Privacy Policy

Last Updated: 27 February 2026

1. Who We Are

The Rugby Factory Pty Ltd ("TRF", "we", "our", or "us") operates a global rugby talent platform as an Australian company.

Data Controller:
The Rugby Factory Pty Ltd
Nixon Street
Sydney, NSW, Australia
[email protected]

2. Information We Collect

2.1 Information You Provide

• Name, email address, and date of birth
• Password (securely hashed)
• Phone number (mandatory for guardians; optional otherwise unless required for verification)
• Player profile details
• Performance statistics and verification videos
• Posts, comments, messages, and other user-generated content

Payments processed via Stripe. Full card numbers are not stored.

2.2 Automatically Collected

• IP address
• Device and browser information
• Usage activity and interaction data
• Approximate location based on IP
• GPS location only where explicit consent is provided

Location permissions may be revoked anytime in device settings.

2.3 Verification Data

• Date of birth reconfirmation
• $0 credit card authorisation
• Identity verification results via third-party providers

Only verification status confirmation is received.

2.4 Fraud Prevention & Integrity

Limited device fingerprinting and IP reputation data collected for fraud detection and prevention only.

3. Legal Basis (Where Applicable)

Processing relies on:

• Contract performance
• Legitimate interests (security, fraud prevention, platform integrity)
• Consent (marketing, GPS location)
• Legal obligation
• Parental consent for minors

Legitimate interests are balanced against user rights and freedoms.

4. How We Use Information

Data enables:

• Account operation and management
• Rankings, discovery, and comparisons
• Payment processing
• Content moderation and Terms enforcement
• Fraud detection and minor protection
• Platform performance improvement

5. How We Share Information

Personal information is not sold, rented, or traded.

Information may be shared with:

• Service providers (hosting, payment, identity verification, analytics)
• Sponsors (aggregated or anonymised data only)
• Event organisers where you participate
• Legal authorities where required
• In connection with mergers, acquisitions, or asset sales

All service providers are contractually obligated to protect data.

6. Marketing

Marketing communications are strictly opt-in. Unsubscribe options available anytime. Service-related communications (security alerts) may continue.

7. Security

Implementation includes:

• TLS encryption in transit
• Encryption at rest
• Role-based access controls
• Monitoring and logging
• Encrypted backups

No system is completely secure, though reasonable safeguards are maintained.

8. Children's Privacy

• Users 16+ may register independently
• Users 13–15 require Guardian-Managed Profiles
• Users under 13 not permitted

Protections include:

• No direct messaging to minors
• No gym-based strength statistics collection under 16
• No children's data for advertising
• No children's data sharing for marketing

All communications to Guardian-Managed Profiles route through the Guardian. Guardians may request access, correction, deletion, or consent withdrawal anytime.

9. Age Verification & Integrity

Additional verification may be requested to protect users and maintain platform integrity.

10. Reporting & Investigations

Investigations under legitimate interest protect user safety. Reporter identities remain confidential.

11. Your Rights

Depending on jurisdiction (GDPR, Australian Privacy Act, applicable US state laws), you may have rights to:

• Access
• Correction
• Deletion
• Restriction
• Portability
• Object to processing
• Withdraw consent

Contact [email protected] to exercise rights.

Complaints may be lodged with the Office of the Australian Information Commissioner (oaic.gov.au) or your local data protection authority.

12. Data Retention

Data retained only as necessary for operational, legal, and security purposes:

• Active accounts: duration of account + 90 days
• Payment records: 7 years
• Investigation records: 24 months
• Logs: 90 days

After retention periods, data is securely deleted or anonymised.

13. International Transfers

Infrastructure located in the EU, Australia, and the United States.

International transfers rely on:

• Standard Contractual Clauses
• Adequacy decisions
• Contractual safeguards

14. Cookies

Used for:

• Essential session management
• Security
• Analytics and performance

No third-party advertising cookies employed.

15. Data Breach Notification

Affected users and regulators notified where required by applicable law.

16. Automated Decision-Making

Automated systems assist in:

• Content moderation
• Bot detection
• Ranking calculations

Human review of significant automated decisions may be requested.

17. Updates

Policy updates may occur. Material changes communicated via email or in-app notification.

18. Contact

• [email protected]
• [email protected]
• [email protected]

Australian regulator: oaic.gov.au