use Vercel Web Analytics to collect anonymous Core Web Vitals performance metrics (page load time, interaction speed, layout stability). This does not use cookies, does not collect personal identifiers, and cannot be used to identify individual users.

We do not use advertising cookies, behavioural analytics, or any cross-site tracking.

All storage items listed above are strictly necessary for the service to function (authentication, theme preference) or for its security and performance. Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary storage does not require prior consent.

We only send you marketing or product-update emails if you have given us explicit opt-in consent. There are two places this consent can be given:

• At registration: there is an optional “Send me occasional product updates and news from PugiList” checkbox under the Terms of Service. It is unchecked by default.
• In Settings → Communication Preferences: you can toggle marketing on or off at any time. Each change records the timestamp at which it was made, kept as an audit trail.

Transactional emails (match requests, billing receipts, security alerts) are sent as part of the service and are not considered marketing, so they cannot be opted out of while your account is active.

You can withdraw marketing consent at any time by toggling the preference off in Settings, by clicking the unsubscribe link in any marketing email, or by emailing support@pugilist.io. Withdrawing marketing consent does not affect transactional emails or your ability to use the service. Per UK GDPR Article 7(3), withdrawing consent is as easy as giving it, and any processing carried out before withdrawal remains lawful.

Data protection by design and default (UK GDPR Article 25). The platform is built around privacy-protective defaults and design choices: cross-club views default to redacted (initials, weight class, age band only); the per-boxer data-sharing toggle defaults to off so that explicit coach action is needed before any name or record leaves the boxer's own club; minor health data (medicals, suspensions, stoppage history) is never shared cross-club regardless of toggle state; and new platform features go through a privacy review before release.

We protect your data with technical and organisational measures appropriate to the risk, including:

• TLS encryption in transit for all API and web traffic
• Encryption at rest at the database and storage layer (Supabase / PostgreSQL)
• On the mobile app, your authentication tokens are stored in the device's secure key store (iOS Keychain / Android EncryptedSharedPreferences) rather than in plaintext local storage
• ES256 asymmetric JWT authentication with JWKS validation; HS256 fallback disabled in production
• Role-based access control enforced at every API endpoint, with club-scoped authorisation and tenancy isolation. Boxer rosters, sparring sessions, tournament entries, and chat messages are visible only to members of the relevant club, with explicit membership checks on every detail endpoint
• Cross-club redaction at the response-schema level so health data, suspension reasons, and coach notes cannot leak through the API
• Rate limiting on every write endpoint and on expensive read endpoints (matching engine, exports, bulk operations) to prevent abuse and protect platform availability
• Audit logging of create, update, and delete actions on key records
• PII filtering on Sentry diagnostics (`send_default_pii=False`)
• Encrypted, region-restricted backups with a documented restore procedure
• Need-to-know access controls for engineering staff, multi-factor authentication on administrative accounts
• Regular dependency and vulnerability scanning

In the event of a personal data breach that is likely to result in a risk to data subjects' rights and freedoms, we will notify the Information Commissioner's Office within 72 hours as required by UK GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected users without undue delay, as required by Article 34. Breaches involving children's data or special-category health data are escalated as the highest severity in our incident-response procedure regardless of perceived volume.

We will update the “Last updated” date when material changes are made. For significant changes, we will notify active subscribers by email.

For any questions about this privacy policy or how we handle your data, contact:

PugiList is a small organisation and is not required to appoint a Data Protection Officer under UK GDPR Article 37. All data protection queries are handled directly by the founding team.

If you are unhappy with how we handle your data you can complain to the UK's supervisory authority: