Privacy Policy
Last updated: June 30, 2026
This Privacy Policy describes how PWFL Nominations ("we", "us", "our"), operated by the Powerlifting & Weightlifting Federation Luxembourg (PWFL), collects, uses, and protects personal data processed through the platform. It also explains how hosting partner Obsidian Corps assists us in safeguarding the service.
In this document you will find:
- The exact data categories stored for accounts, athletes, and competitions.
- How long data stays in backups, queues, and audit logs.
- Who hosts the platform, what subprocessors are involved, and how to request a Data Processing Agreement (DPA).
- How to exercise GDPR/UK GDPR rights or raise incidents.
Controller & Hosting
Controller: Powerlifting & Weightlifting Federation Luxembourg (PWFL)
Address: [Registered address]
Email: [privacy@example.com]
Data Protection Officer (if applicable): [Name / Contact]
Hosting & infrastructure: Managed by Obsidian Corps with data centers located in [region/EU].
Data We Process
- Account & security data: name, email, password hash, role, email verification timestamps, two-factor authentication secrets and recovery codes, session IDs, IP address, user agent, password reset tokens, and activity timestamps.
- Competition operations: competition name, slug, location, country code, start/end dates, federation name, nomination deadlines, competition status, public visibility flag, and time zone.
- Athlete registry: first and last name, sex, date of birth, country code, primary group/club, membership number, IPF ID, discretionary notes (please avoid sensitive data).
- Nominations: links to competition, athlete, and group; stage and status; age category; weight class; equipment; discipline; nominated lifts (squat, bench, deadlift, total); lot number; notes; audit fields (created by, updated by, locked at, timestamps).
- Groups & memberships: group name, code, type, country code, activity status, user-group roles (coach/manager/delegate), timestamps.
- Operational metadata: cache entries, job queue payloads, and error logs needed to provide the service.
Notes fields are free text and may inadvertently contain special categories of data. Do not include health or other sensitive data unless strictly required and lawfully permitted.
Sources of Data
- Information you and other authorized users submit through the platform.
- Data generated during competition management (e.g., nomination stages, audit logs).
- System-generated metadata (sessions, security logs, background job information).
Purposes & Legal Bases
- Provide and operate the platform (account management, competition setup, athlete registry, nominations). Legal basis: performance of a contract or pre-contractual steps (GDPR Art. 6(1)(b)).
- Security and fraud prevention (roles, sessions, two-factor authentication, audit trails). Legal basis: legitimate interests in securing the service (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)).
- Communications regarding the service (password resets, platform notices). Legal basis: performance of a contract (Art. 6(1)(b)) or legitimate interests (Art. 6(1)(f)).
- Record-keeping and compliance (audit logs, regulatory reporting). Legal basis: legitimate interests (Art. 6(1)(f)) and/or legal obligation (Art. 6(1)(c)).
- Optional communications (e.g., newsletters). Legal basis: consent (Art. 6(1)(a)). Consent can be withdrawn at any time without affecting prior processing.
Sharing & Disclosures
We share data only when necessary with:
- Hosting and infrastructure providers supporting the application (as processors bound to GDPR obligations).
- Email and messaging services delivering transactional communications.
- Professional service providers (legal, compliance) under confidentiality agreements.
- Competent authorities when required by law.
We do not sell personal data.
Subprocessors & DPA
A current list of infrastructure and messaging subprocessors (including hosting by Obsidian Corps) is available on request. We will notify account owners before onboarding a materially new subprocessor whenever required by Art. 28 GDPR.
If you need a signed Data Processing Agreement or Standard Contractual Clauses, contact us at [privacy@example.com]. We typically countersign within 5 business days.
International Transfers
If data is transferred outside the European Economic Area (EEA) or United Kingdom, we rely on lawful safeguards such as adequacy decisions or the European Commission's Standard Contractual Clauses (Art. 46 GDPR). Details are available upon request.
Retention
- User accounts: retained while the account is active; upon deletion, limited data remains in encrypted backups for [30-90] days.
- Sessions: retained up to [30] days after last activity.
- Security and job logs: retained up to [12] months unless longer required for investigations.
- Competition, athlete, and nomination records: retained for the lifecycle of the competition and for [24] months afterward unless regulatory or archival needs justify longer retention.
- Password reset tokens: retained for less than 24 hours.
- Cache entries: retained per operational necessity and automatically expire.
When retention periods expire, we delete or anonymize data.
Security
- Password hashing using industry-standard algorithms (e.g., bcrypt or Argon2).
- TLS encryption in transit and restricted access controls.
- Role-based permissions and optional two-factor authentication.
- Regular backups and disaster recovery procedures.
- Managed hosting with observability, intrusion detection, and least-privilege access enforced by Obsidian Corps.
Incident Response
If we discover unauthorized access, loss, or disclosure of personal data, we will:
- Contain and investigate the incident with our hosting provider.
- Notify affected controllers and supervisory authorities without undue delay when required by law.
- Provide remediation steps and post-incident summaries.
Your Rights
Under GDPR (and similar laws), you may have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Request erasure ("right to be forgotten").
- Restrict processing in certain circumstances.
- Receive data portability copies in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent (where processing relies on consent).
- Lodge a complaint with your local supervisory authority (e.g., CNPD in Luxembourg).
To exercise rights, contact us at [privacy@example.com]. We respond within 30 days and may need to verify your identity before responding.
Children
Where minors are nominated, data is submitted by authorized officials (e.g., club coaches). Federations must ensure appropriate consent is obtained when required by law.
Cookies & Similar Technologies
- Essential cookies: session ID, CSRF token, remember token for "remember me". These are strictly necessary to provide the service.
- Analytics & marketing: No analytics or marketing cookies are set by default. If this changes, we will update this policy and request consent when required.
Automated Decision-Making
We do not use automated decision-making that produces legal or similarly significant effects.
Changes to This Policy
We may update this Privacy Policy from time to time. We will post updates on this page and revise the "Last updated" date accordingly. Material changes will be communicated via the platform or email.
Contact
Questions about this policy can be sent to [privacy@example.com] or by mail to the controller listed above.