Privacy Policy

We only collect data strictly necessary to operate the Service. The following categories of data are processed:

• Account data: username, email address, password (hashed with bcrypt), language and theme preferences.
• Profile data (optional): link to a player profile, club, picture, biography.
• Posted content: forum messages, reviews of clubs and tournaments, reactions, comments, private messages.
• Contact data: messages sent via the contact form, email correspondence.
• Alerts: subscription preferences (followed players, event types), email address and/or WhatsApp phone number voluntarily provided.
• Technical data: IP address (kept for security and technical log purposes), browser type, date and time of connection.
• Analytics data: anonymized visit statistics (see the Matomo section).
• Public federation data: results, rankings and sport statistics from public sources, processed on the basis of the legitimate interest of informing the Belgian tennis community.

We do not collect any special categories of data within the meaning of article 9 GDPR (health, political opinions, religious beliefs, sexual orientation, etc.).

Your data are processed for the following purposes, on the corresponding legal bases (article 6 GDPR):

• Management of your account and provision of the Service - basis: performance of the contract (art. 6.1.b).
• Sending of transactional emails (registration confirmation, password reset, notifications) - basis: performance of the contract (art. 6.1.b).
• Sending of email and WhatsApp alerts - basis: consent (art. 6.1.a), which can be withdrawn at any time.
• Moderation and security (abuse detection, anti-spam, activity logs) - basis: legitimate interest (art. 6.1.f) and legal obligation (art. 6.1.c, notably under the DSA).
• Anonymous audience measurement through self-hosted Matomo - basis: legitimate interest (art. 6.1.f), with IP anonymization.
• Service improvement and internal statistics - basis: legitimate interest (art. 6.1.f).
• Responding to contact requests - basis: legitimate interest or pre-contractual measures (art. 6.1.f / b).
• Compliance with legal obligations (response to judicial requests, statutory retention) - basis: legal obligation (art. 6.1.c).

We carry out no automated individual decision-making and no profiling producing legal effects within the meaning of article 22 GDPR.

Your data are only accessible to persons strictly necessary for providing the Service. We never sell, rent or transfer your data to third parties for commercial purposes.

We rely on a limited number of processors, selected for their data protection guarantees and bound by contracts compliant with article 28 GDPR:

• Hosting - Hetzner Online GmbH (Gunzenhausen, Germany): hosting of application servers and databases in its Helsinki (Finland) data center, within the European Union.
• Transactional emails and email alerts - Brevo SAS (formerly Sendinblue, 106 boulevard Haussmann, 75008 Paris, France): routing and delivery of emails. Infrastructure located within the European Union.
• WhatsApp alerts - Twilio (Twilio Ireland Limited, Dublin, Ireland / Twilio Inc., San Francisco, United States): transmission of your phone number and message content when you subscribe to this notification channel.
• Audience measurement - Matomo self-hosted on our European servers: no third-party processor is involved.

Public content (public profiles, reviews, forum messages) is by nature visible to all visitors of the Service and may be indexed by search engines.

Our application servers and databases are located in the European Union (Hetzner data center in Helsinki, Finland). However, when you subscribe to WhatsApp alerts, your phone number and the content of the messages are transmitted to our processor Twilio (Twilio Ireland Limited, Dublin, Ireland / Twilio Inc., San Francisco, United States), which may process such data in the United States.

This transfer to a third country is strictly framed by (i) the Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914), (ii) Twilio's certification under the EU-US Data Privacy Framework, and (iii) additional technical measures (encryption in transit via TLS). A copy of these safeguards is available on request at :email.

We retain your data only for as long as strictly necessary for the purposes for which they were collected:

• Account data: as long as your account is active, then up to 24 months after the last login in case of prolonged inactivity (anonymization or deletion).
• Posted content: kept as long as it remains online; if you delete your account, your messages are either deleted or dissociated from your identity depending on their nature and their interest for other users (third-party rights within the discussion thread).
• Private messages: automatically deleted no later than 12 months after account deletion.
• Technical and security logs (IP, logins, moderation): 12 months maximum.
• Contact form: 24 months from the last exchange.
• Matomo analytics data: 14 months, anonymized.
• Legal obligations: data for which a minimum retention period is imposed by law are retained for the prescribed period.

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration or disclosure:

• encryption of communications via HTTPS/TLS;
• passwords stored in hashed form (bcrypt) - never in plain text;
• administrator access control and logging of sensitive actions;
• encrypted and redundant backups;
• regular updates of software components;
• strict separation of production and development environments.

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we undertake to inform you as soon as possible, in accordance with articles 33 and 34 GDPR, and to notify the Belgian Data Protection Authority within 72 hours.

The Service is accessible to persons aged at least 13 years, the age set by article 7, §1 of the Belgian Act of 30 July 2018 for consent to data processing in the context of information society services. Below that age, consent from a holder of parental authority is required.

If you are a parent or guardian and notice that a child under 13 has signed up without authorization, please contact us at :email so that we can delete the account and the associated data.

You can delete your account and all associated personal data at any time, without justification:

• From your account: log in, go to My profile → Account settings → Delete my account, then confirm. Your account is deleted immediately.
• By e-mail: if you can no longer access your account (loss of access to your e-mail address, deletion of your Google or Facebook third-party account, etc.), send a request to :email, indicating the e-mail address or identifier linked to your account. Requests are processed within a maximum of thirty (30) days.

Effects of deletion: your account, preferences, personal profile and private content (private messages, drafts, notifications) are deleted. Your public content (club reviews, forum posts, reactions) is either deleted or dissociated from your identity, in accordance with section 5 above.

If you signed up via Google or Facebook, revoking access from your third-party account does not automatically delete your GameSetMatch account. To delete your data with us, use one of the two methods above.

This policy may be updated to reflect changes in the Service, legal requirements or data protection best practices. The date of the last update is shown at the top of this page.

In case of a substantial change, we will inform you by email or through an in-Service notification at least fifteen (15) days before it takes effect.