PadelRanks — Privacy Policy

PadelRanks is an iOS and Android app that gives padel players access to national federation rankings, international pro rankings, tournaments, club information and a Danish "Find a Match" community. The app's federation-backed ranking and tournament data covers 18 countries:

For Denmark specifically, the underlying ranking data is owned and maintained by the Dansk Padel Forbund (DPF) — the Danish Padel Federation — and hosted on the Rankedin platform. We access this data through Rankedin's public API but the data controller for the ranking records themselves is DPF, not Rankedin or us.

We take your privacy seriously and only process the data strictly required for the app to function.

1. Data we process

1.1 Location data

If you grant permission, PadelRanks uses your location on your device to calculate the distance between you and padel tournaments and clubs, and to verify that you are physically located in Denmark when you sign in to the Find a Match feature (see §1.5). Your location is never sent to our own servers as a stored record. Outgoing requests to third-party tournament providers (see §3) only include your coordinates when you explicitly run a location-based search — and only as anonymous latitude/longitude, never your identity. (Playtomic tournament requests use fixed, app-defined city coordinates — not your location; see §3.1.) If you deny the location permission, the rankings and tournament parts of the app still work — distance simply isn't shown — but the Find a Match feature is unavailable because we cannot confirm you are in Denmark.

1.2 No federation login

The rankings, tournament and club parts of PadelRanks are entirely read-only and require no Rankedin or FIP account. You can browse all 18 countries without signing in to anything. We do not store federation credentials and there is no login form for Rankedin or FIP in the app.

You can optionally "claim" your own player profile by searching for your name in the Rankedin or FIP public player database — this selection is stored only on your device and contains no credentials.

1.3 Federation data (rankings, tournaments, clubs, profiles)

The app displays rankings, tournament results, player profiles and club information from the sources in §3. Most of this data — RankedIn rankings, team leagues, player profiles and player matches, tournaments, and FIP player rankings and the FIP Premier calendar — is fetched through our own backend (see §3), which retrieves it from the sources, caches it, and serves it to the app. A few requests still go directly from your device to the source — for example RankedIn team-league search and some FIP player-search and player-profile pages. In all cases the data is also held briefly in the app's on-device cache (AsyncStorage) for performance.

1.4 Player profile photos displayed in the app

Profile photos of other players shown in rankings and profile screens are sourced from the public APIs of Rankedin and the International Padel Federation (FIP) — they are not hosted by us. Photo availability varies by player and by country; where a photo is not available we display a generated avatar with the player's initials. The image URLs themselves are requested directly from the third-party CDN by your device and are cached on-device for performance. No personal identifier is attached to those requests.

1.5 Find a Match account and content (Apple / Google sign-in, posts, comments)

The "Find a Match" feature requires you to sign in with Apple or Google. When you do, PadelRanks receives and stores the following on our backend (Supabase — see §3):

• A Supabase user id (random UUID) — used to identify your account.
• The email address returned by Apple or Google. Apple users may choose to share a relay email instead of their real address; we accept whichever form Apple returns.
• Your chosen display name — the name shown on your posts. You set this on first sign-in. You can edit it later.
• Your chosen Danish postal code — used to scope which posts you see and to attach a postcode to posts you create.
• The content of any post or comment you create — the message text, your selected level range, your match date, and the optional time text.
• Your "I'm in" joins on other users' posts.
• A rough one-time location check at sign-in confirming you are in Denmark. We do not store your exact GPS coordinates — only the boolean result of the country check is associated with your account, and only at sign-in time.

We do not receive or store your Apple or Google password — the sign-in itself happens on Apple's / Google's servers, and we only receive the resulting identity token.

The Find a Match feature is currently restricted to users physically located in Denmark.

1.6 Push notifications (optional)

If you opt in to notifications, we collect an Expo push token (an opaque per-device identifier from Expo's push service) and store it in our Supabase backend with your notification preferences, so the server can deliver notifications when the app is closed.

Player-specific match notifications (pre-match, post-match, rank-change) are sent only for a small, curated list of professional players — players whose competitive activity is part of their public profession (e.g. FIP-tour professionals) — and for one profile you may designate as your own ("my profile"), stored locally on your device. We do not send player-specific notifications about other amateur or recreational players, regardless of their ranking position. Following any player is always possible and contributes only to an anonymous follower count (§1.7); following a non-professional player never triggers push notifications about that person.

Goal-progress notifications about your own tracked goal are calculated on your device and concern only you. You control all notifications through OS-level permission and the in-app bell settings, and can revoke at any time by signing out, switching notifications off, or revoking OS permission.

Team-match notifications for league teams you follow (e.g. Lunar Ligaen and the other federation team leagues we list in §1) are delivered as local notifications scheduled on your device when you tap the heart on a team. They are strictly aggregate at the team level: each notification carries only the team's name, the opponent team's name, the kick-off date and time, and the venue. They never name individual players, and they never report individual rubber or match results — even though such information is publicly displayed by the federations on the same source pages we read for the schedule itself. Inside the app you may see those individual scores as a passive display of public federation data; the push surface deliberately does not. You can stop these notifications for any team at any time by tapping the heart again to unfollow — we cancel every scheduled reminder for that team immediately, in addition to the OS-level and in-app controls above.

1.7 Follower counts (anonymous)

PadelRanks shows a small follower count next to each player in the rankings, search results, player profile and "Following" list — a number indicating how many other PadelRanks users follow that player. To compute this count we store one row per follow on our backend (Supabase — see §3) with:

• The player id being followed (an opaque identifier from the federation: Rankedin or FIP).
• An anonymous device identifier — a random UUID v4 generated on your device on first launch and persisted locally. It is not derived from your name, email, Apple ID, Google ID, location, IP address or any other personal information. It exists only so the same device cannot inflate a player's count and so you can unfollow later.
• A timestamp of when the follow was created.

The anonymous device identifier is never returned to any client — only the aggregate count (e.g. "134 followers") is visible to other users, and is the only value the server's public API ever emits. Row-level security blocks any direct read of the underlying table.

If you uninstall and reinstall the app your device receives a new anonymous identifier; your previous follows orphan in the database and continue to contribute to counts until removed (see §5 Erasure).

The follower-count feature works for both Rankedin- and FIP-backed players across all 18 countries and does not require sign-in.

1.8 Legal basis for processing (GDPR Article 6)

The lawful bases under GDPR Article 6(1) that we rely on are:

• Federation rankings, tournament results and public player profiles (display) — Article 6(1)(f) legitimate interests. Our legitimate interest is to make padel rankings and tournament results — already published by the national federations (DPF, FIP) and their platform (Rankedin) on publicly accessible pages without login — searchable in a single app, quickly and without overloading the source servers. To do this our backend fetches and caches the latest version of each resource (player names, ranking positions, results as published at source) and also retains historical snapshots of this public data on our server (see §3.2 and §4). We surface no more than the sources display publicly. We are aware that Rankedin has indicated it does not endorse or authorise third-party use of its data; we have weighed this and rely on the public, login-free nature of the source data and the limited, non-transformative display, while honouring takedown requests (§5) and removing data at source-deletion. We do not build profiles of which players a given user views — although, like any internet service, our backend keeps standard technical request logs (including IP address) for operating the service (§3.2). Player-specific push notifications are a separate, more active processing and are therefore restricted to professional players and the user's own designated profile only (§1.6).
• Find a Match account, posts, comments and "I'm in" joins — Article 6(1)(b) performance of a contract. When you sign in via Apple or Google to use Find a Match, you create an account with us and we process your account record, your posts and your interactions in order to provide that service to you.
• Push notifications (Find a Match, §1.6) — Article 6(1)(a) consent. Push delivery for Find a Match notifications only happens after you have explicitly opted in via the in-app notification settings. You can withdraw this consent at any time by switching off notifications.
• Followed-team match notifications (§1.6) — Article 6(1)(a) consent for delivery to you (you opt in by both granting OS-level notification permission and tapping the heart on a specific league team), and Article 6(1)(f) legitimate interests for the lightweight processing of the federation-published team-match schedule used to compose the notification. Our legitimate interest is to relay aggregate, team-level fixture information (team name, opponent team name, kick-off date/time, venue) that the federations themselves publish on the public team-league pages. The notification body never names individual players or reports individual match results — only the team identifier, opponent and kick-off time — so no individual data subject is implicated by the push surface. All scheduling happens locally on your device; we do not store the followed-team list on our backend.
• Followed-player notifications (§1.6.1) — Article 6(1)(a) consent for delivery to you (you opt in by both granting OS-level notification permission and explicitly tapping follow on a specific player), and Article 6(1)(f) legitimate interests for the processing of the third-party player's federation-published data used to compose the notification. Our legitimate interest is to relay publicly-published padel data — tournament registrations, match results and ranking movements — to people who have explicitly asked to follow that data. Every notification corresponds to data the federations themselves publish on rankedin.com and padelfip.com that any internet user could read by visiting those sites; the value PadelRanks adds is convenience (it polls for the user), not exposure of new information. We have weighed this interest against the rights of the data subjects: the underlying data is federation-published material already on public display; PadelRanks does not transform, aggregate, infer about or commentate on it (the notification text reproduces the same competitor names and competition results the federation site shows); the notification is generated locally on the user's device by a polling task that hits the same public endpoints the rest of the app uses; we do not store the user's follow list on our backend; the user must affirmatively grant OS-level permission AND tap follow for each player, both of which they can revoke at any time per-player or globally; the notifications carry no location data, no contact data and no information the publishing federations do not themselves display; and any player whose name appears in such notifications can request takedown at any time by contacting us (see §5 — Right to object), which applies across the app's entire follow/notification surface.
• Location-based distance / Denmark presence check — Article 6(1)(a) consent. Location is only accessed after you have granted the OS-level permission. The Denmark presence check at Find a Match sign-in stores only the boolean result, never your coordinates.
• Follower counts (anonymous) — Article 6(1)(f) legitimate interests. Our legitimate interest is to give padel players a lightweight social signal (how many other users in the community follow each player) — a feature widely expected in modern sports apps. We have weighed this interest against the rights of the data subjects: the device identifier is anonymous and not derivable from any PII; the underlying table is invisible to clients (only aggregate counts are exposed, via a SECURITY DEFINER RPC); follow events do not target identified natural persons (they reference public federation player IDs that we do not own); and you can request deletion of your device's follow records at any time — see §5.
• Security, abuse-prevention and account-deletion auditing — Article 6(1)(f) legitimate interests (preventing abuse of the Find a Match feature, retaining minimal logs to respond to deletion requests).

A documented legitimate-interest balancing test is available on request to Juliancilea@gmail.com.

2. Data we do not collect

3. Third-party data sources and processors

PadelRanks communicates with the following services. Most read-only padel data is fetched through our own backend (api.padelranks.online, hosted on Hetzner in the EU), which retrieves it from the sources below, caches it, and serves it to the app — this covers RankedIn (rankings, team leagues, player profiles, player matches and tournaments), FIP (the Premier calendar and player rankings), and place-name geocoding. A few requests still go directly from your device to the source — for example RankedIn team-league search, certain FIP player-search / player-profile pages, and all Playtomic tournament requests (§3.1). The Find a Match feature uses Supabase (§3.2).

3.1 Read-only data sources (rankings, tournaments, clubs)

• Dansk Padel Forbund (DPF) — the Danish Padel Federation. DPF is the controller of the Danish ranking records, tournament results and player registrations we display for Denmark. The data is published by DPF on the Rankedin platform (see next bullet). DPF website: dansk-padel.dk
• Rankedin — Rankedin is DPF's technology provider and also hosts national rankings, tournaments and player profiles for the other 12 Rankedin-backed countries listed in the introduction. We read Rankedin's public endpoints on api.rankedin.com mainly through our backend, which caches the responses (see §3.2); a few calls, such as team-league search, are still made directly from your device. Rankedin privacy policy: rankedin.com/privacy
• FIP (Federación Internacional de Pádel) — global pro rankings, international tournament calendar and player profile pages for Spain, Mexico, Argentina, Italy and France. FIP is the controller of these records. FIP player rankings and the FIP Premier calendar are fetched through our backend (refreshed roughly every 6 hours; see §3.2). Some FIP pages are still read directly by your device: FIP's public WordPress REST API at padelfip.com/wp-json/fip/v1/... (including the circuit-stats endpoint that exposes recent finals per player), FIP player search, and lightweight HTML scraping of FIP's public player-profile pages at padelfip.com/player/{slug}/ for fields that aren't exposed by the REST API. We only read endpoints that are publicly accessible without authentication. FIP privacy policy: padelfip.com/privacy
• Playtomic — an optional tournament catalogue covering 60+ further countries (for example Spain, Italy, France, the Netherlands, the United States, Mexico and Brazil). When you switch the tournament feed to the Playtomic catalogue, your device requests publicly listed tournaments directly from Playtomic's public API (api.playtomic.io). These requests contain only fixed, app-defined city coordinates for the country you picked — never your own location, your identity or any account data — and nothing about you is stored with Playtomic by us. Playtomic privacy policy: playtomic.com/privacy-policy
• OpenStreetMap / Nominatim — used by our backend for forward-geocoding of place names into map coordinates, so the app can show the distance to a club or tournament. Only the place name and country are sent — never your identity or your own location — and requests are rate-limited per OpenStreetMap's usage policy. If the backend is unavailable, your device's own operating-system geocoder (Apple / Google) is used as a fallback. OpenStreetMap Foundation privacy policy: osmfoundation.org

3.2 Our backend and data processors

• PadelRanks backend (api.padelranks.online, hosted on Hetzner in the EU) fetches and caches the public federation data we display: RankedIn (rankings, team leagues, player profiles, player matches, tournaments) and FIP (Premier calendar and player rankings), plus place-name geocoding via OpenStreetMap/Nominatim. Each successful fetch is stored as a snapshot in a database, so the backend holds a rolling history of these public-data snapshots (player names, ranking positions and results, as published at source) — not only the latest copy. It stores no user accounts and no Find-a-Match / app-user data — only cached public source material. Images are not stored on the backend; only the source image URLs are kept, and your device fetches the images directly. The backend keeps standard technical server logs (your IP address, the requested URL — which can indicate the player or tournament being looked up — timestamp and user-agent) for operating and debugging the service. The API is read-only and requires no login.
• Supabase (Supabase Inc., hosted in Frankfurt, Germany — EU region) acts as our data processor for the Find a Match feature and for anonymous follower-count tracking (§1.7). Supabase stores your account record, posts, comments, "I'm in" joins, push subscription and the anonymous follow rows inside a Postgres database hosted in the EU and is contractually bound by GDPR-compliant data-processing terms. Supabase privacy policy: supabase.com/privacy
• Apple Sign-In (Apple Inc.) — only used for authentication. Apple's privacy policy: apple.com/legal/privacy
• Google Sign-In (Google LLC) — only used for authentication. Google's privacy policy: policies.google.com/privacy
• Expo Push Service (650 Industries, Inc.) — delivers push notifications to APNs / FCM on our behalf. Expo privacy policy: expo.dev/privacy

We run a single backend (above) that caches the public federation data and performs geocoding; all Find a Match account data lives in Supabase. The original padel data is owned and published by the third-party providers listed above — our backend holds cached copies and snapshots of it for performance.

4. Retention

• On-device cache (rankings, tournaments, clubs, photos): cleared on uninstall, or whenever the app's normal cache-eviction logic decides. You can also clear it by reinstalling.
• Backend cache and snapshots (public RankedIn / FIP data on our server): short-lived cache entries expire automatically (typically 30 minutes to 24 hours). Each successful fetch is also stored as a historical snapshot of the public source data; these snapshots currently accumulate over time. Server access logs (IP address, requested URL, timestamp, user-agent) are kept for operating and debugging the service. No user accounts, Find a Match data or app-user profiles are stored on this backend.
• Find a Match posts and comments: each post automatically expires 7 days after it is created and is deleted from the database. Comments and "I'm in" joins on a post are deleted together with the post.
• Find a Match account record (display name, postal code, user id, email, push token): retained until you delete your account (see §5).
• Follower-tracking rows (anonymous device id + player id + timestamp): retained indefinitely so global follower counts remain stable across sessions. You can request deletion of your device's follow records — see §5 (Erasure).

5. Your rights (GDPR + UK GDPR + Swiss DPA)

You have the following rights under the GDPR. Article references are to the EU GDPR; equivalent rights exist under the UK GDPR and Swiss DPA.

• Access — Article 15. For the on-device parts of the app, all your data lives on your device. For the Find a Match feature, write to Juliancilea@gmail.com and we will provide a copy of the data associated with your account.
• Rectification — Article 16. You can edit your display name and postal code in the app at any time.
• Erasure ("right to be forgotten") — Article 17.
  • On-device data: uninstall the app and all local data is wiped.
  • Find a Match account and content: you can delete your account and all posts/comments inside the app (Find a Match → bell icon → "Delete account"), or by writing to Juliancilea@gmail.com. Deletion is final — your Find a Match user record, posts, comments, "I'm in" joins and push subscription are removed from Supabase, as is the corresponding entry in auth.audit_log_entries.
  • Removal of your public player profile: PadelRanks displays read-only data published by the federations themselves (DPF / Rankedin / FIP). The original records are owned and controlled by the federations; our backend keeps cached copies and snapshots of this public data for performance (§3.2). To have your player profile removed you must request deletion at the source: contact Rankedin (info@rankedin.no) or your national federation directly. Once the federation deletes your record, PadelRanks stops returning it on the next data refresh, and we will purge the corresponding cached copies and snapshots from our backend on request (write to the address below).
  • Anonymous follower records (§1.7): because the device identifier is not tied to any personal account, the in-app path is to unfollow individual players (each unfollow removes the corresponding row immediately). To delete ALL follow records originating from your device, write to Juliancilea@gmail.com and include your anonymous device id from Settings → Privacy → "Your anonymous device id". We will delete the matching rows from Supabase within 30 days of receipt.
• Restriction — Article 18. You can ask us to restrict processing of your Find a Match account while a dispute is investigated.
• Portability — Article 20. You can export your Rankedin data directly from rankedin.com. For Find a Match data, write to Juliancilea@gmail.com for a JSON export.
• Object — Article 21. You can object at any time to our processing of your data on the basis of legitimate interests (§1.8). For PadelRanks-side processing (your Find a Match account or anonymous follower-tracking rows), write to Juliancilea@gmail.com. For federation-published data we surface, see the "Removal of your public player profile" point above — the federations are the source controllers.
• Withdraw consent — Article 7(3). You can sign out of the Find a Match feature at any time from the bell-icon settings sheet. You can also revoke Apple / Google's authorisation in your Apple ID / Google Account settings. Switching off notifications in-app revokes your push consent.
• Complaint — Article 77. You can file a complaint with your national Data Protection Authority (e.g. Datatilsynet in Denmark, IMY in Sweden, BfDI in Germany, DSB in Austria, AEPD in Spain, Garante in Italy, CNIL in France, ICO in the UK) if you believe your rights have been infringed.

6. Children (GDPR Article 8)

PadelRanks's Find a Match feature is not directed at and may not be used by children under the age of 16. At Find a Match sign-up we require an explicit in-app confirmation that the user is 16 years of age or older. This is higher than the Danish digital-consent age of 13 (GDPR Article 8(1)) and is set deliberately to avoid processing the personal data of younger users without parental consent. Apple's and Google's sign-in flows additionally enforce platform-level minimum age requirements.

We do not knowingly collect data from children under 16 via Find a Match. If you believe a child under 16 has created a Find a Match account, please contact us at Juliancilea@gmail.com and we will delete the account and associated content.

The non-Find-a-Match parts of the app (rankings, tournaments, clubs) do not ask any user, of any age, for personal data or an account — they are a read-only display of data already published by the national padel federations (DPF, FIP, etc.) on their own public web pages. (As with any internet service, the backend that serves this data keeps technical request logs — see §3.2.) The federations are the controllers of the displayed data and are responsible for any age-related publication decisions about their members.

7. Security

Communication with all third-party APIs and with Supabase is encrypted with TLS. Find a Match data inside Supabase is protected by row-level security (RLS) — you can only read and write your own posts, comments, joins and push subscriptions, and the database refuses any operation that violates this. Follower-tracking rows (§1.7) are protected by the same row-level security mechanism — the underlying table is fully blocked from direct client reads, and only the aggregate count is exposed via a SECURITY DEFINER RPC, so no client (including signed-in users) can enumerate which devices follow which players. We rely on Supabase's underlying security measures (encryption at rest, secure key management, regular backups) for the database itself.

8. International transfers

Our backend cache is hosted on Hetzner in the EU, and Supabase hosts the Find a Match database in Frankfurt, Germany — also inside the EU. Apple, Google and Expo may process authentication and push-delivery data outside the EU under their own GDPR-compliant transfer mechanisms.

9. Changes

Changes to this policy will be published on this page together with an updated effective date. Material changes (e.g. new categories of data, new processors) will be announced in the app before they take effect.

We will not broaden player-specific notifications beyond professional players and the user's own designated profile without updating this policy and announcing the change in-app before it takes effect.

10. Contact

Questions, deletion requests, or data exports? Write to Juliancilea@gmail.com.