Privacy Policy
Last updated: 2026-06-03
Introduction
This Privacy Policy explains how ShuttlSync ("we", "us") collects, uses, stores, and shares personal data when you use ShuttlSync (the "Service") — including our website at shuttlsync.com and any native mobile apps that load the Service.
We are the data controller for personal data processed through the Service. If you have questions, contact us at contact@shuttlsync.com.
This policy is written for users in the United Kingdom and the European Economic Area (EEA). It describes your rights under UK GDPR and EU GDPR where they apply to you.
What the Service covers
ShuttlSync helps recreational badminton clubs run sessions, track matches, skill ratings, and related statistics. Features may include club membership, live scoring, session history, optional club subscriptions, optional linking of health or fitness workouts after sessions, and optional AI-generated session summaries.
Some features are only available to signed-in members of a club. Club administrators and moderators can access additional operational data about their club as described below.
Personal data we collect
Account and profile: email address; password (stored by our authentication provider as a secure hash); display name; optional bio; language preference; profile photo (uploaded by you or from Google sign-in); account creation and sign-in timestamps.
Club membership and play data: clubs you join; your role (member, moderator, session manager, admin); player profile linked to your account; match results, skill rating changes, games played and sat out; session dates, notes, and optional community recap text; RSVP responses; club announcements you read or that moderators publish.
Data visible to other club members: within a club, other members typically see your display name, avatar, bio, and statistics derived from matches (for example wins, losses, skill rating). Moderators and admins see additional roster and operational information needed to run the club.
Club administration: club name and description; invite codes; venue names and coordinates entered by admins (not continuous GPS tracking of your device); billing status for club subscriptions.
Payments (club billing admins only): when a club admin sets up a subscription, we send the billing contact email to Stripe and store Stripe customer and subscription identifiers and status in our database. We do not store full payment card numbers.
Cookies and similar technologies: authentication session cookies; a cookie remembering your selected club; a language cookie for guests; a short-lived cookie used during Google sign-in. See the Cookies section below.
Analytics (production website only): aggregated page views and web performance metrics via Vercel Analytics and Speed Insights. Our custom analytics events are designed not to include your name, email, user id, or club identifiers.
Optional health and fitness data: if you use a supported mobile app and choose to link a workout, we may store workout identifiers, times, heart rate samples (downsampled), calories, distance, and derived per-match metrics. This data is visible only to you in the Service unless you choose to share information outside the app.
Optional AI summaries: if enabled for a session, we may send match statistics and player display names to OpenAI to generate a short explanatory text, which we cache. You can still see factual stats without using this feature.
We do not operate an in-app contact form, marketing email list, or browser localStorage-based tracking. We do not collect your device's GPS location for tracking; venue coordinates are entered manually by club admins.
How we use your data and legal bases
We process personal data for the following purposes and legal bases under UK GDPR / EU GDPR:
Providing the Service (contract / steps at your request): creating and managing your account; authenticating you; operating club features you use; storing match and session data; displaying your profile and stats to your club; syncing optional workout data you link.
Club subscriptions (contract / legal obligation): processing club billing through Stripe; keeping records of subscription status; communicating about payment failures where needed.
Security and abuse prevention (legitimate interests): protecting accounts, investigating misuse, and maintaining service integrity, balanced against your rights.
Analytics and product improvement (legitimate interests): understanding how the Service is used in aggregate in production, without identifying you in custom event properties.
Health and fitness linking (consent): reading and storing workout-related data only when you initiate linking and grant permission on your device. You can withdraw consent by not using the feature and requesting deletion of stored workout data.
Optional AI explanations (legitimate interests or consent depending on configuration): generating non-binding narrative summaries from match facts. These do not replace human decisions about membership or play.
Legal compliance: where we must retain or disclose data to comply with law or respond to valid requests from authorities.
Club visibility and member content
Badminton clubs on the Service are shared spaces. Information you add to your player profile or that is generated from matches in a club is generally visible to other members of that club according to the product design.
Club moderators and admins can manage rosters, sessions, venues, announcements, and membership. They should only use member data for legitimate club administration.
If you leave a club or delete your account, visibility and retention are handled as described in the Data retention section.
Health and fitness data
Workout and heart-rate data are special category data under UK/EU law. We only process this data when you explicitly choose to link a workout from Apple Health (HealthKit) or Android Health Connect after a club session, and only for showing you summaries and statistics inside the Service.
Linked workout data is stored in our database with access restricted so that only your account can read your own workout records.
You can stop future collection by not using the link feature and revoking HealthKit or Health Connect permissions on your device. To delete data already stored, contact us at the email below.
App store listings may require additional disclosures; this policy is the canonical description of how we handle health-related data in the Service.
Payments
Club subscription payments are processed by Stripe, Inc. Card details are collected and stored by Stripe, not on our servers.
We receive and store subscription status, billing period dates, Stripe customer and subscription identifiers, and the email used for the Stripe customer record.
Stripe's privacy policy applies to payment processing: https://stripe.com/privacy
Club admins can manage payment methods through the Stripe Customer Portal where available.
Service providers and international transfers
We use trusted processors who handle data on our instructions:
Supabase (authentication, database, file storage, realtime) — hosts and processes account and club data.
Stripe — payment processing and subscription management.
Vercel — website hosting, analytics, and speed insights in production.
Google — OAuth sign-in when you choose "Sign in with Google".
OpenAI — optional generation of session rating explanations when the feature is enabled.
Apple and Google — health platforms on your device; we receive data you authorize through their APIs.
Some providers may process data in the United States or other countries outside the UK/EEA. Where required, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or adequacy decisions. You may request more information about transfers by contacting us.
Data retention
We keep personal data for as long as needed to provide the Service and for legitimate business purposes thereafter.
Account data: retained while your account is active. If you delete your account or ask us to erase data, we will delete or anonymize personal data within a reasonable period, except where we must retain it for legal, security, or dispute reasons.
Club and match history: may remain visible to the club until removed by club admins or until account/club deletion processes apply.
Billing records: retained as needed for tax, accounting, and Stripe reconciliation, typically for the period required by applicable law.
Workout and AI summary data: retained until you delete it, delete your account, or we no longer need it for the purpose collected.
Server logs and analytics: kept for limited periods according to our hosting and analytics providers' defaults.
Security
We use industry-standard measures including encryption in transit (HTTPS), access controls, and row-level security in our database so users can only access data permitted by their club role.
Payment card data is handled by Stripe. We do not store full card numbers in our database.
No method of transmission or storage is completely secure. If you believe your account has been compromised, contact us promptly.
Your rights
Depending on where you live, you may have the following rights regarding your personal data: access; rectification; erasure; restriction of processing; data portability; objection to processing based on legitimate interests; withdrawal of consent where processing is based on consent (without affecting prior lawful processing).
To exercise your rights, email contact@shuttlsync.com. We may need to verify your identity before responding. We aim to respond within one month, or longer where permitted by law for complex requests.
You may also use in-product account settings to update your display name, bio, language, and avatar where available.
If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk.
If you are in the EEA, you have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or where an alleged infringement occurred.
Automated processing and skill ratings
The Service calculates skill ratings and statistics from match results using defined rules. These outputs affect in-app statistics only and do not have legal or similarly significant effects on you outside the Service.
Optional AI-generated session explanations are descriptive text based on match facts. They are not used as the sole basis for decisions about your legal rights or club membership.
Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16 without appropriate parental authority.
If you believe a child has provided us personal data without consent, contact us and we will take steps to delete it.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the new version on this page and update the "Last updated" date.
For material changes, we may provide additional notice (for example in the app or by email where appropriate). Continued use of the Service after changes take effect means you accept the updated policy, subject to your rights under applicable law.
Contact us
Data controller: ShuttlSync.
Privacy enquiries and data subject requests: contact@shuttlsync.com.
Postal address: available on request — email us if you need it for a formal request.
