Back to bajada.app

Bajada Privacy Policy

Version 1.0 - Effective 19 May 2026

1. Who we are

Bajada is operated by Bajada Padel Limited, a company registered in England and Wales under company number 17199949 (view our Companies House record). This policy explains how we collect, use, store and share personal data when you use the Bajada iOS app or the bajada.app website.

If you have questions or want to exercise any of your data rights, contact us at [email protected].

For UK GDPR purposes the data controller is Bajada Padel Limited.

2. Data we collect

You provide directly

• Account: email, name (from Sign in with Apple or Sign in with Google), profile photo (optional).
• Padel profile: self-declared starting rating (0.0 to 7.0), home city, optional play preferences (handedness, preferred court side, best shot).
• Age confirmation: timestamp recording when you confirmed you are 18 or older during onboarding. We do not store your date of birth.
• Match data: scores you report, score confirmations from your opponents.
• League data: leagues you have joined, divisions, and payment status when a league charges an entry fee.
• Community content: posts and comments you make in club or league community spaces.
• Communications: messages to other players, support emails.
• Notification preferences: which push notification categories you have opted in or out of, and your "do not disturb" window if you set one.
• Mailing list: email address, only if you submit the sign-up form on bajada.app (double opt-in; confirmation email required before we add you to the list).

We collect automatically

• Device data: device type, OS version, app version, language.
• Device push token: when you opt in to notifications, so we can deliver them.
• Usage data: feature usage, screen views, session duration. Only after you opt in to analytics.
• Crash data: stack traces, device state at the time of crash. Only after you opt in to analytics.
• Approximate location: from the IP address of API requests, used for fraud signals and to default the city field at signup if you do not set one.

Sensitive data we do NOT collect

Bajada does not request or store special-category personal data (race, religion, political views, sexual orientation, biometric, health) beyond what you voluntarily put in your bio. We do not collect your date of birth, your home address, or your precise GPS coordinates.

3. Why we use your data and on what legal basis

Under UK GDPR Article 6 we rely on the following bases:

• Performance of a contract (Art. 6(1)(b)): running your account, leagues, communities, match scheduling and scoring, processing a league entry payment when there is a fee.
• Legitimate interests (Art. 6(1)(f)): fraud and abuse investigation, service announcements that are not marketing, the geofenced "new league in your city" push (which respects your notification preferences).
• Consent (Art. 6(1)(a)): product analytics (PostHog), crash reports (Sentry), the mailing list, and any future direct-marketing communication. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Legal obligation (Art. 6(1)(c)): tax record retention, response to lawful information requests, compliance with the Online Safety Act 2023.

4. Who we share data with

We use the following data processors. Each is contractually bound to handle your data lawfully under a UK-GDPR-compliant data-processing agreement.

• Supabase (database, auth, storage) - West Europe (London) region.
• Stripe Payments UK Ltd - payment processing when you pay a paid league entry fee. Stripe is a separate data controller for payment data; we receive only the payment status and the last 4 digits of the card.
• Apple - Sign in with Apple, Apple Push Notification service.
• Google LLC - Sign in with Google.
• PostHog (EU) - product analytics. Only used after you opt in.
• Sentry - crash reporting. Only used after you opt in.
• Postmark (ActiveCampaign LLC) - transactional email (sign-up confirmations, mailing list confirmations, account-recovery emails).
• Cloudflare - Turnstile bot-defence on web forms, edge caching for bajada.app static assets.
• Other players in your league or community - your profile name, photo, ELO and recent match results are visible to other players in leagues and communities you have joined.

5. International transfers

Primary data (account, profile, matches, leagues, communities) is stored on Supabase in the UK / EU region. Some processors (Stripe, Apple, Google, Postmark, Cloudflare, PostHog, Sentry) operate globally; transfers outside the UK rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or on UK adequacy regulations for the recipient country.

6. Retention

• Account, profile, league entries, communities: kept while your account is active. Deleted within 30 days of an account deletion request.
• Match results: kept indefinitely so league history remains coherent. If you delete your account, your name is replaced with "Deleted Player" on the public-facing leaderboard and your matches stay attached to that label.
• Payment records: kept for 7 years (HMRC requirement).
• Consent logs (analytics opt-in, age confirmation, push opt-ins): kept indefinitely as audit trail.
• Analytics events (PostHog): 12 months on our current plan; we will update this section if we upgrade to a longer-retention plan.
• Crash reports (Sentry): 30 days on our current plan; same update note as above.
• Push delivery logs: 30 days.
• Admin alert audit log (player removals, abuse reports): 7 years.

7. Your rights (UK GDPR Articles 15 to 22)

You can:

• Access a copy of your data (Art. 15) - in-app "Export my data" button in Settings, or by emailing us.
• Correct inaccurate data (Art. 16) - via Settings or by emailing us.
• Delete your account and personal data (Art. 17) - in-app Delete Account button.
• Restrict processing (Art. 18) - email us.
• Receive your data in a portable format (Art. 20) - same as Art. 15.
• Object to processing based on legitimate interest (Art. 21) - email us.
• Withdraw analytics consent at any time - Settings → Privacy.
• Unsubscribe from the mailing list at any time - unsubscribe link in every email.

We will respond to data-rights requests within one month, in line with Art. 12(3). You can complain to the UK Information Commissioner's Office at ico.org.uk if you think we have mishandled your data.

8. Children

Bajada is for users aged 18 and over. We collect a confirmation timestamp at sign-up and do not knowingly process data from anyone under 18. If you believe a person under 18 has signed up, contact us and we will delete the account.

9. Security

We use industry-standard encryption in transit (TLS 1.2+) and at rest. Postgres row-level security ensures one user cannot read another user's private data via the client API. Payment card data is handled exclusively by Stripe and never reaches our servers. Service-role credentials are stored in Supabase Vault.

10. Cookies (website)

The bajada.app website uses essential cookies only. We use Cloudflare Turnstile on the contact and mailing-list forms; Turnstile sets a strictly necessary cookie to verify the request is not from a bot. There are no advertising or cross-site tracking cookies on the site.

11. Direct marketing

We do not send marketing email or push messages without your explicit consent. The mailing list on bajada.app is double opt-in: you submit your email, we send a confirmation link, and only once you click it do we add you to the list. Every marketing email contains a one-click unsubscribe link.

12. Automated decision-making

Bajada does not make decisions about you that have legal or similarly significant effects using fully automated processing. Auto-placement into a league division based on your declared ELO is automated but is reviewable by you (you can ask to be re-seated by emailing us) and does not have significant effect.

13. Changes to this policy

We will notify you of material changes via the app and by email at least 14 days before the new version takes effect. Your continued use of Bajada after the effective date is acceptance of the revised policy. The version number and effective date at the top of this page are kept current.

14. Contact

Email [email protected]
Bajada Padel Limited, London, United Kingdom.