This policy explains what personal data Shortlistr collects about you, why we collect it, how we use it, and what rights you have. It applies to www.theshortlistr.com and any related applications, dashboards, APIs, or services we provide. Use of the platform is also subject to our Terms of Use.
1. Who we are
Shortlistr is operated by The Win Factory (trading as Antigravity). We are the data controller for personal data collected through the platform. To contact us about your data, make a request, or raise a concern, email info@theshortlistr.com.
2. What data we collect
We collect the following categories of personal data, depending on the role you use Shortlistr in (player, agent, club staff, agency staff, or program staff):
Identity and contact data
Name, date of birth, nationality, photo, role within the game, the club or agency you represent, email address, phone number, and other contact details you provide on your profile.
Professional data
Career history, contract status, availability, position, agent representation, and similar soccer-recruitment information that you or your team enter on the platform.
Performance data
Match and season statistics, analytics outputs, ratings, and derived metrics. Player performance data is supplied to us by our data provider under licence and combined with our own analytical models.
Account and authentication data
Login credentials, password hash, session tokens, account status, and activity timestamps. Authentication is handled by Supabase on our behalf.
Payment and billing data
Subscription tier, billing status, invoices, and the last few digits of the card used. Card details and full payment data are handled directly by Stripe — we never see or store full card numbers.
Messages and uploaded content
The messages you send through the in-app messaging system, trade-board posts, friendly-match posts, profile photos, video links, and any other content you upload.
Technical and usage data
IP address, browser type, device type, operating system, page views, feature usage, search terms entered on the platform, and similar diagnostic data. We use this to keep the platform working, detect abuse, and understand which features are used.
Feedback data
Anything you submit through the in-app feedback widget, including optional auto-screenshots when you choose to attach one.
3. How your data is collected
We collect personal data when you:
- create an account or accept an invite
- build your player, agent, agency, or club profile
- send messages or post on the trade board / friendly finder
- subscribe to a paid plan and pay through Stripe
- contact us via the contact form, email, or feedback widget
- simply use the platform — we collect technical and usage data automatically
We also receive performance data on players from our data provider. Where relevant — for example, NCAA programs — we may also draw on publicly available roster and conference data.
4. How we use your data
We use personal data to:
- operate the platform — show your profile to clubs, agents, and programs, deliver messages, run searches, generate analytics
- run paid subscriptions — process payments through Stripe, send invoices, manage renewals, handle cancellations
- keep the platform safe — detect and prevent spam, abuse, harassment, impersonation, scraping, and fraud
- send you transactional emails — account verification, password resets, message notifications, receipts, important policy updates
- send you product updates and marketing — only where you have opted in, and you can opt out at any time
- improve the platform — measure feature usage, fix bugs, design new functionality
- comply with legal, regulatory, and safeguarding obligations
5. The lawful bases we rely on
Where the UK GDPR or EU GDPR applies, we rely on the following lawful bases:
- Contract. To deliver the service you have signed up for — running your account, hosting your profile, delivering messages, processing payments.
- Legitimate interests. To run and improve the platform, keep it secure, prevent abuse, and market our service to existing professional users.
- Consent. For optional marketing emails, non-essential cookies, and any data use that goes beyond what is needed to run your account.
- Legal obligation. Where we are required to keep records or share information by law.
6. Public profiles
Player and club profiles on Shortlistr are designed to be discoverable — that is the point of the platform. By default, your profile is visible to other professional users (clubs, programs, agents, agencies) on the platform. Some elements — such as a public player profile link — can also be shared outside the platform.
If you want your profile removed or hidden from search, contact info@theshortlistr.com. Note that data we hold about you may also exist because our data provider supplies match and season statistics for professional and college soccer; we will work with you on a sensible resolution where that overlaps with a deletion request.
7. Messages
In-app messages are stored on our infrastructure. They are encrypted at rest and in transit. Our team does not routinely read user messages. However, we may review specific messages where:
- a user reports the message or thread for abuse
- automated checks flag the message for spam, harassment, or other rule-breaking
- we are required to do so by law, regulator, or governing body
Reviewed messages may be retained for audit and dispute-resolution purposes even after an account has been suspended or deleted.
8. Cookies and analytics
We use a small number of essential cookies — primarily to keep you signed in across pages and to remember your preferences. We may also use privacy-respecting analytics to understand how the platform is used. Where any non-essential cookie is used, we will ask for your consent.
9. Marketing
We may send you product updates, feature announcements, or recruitment-relevant information by email. You can opt out at any time by using the unsubscribe link in any marketing email or by contacting info@theshortlistr.com. Transactional emails — such as account verification, message notifications, billing receipts, and policy updates — are part of running your account and continue while your account is active.
10. Who we share your data with
We share personal data with a small, vetted set of providers who help us run the platform. Each is bound by its own privacy and security obligations:
- Supabase — authentication, database, and file storage.
- Vercel — application hosting and content delivery.
- Stripe — payment processing for paid subscriptions.
- SendGrid — transactional and notification email delivery.
- Our data provider — supplies player and team performance data; their data is received by us, not the other way round.
We also share data with other platform users where you have chosen to make it visible — for example, with the club staff member who receives your message, or with the agent you have invited to view your profile.
We may share data with law enforcement, regulators, or governing bodies where required by law or where it is necessary to investigate serious abuse on the platform. We do not sell personal data.
11. International transfers
Several of the providers above are based in, or operate infrastructure in, the United States. As a result, personal data we collect may be transferred to and processed in countries outside the UK and the EEA. Where this happens, we rely on standard contractual clauses, adequacy decisions, or other appropriate safeguards permitted by applicable law.
12. How long we keep your data
We keep your personal data for as long as your account is active and for a reasonable period afterwards, so that we can:
- handle billing, refund, and chargeback questions
- investigate complaints, safeguarding concerns, or rule breaches
- comply with our legal and tax obligations
- keep an audit trail where accounts have been suspended or terminated for misuse
When we no longer need your data, we will delete it or anonymise it. Performance data supplied by our data provider may continue to be processed under our licence arrangement with them, even where an individual account has been closed.
13. How we keep your data secure
We use a combination of technical and organisational measures to protect personal data — including encryption in transit, encryption at rest, role-based access controls, audit logging, and rate limiting on sensitive routes. Despite these measures, no system is perfectly secure. If you become aware of a security issue, please contact us immediately.
14. Change of purpose
We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If we need to use your personal data for a materially different purpose, we will notify you and explain the lawful basis we rely on.
15. Your legal rights
Depending on the data-protection law that applies to you, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data (note that some fields, such as legal name and date of birth, are system-managed and cannot be edited directly by players — contact us if a correction is needed).
- Erase your data, subject to legal and audit retention.
- Restrict or object to certain processing — including direct marketing.
- Port your data to another service.
- Withdraw consent at any time where we rely on your consent.
- Complain to a supervisory authority. In the UK, that is the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, contact info@theshortlistr.com. We will respond within the timescales required by applicable law — usually within one month. We may need to verify your identity before acting on a request.
16. Children
Shortlistr is built for adult professional and college soccer. Player profiles are typically created by adults aged 16 and over (and, for many clubs and programs, 18 and over). If you believe a profile or account has been created for a minor in a way that violates this policy or any applicable law, contact us at info@theshortlistr.com and we will investigate.
17. Changes to this policy
We may update this policy from time to time. We will revise the "Last updated" date at the top of this page when we do. If a change materially affects your rights, we will give you reasonable notice — typically by email or an in-app message.
18. Glossary
- Personal data — any information relating to an identified or identifiable individual.
- Processing — any operation performed on personal data: collection, storage, use, disclosure, deletion.
- Data controller — the party that decides why and how personal data is processed. Shortlistr is the data controller for the personal data described above.
- Data processor — a party that processes personal data on the controller's behalf, under contract.
- Our data provider — the third-party supplier of player and team performance data that powers our analytics.