Privacy and security built for sports clubs
SAITO protects data on players, families, coaches and teams with access control, traceability and privacy-by-design AI.

Why it matters
A club manages much more than matches
A sports club manages minors, recurring payments, family communications, injuries, medical appointments, sport restrictions and sensitive contact data. All of that lives in the same platform and demands explicit decisions about who can see what.
SAITO is designed assuming this context: protection by default, clear separation between roles and traceability for the actions that matter.
Security principles
Controls ready from day one
Per-club data isolation
Each club operates in its own logical space. Queries are scoped per organisation so data never crosses entities.
Role-based permissions
Admin, manager, technical, medical and family. Each role only sees what they need to do their job.
Encryption in transit and at rest
TLS for all traffic and at-rest encryption for the database and file storage.
Sensitive-access logging
Actions on medical data, minors and payments are logged for the club's internal audit trail.
Specific controls for minors
Minor flagging, guardian management and age-based restrictions for communications and consents.
Health module with restricted access
Medical history, injuries and appointments are only visible to the medical role and to those the club expressly authorises.
Privacy-by-design AI
AI with permissions, limits and oversight
We do not train general models with your data
Club data is not used to train models shared with other customers or third parties.
AI only sees what you can see
Responses are generated only with context the user already has permission to access. No shortcuts past role permissions.
Human review for sensitive output
Output affecting health, minors or financial decisions is surfaced as a proposal for human review.
AI does not diagnose or replace professionals
It does not issue medical diagnoses, does not authorise return-to-play and does not replace clinical or technical judgement.
Configurable per module
AI can be limited, restricted to specific roles or disabled module by module from the club's settings.
Compliance & regulation
Designed to align with the EU and Spanish framework
GDPR and LOPDGDD
Designed to align with Regulation (EU) 2016/679 and Spanish data-protection law.
Health data as a special category
Medical data is treated as a special category under GDPR Art. 9, with restricted access and specific legal bases.
Minors and guardians
Minor identification, legal-guardian management and consent capture when required by the applicable legal basis.
Data Protection Impact Assessment (DPIA)
Templates and support for DPIAs on sensitive modules (health, minors, mass communication).
Data Processing Agreements
We sign a Data Processing Agreement with every customer for the data we process on their behalf.
Sub-processor management
Public list of sub-processors (hosting, email, AI) and a notification procedure when they change.
Breaches and GDPR rights
Documented breach-response procedure and handling of access, rectification, erasure, portability and objection rights.
ENS as an institutional target
Controls prepared to align with Spain's National Security Framework (ENS) as a target for public or institutional deployments.
We do not claim certifications we have not obtained. References to ISO 27001 or ENS refer to controls prepared to align with those frameworks and to a certification roadmap.
Trust roadmap
How our security posture grows
1. GDPR baseline
   - Encryption, role-based access control and sensitive-access logging.
   - Data Processing Agreement and published sub-processors.
2. Sensitive modules
   - DPIA templates for health, minors and communications.
   - Granular restriction of the medical module and enhanced traceability.
3. Enterprise
   - SSO, per-club retention policy and auditable exports.
   - Certification roadmap aligned with ISO 27001.
4. Advanced deployments
   - Controls prepared to align with ENS for institutional customers.
   - Data residency options and dedicated deployments.
FAQ
Top security questions
Does SAITO use club data to train models?
No. Club data is not used to train general models and is not shared with other customers.
Can a coach see full medical records?
Not by default. The health module is restricted to the medical role and to those the club explicitly authorises. Other roles only see availability or sport restrictions, not clinical history.
Does SAITO diagnose injuries?
No. SAITO does not diagnose, does not authorise return-to-play and does not replace medical judgement. AI can help record and summarise information, always under human review.
What about minors?
Minors are explicitly flagged and linked to legal guardians. Communications and consents follow specific rules based on age and the applicable legal basis.
Are you ISO 27001 or ENS certified?
We do not claim certifications we have not obtained. Our controls are designed to align with ISO 27001 and ENS, and we publish a certification roadmap for customers who need it.
Transparency
Real implementation status
We publish openly which controls are active today and which enter during the pilot phase. Validation happens with the club, not behind its back.
| Control | Notes | Status |
|---|---|---|
| Per-organisation data isolation (RLS) | Database-level policies scoped by organization_id. | Active |
| Encryption in transit (TLS) | | Active |
| Encryption at rest (database and storage) | Provided by Supabase-managed infrastructure. | Active |
| Application-level role permissions | Roles defined and enforced in the backend; per-role UI under validation during the pilot. | In pilot |
| Authenticated sessions with optional MFA | Production authentication enters at the start of the first club pilot. | In pilot |
| Sensitive-data access logging | Active for the medical and payments modules during the pilot. | In pilot |
| Medical module restriction | | In pilot |
| Minor flagging and guardian linkage | | In pilot |
| Role-scoped AI | AI only receives the context authorised for the role on each query. | Active |
| Data Processing Agreement (DPA) | Template available; signature is included in the pilot onboarding. | In pilot |
| Public sub-processor list | | Planned |
| Documented breach-response procedure | | In pilot |
| GDPR rights handling (access, erasure, portability) | | In pilot |
| Enterprise SSO | | Planned |
| Per-club configurable retention policy | | Planned |
| ISO 27001 / ENS alignment | Roadmap published; no certification obtained to date. | Planned |
This table is updated at every product milestone. If you need a specific control before general availability, we can prioritise it within the pilot.
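To illustrate what the "per-organisation data isolation (RLS)" and "medical module restriction" rows mean in practice, here is an added SQL example of Postgres row-level security policies scoped by organization_id, of the kind used on Supabase-managed Postgres; it is not SAITO's own schema. The club_member and medical_record tables, their columns and the role values are assumptions; auth.uid() and the authenticated role are Supabase built-ins.

```sql
-- Added example, not SAITO's schema: Postgres row-level security (RLS)
-- scoping rows by organization_id; the health table additionally requires
-- the 'medical' role in that club. Tables/columns are assumptions.
-- auth.uid() and the 'authenticated' role are Supabase built-ins.

create table club_member (
  user_id         uuid not null,
  organization_id uuid not null,
  role            text not null,   -- admin|manager|technical|medical|family
  primary key (user_id, organization_id)
);

create table medical_record (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  player_id       uuid not null,
  notes           text
);

-- True when the caller belongs to club "org" with the medical role.
create function is_medical_member(org uuid) returns boolean
  language sql stable as $$
    select exists (
      select 1 from club_member m
      where m.user_id = auth.uid()
        and m.organization_id = org
        and m.role = 'medical'
    )
  $$;

-- Enable RLS and FORCE it so even the table owner cannot bypass policies.
alter table medical_record enable row level security;
alter table medical_record force row level security;

-- Read: only medical-role members of the row's club see the row.
create policy medical_record_select on medical_record
  for select to authenticated
  using (is_medical_member(organization_id));

-- Write: WITH CHECK stops a medical user inserting a record into a club
-- they do not belong to, even if the client sends another organization_id.
create policy medical_record_insert on medical_record
  for insert to authenticated
  with check (is_medical_member(organization_id));

-- Effect: "select * from medical_record" with no WHERE clause returns only
-- permitted rows; a coach (role 'technical') in the same club gets no rows
-- rather than an error, and a query from another club sees nothing.
```

Because the policy is evaluated inside the database, an application bug that forgets a WHERE clause still cannot leak another club's clinical history.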
Want to see how we apply this to your club?
We'll walk you through the controls and configuration with your own data in a tailored demo.
