PadelFast Privacy Policy

1. Who we are (data controller)

PadelFast is operated by GAVA Group AB, a Swedish Aktiebolag (AB). GAVA Group AB is the data controller responsible for the personal data described in this policy.

• Company: GAVA Group AB
• Registered address: to be added by GAVA Group AB
• Swedish company registration number (organisationsnummer): to be added by GAVA Group AB
• Contact for privacy matters: support@padelfast.com
• Website and contact form: https://www.padelfast.com (contact form at https://www.padelfast.com/contact)

We have not appointed a named Data Protection Officer. As a controller established in Sweden (EU), an Article 27 EU/EEA representative is generally not required. Please direct all privacy questions and data-subject requests to support@padelfast.com.

2. Scope of this policy

This policy covers the PadelFast service across web (https://www.padelfast.com), iOS, and Android, and applies to all PadelFast users worldwide. PadelFast helps you organize and play padel — running americano, mexicano, ladder, and cup tournaments, joining leagues, finding clubs, tracking your rating, and connecting with other players.

Our native iOS and Android apps provide the same core service and use the same backend (Google Firebase), but may include additional platform-specific components, for example app-store federated sign-in and push-notification delivery, which are noted where relevant. Where an app store provides its own privacy disclosure, those labels summarize the same practices described here, and this policy is the more detailed and authoritative source.

3. The personal data we collect

We collect the categories of personal data below. Not every user has every data point — much of it is optional or depends on how you use PadelFast. Most data is stored in our Google Firebase backend (Firestore database, Realtime Database for live match state, and Storage for images).

3.1 Account and identity data

• First name — required when you create an account, or taken from your sign-in provider's display name. We do not collect a separate surname field at signup.
• Email address — required; also obtained from your sign-in provider.
• Password — handled entirely by Firebase Authentication. We do not store your password ourselves.
• Phone number — optional; you can add it during onboarding or in profile settings, and it may also come from your sign-in provider if available.
• Profile photo / avatar — optional; uploaded and cropped by you, or taken from your sign-in provider. Stored in Firebase Storage.
• Account type — player or club, chosen at signup.
• Sign-in provider — email/password, or Google, Facebook, or Apple sign-in.
• Account metadata — account creation timestamp, last login timestamp, the platform you registered on (web, iOS, or Android), an onboarding-completion flag, an internal administrator flag (set by us, not by you, where applicable), and your online/offline presence status.

3.2 Profile and preference data (provided by you)

• Bio / description (free text).
• Gender (Man / Woman / not specified).
• Rating-system preference (1–10 or 0–7).
• Playing preferences — preferred hand, preferred court position, preferred mode (ranked / casual), and preferred sport(s).
• Skill self-profile — your best shot and best attribute.
• Availability windows — the days and time ranges when you can play.
• Notification preferences — for tournament updates, friend activity, and game invitations.

3.3 Performance and rating data (generated as you play)

• ELO rating and points, including before/after rating values for each match.
• Win / loss / draw records, point differentials, and current points.
• Matchmaking history — full historical match results, including participants, winners, and rating changes.
• League memberships and status (for example active or restricted).
• Club memberships and roles (owner, manager, staff) and the clubs you follow.

3.4 Location data

• Country — stored on your profile.
• Coarse geohash (approximately 600 meters) — derived from your location and stored on your profile, updated on each login, used for nearby-clubs proximity matching and distance features.
• Approximate location from your IP address — when the app loads it performs an IP-based location lookup (see Section 5) that returns your IP address and an approximate location (coordinates, city, postal code, region, country). Of this, only the derived geohash and country code are saved to your profile; the remaining details are held only temporarily in the app during your session.
• Precise device location — only if you allow it through your browser/operating-system permission prompt. It is used for location-targeted ads in the ad banner and, on an opt-in basis, for the club search's nearby feature and distance calculations.

See Section 5 for full detail on how location works, including where it is collected automatically, and how to control it.

3.5 Social and communication data

• Social graph — the players you follow and who follow you.
• Chats and messages — message content you send, including sender name, message text, and timestamps.
• Notifications — in-app notifications (follows, requests, invites, challenges, comments, welcome), including sender information, read status, and timestamps.
• Predefined players (team members) — records you create about other people you play with, which may include their name, email, phone number, description, gender, and stats. See Section 16 regarding data about other people.

3.6 Billing and payment data

• Subscription / entitlement status via RevenueCat, keyed to your user ID. We receive only whether entitlements (for example Pro, Manager, Lifetime, or a Tournament day-pass) are active or inactive, plus related transaction dates. We never receive your payment-instrument details from RevenueCat.
• For clubs/hosts: Stripe Connect account identifiers and the related account metadata Stripe holds for payouts and identity verification (business profile, capabilities, external/bank accounts, address, requirements, and settings).
• Payment records for tournament fees — for paid tournaments: a reference to the tournament, your user ID, Stripe identifiers (payment intent, customer, and connected-account IDs), the amount, our platform fee, the currency, the type, the status (pending / completed / refunded), and a timestamp.

3.7 Newsletter data

• A newsletter subscription flag and a contact ID on your profile. If you opt in, your name and email (and, where applicable, a push token) may be sent to our newsletter provider so we can send you product news.

3.8 User-generated content

• Free-text content you create, including your bio, chat messages, and predefined-player records. As the platform and intended recipient of in-app chats, we process this to operate the messaging and team-management features.

3.9 Technical, usage, and analytics data

• Standard device and browser information, page/usage data, performance metrics, and behavioral/session analytics collected by our analytics providers (see Section 9), and traffic signals used for bot and abuse protection.

4. Why we process your data (purposes and legal bases)

Under the GDPR we must have a legal basis for each processing purpose. The list below sets out our purposes and the bases we rely on.

• Account creation and authentication (identity, email, credentials, sign-in provider data) — performance of a contract (Art. 6(1)(b)).
• Core service delivery (tournaments, leagues, club directory) — performance of a contract (Art. 6(1)(b)).
• Matchmaking and ratings (ELO, records, skill and play preferences) — performance of a contract (Art. 6(1)(b)); see Section 11 on automated rating.
• Proximity and discovery (country and coarse geohash for nearby clubs) — legitimate interests (Art. 6(1)(f)).
• Precise device location for nearby/search and ads — consent (Art. 6(1)(a)) via the browser/OS permission; see the compliance note below and Section 5.
• Social features (follows, chats, notifications) — performance of a contract (Art. 6(1)(b)).
• Payments and billing (tournament fees, host payouts/KYC, subscription gating) — performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax, accounting, and KYC/anti-money-laundering where applicable.
• Transactional communications (password reset, email verification, welcome and referral emails) — performance of a contract (Art. 6(1)(b)).
• Marketing communications (newsletter) — consent (Art. 6(1)(a)); opt-in and withdrawable at any time.
• Push notifications — consent (Art. 6(1)(a)) via your device permission.
• Analytics (Hotjar and Firebase Analytics) — consent (Art. 6(1)(a)) via our cookie banner.
• Performance and usage measurement (Vercel Analytics and Vercel Speed Insights) — legitimate interests (Art. 6(1)(f)); see the note in Section 9 on their current consent status.
• Security and abuse prevention (BotID) — legitimate interests (Art. 6(1)(f)).
• Referrals (confirming referrals and rewards) — performance of a contract and/or legitimate interests.
• Administration and service operation (including admin-gated newsletter and targeted notification streams) — legitimate interests (Art. 6(1)(f)) and/or consent for the underlying messaging.

Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms; you may object at any time (see Section 12). Where we rely on consent, you may withdraw it at any time without affecting processing already carried out.

5. Location data — detailed explanation and your controls

PadelFast uses location in two distinct ways.

5.1 Approximate location from your IP address (automatic)

When the app loads, it performs an IP-based location lookup (via the provider geolocation-db.com) to estimate your general area. This returns your IP address and an approximate location (coordinates, city, postal code, region, and country). From this we derive and store on your profile a coarse geohash (approximately 600 meters) and your country code, which power location-aware features such as nearby clubs and distance sorting. The remaining IP-derived details are held only in the app during your session and are not written to your profile. This IP-based lookup currently happens automatically when the app loads, before the cookie banner is acted upon, and there is currently no automated opt-out beyond contacting us.

5.2 Precise device location (only with the device permission)

Some features can use your device's precise location, but only if you grant the browser/operating-system permission. You can decline, and you can revoke the permission in your browser/device settings at any time.

• Location-targeted ads — the in-app ad banner requests your precise location automatically when it loads, converts it to a coarse geohash, and uses it to show locally relevant ads. If location is unavailable or declined, it falls back to non-targeted ads. This request is not gated by the cookie banner; the browser/OS permission prompt is the only control.
• Club search (nearby) — opt-in: you choose to enable location for the club search by tapping a button. This lets us calculate distances to clubs near you and show a nearby section. It is off by default, and the app remembers your choice on your device.

5.3 Your location controls

• Decline or revoke the browser/OS location permission at any time through your device or browser settings.
• The club-search location feature is opt-in and can be turned off.
• The IP-based approximate lookup currently runs automatically; if you do not want approximate location used, please contact us at support@padelfast.com.

5.4 Retention and precision

The stored geohash is coarse (approximately 600 meters) and is refreshed and overwritten on each login. We use it for proximity queries within roughly a 10-kilometer radius.

6. US state privacy disclosures (CCPA/CPRA and similar laws)

This section is for residents of California and other US states with comprehensive consumer privacy laws, including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana. It supplements the rest of this policy.

6.1 Categories of personal information we collect

Using the categories defined under the CCPA, as amended by the CPRA, in the preceding 12 months we have collected: identifiers (first name, email, phone, user ID, IP address, online identifiers); customer records/contact information (name, email, phone); protected classifications (optional self-reported gender); commercial information (subscriptions, tournament purchases, transaction records); internet/network activity (usage, session/behavioral analytics, device/browser data); geolocation data (approximate IP-based location, and precise location only via the device permission); audio/visual (optional profile photo); user-generated content (chat messages, bio free-text, predefined-player records); and inferences (rating, skill profile, and play-preference data derived from your activity). We do not collect professional/employment information or education information.

Sensitive personal information: precise device geolocation collected via the browser/OS permission is sensitive personal information; for the ad banner this is requested automatically on load. The coarse, IP-derived/geohash location we store (approximately 600 meters) is not precise enough to be sensitive personal information. Account log-in credentials are handled by Firebase Authentication. The contents of in-app chats are not treated as sensitive personal information because PadelFast is the platform and intended recipient of those messages. We do not use or disclose sensitive personal information for purposes other than those permitted under Cal. Civ. Code 1798.121, so the right to limit the use of sensitive personal information is honored by default.

6.2 Sources, purposes, and disclosures

• Sources: directly from you; automatically from your device as you use the app; and from your chosen sign-in provider (Google, Facebook, or Apple).
• Business purposes: the purposes listed in Section 4 (providing and securing the service, matchmaking and ratings, social features, payments, communications, analytics, and advertising).
• Disclosures for a business purpose: we disclose identifiers, commercial information, internet/network activity, geolocation, audio/visual content, and user-generated content to the service providers/processors listed in Section 8 — for example to our hosting/backend (Firebase), payment processors (Stripe, RevenueCat), analytics providers (Hotjar, Vercel), and sign-in providers — so they can perform services on our behalf.

6.3 No sale; no sharing for cross-context behavioral advertising

We do not sell your personal information, and we do not knowingly share it for cross-context behavioral advertising, as those terms are defined under California and other US state privacy laws. Our ad banner uses only a coarse, area-based signal derived on your device to show locally relevant ads served from our own systems — it does not track you across other companies' apps and websites. In the preceding 12 months, we have not sold personal information and have not shared personal information for cross-context behavioral advertising. We also do not use sensitive personal information for purposes beyond those permitted under the CPRA.

6.4 Global Privacy Control (GPC)

Because we do not sell or share personal information, there is no required opt-out. Where you use a browser-based Global Privacy Control (GPC) signal, we will treat it as a valid request to opt out of any sharing for the browser used, to the extent applicable.

6.5 Your US state privacy rights

• Know / access the personal information we have collected, including categories, sources, purposes, and categories of recipients.
• Delete the personal information we have collected from you, subject to exceptions permitted by law (such as completing transactions, complying with legal obligations including tax/accounting retention, and detecting security incidents).
• Correct inaccurate personal information.
• Data portability — receive a copy in a portable format.
• Opt out of sale and of sharing for cross-context behavioral advertising (we do neither), and, in states such as Virginia, Colorado, and Connecticut, opt out of targeted advertising and of profiling in furtherance of decisions producing legal or similarly significant effects (we do neither; see Section 11).
• Limit the use of sensitive personal information (we already limit such use to permitted purposes).
• Non-discrimination — we will not deny you services, charge different prices, or provide a different level of quality because you exercised your privacy rights. We do not offer financial incentives or price differences in exchange for the collection, sale, or sharing of personal information. Our subscription tiers relate to product features, not to your exercise of privacy rights.

To exercise these rights, contact us by email at support@padelfast.com or via our contact form at https://www.padelfast.com/contact (these are our two designated request methods). You may use an authorized agent, subject to verification. We will verify your request against the information associated with your account before acting on it. We will not charge you for exercising these rights and will provide the requested information free of charge up to twice in a 12-month period. We will respond within the timeframes required by applicable law (generally 45 days, extendable where permitted). If we deny a request, you may appeal by replying to our response, and we will inform you of the outcome.

7. Payments and billing — how your money data is handled

7.1 Subscriptions (RevenueCat)

Premium features are managed through RevenueCat, which links your subscription status to your PadelFast user ID. We receive only whether your entitlements (for example Pro, Manager, Lifetime, or a Tournament day-pass) are active or inactive, plus related transaction dates. The Tournament day-pass is time-limited (valid for 6 hours). We never receive your card or payment-instrument details through RevenueCat. Subscription tier may gate certain features (for example, hosting paid tournaments or accepting entrance fees). Subscriptions purchased through the Apple App Store or Google Play are also subject to those stores' own billing terms and privacy practices.

7.2 Tournament entrance fees (Stripe)

For paid tournaments, payments are processed by Stripe. PadelFast operates as a Stripe Connect platform. Your card details are entered directly into Stripe's secure, sandboxed payment fields (Stripe Elements) and never reach PadelFast's servers; we are not in scope to see, store, or process your card number, CVV, or expiry date, and we receive only a temporary reference needed to complete the payment. When you pay, your name, email, and phone may be passed to Stripe to process the transaction; these are not stored in PadelFast's database as part of the payment flow — Stripe holds them as the payment processor. We store only a transaction record: Stripe reference IDs, the amount, our platform fee, the currency, and the status (pending, completed, or refunded), with a timestamp, for accounting and to manage your tournament participation.

7.3 Refunds

For paid tournaments, refunds are processed through Stripe only if your cancellation occurs at least 6 hours before the tournament start time. If you cancel less than 6 hours before start, your entrance fee is generally non-refundable; our records may still show a refunded status for accounting purposes even though no money is returned.

7.4 Host payouts and KYC

If you host paid tournaments, you must complete Stripe Connect onboarding, during which Stripe collects identity, business, and bank/payout information (KYC) directly. Charges are disabled until onboarding is complete. Stripe acts as the payment processor for that information as part of providing regulated payment services; we receive the account status and identifiers we need to enable charges and payouts and to compute platform fees.

8. Who we share data with (service providers / sub-processors)

We share personal data only with the providers below, each of which processes it on our behalf or to provide a service you have engaged, and only as needed. We do not sell your data or share it for cross-context behavioral advertising. The recipients below are those confirmed as actively used by PadelFast; each provider's privacy policy is linked.

• Google Firebase (Authentication, Firestore, Realtime Database, Storage, Analytics) — our primary backend; Realtime Database hosted in the EU (europe-west1)

• Google sign-in

• Facebook (Meta) sign-in

• Apple sign-in

• Google Maps Platform (Maps and Places) — club maps and place search

• RevenueCat — subscription and entitlement management

• Stripe (incl. Stripe Connect) — payment processing, host accounts, payouts, KYC

• Hotjar — behavior and session analytics (loads only after analytics consent)

• Vercel — Vercel Analytics, Vercel Speed Insights, and BotID (bot detection)

• Expo — push-notification delivery (primarily for the mobile apps)

Provider roles and data shared: Google Firebase processes substantially all data categories in Section 3 (including authentication credentials and avatars). Sign-in providers (Google, Facebook/Meta, Apple) receive only email, name, and photo per the provider's scopes, and only if you choose them. Google Maps Platform receives search queries and precise coordinates for location-biased results when you have enabled location. RevenueCat receives your user ID, subscription/entitlement status, and transaction dates. Stripe receives payer name/email/phone at checkout (held by Stripe) and, for hosts, business/payout identity, bank details, and address; card data is collected entirely by Stripe and never by us. Hotjar receives behavioral/session, device, and browser data. Vercel Analytics and Speed Insights receive usage and performance data; BotID (a Vercel service) receives request/traffic signals. Push tokens are routed to Expo by our backend; the mobile apps generate the tokens, and the web app does not transmit data to Expo directly.

geolocation-db.com is used to perform the IP-based approximate location lookup at app load (see Section 5.1) and receives your IP address. This is a third-party endpoint called directly from the browser, and we have not confirmed a published privacy policy or a Data Processing Agreement for it. We do not present it as a contracted, link-backed processor on a par with the providers above. The company must contract a compliant IP-geolocation provider, or replace it, before relying on this disclosure.

Our own first-party backend (operated by GAVA Group AB) handles server-side operations such as transactional email, server-side matchmaking, payments orchestration, place lookups, newsletter, and referrals. This is not a third party, but personal data described in this policy is transmitted to it securely with your authenticated session.

We may also disclose personal data where required by law, to enforce our terms, to protect the rights, safety, or property of PadelFast or others, or in connection with a corporate transaction such as a merger or acquisition, subject to appropriate safeguards.

9. Cookies, SDKs, tracking, and analytics opt-outs

PadelFast uses cookies, similar technologies, and software development kits (SDKs). Our cookie consent banner currently offers exactly two categories:

• Necessary — required to sign you in, keep you authenticated, remember settings (such as your club-search location choice), and secure the service. These cannot be switched off.
• Analytics — Hotjar (session/behavior) and Firebase Analytics load only after you provide analytics consent via our cookie banner; declining prevents them from loading and clears the related Google Analytics cookies.

Two analytics tools currently run independently of the cookie banner: Vercel Analytics and Vercel Speed Insights, which measure usage and performance. The IP-based geolocation lookup described in Section 5.1 also currently runs automatically and is not gated by the cookie banner. There is no separate advertising consent category in the banner; the only control over precise-location ad targeting is the browser/operating-system location permission (see Section 5.2).

How to control analytics and tracking

• Use our cookie/consent controls to decline analytics cookies, which prevents Hotjar and Firebase Analytics from loading.
• Configure your browser settings to block or delete cookies.
• On mobile, use your device's advertising/tracking controls (for example iOS App Tracking Transparency and Limit Ad Tracking; Android Reset advertising ID / opt out of ads personalization).
• Decline or revoke the browser/OS location permission to stop precise-location ad targeting (see Section 5.3).

• Hotjar opt-out

• Hotjar privacy policy

10. App store data disclosures

Our mobile apps are distributed through the Apple App Store and Google Play, each of which requires a standardized data-disclosure summary. Apple App Store App Privacy labels describe the data types PadelFast may collect (such as contact info, identifiers, usage data, location, and purchases) and whether they are linked to you. The Google Play Data safety section describes what data is collected and shared, why, and our security practices. These labels summarize the practices detailed in this policy.

If you notice any apparent discrepancy between a store label and this policy, this policy is the more detailed and authoritative description; please contact us so we can reconcile it.

11. Automated processing and ratings (ELO)

PadelFast automatically calculates a skill rating (an ELO points value) based on your match results, and uses it for pairing, scoring, and leaderboards. This is automated processing of your data, and it produces inferences such as your rating and skill profile, but it is a routine scoring feature used to run tournaments fairly. It does not produce legal or similarly significant effects on you within the meaning of GDPR Article 22, and we do not profile users for purposes that determine access to services, credit, or employment.

We do not use automated processing to make decisions producing legal or similarly significant effects about any user, including minors, and we do not profile minors for marketing. If you have questions about how your rating is calculated, contact us at support@padelfast.com.

12. Your data-protection rights (GDPR and similar laws)

If you are in the EU/EEA, the UK, or another region with comparable laws (and, in practice, we extend these rights to all users), you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data (right to be forgotten), subject to legal retention obligations (see Section 13).
• Restrict processing in certain circumstances.
• Data portability — receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
• Object to processing based on legitimate interests, and to direct marketing at any time.
• Withdraw consent at any time where processing is based on consent (for example marketing, analytics, precise location), without affecting prior processing.
• Not be subject to solely automated decisions producing legal or similarly significant effects (see Section 11).

To exercise any right, email support@padelfast.com or use https://www.padelfast.com/contact. You may also be able to access, edit, or delete much of your data directly in your account settings, including deleting your account. We will respond within the timeframes required by law (generally one month under the GDPR), and we may need to verify your identity before acting.

Right to lodge a complaint

If you are in the EU/EEA, you have the right to complain to a supervisory authority. The lead authority for PadelFast is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY). You may also complain to the supervisory authority in your country of residence.

• Integritetsskyddsmyndigheten (IMY) — Swedish supervisory authority

13. Data retention

We keep personal data only as long as necessary for the purposes described in this policy, to provide the service to you, to comply with legal, accounting, or tax obligations, and to resolve disputes and enforce our agreements. In general:

• Account and profile data — retained while your account is active; deleted or anonymized after account closure, subject to legal retention requirements.
• Payment and transaction records — retained for the period required by Swedish accounting law (the Bokföringslagen requires certain financial records to be kept for 7 years).
• Match history and ratings — retained while your account is active to keep leaderboards and rating history coherent; deleted or anonymized on account deletion, subject to the above.
• Messages, notifications, and social graph — retained while your account is active.
• Location (geohash) — refreshed and overwritten on each login (see Section 5).
• Analytics data — retained according to each analytics provider's settings.

14. International data transfers

PadelFast is operated from Sweden (EU). Some of our providers process data outside the EU/EEA, including in the United States — for example certain processing by Google (Firebase, Maps, sign-in), Meta and Apple (sign-in), Stripe, RevenueCat, Hotjar, Vercel (Analytics, Speed Insights, BotID), and the IP-geolocation provider. Our Firebase Realtime Database is hosted in the EU (europe-west1); the data-residency region for Firestore and Firebase Storage, where most data lives, has not yet been confirmed.

Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards under the GDPR, such as the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, adequacy decisions including the EU–U.S. Data Privacy Framework for providers that are certified under it. You may request a copy of the relevant safeguards by contacting us.

15. How we protect your data

We use appropriate technical and organizational measures to protect personal data, including encryption in transit, authenticated and access-controlled backend operations (your requests carry a secure, signed authentication token), use of Google Firebase's managed infrastructure and other established providers such as Stripe, and the principle that sensitive payment-card data is handled entirely by Stripe and never stored by us. No method of transmission or storage is completely secure, but we work to protect your information and to respond appropriately if an incident occurs.

16. Data about other people

If you enter information about other people — for example by creating predefined-player / team-member records that include a person's name, email, phone, gender, or other details — you confirm that you are allowed to share that information with us and that you have informed those individuals as necessary. We process this data to provide the team-management features.

Once such data is stored in our systems, GAVA Group AB acts as a controller for it. Our legal basis is the legitimate interests of the user and the platform in providing team-management features, balanced against the affected person's rights. Because these individuals did not provide their data to us directly, providing them with individual notice is often not feasible (GDPR Article 14(5)); they may nonetheless exercise their rights, including access and erasure, by contacting us. If you are a parent or guardian and a child's data has been added this way, you may request its removal (see Section 17).

If someone believes their personal data has been added to PadelFast without a proper basis, they can contact us at support@padelfast.com and we will take appropriate steps, including erasure where required.

17. Children's privacy

PadelFast is intended for a general adult and teen audience and is not directed at children under 13.

Minimum age

You must be at least 13 years old to create an account, and older where the law in your country sets a higher minimum age for using online services. In the EU/EEA the digital-consent age for consent-based processing ranges from 13 to 16 depending on the country (in Sweden it is 13); where your country sets a higher age, you must meet that higher age to use PadelFast. The 13–16 digital-consent age applies specifically to processing we base on consent (such as marketing, analytics, precise location, and advertising, per Section 4); your eligibility to enter into a contract for the service as a minor is governed separately by your country's civil law and may set a higher effective minimum age.

United States (COPPA and state law)

We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we learn that we have collected such information without it, we will delete it promptly. Because we do not sell or share personal information or engage in cross-context behavioral advertising, the heightened US-state opt-in rules for selling/sharing the data of consumers under 16 do not apply, and we do not knowingly use a minor's data for advertising.

Reporting and removal

If you believe a child has provided us with personal data, or that a child's personal data has been added by another user (for example via a predefined-player record), contact us at support@padelfast.com. We will act promptly on credible reports, apply a verification step appropriate to a parent/guardian or the minor, and delete or anonymize the data both in PadelFast's systems and, where applicable, by instructing the sub-processors that hold it (see Section 8). You can also delete an account directly in account settings.

18. Third-party services and links

PadelFast integrates with and links to third-party services — such as your sign-in provider, Stripe, the app stores, and mapped clubs/venues. Those services are governed by their own privacy policies, which are linked in Section 8 for our sub-processors, and we encourage you to review them. We are not responsible for the privacy practices of third parties.

19. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, notify you in the app or by email. Your continued use of PadelFast after an update takes effect means you accept the revised policy.

20. Contact us and governing law

For any privacy question, request, or complaint, contact us at support@padelfast.com or via https://www.padelfast.com/contact.

• GAVA Group AB
• Email: support@padelfast.com
• Web: https://www.padelfast.com

This Privacy Policy and any dispute relating to it are governed by the laws of Sweden and applicable EU law, including the GDPR, without prejudice to any mandatory consumer-protection or data-protection rights you have under the laws of your country of residence.