1.1 Tocka Ltd is the data controller for the personal data processed through the Tocka platform. We are registered in England and Wales (company number 17125457), with our registered office at 2, Frederick Street, Kings Cross, London, WC1X 0ND.
1.2 We are registered with the Information Commissioner's Office (ICO) as a data controller. Our registration number is ZC115486.
1.3 If you have any questions about how we handle your data, you can contact us at [email protected].
2.1 Account data: your display name, email address, year of birth, and any profile information you choose to provide (such as a profile photo).
2.2 Game data: your availability responses, game attendance, team assignments, match results, Player of the Match votes, and related activity within groups you belong to.
2.3 Rating data: your player ratings, calculated from game results and other factors. This includes Group Score, Group Rating (OpenSkill), and any future Universal Rating.
2.4 Payment data: transaction records, payment amounts, and credit balances within the platform. We do not store your full card details — these are processed and stored by Stripe.
2.5 Technical data: IP addresses and basic request information recorded in server logs, and any device or browser information transmitted automatically when you access the Service.
2.6 Push notification tokens: if you enable push notifications, we store the device tokens necessary to send notifications to your device.
2.7 We do not collect any special category data (such as health data, racial or ethnic origin, or religious beliefs).
Create and manage your account; authenticate your identity.
Lawful basis: Contract (Art. 6(1)(b)). Retained: until account deletion + 30 days.
Provide core Service features: availability tracking, team balancing, results.
Lawful basis: Contract (Art. 6(1)(b)). Retained: for duration of account + 30 days.
Calculate and display player ratings; balance teams fairly.
Lawful basis: Legitimate interest (Art. 6(1)(f)). Retained: for duration of account + 30 days.
Process payments, manage credits, handle refunds, comply with tax obligations.
Lawful basis: Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)). Retained: 6 years after last transaction.
Maintain security, monitor performance, improve the Service.
Lawful basis: Legitimate interest (Art. 6(1)(f)). Retained: 12 months rolling.
Send game reminders, availability requests, and other notifications.
Lawful basis: Consent (Art. 6(1)(a)). Retained: until notifications disabled or account deleted.
4.1 The Service uses AI-powered features for match predictions and post-game analysis. To generate these features, we send anonymised game data (team compositions, numerical ratings, and historical results) to a third-party AI provider (Anthropic, via their Claude API).
4.2 No personal data is sent to the AI provider. Player names and identifiers are replaced with anonymous labels (e.g. "Player 1", "Player 2") before data leaves our servers. The AI provider receives only numerical ratings and game statistics, which cannot be used to identify any individual.
4.3 Because the data sent to the AI provider is fully anonymised, it does not constitute personal data under UK GDPR and international data transfer rules do not apply to this processing.
5.1 Other users: your display name, availability, rating, and game activity are visible to other members of your group(s). Your email address and profile information are visible only to the organiser(s) of groups you belong to. If you use discovery features, limited profile information (display name, rating, and reliability score) may be visible to users outside your groups, in accordance with your settings.
5.2 Stripe: we share necessary data with Stripe to process payments. Stripe acts as an independent controller for payment data. See Stripe's privacy policy at stripe.com/privacy.
5.3 Hosting provider: our Service is hosted on servers provided by Hetzner Online GmbH, located in the European Economic Area.
5.4 AI provider: fully anonymised game data (containing no personal data) is processed by Anthropic for AI-powered features. Because the data is anonymised before transmission, this does not constitute a transfer of personal data.
5.5 We do not sell your personal data to any third party. We do not share your data with advertisers.
5.6 We may disclose your data if required by law, regulation, or legal process, or to protect the rights, safety, or property of Tocka, our users, or others.
6.1 The Service uses essential cookies and local storage to keep you logged in and to store your preferences. These are strictly necessary for the Service to function.
6.2 We do not use advertising cookies or third-party tracking cookies.
6.3 If we introduce analytics cookies in the future, we will update this policy and seek your consent where required.
7.1 Your personal data is stored on servers in the European Economic Area (EEA), hosted by Hetzner Online GmbH in Germany. Transfers between the UK and the EEA are covered by mutual adequacy decisions, meaning your data receives an equivalent level of protection to that provided under UK law.
7.2 We do not transfer your personal data outside the UK and EEA. The AI features described in section 4 use fully anonymised data which does not constitute personal data under UK GDPR.
7.3 Third-party services we use (such as Stripe and Cloudflare) may process data internationally under their own data protection frameworks. These providers maintain their own transfer safeguards, including Standard Contractual Clauses and adequacy decisions. See their respective privacy policies for details.
8.1 We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS/TLS), access controls, and regular backups.
8.2 Payment card data is handled entirely by Stripe and is never stored on our servers.
8.3 While we take reasonable steps to protect your data, no system is completely secure. We cannot guarantee the absolute security of your data.
Under UK GDPR, you have the following rights in relation to your personal data:
9.1 Right of access: you can request a copy of the personal data we hold about you.
9.2 Right to rectification: you can ask us to correct inaccurate or incomplete data.
9.3 Right to erasure: you can ask us to delete your data, subject to our legal obligations.
9.4 Right to restrict processing: you can ask us to limit how we use your data in certain circumstances.
9.5 Right to data portability: you can request your data in a structured, commonly used, machine-readable format.
9.6 Right to object: you can object to processing based on legitimate interests.
9.7 Right to withdraw consent: where we rely on consent (e.g. push notifications), you can withdraw it at any time.
9.8 You can download a JSON copy of the personal data we hold about you at any time from Settings → Profile → Download my data. The file covers your account, group memberships, match history, ratings, payments, votes and predictions, and admin actions you have taken. To exercise any other right, or for help interpreting your download, contact us at [email protected]. We will respond within one month.
9.9 If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
10.1 We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law.
10.2 When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain certain data for legal or regulatory reasons (for example, payment records are retained for 6 years for tax compliance).
10.3 Anonymised data (which cannot be used to identify you) may be retained indefinitely for analytical and statistical purposes.
11.1 Users must be at least 13 years old to create an account. Users aged 13 to 15 must have the consent of a parent or guardian before using the Service. We collect year of birth during registration to verify eligibility.
11.2 Payment features are restricted to users aged 16 and over, or where an adult's payment method is used with their consent.
11.3 If we become aware that we have collected personal data from a child under 13, we will take steps to delete that data promptly.
12.1 We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons.
12.2 We will notify you of material changes by email or through the Service. The "last updated" date at the top of this policy indicates when it was most recently revised.
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Tocka Ltd, Data Controller
2, Frederick Street, Kings Cross, London, WC1X 0ND
Email: [email protected]