Data & Security

Private by design

Your agency data belongs to you and no one else. This page explains exactly how ATHLIVO stores, protects, and controls access to that data — in plain terms.

ATHLIVO is designed with GDPR principles in mind. Our full data processing obligations, sub-processor list, and DPA are available in the legal documents section below.

Infrastructure powered by

How we protect your data

Your data is yours alone

Every agency on Athlivo operates in complete isolation. Your players, contacts, and internal data are never visible to another agency — not in listings, not in searches, not anywhere.

Passwords are never stored

We never store your password in readable form. Every password is encrypted with bcrypt before it touches our database, making large-scale guessing attacks computationally impractical.

Session-based authentication

When you log in, we create a secure server-side session — not a token floating in the browser. If an account is deactivated, the session is invalidated instantly on the next request.

Files verified at the byte level

Contract PDFs and player documents are validated against their actual binary signature — not just the filename. A malicious file cannot be disguised by renaming it.

Role-based access

Agents see what they need. Admins control the rest. Sensitive contacts can be restricted to admin-only visibility. Every route is gated by the appropriate role check on every request.

No public file URLs

Contracts and documents stored in Cloudflare R2 are never publicly enumerable. Every file link is a short-lived signed URL generated at the moment of access.

Where your data lives

Every piece of data has a deliberate home. Nothing sits in a public bucket or an open endpoint.

All agency data is stored in a private PostgreSQL database — not accessible from the internet

Files are stored in Cloudflare R2, a zero-public-access object store

Sessions are stored server-side in the database and destroyed on logout

Passwords exist only as one-way bcrypt hashes — even we cannot read them

Data storage

Player data, contracts & contacts

PostgreSQL (private)

PostgreSQL — destroyed on logout or deactivation

Contract files & documents

Cloudflare R2 — presigned URLs only

Profile images & agency logos

Cloudflare R2 — presigned URLs only

Passwords

bcrypt hash only — never readable

Access control

Permissions are enforced server-side on every request — not just at the UI level.

Permission	Admin	Agent
View players	Yes	Yes
View contacts	Yes (all)	Only shared with them
View tasks	Yes (all)	Only assigned to them
View uploaded documents	Yes (all)	Only shared with them
Manage other users	Yes	—
Invite new team members	Yes	—
Deactivate / reactivate users	Yes	—
Billing & seat management	Yes	—
Change agency-wide settings	Yes	—
Personal notification settings	Yes	Yes

Audit logging & data portability

Activity log

Every notable action in your agency — player added, pitch sent, contact updated — is logged with a timestamp. Admins can review the full history at any time.

Export audit log

Every data export is recorded with the requesting user, timestamp, and what was exported. There is always a traceable record of when data left the platform and who requested it.

bcrypt

Password hashing

10 salt rounds

30 days

Session duration

Invalidated on logout or deactivation

File storage

Cloudflare — no public access

Common questions

Legal documents

The full legal details behind how ATHLIVO handles data, obligations, and third-party services.

How we collect, use, and protect personal data across the platform.

The terms that govern your use of ATHLIVO as an agency or individual user.

Sub-processors

A full list of third-party services that process data on our behalf.

Data Processing Addendum

Our DPA covering GDPR obligations between ATHLIVO and your agency.