Privacy Policy
This Privacy Policy describes how OpenTennis ("we", "us", "our"), operated as a sole proprietorship by Dawid Dereszewski, collects, uses, discloses, and protects your personal data when you visit or use our website at https://opentennis.net (the "Service"). We comply with the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), Polish data protection laws, and other applicable privacy laws.
1. Data Controller and Contact Information
Data Controller:
- Name: Dawid Dereszewski (OpenTennis)
- Legal Form: Sole Proprietorship (Einzelpersonfirma)
- Address: Im Walder 25, 8702 Zollikon, Switzerland
- Email:
- Data Protection Officer:
Country-Specific Services:
2. Personal Data We Collect
2.1 Account and Profile Information
- Full name, email address, hashed password
- Selected playing locations and tennis skill level
- Profile information related to tennis abilities and preferences
- Age verification data (minimum 16 years or parental consent)
- Communication preferences and language settings
2.2 Payment and Billing Information
- Transaction details (amount, date, payment status)
- Billing addresses (collected and stored by Stripe)
- Payment method metadata (no full card numbers stored by us)
- VAT/tax identification numbers where applicable
- Invoice and receipt information
2.3 Service Usage Data
- Aggregated analytics via Cloudflare (no personal identifiers)
- Feature usage patterns and service interactions
- Error logs and diagnostic information (anonymized)
- Session duration and frequency of use
2.4 Communication Data
- Support ticket transcripts via Crisp
- Email correspondence records
- Chat logs and customer service interactions
- Feedback and survey responses
2.5 Authentication Data
- Google account identifier (when using "Login with Google")
- Facebook account identifier (when using "Login with Facebook")
- OAuth tokens for authentication purposes only
- Session identifiers and security tokens
2.6 Technical Data
- Cookie preferences and session identifiers
- Browser preferences and local storage data
- IP addresses (processed only by Cloudflare, not stored by us)
- Device and browser information (anonymized)
3. How We Use Your Data
3.1 Service Provision (Article 6(1)(b) GDPR - Contract Performance)
- User authentication and account management
- Delivery of core tennis matching services
- Processing payments and managing subscriptions
- Providing customer support and technical assistance
3.2 Service Improvement (Article 6(1)(f) GDPR - Legitimate Interest)
- Analyzing usage patterns to improve functionality
- Debugging and resolving technical issues
- Developing new features and services
- Ensuring service security and fraud prevention
3.3 Legal Compliance (Article 6(1)(c) GDPR - Legal Obligation)
- Maintaining records as required by Swiss and Polish law
- Responding to lawful requests from authorities
- Complying with tax and accounting obligations
- Fraud detection and prevention
3.4 Marketing Communications (Article 6(1)(a) GDPR - Consent)
- Sending promotional emails and service announcements
- Providing information about new features and updates
- Market research and customer satisfaction surveys
- Note: You can withdraw consent at any time via Account Settings
4. Legal Basis for Processing
We process your personal data based on:
4.1 Swiss FADP Compliance
- Consent: Explicitly obtained for marketing communications and non-essential cookies
- Contract Performance: Account management, service delivery, and payment processing
- Legitimate Interest: Service improvement, security, and fraud prevention
- Legal Obligation: Record-keeping and compliance with Swiss commercial law
4.2 GDPR/Polish Law Compliance
- Article 6(1)(a): Consent for marketing and optional features
- Article 6(1)(b): Contract performance for core services
- Article 6(1)(c): Legal obligations under Swiss and Polish law
- Article 6(1)(f): Legitimate interests for security and service improvement
5. Data Sharing and Third-Party Processors
We work with carefully selected processors who provide adequate data protection:
Processor | Purpose | Location | Safeguards |
---|---|---|---|
Cloudflare | CDN, DDoS protection, hosting | Global (EU/US) | Standard Contractual Clauses |
Crisp | Customer support chat | EU | GDPR Compliant |
Stripe | Payment processing | Global (EU/US) | PCI DSS, SCCs |
Ably | Real-time messaging | Global (EU/US) | Standard Contractual Clauses |
Amazon SES | Email delivery | EU/US | AWS Data Processing Agreement |
Proton | Secure email communication | Switzerland | Swiss data protection |
OpenStreetMap | Map services | Global | Open source, minimal data |
PostHog | Usage analytics | EU | GDPR Compliant |
5.1 Data Protection Safeguards
- Standard Contractual Clauses (SCCs) for non-EU processors
- Adequacy Decisions where available (Switzerland, UK)
- Additional Technical Safeguards: encryption, access controls, regular audits
- Processor Agreements: All processors bound by data protection agreements
5.2 No Data Sales
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
6. International Data Transfers
6.1 Transfer Mechanisms
Your data may be processed in:
- Switzerland: Recognized as adequate by EU Commission
- EU/EEA: Direct GDPR protection
- Other jurisdictions: Only with appropriate safeguards (SCCs, adequacy decisions)
6.2 Polish-Specific Transfers
For Polish users, cross-border transfers comply with:
- Chapter V of GDPR (Articles 44-49)
- Polish Data Protection Authority guidance
- Additional safeguards for sensitive data categories
7. Cookies and Tracking Technologies
7.1 First-Party Cookies
- Essential Cookies: Session management, authentication, security
- Preference Cookies: Language settings, user interface preferences
- Third-Party Cookies: Only with user consent
7.2 Cookie Consent (Swiss/Polish Requirements)
- Essential cookies: No consent required (legitimate interest)
- Preference cookies: Consent obtained through cookie banner
- Marketing cookies: Explicit consent required
- Analytics cookies: Explicit consent required
- Cookie Management: Available in browser settings and our privacy center
7.3 Local Storage
- Session tokens and temporary data
- User preferences and settings
- No persistent tracking identifiers
8. Data Retention Periods
8.1 Standard Retention Periods
- Account Data: Duration of account + 7 years (Swiss commercial law)
- Payment Records: 10 years (Swiss/Polish tax law requirements)
- Support Communications: 2 years or until deletion request
- Marketing Consent Records: Until consent withdrawal + 3 years (proof of compliance)
- Security Logs: 12 months maximum
8.2 Early Deletion
You may request earlier deletion of your data, subject to:
- Legal retention requirements
- Ongoing contractual obligations
- Legitimate business interests (fraud prevention)
9. Your Privacy Rights
9.1 Rights Under Swiss FADP
- Right to Information: Confirmation of processing and copy of data
- Right to Rectification: Correction of inaccurate data
- Right to Deletion: Erasure of data (with legal limitations)
- Right to Restrict Processing: Limitation of processing activities
- Right to Object: Opposition to processing based on legitimate interests
9.2 Additional Rights Under GDPR (Polish Users)
- Right to Data Portability: Receive data in structured, machine-readable format
- Right to Withdraw Consent: For consent-based processing
- Right Not to Be Subject to Automated Decision-Making: (Not applicable - we don't use automated profiling)
9.3 Exercising Your Rights
- Contact:
- Response Time: Within 30 days (GDPR) or 30 days (Swiss FADP)
- Verification: Identity verification may be required
- Free of Charge: Rights exercised free of charge (unless requests are excessive)
9.4 Right to Complain
You may lodge complaints with:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
- Poland: President of the Personal Data Protection Office (UODO)
- EU/EEA: Your local Data Protection Authority
10. Data Security Measures
10.1 Technical Safeguards
- Encryption: AES-256 encryption in transit (TLS 1.3) and at rest
- Access Controls: Role-based access with multi-factor authentication
- Network Security: Firewall protection and intrusion detection
- Regular Security Audits: Quarterly security assessments
10.2 Organizational Measures
- Staff Training: Regular data protection training for all personnel
- Data Minimization: Collection limited to necessary purposes
- Purpose Limitation: Data used only for specified purposes
- Regular Reviews: Annual privacy impact assessments
10.3 Breach Notification
In case of a data breach:
- Supervisory Authority: Notification within 72 hours where required
- Individual Notification: Direct notification if high risk to rights and freedoms
- Swiss Requirements: Notification to FDPIC for high-risk breaches
- Polish Requirements: Notification to UODO as per GDPR requirements
11. Marketing Communications and Consent
11.1 Consent Management
- Explicit Consent: Required for all marketing communications
- Granular Choices: Separate consent for different communication types
- Easy Withdrawal: One-click unsubscribe in all marketing emails
- Consent Records: Maintained for compliance demonstration
11.2 Communication Types
- Service Communications: Essential notifications (cannot opt-out)
- Marketing Emails: Promotional content (consent required)
- Product Updates: Feature announcements (consent required)
- Surveys: Customer feedback requests (consent required)
12. Automated Decision-Making and Profiling
We do not engage in:
- Automated individual decision-making with legal effects
- Profiling that significantly affects users
- Algorithmic scoring for service access decisions
Any automated processing is limited to:
- Basic user matching based on stated preferences
- Fraud detection systems (human review required for account restrictions)
13. Special Categories of Personal Data
We do not intentionally collect special categories of personal data (health, biometric, etc.). If such data is inadvertently provided:
- Immediate identification and isolation
- Deletion unless explicit consent provided
- Additional security measures applied
- Special handling procedures activated
14. Children's Privacy Protection
14.1 Age Restrictions
- Minimum Age: 16 years (Swiss FADP and GDPR)
- Parental Consent: Required for users under 16
- Age Verification: Implemented during registration
- Special Protections: Enhanced privacy measures for users under 18
14.2 Parental Rights
Parents/guardians of users under 16 may:
- Access their child's personal data
- Request rectification or deletion
- Withdraw consent for processing
- Exercise all privacy rights on behalf of the child
15. Cross-Border Data Sharing
15.1 Swiss-Polish Data Flows
For users accessing both country-specific services:
- Data minimization principles applied
- Separate consent for cross-border features
- Additional encryption for international transfers
- Regular compliance reviews
15.2 Third-Country Transfers
All transfers to countries outside Switzerland/EU:
- Adequacy decision or appropriate safeguards required
- Additional contractual protections
- Regular monitoring of third-country privacy laws
- Contingency plans for adequacy decision changes
16. Privacy by Design and Default
16.1 Design Principles
- Data Minimization: Collect only necessary data
- Purpose Limitation: Use data only for stated purposes
- Storage Limitation: Retain data only as long as necessary
- Privacy-Friendly Defaults: Most privacy-protective settings by default
16.2 Regular Reviews
- Annual Privacy Audits: Comprehensive review of all processing activities
- Impact Assessments: For new features or processing activities
- Policy Updates: Regular updates to reflect legal and operational changes
- Staff Training: Ongoing privacy education for all team members
17. Country-Specific Provisions
17.1 Swiss Users (opentennis.net/ch)
Additional protections under Swiss FADP:
- Data Processing Register: Maintained as required by Swiss law
- Cross-Border Transfer Notifications: To FDPIC where required
- Swiss Court Jurisdiction: For legal disputes
- FDPIC Consultation: For high-risk processing activities
17.2 Polish Users (opentennis.net/pl)
Additional protections under Polish implementation of GDPR:
- UODO Registration: Where required for high-risk processing
- Polish Language: Privacy notices available in Polish
- Local Representative: Available for Polish regulatory matters
- Polish Consumer Rights: Additional protections under Polish consumer law
18. Updates to This Privacy Policy
18.1 Change Notification
- Email Notification: 30 days advance notice for material changes
- Website Notice: Prominent notice on service homepage
- Version Control: Previous versions available upon request
- Consent Re-collection: Where required for material changes
18.2 Continued Use
Continued use of the service after changes constitutes acceptance, unless:
- Material changes require new consent
- Legal requirements mandate explicit acceptance
- User objects to changes and terminates service
19. Contact Information and Data Protection
19.1 Privacy Inquiries
- General Privacy Questions:
- Data Subject Rights:
- Data Protection Officer:
- Response Time: Within 30 days of receipt
19.2 Regulatory Authorities
Switzerland:
- Federal Data Protection and Information Commissioner (FDPIC)
- Website: https://www.edoeb.admin.ch/
- Address: Feldeggweg 1, 3003 Bern, Switzerland
Poland:
- President of the Personal Data Protection Office (UODO)
- Website: https://uodo.gov.pl/
- Address: ul. Stawki 2, 00-193 Warsaw, Poland
European Union:
This Privacy Policy is effective as of the date listed above and governs your use of OpenTennis services. By using our service, you acknowledge that you have read, understood, and agree to this Privacy Policy.