Your club's data,
looked after properly.

Estadio runs on Vercel for application hosting and Supabase for database and authentication. Both are deployed in EU-West (Frankfurt). Production data does not leave the EU.

Vercel and Supabase both maintain SOC 2 Type II attestations on the underlying infrastructure we build on. Their reports are available on request.

• —In transit: All traffic between your browser and Estadio is encrypted with TLS 1.2+.
• —At rest: Database storage and backups are encrypted with AES-256.
• —Tenant isolation:Every shared table enforces row-level security policies scoped to your organisation. Another club's data is invisible to your queries — not because the application filters it out, but because the database itself refuses to return it.

• —Role-based access: 10 built-in roles (Administrator, Finance Admin, Manager, Physio, Board Member, Department Head, Commercial Manager, Operations Manager, Bar Staff, Hospitality Staff) that determine which sections of the platform a user sees by default.
• —Permission overrides: Per-user permission tweaks layer on top of the role default. A finance admin can be restricted from a single sensitive budget category; a manager can be granted read access to commercial data — all without inventing custom roles.
• —Audit logging: Sensitive admin actions (subscription changes, user role changes, billing events) are written to an immutable audit log.
• —Sessions: Authenticated sessions managed by Supabase Auth. Refresh tokens rotate; cookies are HTTP-only and SameSite-Lax.

• —Daily snapshotsof the production database, retained per Supabase's Pro-tier policy (7 days rolling).
• —Continuous WAL backups enabling point-in-time restore — request a restore to any moment within the retention window via security@estadio.io.
• —Off-region replication: backups are stored in a separate AWS region from the primary database to protect against region-wide outages.

• —UK GDPR aligned. We process personal data under the lawful basis of contract performance (Article 6(1)(b)) and as a data processor for our customers (Article 28).
• —ICO registered.Estadio Tech Ltd is registered with the UK Information Commissioner's Office. Registration no. 00013898302.
• —DPA available on request. Email security@estadio.io to receive a Data Processing Agreement.
• —Underlying infrastructure: Estadio is built on SOC 2 Type II-attested platforms (Vercel, Supabase). Their attestation reports are available on request.

The following providers process customer data on Estadio's behalf. We commit to notifying customers at least 30 days before adding a new sub-processor.

• —72-hour notification: in the event of a confirmed personal-data breach, affected customers are notified within 72 hours of confirmation, in line with GDPR Article 33.
• —Communication channel: notifications go to the registered organisation administrator email plus any nominated security contacts. Email security@estadio.io to add a second contact.
• —Post-incident report: a written summary of cause, scope, remediation, and preventative measures is provided to affected customers within 14 days of resolution.

If you believe you've found a security vulnerability in Estadio, please email security@estadio.io rather than disclosing it publicly. We commit to:

• —Acknowledging receipt within 48 hours.
• —Patching critical vulnerabilities within 7 days.
• —Crediting researchers (with consent) once the issue is resolved.