Privacy Policy
Last updated: 10 May 2025
This Privacy Policy describes how the KORTY ONLINE platform available at kortyonline.pl (the Platform) collects, processes and protects your personal data. By using the Platform you confirm that you have read and understood these terms.
1. Data Controller
The data controller for your personal data is YASTUNING OÜ, registered at Pae 25-47, 11414 Tallinn, Estonia, company number 14016370, VAT number EE102354272. For all data-privacy enquiries please contact us at: [email protected].
2. Data We Collect
We collect the following categories of data:
- Account data: email address, full name, password hash.
- Player profile: city, phone number, profile photo, sport skill level, reliability score (0–100).
- Owner profile: company name, VAT number, address, contact details, company logo.
- Booking data: selected court, date and time, amount, attendance status.
- Billing data: company name, VAT number and address for invoice purposes.
The reliability score is automatically calculated from booking history and constitutes profiling under GDPR Art. 4(4). The score is visible to other users in the context of open games. Legal basis: Art. 6(1)(b) GDPR (performance of the matchmaking contract). You have the right to object to profiling under GDPR Art. 21 - contact: [email protected].
The score may affect the ability of other players to invite you to open games, which constitutes automated decision-making under GDPR Art. 22. You have the right to request human involvement in the decision-making process - contact: [email protected].
3. Technical and Payment Data
We collect the following technical data: the IP address (for security and logging purposes) and JWT tokens stored in the browser's localStorage.
Payment data is processed by Revolut, a PCI DSS Level 1 compliant operator. From Revolut's webhook we store only the last four digits of the card and its expiry month/year. Full card data (number, CVV) is never stored by KORTY ONLINE.
4. Legal Bases for Processing
We process your data on the following legal bases (Art. 6 GDPR):
- Performance of a contract (Art. 6(1)(b)) - account, bookings, matchmaking.
- Legitimate interests of the controller (Art. 6(1)(f)) - system security, event logging, fraud prevention.
- Legal obligation (Art. 6(1)(c)) - retention of invoices for 7 years under Estonian accounting law.
- Consent (Art. 6(1)(a)) - Google Analytics (you may withdraw at any time).
Regarding legitimate interests (Art. 6(1)(f)): the interest consists in ensuring the technical security of the Platform and protecting against fraudulent use. This interest prevails over the minimal privacy impact of retaining anonymised IP logs for 12 months.
5. Recipients and Data Transfers
We share data with the following third parties:
Transfers outside the EEA - basis: EU Standard Contractual Clauses (SCCs):
• Google LLC (USA) - OAuth authentication (email, name, Google ID; basis: Art. 6(1)(b) GDPR) and Google Analytics (analytics - only after your consent; basis: Art. 6(1)(a) GDPR). Google's Privacy Policy: policies.google.com/privacy.
• Cloudflare Inc. (USA) - Turnstile CAPTCHA security verification (session behavioural data transmitted); basis: legitimate interests (Art. 6(1)(f) GDPR).
Processors and recipients within the EEA:
• Revolut Ltd (United Kingdom - the UK is covered by EU adequacy decision No 2021/1772) - payment processing. Revolut acts as a data processor (Art. 28 GDPR) for payment execution on behalf of KORTY ONLINE, and as an independent controller for its own regulatory compliance (AML, fraud prevention). Revolut's Privacy Policy: revolut.com/legal/privacy.
• OpenStreetMap Foundation (United Kingdom) - map display and address geocoding (autocomplete); the UK is covered by an EU adequacy decision; no personal data beyond a standard HTTP request (IP address) is transferred.
• Geoapify GmbH (Germany, EU) - address geocoding and autocomplete when adding venues; address search queries and IP address are transmitted; basis: legitimate interests (Art. 6(1)(f) GDPR).
6. Cookies and localStorage
We use the following technologies:
- Cookie is_auth (own, technical) - informs the browser of an active session; validity 7 days; does not require consent.
- Google Analytics cookies _ga, _gat, _gid - analytics tracking; validity up to 2 years; require your consent.
- Cloudflare Turnstile cookies - security verification; session-based; do not require consent.
- localStorage: JWT access token (validity 5 minutes) and JWT refresh token (validity 7 days).
You can manage cookies in your browser settings.
7. Data Retention
We retain data for the following periods:
- User account - until deletion.
- Booking history - 3 years from the date of booking (legitimate interests, Art. 6(1)(f) GDPR - defence against claims within the general limitation period).
- Invoices and billing data - 7 years (legal obligation, Art. 6(1)(c) GDPR; Estonian accounting law, Raamatupidamise seadus). Personal data contained in invoices is anonymised upon account deletion - the invoice record itself is retained in anonymised form for the required period.
- Security logs - 12 months.
After these periods, data is deleted or anonymised.
8. Your Rights (GDPR)
Under the GDPR (Art. 15–22) you have the following rights:
- Access to your data.
- Rectification of inaccurate data.
- Erasure of data (right to be forgotten).
- Restriction of or objection to processing.
- Data portability in a structured format.
- Withdrawal of consent without affecting the lawfulness of prior processing.
- Right to object to profiling (Art. 21 GDPR) - applies to the reliability score.
- Rights related to automated decision-making (Art. 22 GDPR) - applies to the reliability score.
Submit requests to: [email protected] - you will receive a response within 30 days.
You have the right to lodge a complaint with the competent supervisory authority:
• Data protection (GDPR): Andmekaitse Inspektsioon (AKI), Estonia - aki.ee
• Consumer protection and electronic services: Tarbijakaitse ja Tehnilise Järelevalve Amet (TTJA), Estonia - ttja.ee
• Authority in your country of residence: e.g. the ICO (UK), UODO (Poland), or another national DPA
9. Data Security
We apply the following data protection measures:
- HTTPS encryption for all transmissions.
- Password hashing using Argon2.
- Short-lived JWT tokens.
- Account lockout after repeated failed login attempts.
- PCI DSS Level 1 compliance for payment card data (Revolut).
Despite these measures, no information system is fully immune to external threats.
10. Changes to This Policy
We may update this Policy from time to time. We will notify you of significant changes by email at least 14 days in advance. The date of the last update appears in the document header. If you do not accept the changes, you may delete your account before they take effect. Continued use after that date constitutes acknowledgement of the updated Policy.
11. Personal Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with GDPR Art. 34.
Every breach is investigated promptly. The supervisory authority (Andmekaitse Inspektsioon) is notified within 72 hours of becoming aware of a breach likely to result in a risk to individuals' rights and freedoms, in accordance with GDPR Art. 33.
Privacy questions? Write to us: [email protected]