Privacy Policy

Last updated: May 6, 2026

1. Controller and contact

Controller within the meaning of the General Data Protection Regulation (GDPR): Yevhenii Serbul, Lutherstraße 82, 09126 Chemnitz, Germany

Email: yevheniiserbul@gmail.com

Phone contact details are available in the Impressum. No data protection officer has been appointed.

2. Scope of this Privacy Policy

This Privacy Policy applies to TennisRank, an online platform for people who play tennis. TennisRank can be used worldwide and provides features for user accounts, profiles, clubs, club memberships, ranking pyramids, challenges, matches, results, notifications, and the administration of these features.

This policy applies to the public website, the web app, the API, and the related technical services of TennisRank.

3. Legal bases for processing

We process personal data only where a legal basis exists. Depending on the feature, processing is based in particular on Art. 6(1)(b) GDPR where processing is necessary to provide the user account and TennisRank features; Art. 6(1)(f) GDPR where we have a legitimate interest in secure operation, abuse prevention, error analysis, and platform improvement; Art. 6(1)(c) GDPR where legal obligations apply; and Art. 6(1)(a) GDPR where you give consent, for example for optional cookies or analytics.

Where we store information on your device or access information on it, we also observe Section 25 TDDDG. Strictly necessary storage is used without prior consent where it is required to provide the digital service explicitly requested by the user. Optional categories are activated only after consent.

4. Categories of personal data

Depending on how you use TennisRank, the following data in particular may be processed:

  • Account data: email address, password hash, email verification status, user ID, creation and update timestamps.
  • Profile data: first name, last name, LK ranking, preferred language, avatar URL, and a future voluntary “About me” field.
  • Club and competition data: clubs, memberships, roles, join codes, pyramids, positions, challenges, matches, results, statuses, and event histories.
  • Communication data: email communication, verification and password reset emails, notification preferences, in-app notifications, and technical delivery information.
  • Security and log data: IP address, user agent, timestamps, technical request data, failed login attempts, rate-limit counters, honeypot signals, and audit logs.
  • Cookie and consent data: consent version, decision timestamp, and selected categories.

5. User account, profile, and authentication

For registration, login, email verification, password change, password reset, email change, and session management, we process the account and security data required for these purposes. Passwords are not stored in plain text; they are processed as hashes.

After login, TennisRank uses a technically necessary HttpOnly refresh-token cookie to keep the session secure. This cookie currently has a lifetime of 7 days and is deleted on logout.

Profile data such as first name, last name, LK ranking, preferred language, avatar, and the planned “About me” field are used to display the player profile and provide club, ranking, and match features. Voluntary profile data can be left empty or changed later where the feature allows this.

6. Clubs, roles, rankings, challenges, and matches

TennisRank processes club and competition data so users can create or join clubs, manage memberships, play in ranking pyramids, send or respond to challenges, enter, confirm, or dispute match results, and follow ranking positions.

Club roles are OWNER, ADMIN, and MEMBER. There are also technical platform roles such as USER and OPERATIONS_ADMIN for platform operations. Roles and status values determine which features a user may use within a club or in platform operations.

Ranking positions, match results, challenge statuses, membership statuses, and relevant event histories may be visible to other authorized users, especially members of the same club and users with administrative rights based on their role.

7. Avatar upload and voluntary content

If you upload an avatar, we process and store the image file so it can be displayed in your profile and in club, member, pyramid, and match views. Avatar files are served through a backend-managed upload path.

The planned “About me” field is voluntary. If you add content there, it may be shown to other users depending on profile and club views. Please do not enter sensitive information there if you do not want other authorized users to see it.

8. Emails, notifications, and Brevo

TennisRank sends transactional emails, for example for email verification, password reset, email change, club memberships, challenges, matches, results, positions, or administrative messages. We use Brevo as our email service provider.

For sending emails, we may process in particular recipient address, language, subject, message text, technical delivery information, provider message ID, delivery status, error status, bounce or complaint information, and webhook data. This processing supports the platform, account security, and reliable delivery of necessary or user-enabled notifications.

Newsletters and marketing emails are not currently sent.

9. Abuse prevention, security, and audit logs

To protect the platform, we use backend rate limits, honeypot fields in public authentication forms, login protection, session boundaries, logs, and audit logs. This helps detect or limit abusive registrations, spam, automated requests, brute-force attacks, and unauthorized access.

Processing is based on our legitimate interests in security, stability, and abuse prevention and, where required, on performance of the contract with registered users.

10. Cookies, consent, and Umami analytics

TennisRank uses a cookie consent mechanism with the categories necessary, preferences, and analytics. Necessary cookies are always active because the service cannot be provided securely or with correct localization without them. Optional categories are disabled by default and activated only after your choice.

Current necessary cookies are tr_consent, which stores your consent choice for 180 days; NEXT_LOCALE, which stores the selected language for 1 year; and refreshToken, an HttpOnly session cookie for authenticated sessions with a 7-day lifetime.

Umami is planned for future web analytics, but it is not active yet. Even if you allow the analytics category, no Umami script is currently loaded and no Umami processing takes place. Before any later activation, the technical setup, the specific data categories, the retention period, and this Privacy Policy will be updated. Marketing pixels, tag managers, heatmaps, session recording, and CAPTCHA scripts are not currently planned.

11. Hosting, database, uploads, backups, and log files

TennisRank uses Hetzner for hosting and database operation. Data required for operating, securing, and delivering the platform may be processed on Hetzner infrastructure. Avatar uploads are served through backend-managed delivery.

Backups are created and currently retained for 7 days. Backups are used to restore the platform after technical incidents, data loss, or security events.

Server log files and technical logs are stored only as long as required for operation, security, error analysis, and abuse prevention. Longer retention may occur where necessary to investigate specific security or abuse incidents.

12. Recipients, processors, and third-country transfers

Personal data is shared with recipients only where this is necessary for the purposes described in this policy. Recipients may include hosting and infrastructure providers, email providers, technical service providers, and, where required, authorities or advisers in connection with legal obligations or legal enforcement.

Where service providers process personal data on our behalf, we conclude data processing agreements under Art. 28 GDPR. Where processing takes place outside the EU or EEA, it is based only on appropriate safeguards, such as EU Standard Contractual Clauses, adequacy decisions, or other mechanisms provided by law.

13. Retention, deletion, and account removal

We store personal data only for as long as necessary for the relevant purposes or for as long as statutory retention obligations, evidence interests, security interests, or legal enforcement justify longer storage.

An automatic account deletion feature is not yet available. If you want your account or specific data deleted, you can contact us by email. We will review the request and delete or anonymize data where no statutory or legitimate reasons require further retention.

Inactive accounts are not currently deleted automatically. Payment features are not currently active; this Privacy Policy will be updated before paid features are introduced.

14. Use by minors

TennisRank can be used by tennis players of different age groups. The platform is not specifically directed at children, but younger players may use it where this is legally permissible and, where required, with consent of their legal guardians.

Where processing is based on consent and the user cannot validly consent under applicable law, consent of the legal guardians is required. Legal guardians can contact us if they have questions about data of a minor user or want to exercise rights on that user’s behalf.

15. Rights of data subjects

Under the GDPR, you have in particular the right of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent with effect for the future.

To exercise your rights, you can contact us at yevheniiserbul@gmail.com. Please note that we may need to verify your identity to handle your request securely.

16. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. For the controller’s location in Saxony, the Saxon Data Protection and Transparency Commissioner is competent.

17. No automated decision-making and changes

TennisRank currently does not use automated decision-making within the meaning of Art. 22 GDPR and does not use profiling with legal or similarly significant effects.

We update this Privacy Policy when TennisRank, service providers, processing activities, retention periods, or legal requirements change.