
This privacy policy explains how Padelya collects, uses, shares and protects your personal data. It applies to every Padelya product — the marketplace, the player and club mobile apps, the cockpit dashboards, and the public site.

We are committed to data-protection regulation everywhere we operate: Loi n° 2008-12 in Senegal, the Law on Personal Data Protection in Georgia, and the General Data Protection Regulation (GDPR) in the European Union once we launch there.

1. Who we are

Padelya is operated by Padelya SAS (legal entity to be confirmed at corporate set-up). Our registered office address will be published here once finalised. In the meantime, the data controller for the purposes of this policy is the founding team, reachable at privacy@padelya.app.

2. What personal data we collect

We collect data only when you choose to provide it, when our service strictly requires it to function, or when applicable law requires us to log it.

Account data — when you sign up: email, full name, phone number, password (one-way hashed, we never see the clear-text value), preferred language, country.

Profile data — when you fill in your profile: avatar photo, gender (optional), self-assessed level, best stroke (optional), preferred play time, short bio, hand preference.

Booking and match data — every reservation you make: court, club, date, duration, price paid, payment status, cancellation status. For open matches: who joined, who was approved, who reported what.

Communication data — messages sent through Padelya's mediated chat are stored encrypted at rest; the content is accessible to a small operations team only when a safety report involves a thread.

Payment data — payment provider tokens (Stripe, TBC ePay, Bank of Georgia, Orange Money depending on country). We never see or store your full card number, your account number, or your CVV. Refund history is kept on our side for accounting reconciliation.

Technical data — IP address, device type, browser fingerprint, push-subscription endpoints, page-view history. Used for security (fraud prevention, rate limiting) and — only with your explicit consent — anonymous product analytics.

Cookies — see Section 10 and the separate Cookie Policy.

3. Legal basis for processing

We process your data under one of the following legal bases:

  • Performance of contract — to deliver the booking, match, payment and chat services you explicitly asked for when signing up.
  • Legitimate interest — to prevent fraud, abuse, harassment, and to protect other users (e.g. blocking and reporting features).
  • Legal obligation — to keep accounting records, respond to lawful authority requests, and to comply with the GDPR / Loi 2008-12 / Georgian PDP duties.
  • Your consent — for non-essential cookies (analytics), marketing communications you explicitly opt in to, and any future feature where consent is the right basis.

4. Purposes of processing

We use your data only for the following purposes:

  • Provide the marketplace (search, book, pay, play).
  • Send transactional notifications (booking confirmation, match invite, refund completed).
  • Send essential service emails (password reset, security alert, account-deletion confirmation).
  • Run anonymous product analytics (only with your consent — see Cookie Policy).
  • Detect and prevent fraud, harassment, scraping, and abuse.
  • Meet our legal obligations (accounting, tax, lawful requests).

We do NOT use your data for behavioural advertising. We do NOT sell, rent, or share your data with advertising networks.

5. Who has access to your data

Internally: the Padelya operations team (founders + a small support cohort), strictly under access controls and audit logging.

Externally — only the following sub-processors, each bound by a data-processing agreement:

  • Supabase (Frankfurt EU region) — auth, database, file storage.
  • Vercel (multi-region edge) — hosting and content delivery.
  • Stripe (Ireland HQ for EU customers) — card payment processing.
  • TBC Bank / Bank of Georgia — Georgian payment processing.
  • Orange Money — Senegalese payment processing.
  • Twilio (Ireland HQ for EU) — SMS phone verification.
  • Postmark / Resend (US, Standard Contractual Clauses) — transactional email.
  • PostHog (when enabled with your consent) — anonymous product analytics, EU-hosted.

Club operators receive the data strictly necessary to fulfil your booking — your display name, your phone number (only when the club has been verified as the venue), and the booking details.

6. International transfers

Our primary infrastructure is in the European Union (Supabase Frankfurt) to maximise data-protection alignment. Some operational sub-processors (email vendors) are based in the United States; transfers to those vendors are governed by the European Commission's Standard Contractual Clauses (SCCs), and we maintain DPAs requiring equivalent safeguards.

7. Data retention

  • Profile data — kept until you delete your account. Once you trigger account deletion, a 7-day cooldown applies; after that we hard-delete the profile, anonymise booking history (financial law requires us to retain payment records), and write an audit log of the cascade.
  • Booking and payment data — anonymised after account deletion and retained for at least 5 years for tax and accounting compliance.
  • Push subscription credentials — kept until the device unsubscribes or your account is deleted.
  • Audit logs — 18 months rolling, then purged.
  • Analytics events (consent-based) — 90 days in PostHog.

8. Your rights

Under GDPR (EU), Loi 2008-12 (Senegal), and the Georgian Law on Personal Data Protection, you have the right to:

  • Access — request a copy of every personal data point we hold about you.
  • Rectification — correct any inaccurate or incomplete data.
  • Erasure — delete your account and the associated personal data ("right to be forgotten"), subject to legal retention obligations on accounting records.
  • Portability — receive your data in a structured, machine-readable format (JSON ZIP export).
  • Objection — object to processing based on legitimate interest.
  • Restriction — request that we limit (rather than delete) processing in specific circumstances.
  • Withdraw consent — for any processing based on consent (cookies, marketing) at any time.
  • Lodge a complaint with the supervisory authority of your country (see Section 13).

9. How to exercise your rights

The simplest paths:

  • Delete your account — go to your profile settings → "Delete my account". A 7-day cooldown applies; sign in any time before then to cancel.
  • Export your data — go to your profile settings → "Export my data". A ZIP of JSON files is generated and emailed to you within 24 hours.
  • Withdraw cookie consent — open the cookie preferences card at the bottom of your profile settings, or revisit the banner on any device by clearing the __padelya_cookie_consent cookie.

For anything else, email privacy@padelya.app with your request, the email address tied to your account, and a description of what you'd like done. We respond within 30 days at the latest (the GDPR ceiling), and usually within 5 business days.

10. Cookies

We use a small number of strictly-necessary cookies (authentication session, language persistence, the consent decision itself) and — only with your consent — analytics cookies. See the separate Cookie Policy for the full inventory and the opt-in / opt-out controls.

11. Children

Padelya is not intended for children under 16. We do not knowingly collect data from anyone below that age. If you believe we have collected data from a child, please email privacy@padelya.app and we will delete it immediately.

12. Changes to this policy

We will notify you by email at least 30 days before any material change to this policy. Non-material changes (typo fixes, link updates, clarifications) are published silently with an updated date at the top of this page.

13. Contact and supervisory authorities

Data Protection Officer (interim): privacy@padelya.app

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the supervisory authority of your country:

  • Senegal — Commission de protection des données personnelles (CDP), https://cdp.sn
  • Georgia — Personal Data Protection Service of Georgia, https://pdp.ge
  • European Union — your national Data Protection Authority. The European Data Protection Board (EDPB) maintains a directory at https://edpb.europa.eu

Last updated: 2026-05-18