ArenaIQ
Log in

ArenaIQ

GDPR & data protection

How ArenaIQ processes personal data for clubs, sponsors and users of the service.

Last updated: July 2026

This page is maintained by ArenaIQ and describes current technical and organizational measures. It is not an independent certification.

1. Roles

The club (the organization using ArenaIQ) is the data controller for personal data entered into the service – e.g. sponsor contact persons, contracts and activations. ArenaIQ is the data processor and only processes the data according to the club's instructions and this document. For visitors of arenaiq.se (e.g. anyone submitting the demo form), ArenaIQ acts as the data controller.

2. Data processed

• Account data for the club's users: name, email, role in the organization. • Sponsor data the club uploads: company name, contacts, deal values, activations, attachments. • Invoices and subscription data from Stripe. • Technical data: IP address, browser, session token and strictly necessary cookies. • Content sent to AI features to generate suggestions (e.g. renewal emails, contract drafts).

3. Where data is stored

All customer data is stored in our backend database within the EU. Files (contracts, activation proofs, org logos and invoices) are stored in private storage buckets and are only accessible to signed-in users of the correct organization. Data is encrypted in transit (HTTPS) and at rest at our provider.

4. Access control

Data is strictly scoped per organization via Row Level Security directly in the database. A user from one club cannot technically read data from another club, even if the frontend had a bug. Roles inside an organization control who sees invoices, subscription data and can invite new users. A superadmin role is used only by ArenaIQ for support and maintenance.

5. Subprocessors

We use the following subprocessors to deliver the service: • Supabase (EU) – database, authentication and file storage. • Stripe (EU/USA) – payments, subscription management and invoices. Standard Contractual Clauses apply. • Resend (EU/USA) – outbound email (invitations, notifications, receipts). Standard Contractual Clauses apply. • Cloudflare (global) – CDN, DNS and security protection for arenaiq.se. • Lovable AI Gateway – AI model calls for assistant features. • Firecrawl – web enrichment when the club searches for new sponsor prospects. The current list of subprocessors is communicated to the customer at material changes.

6. AI processing and data minimization

When the club uses AI features (e.g. Ask AI, contract generation, renewal emails), the relevant text is sent to Lovable AI Gateway. The content is used solely to generate the answer for the club and is not used to train external AI models. Sponsor contact details (name, email, phone, address) are NEVER sent to the AI models. Company name, industry and category are sent so the AI can produce meaningful answers, but the individual contact's details are only re-attached when the answer is shown to the user. Free text (notes, feedback, document excerpts) is automatically scrubbed so that email addresses, phone numbers and Swedish personal identity numbers are replaced with placeholders before being sent to the model. Exception: for OCR/extraction of uploaded contracts and documents, the full document content is sent to the AI model – that is the very purpose of the feature (to read the text). The club should not upload documents containing data that must not be processed by AI. If the club does not want a certain data point sent to AI, it should not be entered into the AI flow.

7. Cookies

We only use strictly necessary cookies (Cloudflare and a session cookie for sign-in) without requiring consent. No analytics or marketing cookies are currently set. Cookie settings can be changed at any time via the link in the footer.

8. Data subject rights

Data subjects have the right to request access to, correction of or deletion of their personal data, and to object to or request restriction of processing. Because the club is the data controller for sponsor data, data subjects should primarily contact the club that entered the data. ArenaIQ helps the club fulfill the request within a reasonable time. Complaints can be filed with the Swedish Authority for Privacy Protection (IMY).

9. Retention and deletion

Data is stored as long as the club's subscription is active. When an organization closes its account, customer data is deleted on request, at the latest within 30 days. Invoices and underlying transaction data may need to be kept longer to comply with Swedish bookkeeping law (up to 7 years).

10. Incident response

In the event of a personal data breach affecting a club's data, ArenaIQ notifies the customer without undue delay, so the customer can report the incident to IMY within 72 hours where required. We share available information about cause, scope and mitigating actions.

11. Data Processing Agreement (DPA)

The ArenaIQ standard DPA under art. 28 GDPR is automatically included as part of the Terms of Use – no separate signature is required for the agreement to be legally binding. The full text, including security measures and the list of subprocessors, is available at /en/dpa. If your procurement or internal policy requires a separately signed copy, please contact us and we will send a signing-ready version.

12. Contact

Questions about data protection, DPA or exercising your rights? Book a demo or use the contact form on the home page and we will get back to you.