Privacy Policy

Introduction

Wymatch ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform for organizing padel and pickleball matches.

Information We Collect

Personal Information

When you create an account, we collect:

• Email address (for authentication and communication)
• Full name (for display within groups)
• Profile picture (for display within groups)
• Gender (for display within groups)
• Playing preferences (e.g., preferred court side)

Gameplay Data

As you use Wymatch, we collect:

• Match results and scores
• Player ratings and rating history
• Session attendance and sign-up history
• Group membership information

Technical Data

We automatically collect certain technical information, including browser type, device information, and IP address for security and service improvement purposes.

How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve Wymatch services
• Authenticate your account and keep you signed in
• Generate balanced match pairings based on skill ratings
• Calculate and update player ratings after matches
• Display leaderboards and statistics within your groups
• Send important service-related communications
• Respond to your inquiries and support requests

Cookies and Local Storage

Wymatch uses essential cookies and local storage to:

• Authentication cookies: Keep you signed in securely (provided by Supabase)
• Preference storage: Remember your cookie consent choice

We do not use cookies for advertising, tracking, or analytics purposes. All cookies used are strictly necessary for the functioning of the service.

Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

• Within your groups: Your name, ratings, and match history are visible to other members of groups you join
• Service providers: We use Supabase for authentication and data storage
• Legal requirements: When required by law or to protect our rights

Third-Party Services

We use the following third-party services:

• Supabase: Database, authentication, and backend services.View Supabase Privacy Policy
• Vercel: Hosting and deployment services.View Vercel Privacy Policy

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

For All Users

• Access your personal data through your profile settings
• Update or correct your information at any time
• Delete your account and associated data

For EU/UK Residents (GDPR)

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to data portability
• Right to restrict processing
• Right to object to processing

For California Residents (CCPA)

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (note: we do not sell personal information)
• Right to non-discrimination for exercising your rights

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal purposes. Match results and ratings may be retained in anonymized form for statistical purposes.

Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Transport & Network Security

• HTTPS/TLS encryption: All data in transit is encrypted. HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age and preloading, ensuring browsers always connect over HTTPS.
• Content Security Policy (CSP): A strict CSP header limits which scripts, styles, and resources the browser may load, reducing the risk of cross-site scripting (XSS) attacks.
• Referrer Policy: Set to strict-origin-when-cross-origin to prevent sensitive URL information from leaking to third-party sites.

Application Security

• CSRF protection: All data-modifying API endpoints validate that requests originate from the same host, blocking cross-site request forgery attacks.
• Clickjacking prevention: The X-Frame-Options: DENY and frame-ancestors 'none' CSP directive prevent the app from being embedded in iframes on other sites.
• MIME-type sniffing prevention: The X-Content-Type-Options: nosniff header prevents browsers from interpreting files as a different MIME type than declared.
• Permissions Policy: Access to sensitive browser APIs — including camera, microphone, and geolocation — is explicitly disabled at the HTTP header level.
• X-Powered-By header removed: Server technology information is not disclosed in HTTP responses.

Database Security

• Row Level Security (RLS): Enforced at the database level via Supabase so users can only read or write records they are authorized to access.
• Encryption at rest: Your data is stored encrypted in Supabase-managed PostgreSQL databases.
• Parameterized queries: All database interactions use parameterized queries to prevent SQL injection.

Children's Privacy

Wymatch is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. When we transfer your data, we ensure appropriate safeguards are in place to protect your information.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise any of your rights, please contact us at:

Email: privacy@wymatch.com