Privacy Policy

1. Introduction

This Privacy Policy describes how Ace ("we," "our," or "us") collects, uses, and protects your personal information when you use our tennis community platform and related services. This policy applies to all services offered through our website, mobile applications, and related platforms (collectively, the "Service"). We process your personal data based on various legal grounds as described in Section 4 of this policy, including contract performance, legitimate interests, consent where required, and legal obligations. We adhere to the principles of data minimization (Article 5(1)(c) GDPR) and purpose limitation (Article 5(1)(b) GDPR) by collecting and processing only the data necessary for the respective purposes.

When you download our mobile app via the Apple App Store or Google Play, we and the respective store operator are jointly responsible for the initial data collection pursuant to Article 26 GDPR. The essence of this arrangement covers data phases required for provision and installation confirmation (in particular store account details, download timestamp, app/device identifiers such as a device ID for installation confirmation, and technical transaction metadata). We have no influence over any subsequent processing by the respective store operator; such processing is carried out under that operator's own data protection responsibility. Data subject rights regarding app-download processing can usually be exercised most effectively directly with Apple or Google.

2. Data Controller

3. Information We Collect

We may collect the following types of information:

• Personal Information: Name, email address, phone number, date of birth, profile picture, postal address, and other contact details you provide during registration or account updates.
• Profile Information: Tennis skill level, playing preferences, availability, match history, club affiliations, tournament participation, rankings, achievements, and other tennis-related information you choose to share.
• Usage Data: Information about how you use our platform, including matches played, messages sent, communities joined, events attended, booking history, search queries, feature usage, and other interactions with our Service.
• Device and Technical Information: IP address, browser type and version, device type and model, operating system, language preferences, referring URLs, access times, pages viewed, click-stream data, and other technical information about your device and internet connection.
• Location Data: With your explicit consent, we may collect precise or approximate location data through GPS, Wi-Fi, or IP address to suggest nearby players, courts, events, and clubs.
• Communication Data: Content of messages you send through our platform, support tickets, feedback, and other communications with us or other users.
• Payment Information: Payment method details, billing address, transaction history, and other financial information necessary to process payments (processed securely through our payment providers).
• Biometric Data: We optionally allow you to use your device's biometric authentication features (e.g., FaceID, TouchID) for sign-in. Use is voluntary and serves as an alternative to PIN entry. At no time do we have access to your raw biometric data; verification is performed exclusively locally on your device by the operating system.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Consent: Where you have given explicit consent for specific processing activities, such as marketing communications or location tracking.
• Contract Performance: Processing necessary for the performance of our contract with you, including account management and service provision.
• Legitimate Interests: Processing necessary for our legitimate business interests, including: (1) Improving and optimizing our services, platform functionality, and user experience through analytics and user behavior analysis; (2) Preventing fraud, abuse, and security threats to protect our users and platform integrity; (3) Ensuring network and information security, including detecting and responding to technical issues and cyberattacks; (4) Analyzing usage patterns to develop new features and enhance existing functionality; (5) Managing business operations and ensuring service continuity. We have balanced these interests against your privacy rights and will only process data on this basis where our interests do not override your fundamental rights and freedoms.
• Legal Obligation: Processing required to comply with legal obligations, such as tax reporting or responding to legal requests.
• Vital Interests: Processing necessary to protect vital interests of you or another person in emergency situations.
• Special Categories of Personal Data: Special categories of personal data are processed only with your explicit consent pursuant to Article 9(2)(a) GDPR. You may withdraw your consent at any time.

5. How We Use Your Information

We use the collected information for various purposes, including:

• Service Provision: To create and manage your account, authenticate users, provide our core services, process transactions, and deliver requested features.
• Player Matching: To connect you with compatible tennis players based on skill level, location, preferences, and availability using our matching algorithms.
• Communications: To send you service-related notifications, updates, security alerts, support messages, and respond to your inquiries.
• Platform Improvement: To analyze usage patterns, diagnose technical problems, conduct research, and enhance the functionality, performance, and user experience of our platform.
• Personalization: To customize content, features, and recommendations based on your preferences, behavior, and interactions with our platform.
• Marketing: With your explicit consent, to provide you with news, special offers, promotional materials, and information about other services, events, and features that may interest you.
• Security and Fraud Prevention: To detect, prevent, and respond to fraud, security threats, abuse, and other harmful activities that may affect our Service or users.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
• Analytics: To understand how our Service is used, measure performance, and generate insights to improve our offerings.

6. Data Storage and Security

We store and process your information using our self-hosted database infrastructure. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, access controls, regular security assessments, and staff training. Your data is primarily stored in secure data centers within the European Union. While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Account data is typically retained for the duration of your account plus 3 years after account deletion. Tax-relevant accounting records (in particular invoices and payment-related booking records) are retained for 10 years pursuant to § 147 AO. General business correspondence is generally retained for 7 years as a compliance and safety reserve. Applicant data is deleted after 6 months if no employment relationship is established and no consent for longer retention has been granted (aligned with AGG limitation periods). Usage analytics data is anonymized after 2 years. You can request earlier deletion of your data by contacting us, subject to legal retention requirements.

8. Data Sharing and Disclosure

We may share your information in the following circumstances:

• Other Users: Your profile information, match history, and tennis-related data are visible to other users as necessary for the functioning of our platform. You can control the visibility of certain information through your privacy settings.
• Service Providers: Third-party vendors who provide services on our behalf, such as payment processing (Stripe), email delivery, data analysis, and customer support. These providers are contractually bound to protect your data.
• Legal Requirements: When required by law, court order, subpoena, or governmental authority, or when we believe disclosure is necessary to protect our rights, property, or safety, or that of our users or the public.
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the involved parties. We will notify you of any such change in ownership or control.
• With Your Consent: We may share your information for other purposes with your explicit consent.

9. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, you have the following rights regarding your personal data:

• Right of Access: You can request copies of your personal data that we hold, including information about how it is processed.
• Right to Rectification: You can ask us to correct inaccurate or incomplete personal data.
• Right to Erasure ('Right to be Forgotten'): You can request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the original purpose.
• Right to Restriction of Processing: You can ask us to restrict the processing of your personal data in certain situations.
• Right to Data Portability: You can ask us to transfer your personal data to another organization or directly to you in a structured, commonly used, and machine-readable format.
• Right to Object: You can object to our processing of your personal data for direct marketing purposes or when processing is based on legitimate interests.
• Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant impacts. Our platform uses ELO-based local sorting recommendations and match suggestions to help display suitable tennis players based on factors such as skill level, location, playing preferences, availability, and match history. The algorithm provides suggestions only; there is no exclusivity in which players may be viewed, and you can manually override, adjust, or disable filters at any time. These calculations are an optional regional filtering and sorting aid, do not produce legal effects, and do not constitute deep or extensive systematic monitoring. Notwithstanding this, pursuant to Article 22(3) GDPR, you may request human intervention at any time, express your point of view, and request a review; you may also object to this type of processing. Please contact us at admin@playace.de.
• Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent by contacting us at admin@playace.de or through your account settings where applicable (e.g., marketing preferences).
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law. The supervisory authority responsible for us is the State Commissioner for Data Protection of Lower Saxony (LfD Niedersachsen), Prinzenstraße 5, 30159 Hannover, Germany (www.lfd.niedersachsen.de). However, you may also contact the supervisory authority in your country of residence.

To exercise any of these rights, please contact us at admin@playace.de. We will respond to your request within 30 days and may need to verify your identity before processing your request. These services are provided free of charge, except in cases of manifestly unfounded or excessive requests.

10. Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to enhance your experience, analyze usage patterns, and provide personalized content. Cookies are small text files stored on your device. You can control cookie settings through your browser preferences or our cookie consent banner, but disabling certain cookies may limit some functionality of our Service.

The storage of information on the end user’s terminal equipment or the access to information already stored on the terminal equipment is carried out on the basis of § 25(1) TDDDG (Telecommunications Digital Services Data Protection Act), provided the end user has given consent on the basis of clear and comprehensive information. For technically essential cookies that are strictly necessary to provide a service explicitly requested by you, storage or access is carried out on the basis of § 25(2) TDDDG. The GDPR applies as a legal basis only for the subsequent processing of personal data collected through cookies or comparable technologies (in particular Art. 6(1)(a) GDPR for consent, Art. 6(1)(f) GDPR for legitimate interests).

You can manage your cookie preferences at any time through our cookie settings banner or by contacting us. Your consent preferences are stored locally on your device and can be changed at any time. Where technically available, we take browser privacy signals such as Global Privacy Control (GPC) into account when controlling consent-based tracking features.

11. Profiling and Match Suggestions

Our platform uses profile-based data processing to provide local sorting recommendations and match suggestions. This involves:

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include: (1) The nature of the breach; (2) The categories and approximate number of data subjects and records concerned; (3) The likely consequences of the breach; (4) The measures we have taken or propose to take to address the breach. We will also provide guidance on steps you can take to protect yourself, such as changing passwords or monitoring your accounts. We maintain comprehensive security measures and incident response procedures to prevent and address data breaches.

13. International Data Transfers

Your information may be transferred to and processed in countries outside the European Economic Area (EEA) where data protection laws may differ. When we transfer your data outside the EEA, we ensure appropriate safeguards are in place. For data transfers to the United States, we primarily rely on the adequacy decision (EU-U.S. Data Privacy Framework), as our third-party services such as Stripe and Sentry are certified under this framework. Additionally, we use Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms. We primarily store data within the EEA through our EU-based service providers.

14. Children's Privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect, use, or disclose personal information from children under 16 without the required consent. Under German law (BDSG), individuals aged 16 and above can consent to data processing themselves. For individuals between 13 and 15 years, parental consent is required. Individuals under 13 may not use the Service. If we become aware that we have collected personal information from a child under 16 without the required consent, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

15. Third-Party Services and App Stores

Our Service may contain links to third-party websites, applications, or services that are not owned or controlled by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services before providing them with your personal information.

16. Hosting

Our Service is hosted on servers provided by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. When accessing our website or using our Service, the hosting provider automatically processes information transmitted by your browser. The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of our Service).

We have concluded a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR with IONOS SE. This agreement ensures that IONOS processes the personal data of our website visitors and users only in accordance with our instructions and in compliance with the GDPR.

17. Collection of General Data and Information (Server Log Files)

Our web server automatically stores so-called server log files with each access by default. These include the IP address of the accessing computer, date and time of access, name and URL of the retrieved file, the web browser used, the operating system, and the referring page (referrer URL). This data is processed exclusively to ensure trouble-free operation and to improve the IT security of our systems.

The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in the IT security and trouble-free operation of our systems).

These server log files are automatically deleted after 14 days, unless further retention is required for evidentiary purposes in the event of specific security incidents.

18. Bunny.net

We use the Content Delivery Network (CDN) of BunnyWay d.o.o., Dunajska cesta 165, 1000 Ljubljana, Slovenia (Bunny.net) to increase the security and delivery speed of our website. This corresponds to our legitimate interest (Art. 6 para. 1 lit. f GDPR). A CDN is a network of distributed servers capable of delivering optimized content to website users. For this purpose, personal data may be processed in server log files by Bunny.net. Please refer to Section 16 “Hosting” for further information.

Bunny.net is a recipient of your personal data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR in not operating a Content Delivery Network ourselves.

You have the right to object to the processing. Whether the objection is successful must be determined in the context of a balancing of interests.

The processing of the data specified in this section is neither legally nor contractually required. The functionality of the website is not guaranteed without the processing.

Your personal data will be stored by Bunny.net for as long as is necessary for the described purposes.

For more information on how to object to and remove data from Bunny.net, please visit: Bunny.net DPA / GDPR

Bunny.net is an EU-based company and has implemented compliance measures for international data transfers. For more information on sub-processors and data transfer safeguards, please visit: Bunny.net GDPR & Sub-processors

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and, where required by law, by sending you a notification via email or through our Service. We encourage you to review this policy periodically. Your continued use of our Service after any changes indicates your acceptance of the updated policy.