Padel GridPadelgrid

Privacy notice

Updated: April 10, 2026

1. Controller

The controller responsible for data processing on this website is the entity named in the imprint.

2. Purposes and legal bases

We process personal data only for the following purposes:

  • operation, security, and stability of the website
  • provision of maps, search, and nearby features
  • abuse detection such as rate limits and bot protection
  • handling contact requests
  • handling submitted location suggestions
  • review, moderation, and publication of submitted reviews
  • processing anonymous club check-ins and aggregated club insights
  • review, moderation, and publication of submitted club images
  • prevention of duplicate voting on club images
  • provision of optional PWA and convenience features in the browser
  • measurement and financing of the service, only with consent where required

Legal bases include in particular Article 6(1)(f) GDPR for our legitimate interest in secure and economically viable operation, Article 6(1)(a) GDPR for consent, Article 6(1)(b) GDPR where a user-requested service is provided, and Article 6(1)(c) GDPR for legal obligations.

3. Server operation and log data

When you access our pages, technically required connection data is processed, in particular IP address, timestamp, requested URL and parameters, header information, and user agent where transmitted. This processing is necessary for content delivery, system security, and defence against abusive access.

4. Maps and geocoding (Stadia Maps)

We use Stadia Maps services for map views and geocoding. When map tiles are loaded, your browser connects directly to Stadia Maps. In that context, your IP address, timestamp, and technical request data may be processed.

Search requests for location search are processed through our geocoding API and forwarded to Stadia Maps. The entered query, for example a place or address, optional focus parameters, and technical request data are processed for that purpose.

4a. Map sources and licences

We use the following sources for map display and geodata:

  • Map style and tiles: Stadia Maps including OpenMapTiles and OpenStreetMap attribution within the map.
  • OpenStreetMap data: © OpenStreetMap contributors.
  • Germany boundary data, country, states, and cities: GeoBasis-DE / BKG 2019, VG250 status December 31, 2018, provided via OpenDataLab simple-geodata-selector. Padel Grid uses locally stored, technically simplified GeoJSON derivatives based on that source. Source reference: bkg.bund.de, licence: Datenlizenz Deutschland Namensnennung 2.0.
  • Austria boundary data, country, federal states, and cities: Padel Grid uses locally stored, technically prepared GeoJSON derivatives. The source used for our derivative is geoBoundaries. The official original source is the Federal Office of Metrology and Surveying (BEV), administrative boundaries, published via bev.gv.at and data.gv.at. The authoritative notice regarding provenance and usage conditions is additionally the official BEV page on standard fees and terms of use. The licence information referenced by geoBoundaries for the dataset used is Creative Commons Attribution-ShareAlike 2.0. In our Austria-related displays, we additionally include a rights notice pointing to BEV.
  • Switzerland boundary data, country, cantons, and cities: Padel Grid uses locally stored, technically prepared GeoJSON derivatives. The source used for our derivative is geoBoundaries; the original source is the Federal Office of Topography swisstopo. Licence: swisstopo OGD.

These boundary datasets are not loaded live from external boundary APIs inside the app. They are shipped as local GeoJSON files in the deployment. Only map tiles and geocoding services are loaded live from third parties. These source notices also apply to static map thumbnails.

5. Nearby location feature

If you use nearby search or tournament-related searches with your current location, the website requests your location from the browser only with your explicit permission. The device coordinates are used to calculate nearby locations or tournaments.

We store the key padel-grid.nearby-location-consent locally in the browser to remember your decision for this location feature. This local storage is used solely to provide the feature and can be deleted at any time in your browser.

6. API protection, rate limits, and bot defence

To protect the service against misuse, we limit API calls per IP address and per endpoint. In that context, the IP address and request characteristics are processed. For certain functions, user-agent information may also be considered.

Caches inside our application contain only technically necessary data and are retained only briefly, typically between 1 and 10 minutes depending on the endpoint.

7. Contact form and enquiries

If you use our contact form, we process your name, email address, selected enquiry category, message, and technical anti-abuse data, in particular IP address, user agent, and Turnstile verification data, in order to handle the enquiry and prevent abuse.

We use Resend to send contact requests and automatic receipt confirmations. The legal bases are Article 6(1)(b) GDPR where your request is aimed at pre-contractual measures or concrete communication, and otherwise Article 6(1)(f) GDPR.

8. Location suggestions

On the add-location page you can submit new locations. For that purpose we process the data you enter, in particular location, court, and optional contact data, for review, editorial processing, and possible inclusion in our database.

We use Cloudflare Turnstile for spam and bot protection. A verification token is sent to Cloudflare for that purpose; additionally, IP address and technical characteristics may be processed. For successful submissions, we also store anti-abuse information, in particular the submitting IP address, user agent, and any optional contact details provided. The legal bases are Article 6(1)(b) GDPR and Article 6(1)(f) GDPR.

9. Reviews and club check-ins

If you submit a review, we process your name, email address, star rating, review text, confirmation of the review guidelines, and technical anti-abuse data, in particular IP-related data, user agent, and Turnstile verification. Reviews are manually checked before publication.

Your email address is processed internally for abuse prevention, duplicate checks, and where necessary for later review of individual submissions. Only review content approved by us is published. The legal basis is Article 6(1)(f) GDPR.

Where enabled, already approved review texts may additionally be summarised automatically with AWS Bedrock in order to display a short overall trend of public reviews. This also takes place on the basis of Article 6(1)(f) GDPR.

On club pages you can also submit anonymous check-ins. In that context, we process a random browser device ID, the relevant club, your selected check-in details such as play patterns, court quality, crowd level, or willingness to return, and technical anti-abuse data. We do not store raw IP addresses for this purpose, only hashed IP-based values. The legal basis is Article 6(1)(f) GDPR.

The anonymous device ID is stored in localStorage so that we can recognise your own entries later, limit repeat submissions, and assign follow-up updates to the same browser. The ID is used only for the check-in feature and is typically retained for up to 12 months.

Aggregated active check-in data may additionally be summarised automatically with AWS Bedrock into short club summaries. These texts are explicitly labelled as AI-generated on the relevant club page. If you want to remove your anonymous club check-ins, we provide a technical deletion endpoint based on your anonymous device ID.

10. Club images and image voting

On club pages, you can upload images for a venue. In that context, we process the uploaded image files, the related club or court, review markers, and anti-abuse data. Images are technically compressed before storage; where possible, embedded metadata such as EXIF data is removed. Before approval, files remain in a non-public review area. An image is published in the club gallery only after manual approval.

To detect and protect identifiable persons, we analyse uploaded images automatically with AWS Rekognition before storage and, where necessary, apply technical blurring to detected faces or person areas. The legal basis is Article 6(1)(f) GDPR.

For published club images, we also provide a reporting and contact option so that possible infringements or unlawful content can be reviewed quickly and removed where needed.

For image voting, we also set the technically required cookie padel_club_image_vote_device to prevent duplicate voting and misuse. The cookie contains a random device token, is httpOnly, serves only the voting function, and is stored for up to 12 months. In addition, we process IP-related hash values and the user agent. The legal bases are Article 6(1)(f) GDPR and, where access to terminal equipment is involved, Section 25(2) TDDDG.

11. Consent management, cookies, and similar technologies

We use a consent banner powered by CookieConsent for optional analytics. Without your consent, optional analytics remains disabled. We currently do not load an external advertising network.

Where optional purposes require access to information in terminal equipment, for example via cookies or identifiers, this is based on Section 25(1) TDDDG in conjunction with Article 6(1)(a) GDPR. Technically necessary access is based on Section 25(2) TDDDG.

At present we use the following browser-side storage in particular:

  • padel-grid-consent as the cookie that stores your consent-banner choice
  • padel-grid.nearby-location-consent in localStorage for the nearby feature
  • padel-grid.nearby-search, padel-grid.nearby-search-pending and padel-grid.tournament-search in sessionStorage to continue nearby and tournament searches only within the currently open browser tab
  • padel-grid-country and padel-grid-language as technically necessary preference cookies for country and language selection
  • padel-grid-checkin-device-id in localStorage as an anonymous ID for recognising your own check-ins and limiting abuse
  • pcf-install-cooldown-until, pcf-install-auto-sheet-seen, pcf-install-success-count, pcf-install-success-window-started-at, pcf-install-last-qualified-path, and pcf-mobile-route-stack for PWA install hints, mobile navigation, and usability
  • padel_club_image_vote_device as the technically required cookie for image voting
  • If analytics is enabled, additional PostHog storage with prefixes such as ph_*_posthog or ph_*_window_id for pseudonymous usage analytics

You can change or withdraw your choice at any time via the Cookie settings button in the footer or in the mobile more menus.

12. PostHog analytics

We use PostHog for pseudonymous product and audience analytics only after your explicit consent. This may include information about page views, search journeys, filters, clicks, and technical browser usage.

We use these insights to improve Padel Grid, especially to understand which country, city, and club pages are useful and which search or filter flows help users most. We do not currently use this analytics setup for personalised advertising or to connect external ad networks.

13. Affiliate links and partner content

On certain pages we display product recommendations linked through the affiliate network AWIN (AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany). Product data (title, image, price) is fetched server-side via the AWIN product-feed API and cached on our servers. No personal data from your browser is sent to AWIN, and no AWIN cookies or tracking pixels are placed on our website.

When you click an affiliate link you are redirected through an AWIN redirect server (awin1.com) to the respective merchant (e.g. Tennis-Point). From that point, the merchant’s and AWIN’s privacy policies apply. AWIN may set a cookie on the merchant’s site to attribute any purchase to the referral link.

We integrate affiliate links on the basis of our legitimate interest in funding and operating the website (Art. 6(1)(f) GDPR). No consent via the cookie banner is required because no cookies are set and no terminal-device access within the meaning of § 25 TDDDG takes place on our site.

14. Recipients and third-country transfers

Depending on how the features are used, data may be transferred to the following recipients: Stadia Maps for maps and geocoding, Supabase for database and storage operation, Cloudflare for Turnstile, Resend for the contact form, PostHog for pseudonymous product analytics where consent has been granted, Amazon Web Services, in particular for Rekognition and, where enabled, Bedrock for image protection and automated review and check-in summaries, and AWIN AG for affiliate product data (server-side feed retrieval; a redirect via awin1.com occurs only when you click an affiliate link).

Processing outside the EU or EEA cannot be excluded depending on the service used. In such cases, we aim to ensure appropriate safeguards under Chapter V GDPR, in particular EU Standard Contractual Clauses. Information on this can be provided on request via our contact page, to the extent available to us.

15. Storage periods

We store personal data only for as long as necessary for the stated purposes or as long as statutory retention obligations apply.

  • rate-limit data: up to 24 hours depending on the protection window
  • short-term API caches: typically 1 to 10 minutes
  • contact requests: until final processing and beyond that only where proof or retention duties require it
  • location suggestions: until editorial review and beyond that where needed for documentation or data maintenance
  • reviews in review status: until manual review and beyond that where abuse prevention or evidentiary purposes require it
  • approved reviews: until removal, revision, or until legitimate reasons oppose further publication
  • anonymous club check-ins: until deletion, removal, or as long as they are required for aggregation, abuse prevention, or evidentiary purposes
  • club image uploads in review status: until manual review and where necessary for abuse prevention
  • approved club images: until editorial removal or until legitimate reasons oppose further publication
  • cookie padel-grid-consent: up to 180 days or until withdrawal
  • cookie padel_club_image_vote_device: up to 12 months
  • sessionStorage entries for search and navigation: until the browser tab is closed or until deleted by you
  • localStorage entries for location consent, the check-in device ID, or PWA hints: until deleted by your browser or by you; the check-in ID typically for up to 12 months
  • PostHog analytics storage: depending on SDK storage periods, typically up to 12 months or until withdrawal/browser deletion
  • consent data: according to the retention periods of the consent system used

16. Your rights

Under the GDPR, you have in particular the following rights:

  • access under Article 15 GDPR
  • rectification under Article 16 GDPR
  • erasure under Article 17 GDPR
  • restriction of processing under Article 18 GDPR
  • data portability under Article 20 GDPR
  • objection to processing based on Article 6(1)(f) GDPR under Article 21 GDPR
  • withdrawal of consent for the future under Article 7(3) GDPR
  • complaint to a supervisory data protection authority under Article 77 GDPR

17. Requirement to provide data

There is no legal obligation to provide personal data. Without certain information, individual features such as contact requests, nearby search, location suggestions, reviews, image uploads, or image voting may not be available or may be available only to a limited extent.

18. No automated decision-making

No automated decision-making including profiling within the meaning of Article 22 GDPR takes place.

19. Data security and updates

We implement appropriate technical and organisational measures to protect data against loss, manipulation, and unauthorised access.

If you would like to request removal of a published club image or report a possible infringement, please use our contact page and identify the affected club page as precisely as possible.

This privacy notice may be updated if features, service providers, or the legal situation change. The version published here applies.