Privacy Policy
Last updated: May 8, 2026
1. Controller and Contact Details
The controller of your personal data is: CORE Rafał Czerny-Zwolak, NIP: 5492454381, ul. Kwiatowa 5, Babice 32-600, Poland.
Contact for all privacy requests: [email protected]
2. Scope
This Privacy Policy applies to GetPadelFlow, including the website, landing pages, application, account functionality, booking functionality, payment functionality, calendar integrations, and related services.
3. Categories of Data We Process
We may process the following categories of personal data:
- Account and profile data, such as your name, email address, account identifier, authentication details, role, and user preferences.
- Business, club, or organization data, such as club name, business contact details, location, opening hours, court configuration, service settings, and operational preferences.
- Booking and scheduling data, such as court availability, reservations, booking times, participants, booking status, calendar events, notes, and related metadata.
- Payment and billing data, such as payment status, subscription status, invoices, billing identifiers, transaction metadata, checkout session identifiers, payment provider references, tax-related information, and billing history. We do not store full payment card details.
- Communication data, such as transactional emails, booking confirmations, account notifications, payment updates, support messages, and service-related correspondence.
- Technical and usage data, including page views, device and browser information, IP-derived approximate geolocation, event timestamps, session activity, logs, diagnostic data, and product analytics events collected through PostHog.
- Calendar integration data, where enabled, such as calendar availability, calendar event metadata, booking synchronization data, and event update status processed through Google Calendar.
- Consent status, stored in your browser localStorage under the key getpadelflow_cookie_consent with values such as accepted or rejected.
4. Purposes and Legal Bases
We process personal data for the following purposes and legal bases under GDPR Art. 6:
- Providing and operating GetPadelFlow, including account management, club management, court configuration, bookings, scheduling, and service configuration: performance of a contract or steps prior to entering into a contract, Art. 6(1)(b) GDPR.
- Managing payments, subscriptions, billing, invoices, checkout, and related payment operations through payment providers such as Stripe and Polar: performance of a contract, Art. 6(1)(b) GDPR, and compliance with legal obligations, Art. 6(1)(c) GDPR.
- Sending transactional and service-related emails through Resend, such as booking confirmations, account messages, payment updates, invoices, system notifications, and operational messages: performance of a contract, Art. 6(1)(b) GDPR, or legitimate interest, Art. 6(1)(f) GDPR.
- Storing and managing application data through Supabase, including authentication, database, storage, and backend infrastructure: performance of a contract, Art. 6(1)(b) GDPR.
- Providing calendar synchronization through Google Calendar, where the user enables this integration: performance of a contract, Art. 6(1)(b) GDPR, or user consent, Art. 6(1)(a) GDPR, depending on the integration flow and permissions granted.
- Running analytics through PostHog to understand product usage and improve GetPadelFlow: based on your consent for analytics cookies/trackers, Art. 6(1)(a) GDPR, where such consent is required.
- Ensuring basic operation, security, fraud prevention, abuse prevention, debugging, and service reliability, including storing essential consent preference information: legitimate interest, Art. 6(1)(f) GDPR.
- Responding to support, privacy, and legal requests: legitimate interest, Art. 6(1)(f) GDPR, compliance with legal obligations, Art. 6(1)(c) GDPR, or performance of a contract, Art. 6(1)(b) GDPR, depending on the request.
- Complying with tax, accounting, legal, and regulatory obligations: legal obligation, Art. 6(1)(c) GDPR.
5. Cookies and Consent Management
We use:
- Essential technologies required for core website and application functionality.
- Authentication and application technologies required to provide the service, including technologies related to Supabase.
- Payment and security-related technologies required by providers such as Stripe and Polar where necessary to process payments, prevent fraud, and operate billing functionality.
- Calendar integration technologies where required to provide Google Calendar synchronization enabled by the user.
- Analytics technologies, including PostHog, only after your consent where consent is required.
On your first visit, you can accept or reject analytics in the cookie banner. If you reject, PostHog tracking is opted out. If you accept, PostHog tracking is opted in.
You can withdraw consent at any time by clearing site data/localStorage in your browser and setting your preference again in the banner. You can also manage cookies in your browser settings.
6. Data Recipients and Processors
We may share data with trusted third-party service providers acting on our instructions or providing services necessary to operate GetPadelFlow, including:
- Supabase — database, authentication, storage, and backend infrastructure.
- Resend — transactional email delivery.
- Google Calendar / Google APIs — calendar synchronization and scheduling integration, where enabled by the user.
- PostHog — product analytics, used only after analytics consent where required.
- Stripe — payment processing, billing, subscriptions, checkout, invoices, and related fraud prevention.
- Polar — payment, billing, subscription, checkout, and digital product or service monetization infrastructure.
- Website hosting and infrastructure providers required to operate, secure, and deliver the service.
These providers may process personal data only to the extent necessary to provide their services to us or to you.
7. International Data Transfers
Some processors may process data outside the European Economic Area. Where required, transfers are protected using GDPR-compliant safeguards, such as Standard Contractual Clauses, adequacy decisions, and additional technical or organizational measures where applicable.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.
- Account, profile, business, club, booking, and scheduling data is retained for as long as your account, organization, club workspace, or related service relationship remains active, or as needed to provide the service.
- Billing, payment, invoice, subscription, and tax-related data may be retained for the period required by applicable accounting, tax, and legal obligations.
- Transactional email records may be retained as needed for operational, security, support, and compliance purposes.
- PostHog analytics data is retained according to configured project retention settings and data minimization principles.
- Consent preference data remains in your browser until you delete it or change your choice.
- Calendar integration data is retained only as long as necessary to provide the enabled calendar functionality or until the integration is disconnected, subject to technical and legal requirements.
- Security, diagnostic, and log data is retained for a limited period necessary to protect the service, investigate issues, prevent abuse, and maintain reliability.
9. Your GDPR Rights
Subject to legal conditions, you have the right to:
- Access your personal data.
- Rectify inaccurate or incomplete data.
- Erase your data.
- Restrict processing.
- Object to processing based on legitimate interest.
- Data portability.
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with a supervisory authority.
To exercise your rights, contact [email protected].
10. Supervisory Authority
You have the right to file a complaint with your local data protection authority. In Poland, this is the President of the Personal Data Protection Office, also known as UODO.
11. No Unrelated Marketing Use
We do not use personal data collected through GetPadelFlow for unrelated marketing campaigns or newsletter advertising without a separate legal basis, such as your consent where required.
We may send service-related and transactional messages necessary to operate GetPadelFlow, such as account notifications, booking confirmations, calendar synchronization messages, billing updates, payment confirmations, invoices, and security messages.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised “Last updated” date.