Privacy Policy
This Privacy Policy explains how DOR Digital ("we", "us", "our") collects, uses, and protects your personal data when you use Director of Rugby ("the Service").
We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Director of Rugby is operated by DOR Digital. For data protection purposes, we are the data controller.
If you have any questions about this policy or how we handle your personal data, please contact us at: [email protected]
2. What Data We Collect
We collect the following personal data:
- Account information: your email address and display name, provided when you register or sign in.
- Authentication data: if you sign in with a third-party provider, such as Google or Apple, we receive your name and email address from those providers. If you use a passkey, we store the public key credential associated with your device.
- Purchase data: when you subscribe to Director of Rugby, we share an account identifier with our payment processor so we can link your payments to your game account.
- Usage data: information about how you use the Service, including your activity within the game (squads, tactics, match history) and anonymised behavioural events (such as game creation, week advances, and subscription changes). These events contain no personal identifiers beyond your account ID.
- Technical data: your IP address (masked before storage), browser type, device type, and session information, collected automatically when you use the Service.
We do not collect payment card details directly. Subscription payments are handled by Stripe; please refer to Stripe's Privacy Policy for details of how they process your payment data.
3. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Performance of a contract |
| Managing your account and authentication | Performance of a contract |
| Sending transactional emails (match results, notifications) | Performance of a contract |
| Processing subscription payments via Stripe | Performance of a contract |
| Preventing fraud and maintaining security | Legitimate interests |
| Preventing repeated free-trial sign-ups via account deletion and re-registration | Legitimate interests |
| Improving the Service | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Marketing the game, offers and servcies to you | Consent |
We will only send you marketing communications if you have explicitly consented to receive them.
4. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or accounting purposes.
Game save data (squads, match history, league records) is deleted with your account.
Anonymised behavioural analytics records (event logs and session records) are retained for a maximum of 12 months, after which they are automatically deleted.
Trial eligibility records
When we grant a free trial, we record a one-way cryptographic hash (SHA-256) of the email address used, together with the trial start and end dates. We retain this record for six months after the trial ends, and use it solely to prevent the same email address from obtaining repeated free trials by deleting and re-creating an account. The hash is irreversible: we cannot recover the original email address from it, and the record is not linked to any other personal data once the underlying account has been deleted. If you subsequently subscribe to a paid plan, the record is marked as converted and no longer restricts future sign-ups.
Legal basis. This processing relies on our legitimate interests under Article 6(1)(f) UK GDPR. Preventing circumvention of our free-trial terms is necessary to protect the commercial viability of the Service, and the use of irreversible hashing with a short (six-month) retention period minimises the impact on data subjects. You retain the right to object under Article 21 UK GDPR by contacting us at the address in section 10; we will balance any objection against our legitimate interest on a case-by-case basis.
This is the only category of personal data that may be retained beyond the 30-day post-deletion window described above.
5. Sharing Your Data
We do not sell your personal data. We only share your data with the following data processors.
Where necessary, we will transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.
For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.
Data processors
Fastmail
Fastmail maintain email systems for the domain @dor.game. If you send an email to an address at that domain, it will be processed by Fastmail.
Postmark
Postmark handles delivery of emails sent from within the Director of Rugby game, such as welcome and invitation emails.
- Organisation name: Postmark
- Category of recipient: Email Provider
- Country the personal information is sent to: United States of America
- How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)
Render
Render is our web site hosting service. They operate the systems that store all of the data in Director of Rugby.
- Organisation name: Render
- Category of recipient: Web Hosting Provider
- Country the personal information is sent to: United States of America
- How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)
Sentry
Sentry monitors the performance of the Director of Rugby game and associated services. Director of Rugby sends logging and performance information to Sentry.
- Organisation name: Sentry
- Category of recipient: Performance Monitoring
- Country the personal information is sent to: Germany
- How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)
Stripe
Stripe processes payments for Director of Rugby. When you subscribe to the game, we transfer data to Stripe to set up your subscription. All of your banking information remains with Stripe and is not procesed in any system operated by DOR Digital. Stripe returns information to Director of Rugby about the status of your subscription but we do not handle your bank information directly.
- Organisation name: Stripe
- Category of recipient: Payment Processor
- Country the personal information is sent to: United States of America
- How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)
6. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct inaccurate or incomplete data.
- Right to erasure: you can ask us to delete your personal data in certain circumstances.
- Right to restriction: you can ask us to restrict how we process your data.
- Right to data portability: you can request your data in a structured, machine-readable format.
- Right to object: you can object to processing based on legitimate interests.
- Rights related to automated decision-making: we do not make automated decisions with significant legal or similar effects about you.
To exercise any of these rights, please contact us at [email protected] We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies and Tracking
We use the following first-party cookies:
- Session cookie — keeps you signed in. This cookie is essential for the Service to function and does not require your consent.
- Analytics visitor cookie (
ahoy_visitor) — a persistent, randomly-generated identifier used to measure how features are used across sessions. It contains no personal information and is used solely for our own product improvement. It is not shared with any third party.
We do not use third-party advertising or tracking cookies.
10. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or by a prominent notice within the Service. The "Last updated" date at the top of this page will always reflect the most recent version.
12. Contact Us
For any questions about this Privacy Policy or to exercise your data rights, please contact:
DOR Digital Email: [email protected]