What Does a Youth Soccer App Really Need to Know About Your Players?
If you store a parent's email and a child's photo on your phone, you are a data controller. Most coaches do not know that.
You set up a youth soccer app. The first screen asks you to add your players. It wants their names. Then their photos. Then their parents' email addresses, phone numbers, jersey numbers, and a free-text field for notes.
You enter what is asked. You do not think about it. You are coaching kids, not running a database.
But the app keeps that data. Now you are running a database, whether you wanted to or not. And under European data protection rules, you have just become a data controller: a legal status that comes with obligations.
Here is what an app should actually know about your players, what it should not, and why the difference matters.
The principle: data minimization
There is a single principle that most legal frameworks for personal data come back to. You collect what you need, and nothing more.
In data protection law, this is called data minimization. In product design, it is called not asking for what you do not need. In coaching, it is just common sense. A list of player names is enough to coach a team. The app does not need anything else to do its job.
What an app actually needs
Run through the functions of a substitution app. Match the data to the function.
Player name. The app needs to tell you "Sarah comes off, Liam comes on." Without names, the substitution function does not work. This is essential.
Optional positions. If the app uses positions to make better substitution suggestions, it needs to know who plays in defense, midfield, or attack. This is useful but not essential. A coach who does not care about position-aware rotation can leave it blank.
That is it. The substitution engine, the rotation calculation, the playing time history, the match rate signal, the lineup builder. All of this works on names alone, with positions as optional refinement. There is no other field a youth coaching app needs.
What an app does not need
Apps in this category routinely ask for more. Walk through each one.
Parent contact information. Email, phone, sometimes both. The argument is that you might want to message a parent. But you already have ways to do that. WhatsApp, Spond, Laget.se, club portals, plain text messages. None of those exist inside your substitution app. There is no coaching reason to duplicate them. Storing parent contact details inside an app you use on a Saturday morning is creating a private database of private information that nothing in the substitution flow needs.
Child photos. The argument is that photos help you remember who is who. After your second training session you will not need help. After your first match you will definitely not need help. A photo of a child is identifiable personal data of a minor, which sits in a special protected category in European law. There is no proportionate coaching reason to store it.
Free-text notes. "Allergic to peanuts." "Mum is a single parent, dad lives in Norway." "Sometimes wets the bed." Coaches write these things because they want to remember context. The moment any of it concerns health, family circumstance, or anything sensitive about the child, you have created a record of special category data under GDPR Article 9. That requires explicit consent per parent, written documentation, and a legal basis for storage. Almost no grassroots coach realises this.
Jersey numbers. Why? You are not running a registration system. The kids know their numbers. You can see the back of the shirt during a match.
The pattern across all of these is the same. Each looks like a useful feature when you are entering data in a calm moment. Each is a small step toward a database of private information about children that you have no business storing on a personal device.
The legal weight you do not see
Under European data protection law, the moment you store identifiable personal data about people, you become a controller. This is not a label you can decline. It is a fact about what you are doing. The law does not care whether you knew.
A controller has obligations. You need a lawful basis for the data you collect. You need to inform the people involved (or their parents, in the case of children) about what you are doing and why. You need to be able to delete data on request. You need to delete it after a reasonable retention period. You need to keep it secure.
For special category data (health, family circumstance, photos of minors), you need explicit consent per individual, not a blanket signup. You need to document that consent. You need to be able to prove it.
Almost no grassroots coach has done any of this. Not because they are negligent, but because they did not know they were doing the thing that triggered all the obligations. The app made the data collection feel routine. The law treats it as anything but.
What "private" actually means
Many apps say their data is private. Read carefully. There is a difference between private (only certain people can see it) and minimal (there is not much to see in the first place).
A truly private app collects little, stores it on your device, and never sends it to a server. The data is private because it does not exist anywhere except where you put it.
A private-sounding app collects a lot, stores it on a server, encrypts it carefully, and tells you only authorised people can access it. The data is private because of access controls. As long as the controls hold, the privacy holds. If the controls break, every record is exposed.
Both can be marketed as "private." Only the first is private in the way that survives a server breach, a subpoena, or a coach uninstalling the app.
Three questions to ask any tool
When you are choosing a coaching app, ask:
- What does it collect? If the answer includes anything beyond names and gameplay data, ask why. If the reason is "you might want this," that is not a reason. Skip it.
- Where does it store the data? On your device only? Or on a server somewhere? If a server, who owns it? In what country? What happens if the company shuts down?
- How do I delete a player? Try it. If the workflow involves "hide" or "archive" but not "delete," the data is still there. You want a single button that says delete and means it.
The app you want to use answers these questions easily. The app to be wary of answers them with marketing language.
The mindset shift
The default in tech for the last decade has been "collect everything, ask why later." For consumer apps competing on engagement, that has paid off. For tools that handle data about children, it is exactly backwards.
The right default is no. A piece of data is not collected unless you can articulate, in one sentence, what specific function would not work without it. If the function works without it, the data does not get collected. If the function still works without it but works better with it, the data is asked for clearly, separately, and only with explicit consent.
This is not a regulatory framework. It is a way of designing tools that respect the people they are built for. Children, in particular, who cannot give meaningful consent themselves, deserve a default that protects them by collecting less.
The bottom line
The coaching tool you reach for tells the children on your team what kind of relationship you have with their data. An app that wants to know everything tells them they are a database row. An app that asks only for their name tells them they are a player.
Pick the second one.