Privacy Policy

Last updated: 26 April 2026 · Version 2.1

This Privacy Policy applies to the RecreationPro website (recreation-pro.com) and the RecreationPro mobile applications for Android and iOS (collectively, the "Service").

1. Data Controller

The data controller responsible for processing your personal data under the General Data Protection Regulation (EU) 2016/679 ("GDPR") is:

RecreationPro

Operated as sole trader (Einzelunternehmer) under Austrian law

Elisabethinergasse, 8020 Graz, Austria

Email: contact@recreation-pro.com

We have not appointed a Data Protection Officer because we are not legally required to do so under Article 37 GDPR. For any privacy matter, write to the email above.

2. What Data We Collect

a) Account & profile data

Name (or chosen display name), email address, password (stored as a salted hash using PBKDF2, never in plain text), profile photo (optional, hosted on Cloudinary), preferred sport(s), preferred playing position (optional), and notification preferences.

b) Group & match data

Groups you join, teams you belong to, matches you attend, attendance status, scores, in-app ratings you give and receive, achievements earned, and leaderboard standings.

c) Wearable & fitness data (mobile app, optional)

If you pair a compatible Bluetooth fitness device with the app, we process: heart rate, step count, distance moved during matches, active minutes, and basic body metrics (height, weight, age) that you may enter to improve calorie estimates. This category may qualify as health-related data under Article 9 GDPR. We process it only with your explicit consent (Article 9(2)(a)) and only for the features you enable. You can disconnect a device at any time in Settings → Devices.

d) Push notification token (mobile app)

When you enable notifications, the operating system (Apple Push Notification service or Firebase Cloud Messaging) issues a token tied to your install. We store this token to deliver match reminders and group updates. The token does not identify you outside our system. You can revoke it any time in your phone's notification settings or in Settings → Notifications.

e) Technical data

Device type and operating system version, app version, language, and time zone. We use this to debug crashes and improve the Service.

f) Communications

Messages you send to contact@recreation-pro.com, including any attachments and metadata.

3. Why We Process It (Purposes & Legal Basis)

Purpose | Data used | Legal basis (GDPR)
Create & secure your account | Account, technical | Art. 6(1)(b) — contract
Run matches, ratings, leaderboards, achievements | Group, match | Art. 6(1)(b) — contract
Pair wearables & show fitness stats | Wearable / fitness | Art. 6(1)(a) + Art. 9(2)(a) — explicit consent
Send match-day push reminders | Push token, notification settings | Art. 6(1)(a) — consent (system permission)
Detect abuse, secure the platform | Technical data | Art. 6(1)(f) — legitimate interest
Improve the Service (aggregated) | Aggregate usage | Art. 6(1)(f) — legitimate interest
Landing page analytics | Cookies, page interactions | Art. 6(1)(a) + § 165 TKG 2021 — consent
Reply to your support email | Communications | Art. 6(1)(b) / 6(1)(f)
Comply with tax / legal obligations | As required by law | Art. 6(1)(c) — legal obligation

You can withdraw consent at any time. Withdrawal does not affect processing carried out before the withdrawal.

4. Mobile App Permissions

The mobile app requests only the permissions strictly required to provide the features you enable. Each is opt-in at the operating-system level.

Permission | Purpose | When asked
Bluetooth (BLUETOOTH_SCAN, BLUETOOTH_CONNECT, NSBluetoothAlwaysUsageDescription) | Scan for and pair with your fitness wearable; sync match-day metrics to your profile. | Only when you tap "Pair a device" in Settings.
Notifications (POST_NOTIFICATIONS, UNAuthorizationOptions) | Send match reminders, attendance pings, and group updates. | First app launch, can be revoked anytime in OS settings.

We do not request access to: contacts, photos, microphone, camera, precise or background location, calendar, files, motion / pedometer, HealthKit, Google Fit, or Health Connect. Step and distance counts are derived solely from your paired Bluetooth wearable, not the phone's sensors.

5. What Other People Can See

RecreationPro is, by design, a shared experience. Other members of your group can see your display name, profile photo, position, attendance, ratings, achievements, and leaderboard ranking. Ratings are fully transparent — everyone in the group can see who rated whom. This is core to how the Service works (Art. 6(1)(b) GDPR).

Group administrators additionally have access to: match administration tools, attendance reports, and aggregated group statistics.

Wearable fitness data is private to you by default. It contributes anonymously and in aggregate to your skill radar and match summaries. Raw heart-rate, step, or distance data is never shared with other members or admins.

6. Service Providers (Subprocessors)

We engage the following carefully selected providers to operate the Service. Each is bound by a Data Processing Agreement under Article 28 GDPR.

Provider | Purpose | Location of processing
Hetzner Online GmbH | Application hosting, database, file storage | Germany (EU)
Cloudinary Ltd. | Profile photo hosting & image processing | EU and United States (SCCs + EU–US DPF)
Brevo (Sendinblue) SAS | Transactional emails (verification, password reset) | Germany (EU)
Google Ireland Ltd. — Firebase Cloud Messaging | Push notifications to Android devices | EU and United States (SCCs + EU–US DPF)
Apple Inc. — Apple Push Notification service | Push notifications to iOS devices | United States (SCCs + EU–US DPF)
Cloudflare Inc. — Turnstile | Bot protection (CAPTCHA) on registration | EU and United States (SCCs + EU–US DPF)
Google Ireland Ltd. — Google Analytics 4 (landing page only) | Consent-gated landing page analytics (not used inside the app) | United States (SCCs + EU–US DPF)

We do not sell or rent personal data to anyone, ever. We do not share data with advertisers, data brokers, or marketing networks.

7. International Data Transfers

Your account and match data are stored in the European Union (Germany). Push notifications, photo hosting, bot protection, and landing page analytics involve transfers to the United States. For those transfers we rely on (i) the EU–US Data Privacy Framework where the recipient is certified, and (ii) Standard Contractual Clauses (Commission Decision 2021/914) as a fallback. You may request a copy of the safeguards by emailing us.

8. How Long We Keep Data

Category | Retention
Account & profile data | Until you delete your account, then erased immediately.
Group & match history | Anonymized (replaced by “Deleted User”) on account deletion. Aggregated team/season stats remain.
Wearable / fitness data | Deleted when you delete your account.
Push tokens | Deleted on logout, account deletion, or notification opt-out.
Support emails | Up to 24 months after the case closes.
Google Analytics (landing page) | 14 months (Google’s enforced cap on our property).
Records required for tax / accounting law | 7 years (Austrian Bundesabgabenordnung §132).

9. Your Rights Under GDPR

You have the right to:

  • Access the personal data we hold about you (Art. 15);
  • Rectify inaccurate or incomplete data (Art. 16);
  • Erase your data ("right to be forgotten", Art. 17);
  • Restrict processing in certain situations (Art. 18);
  • Receive your data in a portable, machine-readable format (Art. 20);
  • Object to processing based on legitimate interest (Art. 21);
  • Withdraw consent at any time (Art. 7(3));
  • Lodge a complaint with a supervisory authority (Art. 77).

To exercise any right, email contact@recreation-pro.com. We will respond within one month (extendable by two months for complex requests, Art. 12(3)). We will never charge you for exercising these rights.

Your supervisory authority in Austria is the Austrian Data Protection Authority (Datenschutzbehörde, DSB), Barichgasse 40-42, 1030 Wien, dsb.gv.at.

10. How to Delete Your Account

You can permanently delete your RecreationPro account and the personal data tied to it at any time, free of charge:

  1. In the mobile app: open Profile → Settings → Delete account and confirm.
  2. On the web: log in, open Profile → Settings → Delete account and confirm.
  3. By email: write to contact@recreation-pro.com from the address you used to register. We will verify your identity and confirm deletion.

What is deleted immediately: name, email, password hash, profile photo, body metrics, push tokens, notification preferences, and any data tied to your identity.

What is anonymized (not deleted): historical match results, scores, and aggregate team statistics. Your name is replaced with “Deleted User” so the group’s history remains intact for the other players.

11. Cookies and Website Analytics

Essential storage is always active on the landing page and the app, and is used only for authentication, security, and remembering your cookie choice. No consent is required for these because they are strictly necessary to deliver the service you requested (§ 165(3) TKG 2021).

Optional analytics are loaded only after you click Accept in the cookie banner on the landing page (recreation-pro.com). The RecreationPro web app and mobile apps do not contain Google Analytics or any other third-party analytics SDK. We use Google Analytics 4 with Google Consent Mode v2 in the strictest configuration:

  • IP addresses are anonymized.
  • Google Signals (cross-device tracking) is disabled.
  • Advertising personalization signals are disabled.
  • If you decline, no analytics cookies are set and no identifiable data is sent to Google.

Cookies we may set:

Name | Purpose | Type | Retention
rp_consent_v1 | Stores your cookie choice (granted / denied) | Essential | 12 months
_ga | Google Analytics 4 — distinguishes unique visitors | Optional (consent) | 13 months
_ga_<ID> | Google Analytics 4 — session state | Optional (consent) | 13 months

Third-party processor: Google Ireland Limited / Google LLC (United States). Google may transfer analytics data to the United States. We rely on the EU–US Data Privacy Framework and Standard Contractual Clauses signed via Google’s Data Processing Amendment.

Data retention in GA4: 14 months. After that, event-level and user-level data is automatically deleted from Google’s servers.

Withdraw or change your choice at any time via the Cookie settings link in the footer of the landing page, or by clearing site storage in your browser.

12. Security

We apply technical and organizational safeguards appropriate to the risk of processing, including: TLS 1.2+ for all network traffic, password hashing with PBKDF2 (65,536 iterations, 256-bit key), least-privilege database access, daily compressed backups with 7-day rotation, and automated security patching. No system is fully risk-free; if a personal data breach is likely to result in a high risk to your rights, we will notify you and the supervisory authority within 72 hours as required by Articles 33–34 GDPR.

13. Children

The Service is intended for users aged 14 and over (the digital consent age in Austria, § 4(4) DSG). Users under 14 must obtain verifiable consent from a parent or guardian. We do not knowingly collect personal data from children younger than 14. If you believe a child under 14 has provided personal data without authorization, contact us and we will review and delete it promptly.

14. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR). Achievement awards, leaderboard rankings, and skill radar values are computed automatically but are purely informational and do not affect your access to the Service.

15. Changes to This Policy

We may update this Privacy Policy as the Service evolves or as the law changes. The "Last updated" date at the top tells you when. For substantial changes, we will notify you in-app and by email at least 14 days before they take effect.

16. Contact & Supervisory Authority

For privacy-related questions, requests, or complaints, email contact@recreation-pro.com.

You also have the right to lodge a complaint with your local data protection authority. In Austria: Datenschutzbehörde, Barichgasse 40-42, 1030 Wien, dsb.gv.at.
