Padelatos Privacy Policy

Last updated: March 2026

At Padelatos, transparency is the foundation of our community. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use our platform (website, web application, and progressive web app). It applies to all users — whether you are a Club Manager organizing your courts, a Staff Member managing bookings, or a Player looking for your next match. This policy is designed in compliance with the General Data Protection Regulation (GDPR) and applicable Greek data protection law.

1. Data Controller

  • Controller: Padelatos is the data controller responsible for the processing of your personal data as described in this policy.
  • Contact: For any data protection inquiries, you can reach us at hello@padelatos.com.
  • Clubs as Joint Controllers: When Clubs use the Platform to manage their members and bookings, they act as joint data controllers with Padelatos for the data they collect and manage through the Platform. Each Club is responsible for its own compliance with data protection regulations regarding its members' data.

2. Data We Collect

We collect different categories of data depending on how you use the Platform:

Account Data (provided by you):
  • Full name, email address, phone number (optional)
  • Password (hashed, never stored in plain text) or OAuth tokens
  • Profile photo (optional)

Player Profile Data:
  • Skill level self-assessment, handedness preference, preferred court position
  • Rating score (Mu, Sigma, display rating) and tier classification
  • Match history, game results, win/loss record
  • Tournament participation and podium finishes
  • Game result votes

Club & Staff Data:
  • Club name, location addresses, operating hours, court details
  • Staff names, emails, phone numbers, roles, and trainer levels
  • Member profiles managed by the Club (name, email, phone, skill level, notes)

Booking & Activity Data:
  • Booking records (court, date, time, participants)
  • Tournament registrations and match results
  • Training session enrollments
  • Notification preferences and read status

Technical & Device Data:
  • Browser user agent (for push notification debugging)
  • Push notification subscription endpoint and encryption keys
  • Session data and authentication tokens

Location Data (optional):
  • Approximate geolocation coordinates (only when you grant browser permission)
  • Used solely for finding nearby clubs and games
  • Cached in browser session storage only — not sent to or stored on our servers

3. Legal Basis for Processing

Under the GDPR, we process your data based on the following legal grounds:
  • Contractual Necessity (Art. 6(1)(b)): Processing necessary to provide the services you signed up for — account management, bookings, tournaments, game matching, and notifications.
  • Consent (Art. 6(1)(a)): For optional processing such as push notifications, geolocation access, and marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legitimate Interest (Art. 6(1)(f)): For platform security, fraud prevention, service improvement, and aggregated analytics. We balance our interests against your rights and will not process data where your interests override ours.
  • Legal Obligation (Art. 6(1)(c)): When required by law, such as tax record keeping or responding to lawful requests from authorities.

4. How We Use Your Data

We process your data only for specific, legitimate purposes:
  • Service Delivery: Managing your account, processing bookings, running tournaments, facilitating game matchmaking, and calculating player ratings.
  • Communications: Sending booking confirmations, game reminders (2 hours before), cancellation alerts, tournament updates, replacement requests, and staff/member invitations.
  • Matchmaking & Discovery: Displaying your name, skill level, and rating to other users for game organization. Showing available games filtered by your city and skill level.
  • Rating System: Automatically calculating and updating your player rating based on ranked game and tournament results using an algorithmic system (OpenSkill/Bayesian methods).
  • Platform Improvement: Aggregated, anonymized analytics to understand usage patterns and improve the service. We do not build individual profiles for advertising purposes.
  • Security & Fraud Prevention: Rate limiting, detecting unauthorized access attempts, and preventing abuse of the Platform.

5. Data Sharing with Third Parties

We do not sell, rent, or trade your personal data. We share it only when necessary for the following purposes:

Between Users on the Platform:
  • Your name, rating, tier, and match statistics are visible to other players and club managers for game organization
  • Tournament participants' names, teams, and results are visible on live tournament pages (accessible via shareable codes)
  • Club staff can see member profiles and booking details for their location

Third-Party Service Providers:
  • Convex (database hosting and serverless functions) — stores and processes all application data
  • Resend (email delivery) — processes email addresses for transactional notifications
  • Google (OAuth authentication) — processes authentication data if you sign in with Google
  • Cloudflare (web hosting and CDN) — processes request metadata for content delivery

All third-party processors are bound by data processing agreements and process data only on our behalf, in compliance with GDPR.

Legal Requirements:
  • We may disclose data when required by law, regulation, or valid legal process
  • We may share data to protect the rights, safety, or property of Padelatos, our users, or the public

6. Cookies & Local Storage

The Platform uses minimal browser storage for essential functionality:
  • Authentication Tokens: Session cookies to keep you logged in (essential, cannot be disabled).
  • Local Storage: User preferences such as your active location, active city, and theme selection. Stored locally in your browser and not transmitted to third parties.
  • Session Storage: Temporary data including geolocation coordinates (if permitted) and PWA install prompt state. Cleared when you close the browser tab.
  • Service Worker Cache: The Platform operates as a Progressive Web App (PWA) and caches static assets, images, and navigation pages locally for faster loading and offline access. Cached data expires after 30 days.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not participate in cross-site tracking or advertising networks.

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:
  • Active Account Data: Retained for the duration of your account. You may request deletion at any time.
  • Booking Records: Retained for the duration of the Club's account to provide booking history and manage recurring bookings.
  • Rating & Match History: Retained for the duration of your player account to maintain your rating and statistics.
  • Deleted Account Data: Personal data is removed upon account deletion. Some data may be retained in anonymized form for aggregated statistics.
  • Soft-Deleted Records: Certain records (court configurations, memberships, tournaments) are soft-deleted (marked as deleted but retained in the database) to maintain data integrity. These records are excluded from active queries and are purged periodically.
  • Email Audit Logs: Records of sent emails (type, status, recipient) are retained for troubleshooting and compliance purposes.
  • Legal Requirements: Data may be retained longer when required by applicable law (e.g., tax or accounting obligations).

8. Security & Storage

  • Encryption: All data in transit is protected with SSL/TLS encryption. Passwords are cryptographically hashed and never stored in plain text.
  • Authentication: We support secure authentication methods including email OTP (one-time passwords with 5-minute expiry), hashed passwords, and Google OAuth. Sessions expire after 30 days and are refreshed daily.
  • Access Control: The Platform enforces role-based access control. Staff can only access data for locations they are assigned to. Players can only access their own data and publicly visible game information.
  • Rate Limiting: Login attempts, OTP requests, and other sensitive operations are rate-limited to prevent brute-force attacks.
  • Push Notification Security: Push notification subscriptions use VAPID-based encryption with per-device encryption keys (p256dh and auth secrets).
  • Data Location: Our primary data processing is handled through Convex (serverless infrastructure). Email delivery is processed through Resend. Both providers maintain appropriate security certifications and GDPR compliance.
  • No Guarantee: While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data and encourage you to use strong, unique passwords.

9. Automated Decision-Making & Profiling

  • Rating System: The Platform uses an automated algorithmic system (OpenSkill/Bayesian) to calculate player skill ratings based on game and tournament results. This constitutes automated profiling under GDPR Article 22.
  • Impact: Your rating and tier affect which tournaments you can register for (some have skill-level or rating restrictions) and how you appear to other players in game discovery.
  • Safeguards: Ratings are based on objective match results, not subjective assessments. The system accounts for teammate strength to ensure fairness. Tournament ratings apply dampened changes to reduce volatility.
  • Human Oversight: Game results that determine rating changes require consensus from multiple participants through a voting system. Tournament results are confirmed by tournament administrators.
  • Right to Contest: You have the right to contest automated decisions that significantly affect you. Contact us at hello@padelatos.com to request a review of any rating-related decision.

10. Children's Data

  • The Platform is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.
  • Users between 16 and 18 must have parental or guardian consent to use the Platform.
  • If we become aware that we have collected data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.
  • If you believe a child under 16 has provided us with personal data, please contact us at hello@padelatos.com.

11. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. You can exercise any of these by contacting us at hello@padelatos.com:
  • Right of Access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("Right to be Forgotten"). Note that some data may be retained where required by law or for legitimate business purposes.
  • Right to Restriction (Art. 18): Request that we limit how we process your data in certain circumstances.
  • Right to Data Portability (Art. 20): Request your data in a structured, commonly used, machine-readable format. Clubs may request export of their customer and booking data.
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including automated profiling for the rating system.
  • Right to Withdraw Consent: Where processing is based on consent (e.g., push notifications, geolocation), you may withdraw consent at any time without affecting prior processing.
  • Right to Lodge a Complaint: You have the right to file a complaint with your local supervisory authority. In Greece, this is the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.

We will respond to your request within 30 days. In complex cases, this period may be extended by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

12. Data Breach Notification

  • In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly via email and/or in-app notification without undue delay, as required by GDPR Article 34.
  • Our notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address the breach.

13. Changes to This Policy

  • We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or services.
  • For significant changes that affect how we process your data, we will notify you via email or in-app notification at least 30 days before the changes take effect.
  • The "Last updated" date at the top of this page indicates when this policy was most recently revised.
  • Your continued use of the Platform after changes take effect constitutes acknowledgment of the updated policy.

14. Contact & Data Protection Inquiries

For any questions about this Privacy Policy, to exercise your data protection rights, or to report a data protection concern, you can reach us at: hello@padelatos.com