Privacy Policy

Last updated: 25 April 2026

Who we are

PugiList is a professional boxing matchmaking platform for amateur boxing coaches, built to help England Boxing affiliated clubs find eligible opponents.

This policy applies to the PugiList website at pugilist.io and the PugiList mobile applications for iOS and Android.

The data controller is Pugilist Group Ltd, a company registered in England and Wales under company number 17122596, with registered office at 8 Blenheim Crescent, Leamington Spa, England, CV31 1FW. You can reach us at hello@pugilist.io.

What data we collect

When you use PugiList we collect:

  • Account data — your name and email address, managed via Supabase Auth
  • Club data — club name, address, postcode, contact email, website, region
  • Boxer records — first name, last name, gender, date of birth, weight class, height, reach, England Boxing registration number (optional), bout history and results, coach notes
  • Health-related data — medical certificate expiry dates, suspension periods, availability status, and bout stoppage history used to assess boxer safety and eligibility
  • Match and show data — match requests, sparring sessions, boxing show records, training attendance, and venue locations you create on the platform
  • Billing data — subscription plan and status, processed by Stripe; we do not store card numbers
  • Location data — club postcode and optional coordinates, used to estimate travel distance for matchmaking; you can use the platform without providing coordinates
  • Usage data — access logs (request path, user ID, response time) and error logs retained for 30 days for security and reliability
  • Device tokens — if you use the mobile app and enable push notifications, we store your Expo push token; it is deleted when you sign out
  • Mobile diagnostics — if the mobile app encounters an error, anonymous crash and performance data may be transmitted to our error monitoring service to help us diagnose the issue. No personal content from the app is included in crash reports.
  • Camera and photo library — only accessed with your explicit permission if you choose to upload a club logo or boxer photo. Images are stored in our database; we do not retain the original file metadata beyond what you upload.

The mobile app does not use your device's GPS or precise location. Distance-to-opponent is calculated from your club postcode only.

How we use your data

  • To provide the matchmaking service — finding eligible opponents based on England Boxing weight and age criteria
  • To facilitate match requests, sparring sessions, and boxing shows between clubs
  • To send transactional emails (match requests, billing alerts, club verification)
  • To process subscription payments via Stripe
  • To detect and prevent fraud or abuse

Legal basis for processing

Under UK GDPR our legal bases are:

  • Contract performance — processing your account, boxer, and billing data to provide the service you have subscribed to
  • Legitimate interest — sending notifications about match requests and platform activity; operating platform security and fraud detection
  • Legal obligation — retaining billing records for 7 years as required by UK tax and financial regulations (Finance Act 1998, Companies Act 2006)
  • Explicit consent — sharing a boxer's full name with other clubs for matchmaking, controlled by the data-sharing consent toggle on each boxer record

Health-related data: We process medical certificate expiry dates, suspension periods, and bout stoppage history under UK GDPR Article 9(2)(h) — processing necessary for the assessment of the working/competitive capacity of an athlete. This data is used solely to enforce England Boxing safety requirements and is never shared beyond the boxer's own club.

Automated decision-making and profiling

Our matchmaking engine uses automated scoring to rank potential opponents based on weight compatibility, experience level, recent form, safety indicators, and geographic proximity. This constitutes profiling under UK GDPR Article 22.

  • Purpose — to suggest suitable opponents and surface safety concerns (e.g. weight mismatch, insufficient rest, high stoppage rate)
  • Data used — weight, height, reach, age band, bout record, recent form, TrueSkill rating, medical/suspension status, coach goal, and club location
  • Human oversight — the engine produces recommendations only; a coach must review and explicitly accept or decline every match. No bout is arranged automatically.
  • Your rights — you may request an explanation of how a specific match score was calculated, or ask us to exclude a boxer from automated matching, by emailing hello@pugilist.io

Data sharing and third parties

We use the following trusted processors:

Supabase

Database and authentication. Stores all club, boxer, and user data. EU-hosted.

Stripe

Subscription billing and payment processing.

Resend

Transactional email delivery (match notifications, billing alerts).

Render

API hosting. Processes request data to serve the application.

Vercel

Frontend hosting and anonymous Web Analytics (Core Web Vitals only — no cookies, no personal identifiers).

Mapbox

Map tiles for the club directory. Receives your browser IP when loading map tiles; no user accounts or tracking.

We do not sell your data to any third party. We have data processing agreements (DPAs) in place with each processor listed above.

International data transfers

Our primary database is hosted in the EU via Supabase. Some processors (Stripe, Resend, Render, Vercel, Mapbox) may transfer data to the United States. Where this occurs, transfers are protected by:

  • The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses (SCCs), incorporated into each processor's DPA
  • The UK–US Data Bridge where the processor is certified under that scheme
  • Supplementary technical measures including encryption in transit and at rest

Boxer data and consent

When you add boxer records to PugiList, you are acting as a data controller for that boxer's personal data. PugiList acts as a data processor on your behalf. You are responsible for:

  • Obtaining appropriate consent from the boxer (and their parent or legal guardian if under 18) before entering their personal data
  • Ensuring the data you enter is accurate and kept up to date
  • Informing the boxer what data you hold and how it is used
  • Deleting boxer records when they are no longer affiliated with your club or when the boxer withdraws consent

Cross-club views on the platform show opponent boxer initials and weight class only. Full names are only visible to other clubs when the data-sharing consent toggle is enabled on the boxer record and a match request is accepted.

Children's data: Boxers under 18 (Schoolboy/Girl, Junior, and Youth age bands) require parental or guardian consent before their data can be entered. Children under 13 — the UK age of digital consent under the Data Protection Act 2018 — require explicit verifiable parental consent recorded by the club. The platform prompts for this confirmation during boxer registration but cannot independently verify guardian identity — this responsibility rests with the club coach.

PugiList itself is a tool for adult coaches and club administrators. It is not directed at children, and users of the platform (i.e. those creating accounts) must be at least 18 years old.

Data retention

  • Account and club data is retained while your account is active, and for 30 days after you request deletion (grace period for recovery)
  • Boxer records can be deleted at any time via the roster management page
  • Billing records are retained for 7 years as required by UK financial regulations
  • Access and error logs are retained for 30 days
  • Audit logs (who created, updated, or deleted a record) are retained indefinitely with your user ID anonymised after account deletion
  • Push notification tokens are deleted when you sign out of the mobile app

Providing your personal data is a contractual requirement to use the service. If you choose not to provide mandatory fields (email, club name), we cannot create your account. Optional fields (coordinates, height, reach, England Boxing number) can be left blank without affecting core functionality.

Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the data we hold about you. You can download your data directly from Settings > Export My Data, or email us for a manual export.
  • Rectification — ask us to correct inaccurate data. Club and boxer details can be updated directly in the dashboard.
  • Erasure — delete your account and associated data via Settings > Delete Account. A 30-day grace period applies before permanent deletion.
  • Portability — receive your data in a machine-readable JSON format via Settings > Export My Data
  • Restriction — ask us to pause processing your data while a dispute is resolved
  • Objection — object to processing based on legitimate interest, including automated matching recommendations
  • Withdraw consent — you may withdraw data-sharing consent for any boxer at any time by unchecking the consent toggle on that boxer's profile. This will immediately hide their full name from cross-club views.

To exercise any of these rights, email hello@pugilist.io. We will respond within 30 days. You do not need to provide a reason, and exercising your rights will not affect the service you receive.

Cookies and local storage

PugiList uses a small number of functional storage items:

  • Authentication session — a Supabase session token stored in localStorage to keep you logged in. Deleted when you sign out.
  • Preference cookies — colour scheme preference (dark/light mode) stored in localStorage.
  • Profile cache — a temporary copy of your user profile stored in sessionStorage for performance, automatically cleared after 10 minutes or when you close the tab.

We use Vercel Web Analytics to collect anonymous Core Web Vitals performance metrics (page load time, interaction speed, layout stability). This does not use cookies, does not collect personal identifiers, and cannot be used to identify individual users.

We do not use advertising cookies, behavioural analytics, or any cross-site tracking.

All storage items listed above are strictly necessary for the service to function (authentication, theme preference) or for its security and performance. Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary storage does not require prior consent.

Marketing communications

We only send you marketing or product-update emails if you have given us explicit opt-in consent — for example, by ticking a marketing opt-in box on the waitlist or inside your account settings. Transactional emails (match requests, billing receipts, security alerts) are sent as part of the service and are not considered marketing.

You can withdraw marketing consent at any time by clicking the unsubscribe link in any marketing email, or by emailing hello@pugilist.io. Withdrawing marketing consent does not affect transactional emails or your ability to use the service.

Security and breach notification

We protect your data with encryption in transit (TLS), encryption at rest, access controls, audit logging, and regular backups. Access to production data is limited to authorised engineering personnel under strict need-to-know.

In the event of a personal data breach that is likely to result in a risk to users' rights and freedoms, we will notify the Information Commissioner's Office within 72 hours as required by UK GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected users without undue delay, as required by Article 34.

Changes to this policy

We will update the “Last updated” date when material changes are made. For significant changes, we will notify active subscribers by email.

Contact us

For any questions about this privacy policy or how we handle your data, contact:

Pugilist Group Ltd — Data Protection

8 Blenheim Crescent, Leamington Spa, England, CV31 1FW

Company number: 17122596

hello@pugilist.io

PugiList is a small organisation and is not required to appoint a Data Protection Officer under UK GDPR Article 37. All data protection queries are handled directly by the founding team.

Complaints

If you are unhappy with how we handle your data you can complain to the UK's supervisory authority:

Information Commissioner's Office (ICO)

ico.org.uk  ·  0303 123 1113