Privacy Policy
Padelfish — Padel Group Management & Tournaments
Effective date: 3 March 2026 · Last updated: 3 March 2026
Padelfish ("we", "us", "our") operates the Padelfish mobile application for iOS and Android and the website at padelfish.com (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and your rights regarding that data. It applies to all users of the Service across all platforms (web, iOS, and Android).
By using the Service you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account & Profile Data
When you sign in via Google, Apple, or email, our authentication provider Auth0 supplies the following data from your identity provider:
- Email address
- Full name (first name, last name)
- Profile photo URL (from Google or Apple)
- Auth0 user identifier
1.2 User-Generated Content
- Groups you create or join (group name, description, member list)
- Tournaments and match results (scores, rounds, player assignments)
- Profile and group photos you upload (stored as compressed images)
- Player statistics computed from match results
1.3 Device & Technical Data
- Push notification token (Expo push token) and device platform (iOS/Android)
- IP address (collected automatically by our hosting provider and font services during normal web requests)
- Web performance metrics (page views, Web Vitals) via Vercel Analytics — web only, no personally identifiable information
1.4 Payment Data
Payments for Padelfish Pro subscriptions are processed entirely by the Apple App Store or Google Play Store. We never receive or store your credit card number, bank details, or billing address. Our subscription management provider (RevenueCat) receives your anonymised app user ID and entitlement status — not your payment instrument details.
2. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Provide and operate the Service | Account data, user-generated content |
| Authenticate your identity | Email, name, Auth0 user ID |
| Send push notifications (invitations, tournament updates) | Push token, device platform |
| Manage subscriptions (Padelfish Pro) | Auth0 user ID, entitlement status |
| AI-powered name extraction from messages | Message text you paste (transient, not stored) |
| AI-powered schedule validation | Anonymised tournament round/court data (no names) |
| Improve performance and reliability (web) | Anonymised Web Vitals metrics |
| Respond to support requests | Email address |
We do not use your data for advertising, profiling, or selling to third parties.
3. Third-Party Services
We rely on the following trusted third-party services to operate Padelfish. Each service processes data only for its stated purpose and is subject to its own privacy policy.
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Auth0 (Okta) | Authentication & identity management | Email, name, profile photo, auth tokens | auth0.com/privacy |
| AWS (DynamoDB) | Primary database (EU West region) | All app data (stored encrypted at rest) | aws.amazon.com/privacy |
| Vercel | Web hosting, analytics, speed insights | IP address, page views, Web Vitals (web only) | vercel.com/legal/privacy-policy |
| RevenueCat | Subscription management | Auth0 user ID, purchase entitlement status | revenuecat.com/privacy |
| Apple (App Store & APNs) | iOS distribution, payments, push delivery | Payment via Apple, push tokens | apple.com/privacy |
| Google (Play Store & FCM) | Android distribution, payments, push delivery | Payment via Google, push tokens | policies.google.com/privacy |
| Expo (EAS) | Build service, push notification relay, OTA updates | Push tokens, app bundles | expo.dev/privacy |
| Google Gemini AI | Name extraction & schedule validation (server-side) | User-pasted text (transient), anonymised schedule data | ai.google.dev/terms |
| Google Fonts | Web font delivery (web only) | IP address (standard font loading) | policies.google.com/privacy |
We do not sell, rent, or trade your personal data to any third party. Data shared with the services above is limited to what is required for their stated function.
4. Cookies & Local Storage
| Item | Platform | Purpose | Duration |
|---|---|---|---|
| Auth0 session cookie (appSession) | Web | Keeps you signed in (HTTP-only, encrypted) | Session / up to 7 days |
| Theme preference | Web | Remembers your light/dark mode choice | Persistent |
| Auth0 Keychain / Keystore | iOS / Android | Securely stores authentication credentials | Until sign-out or app deletion |
| OTA update cache | iOS / Android | Caches app updates from Expo EAS | Until next update |
We do not use tracking cookies, advertising cookies, or any third-party cookies for analytics or remarketing.
5. Data Storage & Security
- All app data is stored in AWS DynamoDB in the EU West (Paris, eu-west-3) region, encrypted at rest using AWS-managed encryption keys.
- All data in transit is encrypted via HTTPS/TLS.
- Authentication tokens are validated server-side against Auth0 on every API request.
- Mobile credentials are stored in the device's secure hardware (iOS Keychain / Android Keystore).
- We do not store passwords — authentication is delegated entirely to Auth0 and your identity provider (Google, Apple, or email/OTP).
- Uploaded images (profile photos, group photos) are compressed and stored directly in the database — not in a public bucket or CDN.
6. Data Retention
| Data Type | Retained For | Notes |
|---|---|---|
| Account & profile data | Until account deletion | Deleted within 30 days of request |
| Groups, tournaments, match history | Until account deletion | Owned groups deleted with the account |
| Push notification tokens | Until sign-out or account deletion | Removed immediately |
| Auth0 authentication logs | Up to 30 days after deletion | Managed by Auth0 per their retention policy |
| Payment / subscription records | Up to 7 years | Required by tax & financial regulations (held by Apple, Google, RevenueCat) |
| Anonymised aggregate statistics | Indefinite | No personally identifiable information |
| AI-processed text (name extraction) | Not stored | Processed in real-time and discarded |
7. Your Rights
Depending on your jurisdiction (including rights under the EU/EEA GDPR, UK GDPR, California CCPA, and other applicable laws), you may have the following rights:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Ask us to correct inaccurate data (you can also update your profile directly in the app).
- Erasure — Request deletion of your account and associated data. See our Account Deletion page for instructions.
- Data portability — Request your data in a structured, machine-readable format.
- Restriction / Objection — Ask us to limit or stop processing your data in certain circumstances.
- Withdraw consent — Where processing is based on consent, you may withdraw it at any time (e.g., disable push notifications in your device settings).
To exercise any of these rights, contact us at hello@padelfish.com. We will respond within 30 days.
8. Account Deletion
You can request permanent deletion of your account and all associated data at any time. To do so, email hello@padelfish.com or visit our Account Deletion page.
Upon deletion: your profile, owned groups, tournaments, match history, memberships, push tokens, and subscription records will be permanently removed. Payment records may be retained by Apple, Google, or RevenueCat as required by law (see Section 6).
9. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at hello@padelfish.com and we will promptly delete it.
10. International Data Transfers
Your data is primarily stored in the EU (Paris, France) on AWS infrastructure. Some third-party services (Auth0, Vercel, RevenueCat, Expo, Google AI) may process data in the United States or other jurisdictions. Where data is transferred outside the EU/EEA, it is protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) or the service provider's participation in recognised data transfer frameworks (e.g., the EU-U.S. Data Privacy Framework).
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify you via an in-app notification or email. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: hello@padelfish.com
- Website: padelfish.com
- Account deletion: padelfish.com/delete-account
If you are in the EU/EEA and believe your data protection rights have not been addressed, you have the right to lodge a complaint with your local Data Protection Authority.
© 2026 Padelfish. All rights reserved.