Privacy Policy – 3Steps

Last updated: 20 May 2026
Version: 1.0

This policy explains how Readplay AS processes personal data when you use 3Steps. We comply with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.

1. Who is the data controller?

Readplay AS
Org. no.: 933 239 292
Address: Hamar, Norway
Contact: support@readplay.app

For any privacy matter, use the email above.

2. Two roles – read this section first

3Steps is used both by individual users and by clubs/teams. Our role depends on the context:

A) Data controller (for account holders). For coaches, club admins and other individuals who create their own account with us, Readplay AS is the data controller for account data (name, email, login credentials, billing, usage data).

B) Data processor (for player data entered by a club). When a club or team uses 3Steps to register players and match data, the club/team is the data controller for that data. Readplay AS acts as data processor and processes the data only on the club's instructions under a Data Processing Agreement (DPA) – which is part of our terms of service.

Player data restrictions:

  • 3Steps only registers players who are 17 years or older.
  • Only publicly available information is recorded (name, photo, position, team affiliation, match performance – the kind of information typically published on club or federation websites).
  • National ID numbers, contact details, health data and other sensitive information about players are not stored in 3Steps.
  • Photos and other personal information about minors (under 17) must not be uploaded or recorded. The club is responsible for ensuring this.

We follow the guidelines of the Norwegian Confederation of Sports (NIF) and Datatilsynet (Norwegian DPA) regarding processing of personal data and images in sport. The club is responsible for informing registered players that data is being processed. Readplay AS does not verify that obligation on behalf of the club.

3. What data we process

Account data (role A): name, email, password (hashed), phone (optional), role, club affiliation, language preference.

Billing data (role A): organisation, invoice address, subscription, payment status. Card data itself is handled by Stripe – we never store card numbers.

Usage data (role A): login timestamps, IP address, browser/device, event logs, error reports.

Player data (role B – the customer is the controller): name, photo, position, team affiliation, match performance and statistics entered by the club – only for players 17 or older, and only public information. No health data or other sensitive information. Photos of minors are not permitted.

Communications: support requests and emails you send us.

4. Purposes and legal basis

We process personal data for the following purposes and on the following legal bases:

  • Deliver and operate the service – contract (GDPR Art. 6(1)(b)).
  • Billing and accounting – contract and legal obligation (Art. 6(1)(b) and (c)).
  • Security, debugging and abuse prevention – legitimate interest (Art. 6(1)(f)).
  • Product improvement based on anonymised or aggregated usage data – legitimate interest (Art. 6(1)(f)).
  • Marketing to existing customers – legitimate interest, with the right to object.
  • Newsletter and other marketing – consent (Art. 6(1)(a)).

For player data (role B), the club's legal basis applies – typically consent or legitimate interest in a sporting context.

5. Where data is stored (data residency)

All data is stored within the EU/EEA, on Microsoft Azure regions in Norway and Sweden. We do not transfer personal data outside the EU/EEA as part of primary operations.

Some sub-processors (see section 6) may access data from the US. In those cases, transfers rely on the EU Standard Contractual Clauses (SCC) and the sub-processor's participation in the EU–US Data Privacy Framework where applicable.

6. Sub-processors

We use the following sub-processors to deliver the service. All are under a valid DPA with us.

  • Microsoft Azure – hosting, database and infrastructure. Location: Norway and Sweden (EU).
  • Microsoft Entra ID – authentication and identity. Location: EU.
  • Stripe – payment processing. Location: EU and US (transfers under SCC and the EU–US Data Privacy Framework).
  • Resend – transactional email. Location: EU.
  • Sentry – error tracking. Location: EU.
  • PostHog – product analytics. Location: EU.
  • Payload CMS – website content. Location: EU.

A current list is available on request. We notify customers of material changes to sub-processors.

7. How long we keep data

  • Account data: while the account is active + 30 days after deletion.
  • Billing data: 5 years (Norwegian Bookkeeping Act).
  • Usage data / logs: up to 90 days, then aggregated/anonymised.
  • Player data (role B): for the duration of the customer's subscription + 30 days, or until the club requests deletion.
  • Support communications: up to 2 years.

We delete or anonymise data once the purpose has been fulfilled.

8. Your rights

Under GDPR you have the right to:

  • access the data we hold about you
  • rectify inaccurate data
  • erase data ("right to be forgotten")
  • restrict processing
  • data portability (receive your data in a machine-readable format)
  • object to processing based on legitimate interest
  • withdraw consent at any time, where processing is based on consent

For player data (role B): contact your club first. We will forward requests to the appropriate controller.

Send requests to support@readplay.app. We respond within 30 days.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no).

9. Minors

3Steps does not process personal data about minors (under 17). The service is built to avoid this:

  • Player profiles may only be created for individuals 17 or older.
  • Photos and other personal information about minors must not be uploaded or recorded in the platform.
  • Clubs using 3Steps are responsible for upholding this restriction.

We follow the guidelines of the Norwegian Confederation of Sports (NIF) and Datatilsynet (Norwegian DPA) regarding processing of children's and young people's personal data in sport. If we become aware that data about a minor has been entered, the data will be deleted without undue delay.

10. Security

We apply industry-standard security: encryption in transit (TLS) and at rest (Azure services), least-privilege access control, MFA for staff, security logging and monitoring. In the event of a breach that may pose a risk to data subjects, we notify Datatilsynet within 72 hours and affected customers without undue delay.

11. Cookies

3Steps uses necessary cookies for authentication and security. Analytics cookies (PostHog) require consent. Details are available in the in-app cookie notice.

12. Changes

We may update this policy. Material changes are communicated by email or in-app at least 30 days before they take effect. The current version is always available in 3Steps.

13. Complaints

If you believe we are processing personal data in breach of regulation, you may lodge a complaint with:

Datatilsynet (Norwegian Data Protection Authority)
P.O. Box 458 Sentrum, 0105 Oslo, Norway
postkasse@datatilsynet.no
datatilsynet.no