Last updated: 10 April 2026.

1. Controller of personal data

The controller of personal data is FUNDACJA "MASTERS-OLIMPIC POLSKA", with its registered office at ul. Główna 1, 05-126 Rynia, KRS 0001022588, NIP 9522239006, operating the masterspl.com website (the "Controller").

For all matters concerning personal data processing, the exercise of data subject rights and requests for erasure of personal data, you can contact us at This email address is being protected from spambots. You need JavaScript enabled to view it..

If the Controller appoints a data protection officer, that contact information will be made available on the website and on request.

2. Scope of this Policy

This Policy applies to personal data processing in connection with:

• use of masterspl.com;
• registration for and maintenance of a user account;
• the player registration form and the referee registration form;
• the contact form and other communication with the Controller;
• public sports modules of the website, including player lists, player profiles, rankings, schedules, results, statistics and organisational announcements;
• the cookie consent mechanism and similar technologies;
• the exercise of data subject rights.

3. What data we process

We may process in particular the following categories of personal data:

• User account data: full name, username, email address, encrypted or hashed authentication data and technical data necessary to create and secure the account.
• Player registration data: full name, date of birth, phone number, national ranking or league level, and data connected with organising participation in the tournament and confirming that the participant declaration has been read.
• Referee registration data: full name, date of birth, phone number, refereeing experience or level of play, and data connected with verifying the application and confirming that the referee declaration has been read.
• Contact form and correspondence data: name, email address, message subject, message content and data required to respond and continue communication.
• Public sports data of players: full name, country or flag, age or age information, league or category, ranking, tournament participation history, table assignment, schedule, match results, statistics, classifications and other basic sports data connected with the public nature of the competitions.
• Prize-payment and settlement data: bank account number provided for prize payout, prize amount, payout status, and the contact data and message content needed to arrange and confirm payment, including messages sent via WhatsApp if that channel is used.
• Technical and security data: IP address, session identifiers, browser and device data, security logs, data necessary to prevent abuse, local anti-spam protection and the proper operation of the website.
• Cookie and consent-proof data: consent identifier, date and time of the decision, selected categories, the version of the notice and this Policy, interface language, page path and pseudonymous technical identifiers used to demonstrate that consent was given or withdrawn.
• Data related to data subject rights requests: identification data, contact data, the content of the request, and information needed to verify identity and handle the request.

As a rule, we do not ask for medical documentation or diagnostic descriptions. Please do not enter health-related data in open text fields unless this is clearly necessary and agreed with the Controller. We do not publish health data.

4. Purposes and legal bases

We process personal data for the following purposes and on the following legal bases:

• creating and maintaining a user account - Article 6(1)(b) GDPR;
• handling player or referee registration and organisational communication about tournament participation or refereeing, including communication by email, phone, SMS or messaging applications used by the Controller - Article 6(1)(b) GDPR;
• verifying compliance with participation conditions, organising the tournament, safeguarding sports integrity, handling protests, enforcing the rules, preventing abuse and establishing, exercising or defending legal claims - Article 6(1)(f) GDPR;
• public presentation of entry lists, schedules, table assignments, results, rankings, statistics, player profiles and sports archives - Article 6(1)(f) GDPR; our legitimate interest is the transparent organisation of public sporting competitions, documenting how they unfold and informing the public about results;
• prize payments, settlements and tax or accounting obligations, if applicable - Article 6(1)(b) and Article 6(1)(c) GDPR;
• obtaining a bank account number, arranging prize-payment details, keeping information about the prize amount and payout status within the website's internal administration, including the Joomla admin panel accessible only to authorised persons, and documenting the settlement - Article 6(1)(b), Article 6(1)(c) and Article 6(1)(f) GDPR;
• event coverage, photographs and video documentation published in connection with the course of the tournament where a participant's image forms part of the overall event - Article 6(1)(f) GDPR;
• separate, individual use of a participant's image in promotional, advertising or highlighted materials - Article 6(1)(a) GDPR, that is separate consent;
• website security, protection of forms, local anti-spam mechanisms, abuse detection and demonstrating compliance - Article 6(1)(f) GDPR;
• handling data subject rights and documenting GDPR compliance - Article 6(1)(c) and Article 6(1)(f) GDPR;
• analytics cookies and Google Analytics - only after valid consent under Articles 399-400 of the Polish Electronic Communications Law and, as regards subsequent personal data processing, on the basis of Article 6(1)(a) GDPR.

5. Public presentation of sports data

Because the website and Masters tournaments have a public sporting character, some player data may be visible publicly to internet users. This concerns only data necessary to organise and document the competitions and to inform the public about their course.

The following may in particular be presented publicly:

• the player's full name;
• country or flag;
• age or age information;
• league, category or group;
• ranking, statistics and participation history;
• entry list, table assignment and schedule;
• match results, classifications, placements and archive records;
• organisational announcements about substitutions, withdrawals or non-participation in a tournament.

Player photographs may also be published publicly in event reports, tournament galleries or public sports profiles, in accordance with the principles described in section 6.

We do not publish phone numbers, email addresses, full dates of birth, home addresses, bank account numbers, information about the amount of a specific payout or health data. Public announcements about absence, resignation or withdrawal from a tournament should remain neutral and organisational in nature and should not disclose health-related reasons or other special-category data.

6. Image, photographs and recordings

Photographs and video recordings may be taken during tournaments.

Where publication constitutes event reporting and a participant's image forms part of the overall competition, audience or documentation of the tournament, the legal basis is Article 6(1)(f) GDPR.

This also covers the publication of player photographs on the website, in galleries, tournament reports, recap posts and, where justified by the nature of the service, in public sports profiles connected with participation in the competitions.

If the Controller wishes to use a participant's image in an individual and promotional way, in particular in a separate promotional asset, advertisement, event-promo graphic or highlighted post focused on a specific person, the legal basis will be separate consent. Withdrawal of such consent does not affect the lawfulness of processing carried out before consent was withdrawn.

7. Who may receive the data

Personal data may be disclosed to the following categories of recipients:

• hosting providers, website maintenance providers, technical support and IT administration providers;
• email, office and communication tool providers;
• telecommunications operators or communication service providers used to organise participation in the tournament or prize payouts, including email, SMS or internet messaging services, if such a channel is used, for example WhatsApp;
• local anti-spam mechanisms operated by the Controller, without sending data to an external captcha provider, where the relevant form operates in that way;
• analytics providers, in particular Google Analytics, but only after consent;
• legal, accounting or administrative service providers where necessary;
• banks, payment providers and entities handling donations or payouts, if such a service is used;
• competent public authorities where disclosure is required by law;
• all internet users - to the extent of data that we publish publicly in accordance with section 5;
• social media platform operators - if we publish event reports or promotional materials on those platforms.

8. Transfers outside the EEA

Some technical, communication, analytics or social media service providers may process personal data outside the European Economic Area.

If data is transferred outside the EEA, we apply an appropriate transfer mechanism, in particular an adequacy decision or appropriate safeguards such as standard contractual clauses. This may apply in particular to Google services used by the website, such as Google Analytics after consent and Google email or office services if they are actually used to operate the website, as well as internet messaging providers if they are used for prize-payment communication.

Information about the transfer mechanism used for a specific recipient can be obtained by contacting the Controller.

9. Cookies and similar technologies

The website uses cookies and similar client-side technologies. In relation to storing information on the user's terminal device and accessing information already stored there, we apply the rules set out in Articles 399-400 of the Polish Electronic Communications Law.

We divide these technologies into necessary and optional categories.

• Necessary - used to maintain sessions, secure the website, handle forms, protect against abuse and remember your cookie decision. These technologies may operate without separate consent only where they are strictly necessary for transmitting a communication or for a service expressly requested by the user.
• Analytics - used to measure traffic and analyse how the website is used. These technologies remain blocked until the user gives explicit consent, and any subsequent processing of personal data takes place on the basis of Article 6(1)(a) GDPR.

The website does not load external marketing cookies or other optional technologies by default unless this is clearly described and covered by an appropriate consent mechanism before activation.

On the first layer of the cookie notice, the user can accept all optional technologies, reject optional technologies or open the settings. Refusing optional technologies does not restrict access to the website.

Consent to optional technologies is voluntary, specific and not pre-ticked. Where different optional purposes are used, the user can consent separately to individual categories. Consent can be withdrawn or changed at any time just as easily by using the Cookie settings control available on every page.

In order to demonstrate when and to what extent consent was given, refused or withdrawn, we keep server-side consent evidence such as the date and time of the decision, selected categories, the version of the notice and this Policy, the interface language, the page path and pseudonymous technical identifiers. This record is not used for marketing.

If the website later adds other optional categories such as marketing, remarketing, embedded third-party content or social plugins that require consent, they will be described in this Policy and covered by an appropriate choice mechanism before activation.

10. How long we keep the data

We do not keep personal data longer than necessary for the purpose of processing, compliance with legal obligations, defence of claims or demonstrating compliance.

As a standard, we apply the following periods or criteria:

• user account data - for as long as the account is maintained and afterwards for the period needed to defend claims, comply with legal obligations and document compliance;
• player and referee registration data - for the period necessary to organise participation or cooperation and afterwards for settlements, disputes, claims and legal obligations;
• contact form data and ordinary correspondence - as a rule for 12 months after the matter is closed, unless a longer period is justified by the nature of the matter;
• public player profiles - during active participation in the competitions and afterwards, as a rule, up to 24 months after the last recorded participation, after which the profile is reviewed for any continuing need for public visibility;
• archived results, rankings, statistics and match history - as a rule for 5 years from the end of the calendar year in which the tournament took place, and then reviewed for continuing retention or anonymisation;
• photo and video materials used for event reporting - as a rule for 3 years from publication and then reviewed; for materials based solely on consent, until consent is withdrawn or the material is removed earlier;
• prize-payment data, including bank account number, prize amount, payout status and related correspondence - for the period necessary to make the payment, comply with tax and accounting obligations, handle complaints and defend claims, and afterwards in line with legal requirements and the retention policy for financial records;
• cookie preferences - up to 180 days or until the settings are changed earlier;
• cookie consent audit logs - up to 3 years from the recorded decision;
• Google Analytics data - the current retention setting is 2 months for event data and 14 months for user data; for user data, the reset-on-new-activity option is enabled; these settings are subject to periodic review under the data minimisation principle;
• data related to data subject rights requests - for the period necessary to handle the matter and document compliance;
• backups - for a limited time until the applicable backup-retention cycle ends; backups are not used for routine access to personal data and previously deleted records are erased again without undue delay after restoration.

11. Data subject rights

You have the right in particular to access your data, rectify it, erase it, restrict processing, object to processing based on Article 6(1)(f) GDPR, receive a portable copy, withdraw consent at any time and lodge a complaint with the President of the Polish Personal Data Protection Office.

We respond to requests without undue delay and, as a rule, within one month. If the matter is complex or the number of requests is higher, the period may be extended by up to two additional months; in that case we will inform you within the first month and explain why. If we refuse a request, we will explain the legal basis for that refusal and inform you about the possibility of lodging a complaint with the Polish supervisory authority and using available legal remedies.

The right to erasure is not absolute. In some cases, further processing may be necessary, for example because of legal obligations, defence of claims, demonstrating compliance or overriding legitimate grounds for retaining a minimal set of sports data.

12. Identity verification

Identity verification is carried out proportionately to the risk and the nature of the request. We do not routinely ask for a copy of an identity document where verification can be performed in a less intrusive way, for example using data already linked to the account, an earlier registration or a confirmation sent to the relevant email address.

13. Whether providing data is mandatory

Providing personal data is generally voluntary, but in some cases it is necessary in order to use a particular function or service.

• For a user account, failure to provide data marked as required makes it impossible to create the account.
• For player registration, failure to provide data marked as required makes it impossible to review the application and organise tournament participation.
• For referee registration, failure to provide data marked as required makes it impossible to review the application and organise cooperation.
• Optional data, such as ranking, league level or experience, is not mandatory but may help with the proper organisation of the competitions.
• For the contact form, failure to provide data marked as required may make it impossible to reply.
• For prize payout, failure to provide a bank account number or other data necessary for settlement may make it impossible to complete the transfer on time.
• Participation in publicly organised competitions operated through this website involves the processing and publication of the basic sports data described in section 5. If you do not accept that public nature of participation, the Controller may be unable to accept your application for competitions conducted in that format.

14. Automated decision-making

Your personal data is not used to make decisions based solely on automated processing, including profiling, that would produce legal effects concerning you or similarly significantly affect you.

15. Contact and data requests

If you want to exercise your right to erasure or another data subject right, you can use the form below or contact the Controller by email at This email address is being protected from spambots. You need JavaScript enabled to view it..

16. Request erasure of personal data

If you want to exercise your right to erasure, please use the form below and provide the same identifying details that were entered in the registration form or user account.

If the request concerns a website account, please provide the email address assigned to that account first. If it also concerns tournament registration data, please also provide the date of birth and/or phone number used in that registration. After submitting the form, you will receive a confirmation email with a confirmation link. Only after confirmation will the request be forwarded to the Controller for handling. Required fields are full name, contact email and confirmation that the identifying data matches. Date of birth and phone number are needed only if the request also concerns tournament registration data.