Privacy policy

1. Data controller

The data controller responsible for your personal data in relation to the Klikteren platform is Klikteren (the entity operating this service). You can contact us at the email address provided on the Contact page. If you book a court at a venue through our platform, the relevant Venue Owner may also act as a data controller for data they process in connection with your booking and venue operations (e.g. co-player contact details, recurring booking content, internal notes); their processing is governed by their own privacy practices and applicable law.

2. Data we collect

We collect the following categories of data. (a) Account and profile data: email address, password (stored in hashed form), full name, phone number, date of birth, gender (male, female, prefer not to say), city, profile picture (optional) and preferred interface language. (b) System data about the user: platform role (player, staff, owner, administrator), penalty-point balance and any warnings related to no-shows or conduct. (c) Friendship and social data: list of friends, outgoing and incoming friend requests, invite links. (d) Booking data: venue, court, date, time, extra equipment, price (indicative), booking status, cancellation history and added co-players. (e) Reviews and bookmarked venues if you use those features. (f) Feedback you send through the app or website (category, description, optional error message). (g) Technical and log data: IP address, device and browser type, app version, device identifier, system language, time and date of access. (h) Push notification data: Expo push token and platform (iOS/Android), needed to deliver notifications. For venue owners who use recurring bookings on behalf of customers who do not have an account, the owner may enter that customer's name, email and phone - in that case the owner is the controller for that data and Klikteren is only a processor acting on the owner's behalf.

3. Legal basis for processing

We process your personal data on the following bases: (a) Contract: to perform our contract with you (e.g. to create and manage your account, process bookings, connect you with venues and communicate about your use of the Service). (b) Legitimate interests: to operate, secure and improve the Service, prevent abuse and fraud, safeguard the platform and defend our rights, where not overridden by your interests. (c) Consent: where we have asked for your consent (e.g. access to camera or photo library for your profile picture, push notifications). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. (d) Legal obligation: where we must process data to comply with applicable law (e.g. accounting and tax duties of owners, security law obligations).

4. How we use your data

We use your data to: provide, maintain and improve the Service; create and manage your account and profile; process bookings and communicate with you, your co-players and Venue Owners about them; send booking confirmations, change notifications and reminders before the slot starts (push notifications and in-app notifications); enable social play and friend invites; operate the warning and penalty-point system to protect other players and venues; respond to your enquiries, feedback and support requests; enforce our Terms of Use and prevent fraud and misuse; comply with legal obligations; and monitor and fix technical errors on the platform. We may occasionally send summary notifications about your activity (e.g. a weekly or monthly overview) for engagement. We may also use aggregated or anonymised data for analytics and product improvement.

5. Sharing and disclosure of data

We may share your data in the following cases. (a) With Venue Owners and their staff: as necessary to fulfil your booking (e.g. full name, phone and booking details) and to contact you when needed. (b) With other players: your name, profile picture and availability may be visible to players you share a booking with or who have your invite link. (c) With trusted service providers that process data on our instructions: Supabase (database hosting, authentication and image storage), Resend (transactional email delivery), Expo (push notification delivery - which in turn relies on Apple APNs and Google FCM), Google (Sign in with Google), Apple (Sign in with Apple), Sentry (error tracking and stability monitoring), Upstash (rate limiting and abuse protection) and OpenStreetMap Nominatim (geocoding of venue addresses). All these processors are bound by confidentiality and data protection obligations. (d) For legal reasons: when required by law, court order or a competent authority, or when we believe disclosure is necessary to protect our rights, user safety or to prevent fraud. We do not sell your personal data to third parties and we do not use it for cross-site advertising.

6. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Account and profile data are retained while your account is active. You can initiate account deletion yourself from the profile in the mobile app - we then delete your authentication record and profile picture, and the bookings you created are retained in anonymised form necessary for the history of slots and venues. Push tokens are deactivated and deleted on sign-out or account deletion. Booking and transaction data may be retained for the period required by law (e.g. accounting and tax rules). Log and technical data are retained for a limited period for security, analytics and debugging.

7. Your rights

Depending on your jurisdiction (including under the GDPR if you are in the EEA/UK and the Serbian Personal Data Protection Act), you may have the right to: access your personal data; rectify inaccurate data (most fields you can update yourself in the app profile); request erasure ("right to be forgotten") - account deletion is available self-service from the app; restrict processing; data portability; object to processing based on legitimate interests; withdraw consent where processing is based on consent; and lodge a complaint with a supervisory authority (in Serbia: the Commissioner for Information of Public Importance and Personal Data Protection). To exercise rights that are not available self-service (e.g. data export), contact us at the email on the Contact page. We will respond within the time limits set by applicable law (e.g. up to one month under the GDPR).

8. Cookies and similar storage

On the website we use strictly necessary cookies and browser local storage - for authentication, session handling, security and remembering your chosen language. In the mobile app we use the device's secure storage for session tokens and selected preferences. We do not use advertising cookies or technologies that track you across other websites. You can delete or block necessary cookies in your browser settings, but doing so may affect your ability to sign in or use the Service.

9. International transfers of data

Your data is primarily processed within the European Union and the European Economic Area, where our main processors operate (Supabase EU region, Resend, Upstash, Sentry). Some service providers (e.g. Expo and the push service operators Apple APNs and Google FCM) may process data on servers outside the EEA, including in the United States. In such cases we rely on adequate safeguards provided by law, including the European Commission's Standard Contractual Clauses.

10. Children

The Service is not intended for users under 16 years of age. Only users who are at least 16 (or the age of legal capacity in their jurisdiction) can create an account on their own; younger users require parental or guardian consent. If we learn that an account was created by a child without the required consent, we will deactivate the account and delete the submitted data. If you are a parent or guardian and believe your child has created an account without your consent, please contact us.

11. Mobile app specifics

The Klikteren mobile app may request the operating system for access to certain device features: (a) Camera and photo library - solely for uploading a profile picture; photos are uploaded to the storage we use (Supabase Storage). (b) Notifications - to deliver push notifications about bookings, co-player invitations and pre-slot reminders; you can disable notifications at any time in your system settings. (c) Technical device data (model, OS version, device identifier and app version) that is associated with the push token to reliably deliver notifications. The app does not use your device GPS location, does not access phone contacts and does not track you across other apps. Sign-in with Apple ID and Google account uses the official SDKs of those providers; their processing is governed by their privacy policies.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on the Service and update the "Last updated" date. Where required by law or where changes materially affect how we use your data, we will notify you by email or through the Service before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact

For any questions about this Privacy Policy or our handling of your personal data, or to exercise your rights, please contact us at the email address provided on the Contact page. We will respond as required by applicable data protection law.