Privacy Policy

The data controller depends on the specific data:

• Controller for data provided in the context of a specific tournament (name, email, optional phone, availability and tournament results): the administrator of the club that created the tournament (hereinafter the "Organising Club"). PadelCortex acts here as data processor under Article 28 GDPR, processing the data on behalf of the Organising Club.
• Controller for data processed on PadelCortex's own initiative (cross-tournament ELO ranking aggregated by email, platform security, service improvement, billing): Alejandro Sanchez Ferrer, owner of PadelCortex. Full identification details are available in the Legal Notice.

For privacy queries relating to PadelCortex as a platform please write to info@padelcortex.app. For queries about data from a specific tournament, contact the Organising Club through the email shown on the public tournament page.

In the context of organising padel tournaments, PadelCortex may process the following categories of personal data:

• Player's name and surname.
• Email address.
• Availability declared by the player for match scheduling purposes.
• Match results and standings (internal ELO ranking).

No special category data within the meaning of Article 9 GDPR is collected.

Processing of your data rests on the following legal bases set out in Article 6 GDPR:

• Performance of a contract or pre-contractual measures (Art. 6.1.b): necessary to manage your participation in the tournament, schedule matches, and communicate results. This basis also covers administrator account management and SaaS platform operation.
• Consent (Art. 6.1.a): for sending optional marketing communications or notifications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legitimate interests (Art. 6.1.f): for maintaining the cross-tournament ELO ranking, platform security and service improvement, provided those interests are not overridden by your fundamental rights and interests.

Your data is used exclusively to:

• Manage your participation in padel tournaments organised through PadelCortex.
• Schedule matches based on declared availability and generate the competition draw.
• Send tournament notifications (schedules, results, call-ups).
• Maintain a cross-tournament ELO history for future participations.

Your data may be accessed by the following service providers acting as data processors or sub-processors:

• Vercel Inc. (hosting and CDN, USA): the web application is served via Vercel's infrastructure, which provides adequate safeguards for international transfers through Standard Contractual Clauses (SCCs) adopted by the European Commission and Vercel's certification under the EU-US Data Privacy Framework (DPF). Privacy policy: https://vercel.com/legal/privacy-policy
• Neon Inc. (PostgreSQL database): Neon hosts the database within the European Union (eu-central-1 region) with encryption at rest and in transit, so no international transfer occurs. Privacy policy: https://neon.tech/privacy
• Resend Inc. (transactional email delivery, USA): used to send registration confirmations and notifications to players and organisers. Transfers to the USA are covered by SCCs and by Resend's certification under the EU-US Data Privacy Framework. Privacy policy: https://resend.com/legal/privacy-policy

Web fonts are served from our own domain (self-hosted via next/font), so no runtime requests are made to Google Fonts servers.

No data is shared with third parties for commercial purposes or transferred internationally outside the safeguards required by Articles 44-49 GDPR. A Data Processing Agreement (DPA) is executed with each processor under Article 28 GDPR through the provider's portals or consoles.

Personal data is retained for as long as necessary to fulfil the purpose for which it was collected:

• Tournament and participation data: for the active duration of the tournament and up to 12 additional months after it ends (cross-tournament ELO maintenance and future participation facilitation).
• Activity logs: up to 30 days from generation, unless a legal obligation requires longer retention.
• Backups: up to 90 additional days after production data has been deleted.
• Contact form enquiries: up to 24 months from the last exchange, unless it leads to a contractual relationship or a longer legal retention duty applies.
• Billing and tax data: for the period required by applicable tax and commercial legislation (minimum 5 years under Art. 30 of the Spanish Commercial Code and 4 years under the General Tax Law).

After the applicable periods, data will be anonymised or securely deleted.

Under the GDPR you have the right to:

• Access (Art. 15): obtain confirmation as to whether we process your data and access it.
• Rectification (Art. 16): correct inaccurate or incomplete data.
• Erasure, "right to be forgotten" (Art. 17): request deletion of your data when it is no longer necessary or you withdraw consent.
• Objection (Art. 21): object to processing based on legitimate interests or for direct marketing.
• Restriction of processing (Art. 18): request that we restrict processing while a challenge regarding accuracy or lawfulness is resolved.
• Portability (Art. 20): receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller where processing is based on consent or a contract and is carried out by automated means.
• Not to be subject to automated decision-making (Art. 22): not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. The internal ELO ranking calculation and the automatic generation of match schedules are algorithmic processes, but they do NOT constitute Art. 22 GDPR decisions because they do not produce legal effects or significantly affect you: they are sporting and logistical outputs reviewable by the organiser. If PadelCortex implements AI systems making automated decisions with significant effects in the future, you will be informed in advance and human intervention will be made available.

PadelCortex is not directed at children under 14. Under Article 8 GDPR and Article 7 LOPDGDD (Organic Law 3/2018), the minimum age to consent to the processing of personal data in information society services in Spain is 14 years.

Where a player is under 14, the tournament organiser (Organising Club) must obtain and retain verifiable consent from the holder of parental responsibility before submitting the minor's data through the platform. PadelCortex does not collect date of birth in the public registration form; it is the Organising Admin's responsibility to verify participants' age when the tournament includes youth categories.

If we become aware that data of a child under 14 has been collected without appropriate consent, we will delete it as soon as possible. You can request deletion by emailing info@padelcortex.app.

You may exercise any of the above rights by emailing info@padelcortex.app with the subject "Data Protection" and stating the right you wish to exercise along with the information needed to identify you.

All notification emails include an unsubscribe link so you can opt out of communications immediately.

If you believe our processing of your data does not comply with applicable law, you have the right to lodge a complaint with your local supervisory authority. In Spain: Agencia Española de Protección de Datos (www.aepd.es).

Appropriate technical and organisational measures are in place to ensure a level of security commensurate with the risk, including:

• Encryption in transit (TLS 1.2 or higher) for all communications with the platform and infrastructure providers.
• Encryption at rest of the database managed by the hosting provider (Neon).
• Administrator passwords stored as bcrypt hashes (cost factor 12), never in plain text.
• Authenticated sessions using HS256-signed JWTs stored in HttpOnly, Secure, SameSite=Lax cookies.
• HTTP security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
• Per-club access control: each administrator can only access data for the clubs they are linked to.
• Rate limiting on public forms (contact, registration, unsubscribe) to mitigate automated abuse.
• Encrypted backups with up to 90 days of retention managed by the database provider.
• Periodic dependency review and security audit of the code base.

In the event of a security breach that may pose a risk to the rights and freedoms of data subjects, PadelCortex will notify the Spanish Data Protection Agency within 72 hours in accordance with Article 33 GDPR, and will inform affected users when the breach results in a high risk (Art. 34 GDPR).