Privacy Policy
Last updated: 10 July 2026
This Privacy Policy explains how ServeLeague ("ServeLeague", "we", "us", or "our") collects, uses, shares, and protects personal data when you use our website and our club management platform for racket sports (the "Service"). It also describes your privacy rights and how to exercise them.
Who we are
ServeLeague provides software that helps clubs manage leagues, sessions, matches, ratings, memberships, facilities, events, and communications. For questions about this policy or your personal data, contact us at [email protected].
What data we collect
We collect the following categories of data:
- Account information: your name, email address, password (stored hashed), and profile details you provide.
- Club and member data: information a club controls about its members, such as names, contact details, membership types, and tags. Where a club uses the Service, the club is the controller of this data and we act as its processor.
- Match and rating data: results, standings, ratings, and related competition records you or your club create.
- Payment information: billing is handled by Stripe. We do not store full card numbers. We receive limited billing metadata (such as plan, status, and the last four digits) needed to manage subscriptions.
- Usage and analytics data: pages viewed, features used, and similar activity, collected subject to your consent where required (see Cookies below).
- Device and log data: IP address, browser type, device information, and timestamps, used for security, diagnostics, and fraud prevention.
Cookies and similar technologies
We use cookies and similar technologies for the purposes described below. Analytics and advertising technologies are loaded only where permitted by your consent settings (see "Consent and how to change it").
| Category | Purpose | Consent required |
|---|---|---|
| Strictly necessary | Sign-in, session management, security, and remembering your consent choice. Required for the Service to function. | No |
| Analytics | Google Analytics 4 (GA4 measurement id, e.g. G-XXXXXXXXXX) to understand how the Service is used. We also use Cloudflare Web Analytics, which is privacy-first and cookieless (it sets no cookies and does not fingerprint visitors). | Yes, for Google Analytics in the EU, UK, and EEA |
| Advertising | Google Ads conversion and remarketing cookies may be used to measure ad performance and show relevant ads. These are loaded only when advertising consent is granted. | Yes |
How we use your data
- To provide, operate, and maintain the Service.
- To manage accounts, subscriptions, and billing.
- To calculate ratings, standings, and other competition features.
- To communicate with you about your account, updates, and support.
- To improve the Service through analytics (subject to consent where required).
- To keep the Service secure and prevent fraud and abuse.
- To comply with legal obligations.
Legal bases (GDPR)
Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:
- Consent: for analytics and advertising cookies, and for optional communications. You can withdraw consent at any time.
- Contract: to provide the Service you or your club have signed up for, including account management and billing.
- Legitimate interests: to secure the Service, prevent fraud, and improve our product, balanced against your rights.
- Legal obligation: to meet accounting, tax, and other legal requirements.
Consent and how to change it
We use Google Consent Mode v2. Visitors in the EU, UK, and EEA are shown a cookie consent banner and analytics and advertising storage are denied by default until you make a choice. Elsewhere, analytics may run by default, and you can still opt out.
You can change or withdraw your consent at any time:
- Use the "Accept all" or "Reject all" options in the cookie banner.
- To re-trigger the banner and change a previous choice, clear this site's local storage in your browser (removing the stored consent value) and reload the page. The banner will appear again for regions where consent is required.
- You can also control cookies through your browser settings.
Data sharing and sub-processors
We do not sell your personal data. We share data with service providers (sub-processors) who help us run the Service, under contracts that require them to protect your data:
- Google (Google Analytics 4 and, where used, Google Ads) for analytics and advertising.
- Cloudflare for hosting, content delivery, security, and cookieless web analytics.
- Stripe for payment processing and subscription billing.
- Our email provider for transactional and account emails.
We may also disclose data where required by law, to protect our rights, or in connection with a business transfer.
International data transfers
Our sub-processors may process data in countries outside your own, including the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms offered by our providers.
Data retention
We keep personal data only as long as needed for the purposes described in this policy, or as required by law. Our default retention periods are:
- Google Analytics 4 data: retained for 14 months.
- Account and club data: retained while the account is active, and deleted or anonymised within 90 days of account closure.
- Backups: purged within 30 days.
Security
We use technical and organisational measures to protect personal data, including encryption in transit, hashed passwords, access controls, and monitoring. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident.
Your rights
Depending on where you live, you may have the following rights over your personal data:
- Access to the data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure of your data (the "right to be forgotten").
- Portability of your data in a structured, machine-readable format.
- Objection to certain processing.
- Restriction of processing in certain circumstances.
If you are a California resident, you have rights under the CCPA/CPRA, including the right to know, delete, and correct your personal information, and the right to opt out of the sale or sharing of personal information. We do not sell your personal data. To exercise your "Do Not Sell or Share My Personal Information" right, or any of the rights above, contact us at [email protected].
Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13 without appropriate consent. Where a club records data about junior members, the club is responsible for obtaining any required parental or guardian consent. If you believe a child has provided us with personal data without proper consent, contact us and we will take appropriate steps.
Clubs as independent controllers
Clubs that use ServeLeague are independent data controllers for the personal data of their own members. For that member data, ServeLeague acts as a processor and handles the data on the club's instructions under our terms. If you are a member of a club and wish to exercise your rights over your member data, please contact your club directly. We will support the club in responding to your request.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of the Service after changes take effect means you accept the updated policy.
How to contact us
For any privacy question or to exercise your rights, contact us at [email protected]. You can also reach us through our contact page. This policy is governed by the laws of New Zealand.